DNS over HTTPS Part 1: “What’s past is Prologue”

For as long as I can remember, DNS has been the backbone of the internet: the solution to, and the source of, everyone’s networking problems. You don’t want to remember a litany of numbers? You can remember a domain name instead.

More often than not, DNS is to blame. Even when you think it isn’t.

From a network security perspective, there is no network data source that is as interesting or useful as DNS logs, except maybe netflow. There is so much statistical analysis you can do with DNS logs to help you find unusual traffic patterns in your network. Oftentimes, noticing those new and unusual domains in your logs is one of the first ways malware campaigns are detected. Malware needs C2 servers to talk to, places to go to pick up payloads, places to communicate with to drop off exfiltrated data, and so on, and so forth.
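As an added illustration (not code from the original post), here is one way to do the kind of statistical pass over DNS logs described above: it parses constructed sample query lines in a made-up key=value format, flags registrable domains absent from a baseline of known domains, counts queries per client, and scores the leftmost label’s entropy to surface random-looking hostnames. The log format, the baseline, and the thresholds are all assumptions for the sake of the example.

```python
"""Flag first-seen and random-looking domains in DNS query logs (constructed sample data)."""
import math
from collections import Counter

# Constructed sample log lines in a made-up key=value resolver format; not real traffic.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z client=10.0.0.5 q=www.example.com type=A rcode=NOERROR
2024-05-01T09:00:02Z client=10.0.0.5 q=mail.example.com type=A rcode=NOERROR
2024-05-01T09:00:05Z client=10.0.0.7 q=cdn.example.net type=AAAA rcode=NOERROR
2024-05-01T09:01:10Z client=10.0.0.9 q=x7k2p9qz.badexample.org type=A rcode=NOERROR
2024-05-01T09:01:11Z client=10.0.0.9 q=m3vq8t1l.badexample.org type=A rcode=NOERROR
2024-05-01T09:01:12Z client=10.0.0.9 q=z9hf4w2c.badexample.org type=TXT rcode=NOERROR
"""

# Registrable domains already known on this network (constructed baseline).
BASELINE = {"example.com", "example.net"}

def parse_line(line):
    """Split one log line into its timestamp and key=value fields."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def registrable(name):
    """Crude registrable-domain approximation: the last two labels (no public-suffix list)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def entropy(label):
    """Shannon entropy in bits per character; random-looking labels score near log2(len)."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def analyze(log_text, baseline, min_len=8, min_entropy=2.8):
    """Return (first_seen, per_client_counts, high_entropy_names) for the log text."""
    first_seen, per_client, high_entropy = {}, Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        dom = registrable(rec["q"])
        per_client[(rec["client"], dom)] += 1
        if dom not in baseline:
            first_seen.setdefault(dom, rec["ts"])  # keep the earliest timestamp
        leftmost = rec["q"].split(".")[0]
        if len(leftmost) >= min_len and entropy(leftmost) > min_entropy:
            high_entropy.append(rec["q"])
    return first_seen, per_client, high_entropy
```

Running `analyze(SAMPLE_LOG, BASELINE)` reports badexample.org as first seen at 09:01:10, with a single client making all three random-looking lookups. The two-label heuristic in `registrable` is deliberately crude; a real deployment would use a public-suffix list.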

Not only that, but from a network troubleshooting perspective, being able to see DNS queries and responses is invaluable for determining whether or not DNS is functioning normally, pointing to the right IP address(es), having tolerable round-trip resolution times, and generally doing its job. It’s a small miracle when there is a network problem that you can prove beyond a shadow of a doubt is not DNS.

The network admin after troubleshooting DNS

This blog is probably going to be a multi-parter, and is probably going to be an image-macro-filled and profanity-laden research journal. Because when I write about things that I’m passionate about and that concern me, I have a tendency to look into the past, the present, and the future. The last time I did this, I ended up with a 50-page research paper, and maybe after I’m done writing all this, I’ll collect it all, clean up the language, memes, and everything else, and release it as a formalized paper. Until then, this is what I’m delivering.

A brief history of computing and DNS (abridged)

In order to understand what is happening today and the future we are facing, I feel it’s important for us to review the past. To that purpose, I’m going to give you a very brief, abridged view of computing, how DNS came to be, and why it’s still here. For those of you who don’t like history or vastly simplified timelines of computing history, you’re gonna be bored. Deal with it. Anyhoo, let’s get started.

The history of the computer is pretty varied. Some sites suggest that computing dates back to the invention of the punch card way back when in the 1800s, and Charles Babbage, while others believe that the history of modern computing ramps up in the 1930s. Because I’m not a history professor, and you’re here for me to rant about DNS over HTTPS at some point, I’m going to fast-forward considerably to the milestones that matter: 1969 was when ARPANET, the bigger cousin of ALOHANET and precursor to the internet, was born. 1971 was when UNIX was born from the corpse of Multics. This was the advent of the mainframe era: many users timesharing on a single massive mainframe computer, interfacing with that computer via distributed dumb terminals, and learning to link those networks of mainframe computers together in order to share resources, originally as a Department of Defense project, but later as a way for companies and universities to more easily share their research findings and resources with one another.

Even way back when in the ARPANET days, people were lazy and didn’t want to have to remember a litany of numbers when attempting to connect from one network to another, and thus the HOSTS file was born, allowing you to substitute a hostname for a network address. Eventually ARPANET and other research networks grew too large and complicated for host files to be able to manage, and out of the shitstorm mess of competing standards and shouting to “do something about it”, DNS and BIND were born in 1984, funnily enough. I discovered this information by using the “Google” elder scroll, and reading about it on Wikipedia.

The best thing about writing your own blog/research is that you have the power to call Wikipedia a citable resource, mainly because Wikipedia requires its own works cited that you can point to for lazy assholes who think Wikipedia isn’t a reputable data source. So much forbidden knowledge and power, now yours to cite as you see fit.

Most of you know the story from here. How computers became more affordable; the invention of the modem, letting people connect and piggyback over the POTS network; USENET and the eternal September; the dot-com bubble and its inevitable burst, because Silicon Valley promises the world and delivers a grain of sand; the rise of mobile computing; the shitshow of consumerist bullshit that Apple foists upon us and the “invention” of new technologies (because they’re not really invented until Apple says so); and, in this last decade, the rise of cloud computing and the consolidation of computing services and resources. Everything old is new again.

Consolidation of Resources, Return of the Mainframe Era, “The Good Old Days”

I have this unfounded theory that the reason most of the computing resources in our world are being gathered into the hands of the few is that the majority of old fogies, boomers, and their kin grew up in the era of the mainframe, and the idea of having all of their computing resources and stuff under one roof that they themselves don’t have to worry about is a callback to the days of yore, with dumb terminals connected to a mainframe somewhere that the nerds have to care for and Not Me(tm). With cloud computing, every goddamn thing you do is billable, so we’ve even seen the return of timesharing, with every CPU cycle now billable. God fucking damn you people.

This is rampant bullshit speculation, though, and since this is my blog, this Is Perfectly Fine(tm) for now.

Why Consolidation of services and resources is remarkably stupid

We are living in an era where a large number of both start-up and well-established organizations and companies have gleefully handed over their core infrastructure, and the control to shape the internet as they see fit, to a handful of conglomerates. DNS is no exception. Everybody tells you to use Google’s DNS service, or Cloudflare DNS, or Quad 9. Don’t bother rolling your own. It’s like everyone forgot what happened when Dyn’s DNS servers got taken out by an IoT botnet a few years ago. In case you forgot, half of the fucking internet went down. But sure, fuck it, keep on consolidating your services and defeating the purpose of the internet, as well as network and service autonomy, because administering your own stuff is hard. The cloud offers five nines uptime, and also doesn’t immediately make it clear when you’re exposing all of your customer data to the world. I mean, this is essentially the business model of Cloud Services the World Over: You don’t know what you’re doing, let us manage that shit for you. For money.

Gief Moni Pls.

To wrap this subsection up in a nutshell, the cloud has its purpose. Sometimes that purpose is to prop up start-ups that are hoping to last until they get swallowed (bought out) by a bigger fish, and who can’t afford dedicated administrators and security staff to keep their shit together till then. In other cases its purpose is to enable developers to fail fast, never iterate, and deliver “works on my machine” in record time. And in some other cases, it is to provide large companies infrastructure or scaffolding that they forget about until it’s the root cause of a massive data breach some time later.

But also, it’s dropping all of your eggs into one basket and hoping for someone to not come along and either take down your network link (intentionally, or unintentionally; thanks Comcast) to where all of your services actually live, or attack and take down the service provider itself with a botnet of internet-connected potato peelers. Welcome to the future.

We Care about your Security and Privacy, until we actually don’t

In addition to our modern era of service and resource consolidation, we’re letting companies with some of the shittiest track records known to man be in control of this consolidated infrastructure. I mean, Amazon is a company that treats their warehouse workers like trash. Google is a company that coined the term “don’t be evil”, unless it’s better to quietly be evil. Or hell, overtly evil, so long as there is enough money involved. Cloudflare has no qualms about giving your abuse claim contact information to abusers, or begrudgingly dropping service for hate sites under the guise of “freeze peach”, but really they were just mad because white supremacist money is money all the same to them.

These companies having shitty track records is combined with computer security professionals living with paranoia in a post-Snowden world in which we’re told to wrap everything in SSL, because the Intelligence Community is coming for you, and your data. I’m not here to tell you that your paranoia is unjustified, but I am here to tell you that trusting companies that tell you to use their VPN (that really isn’t a VPN) probably isn’t The Way Forward(tm). Every security company takes security and privacy seriously (until they get breached), and I feel as though The Grugq said it best when he stated in his talk/slide deck “Opsec for Hackers” that nobody is going to jail for you. To further clarify on that point, a lot of these services claim to protect your privacy, and also claim that they aren’t logging anything, until you find out they were served National Security Letters, or the FBI paid them a visit and seized their servers. Surprise!

Your DNS Queries are private, Until they actually aren’t.

If you’re looking for DNS-specific context, several of these companies claim to be doing nothing with those DNS queries you’re making. Since Google’s two business models are selling ads and collecting information, we know this is bullshit, and they’re not shy about telling you “yup, we definitely hold on to your shit.” But when it comes to Cloudflare’s Quad 1 DNS service, there are some fine details to be aware of. They don’t log your source IP address, but they log everything else for at least 24 hours. Let’s take a look at Quad 9’s privacy policy. Yup, turns out that they hold on to your queries too.

Now, I will say that it’s kinda neat to have a DNS service that protects you against threats by filtering the DNS queries and just fuckin’ null routing them as soon as they know they’re bad, but the problem is that these companies and services all claim to be safeguarding your privacy. They can’t be your network nanny without violating your privacy, because that’s how DNS inspection works: the resolver has to see and evaluate every query to decide which ones to block. It’s a contradiction in my books.

Conclusion Part I: “Collecting Telemetry is okay for me, but not for thee”

If there is anything you get from this first post on this subject, let it be the following:

1. Network resources and services are being consolidated from the hands of the many to the hands of the few. Not unlike how it was in “The good old days” that boomers always refer to. People are okay with this, because it means less work on their part. And the companies controlling the computing resources are okay with it because it means everything is billable. Follow the money.

2. You can’t claim to value the privacy of your customers while simultaneously collecting data about where they are going and what they are doing. You can’t claim to be a more secure DNS provider AND a more private DNS provider. Pick one.

3. With most of these DNS providers moving from standard DNS services, and/or recommending DNS over HTTPS as a more privacy-conscious solution (which we’ll definitely get to later), and web browsers choosing to opt in to this bullshit by default, regardless of what system administrators and network security personnel want, you’re creating massive blind spots that make both threat hunting and network troubleshooting much more difficult for the rest of us. You’re essentially saying it’s okay for us to have this data, but you filthy commoners cannot be trusted with it. It is for us, and us only. Not only that, you’re telling application developers that applications which override the operating system’s resolver defaults are A-OK, which is just lovely.

I’m far from done talking about this subject, but I’m going to stop here. We’ll pick back up on this a little later. The weekend beckons and I have things I wanna do.