{
  "id": "IN11182",
  "type": "CRS Insight",
  "typeId": "INSIGHTS",
  "number": "IN11182",
  "active": true,
  "source": "EveryCRSReport.com",
  "versions": [
    {
      "source": "EveryCRSReport.com",
      "id": 606367,
      "date": "2019-10-16",
      "retrieved": "2019-10-21T22:20:28.304250",
      "title": "DNS over HTTPS\u2014What Is It and Why Do People Care?",
      "summary": "Internet pioneer David Clark said: \u201cIt\u2019s not that we didn\u2019t think about security. We knew that there were untrustworthy people out there, and we thought we could exclude them.\u201d Those who created the internet were focused on enabling the utility of the network, and a repercussion of their design decisions is that internet security is not inherent but must be retrofitted. Efforts to change one of the internet\u2019s hardwired insecurities\u2014the Domain Name System (DNS)\u2014are ongoing but will be disruptive.\nHow We Get to Websites Today\nWhen someone wants to visit a website, they type the web address into their browser, and the website loads. DNS is one of the many protocols needed to make that work. Many call DNS the \u201cphonebook of the internet\u201d: it takes the user-readable web address and sends that information to a DNS resolver. The resolver retrieves the internet protocol (IP) address of the website (i.e., the network address of the server that hosts the website) and returns that information to users\u2019 computers. Knowing where to go, the browser then retrieves the website. Most users receive DNS resolver services from their internet service provider (ISP), but some choose to use another service. For instance, some businesses choose to use a resolver that provides additional security or filtering services. \nToday, DNS queries are generally sent unencrypted. This allows any party between the browser and the resolver to discover which website users want to visit. Such parties can already monitor the IP address with which the browser is communicating, but monitoring DNS queries can identify which specific website users seek. As more services move to cloud computing infrastructure, this distinction becomes increasingly important, because multiple websites may be consolidated under a few IP addresses, rather than each having a unique IP address. \nUses of DNS Query Data\nInformation extracted from unencrypted DNS queries can be used for a variety of purposes. Network providers can determine the geographically closest instance of a website users are seeking so the content can be delivered faster. Using filters, employers can block workplace access to gambling websites, and parents can block their children from accessing adult websites at home. ISPs use DNS queries to comply with law enforcement requests for records of users\u2019 internet activity. DNS query information can also be used to profile users\u2019 online behavior for purposes such as providing targeted advertising. \nWeaknesses of DNS Queries\nUnencrypted DNS queries may be intercepted or manipulated without users\u2019 knowledge. An eavesdropper\u2014e.g., the owner of a Wi-Fi router or party in the ISP infrastructure\u2014can see where users seek to browse, even if the content delivered from the website is encrypted. DNS queries can also be hijacked to divert a user to a malicious website instead of the intended website. In 2019, the U.S. Department of Homeland Security (DHS) issued its first emergency directive to federal agencies in response to a DNS hijacking campaign. \nEncrypting DNS Queries\nDNS over HTTPS (DOH) changes how DNS queries are sent. DOH encrypts DNS queries as web traffic, instead of sending them as clear text. If DOH is in use, the content of a DNS query is visible only to the users\u2019 browsers and the DNS resolver, not to third parties between them on the network. Google and Mozilla recently announced they will move to DOH for their Chrome and Firefox desktop web browsers. Statcounter estimates that Chrome has 65% of the U.S. desktop browser market and Firefox has 8%. \nGoogle\u2019s Chrome Approach\nStarting with Chrome version 78 (scheduled for release on October 22, 2019), Google will enable DOH for users who have opted to use an approved resolver. Google will not change users\u2019 choice of resolver, so the user experience should be unaffected. For example, content filtering by employers or parents should continue to work. If DOH fails, Chrome will revert to the original DNS resolver. Chrome users can choose to opt out of DOH in the browser. \nMozilla\u2019s Firefox Approach\nFirefox has supported DOH since 2018, but beginning in September 2019, Mozilla began switching U.S. users to DOH by default. To do this, Firefox uses Cloudflare as its DNS resolver, although users can change this. Mozilla is deploying DOH in \u201cfallback mode\u201d\u2014if the browser detects that business filtering or parental controls are present, it will automatically disable DOH and use the original DNS resolver. Firefox detects the presence of filtering via \u201ccanary domains\u201d that seek to load test websites. If the test website doesn\u2019t load, Firefox does not activate DOH and falls back to users\u2019 original choice of DNS resolver. Firefox users can choose to opt out of DOH in the browser.\nChanging the Status Quo\nControversy soon followed the companies\u2019 announcements to move to DOH, according to media reports. \nOne concern is that DOH inhibits content filtering controls. Indeed, Mozilla opted not to deploy DOH in the United Kingdom because of this concern. Measures such as user selection and canary domains may help to address this.\nAnother concern is that DOH will complicate content delivery to users. Today, content delivery networks (CDNs) host multiple instances of web content on geographically dispersed servers. This creates resiliency for web services and helps to deliver content to users more quickly. If ISPs lose the ability to view users\u2019 DNS queries, they will still be able to route users to a CDN, but not necessarily the closest or most efficient CDN. Technical measures that may alleviate this concern include sharing some user data (like general geolocation data) and CDN load management tactics. \nComplying with law enforcement requests for DNS query information will change if ISPs no longer have visibility into that data. Law enforcement agencies could request the information from DNS resolvers instead, but will need to know which resolver customers use in order to present their request, and the resolvers may not retain the necessary records.\nOther potential implications of DOH implementation involve issues such as international data flow and advertising competition.",
      "type": "CRS Insight",
      "typeId": "INSIGHTS",
      "active": true,
      "formats": [
        {
          "format": "HTML",
          "encoding": "utf-8",
          "url": "https://www.crs.gov/Reports/IN11182",
          "sha1": "4827a97cc05f573aefb1599f7efb4ad2d1b53b7a",
          "filename": "files/20191016_IN11182_4827a97cc05f573aefb1599f7efb4ad2d1b53b7a.html",
          "images": {}
        }
      ],
      "topics": [
        {
          "source": "IBCList",
          "id": 4794,
          "name": "Science for Security"
        },
        {
          "source": "IBCList",
          "id": 4820,
          "name": "Cybersecurity"
        },
        {
          "source": "IBCList",
          "id": 4871,
          "name": "Telecommunications & Internet Policy"
        },
        {
          "source": "IBCList",
          "id": 4916,
          "name": "Technology & Innovation"
        }
      ]
    }
  ],
  "topics": [
    "CRS Insights"
  ]
}