
The Fight over DNS over HTTPS

November 19, 2019 | Guest Blogger: Kim Crawley

As you may be aware, tech and telecommunications companies have been battling over user privacy in many different ways. We all use the web these days, and a lot of very sensitive data travels over it: medical data, financial data, access to your IoT (Internet of Things) devices, you name it. The web isn’t just traditional websites anymore, and DNS (the Domain Name System) isn’t just for the web, either. DNS is vitally important for email and many other internet services. DNS makes the internet a lot more user friendly: we can use memorable domain names rather than having to memorize IP addresses.

DNS queries reveal a lot about a user’s internet use: every website, mail server, or API a device contacts is looked up by name first, so whoever can see those lookups gets a running log of where you go. That log is sensitive in itself, and it can also help cyber attackers target you. It’s crucial for the sake of your rights as an individual, and perhaps for your business’ own autonomy, to keep at least some of that data private. There’s been recent news about a particular battle over this data, and you really ought to know about it.

The importance of DNS cannot be overstated. When the Mirai botnet took down Dyn’s DNS servers in October 2016, millions of people, mostly in the United States, couldn’t reach many major websites for hours. So securing DNS is vital, and that means two different things: protecting the availability of DNS servers against attacks like that one, and protecting the confidentiality and integrity of DNS queries in transit against eavesdropping and man-in-the-middle tampering. DNS over HTTPS addresses the second problem, not the first.


DoH, Browsers and ISPs

DNS over HTTPS (DoH) was standardized as RFC 8484 in October 2018, a little over a year ago. It carries ordinary DNS queries and responses inside an HTTPS connection to the resolver, so whether or not the lookups are for the web, an on-path observer (your ISP, the coffee-shop Wi-Fi, a compromised home router) can no longer read or rewrite them, provided the client validates the resolver’s TLS certificate. Plus, by reusing the TLS and HTTP stack that is already everywhere, it is an inexpensive and efficient way of raising the baseline. Two caveats a practitioner should keep in mind: DoH protects the path, not the endpoint, so the resolver you send DoH queries to still sees every one of them; and the destination IP address and the TLS Server Name Indication of the connection that follows a lookup still reveal a lot to the same observer.
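To make the “tunneling DNS through HTTPS” part concrete, here is an added example (not code from the original post or from any browser vendor) that builds what a DoH client actually sends and checks: the RFC 1035 wire-format query, the two request forms RFC 8484 allows (GET with an unpadded base64url `dns` parameter, or POST with the `application/dns-message` media type), and a parser for the reply that does the checks a client should do before trusting it. It runs offline: `RESOLVER_URL` is a hypothetical placeholder, and the reply is a constructed byte string answering `example.com` with the TEST-NET address 192.0.2.1, not a capture from a real resolver.

```python
"""Added example, not from the original post: the bytes inside an RFC 8484
DNS-over-HTTPS exchange.  Offline; the response below is constructed."""
import base64
import struct

# Hypothetical resolver endpoint; real RFC 8484 resolvers expose a URL of this shape.
RESOLVER_URL = "https://doh.example/dns-query"

def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """RFC 1035 wire-format query for `name` (qtype 1 = A, class IN)."""
    # RFC 8484 recommends transaction ID 0: identical questions then yield
    # identical HTTP requests, so ordinary HTTP caches can serve them.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"                                    # root label ends the name
    return header + qname + struct.pack("!HH", qtype, 1)

def doh_get_url(resolver_url: str, query: bytes) -> str:
    """GET form (RFC 8484 s4.1): unpadded base64url query in the ?dns= parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"

def doh_post_request(resolver_url: str, query: bytes):
    """POST form: raw wire-format body with the application/dns-message media type."""
    headers = {"Accept": "application/dns-message",
               "Content-Type": "application/dns-message"}
    return resolver_url, headers, query

def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 s4.1.4)
            target = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                           # caller resumes after the pointer
            jumped, off, hops = True, target, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_dns_response(msg: bytes, expected_txid: int = 0):
    """Validate the DNS header and return answers as (name, type, ttl, rdata)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError(f"RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):                                 # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                   # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return answers

def check_doh_response(content_type: str, body: bytes, expected_txid: int = 0):
    """A DoH client checks the HTTP media type (RFC 8484 s4.2) before the DNS payload."""
    if content_type.split(";")[0].strip().lower() != "application/dns-message":
        raise ValueError(f"unexpected Content-Type {content_type!r}")
    return parse_dns_response(body, expected_txid)

# Constructed reply to build_dns_query("example.com"): A 192.0.2.1 (TEST-NET), TTL 300.
_QUERY = build_dns_query("example.com")
CONSTRUCTED_RESPONSE = (
    _QUERY[:2]                                          # same transaction ID as the query
    + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)         # QR, RD, RA; 1 question, 1 answer
    + _QUERY[12:]                                       # question section echoed back
    + b"\xc0\x0c"                                       # pointer to the name at offset 12
    + struct.pack("!HHIH", 1, 1, 300, 4)                # type A, class IN, TTL, RDLENGTH
    + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(doh_get_url(RESOLVER_URL, _QUERY))
    print(check_doh_response("application/dns-message", CONSTRUCTED_RESPONSE))
```

The URL that `doh_get_url` produces can be fetched with any HTTPS client that validates certificates. The thing to notice is that, on the wire, the request is indistinguishable from any other HTTPS request, which is exactly why an ISP can no longer pick DNS out by port 53, and also why the resolver that receives it sees exactly what the ISP used to.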

Google Chrome and Mozilla Firefox are both rolling out DNS over HTTPS in their browsers. If DoH is deployed through a major browser, ISPs have a harder time tracking how their users use the internet, because the queries no longer pass through the ISP’s resolver in the clear. One major ISP, Comcast through its Xfinity brand, would rather deploy DNS over HTTPS itself, on its own resolvers. If you’re mistrustful of Comcast, you’d probably prefer that the browser vendors handle it instead. Comcast, for its part, insists that it does its best to protect user privacy. From its website:

“As your Internet Service Provider, we do not track the websites you visit or apps you use through your broadband connection. Because we don’t track that information, we don’t use it to build a profile about you and we have never sold that information to anyone.

We do not sell, and have never sold, information that identifies who you are to anyone. We also don’t sell, and have never sold, your location data when you use our Xfinity Mobile service.

We delete the DNS queries we have as an Internet Service Provider every 24 hours.”

Make of that what you will.

Data Monopoly?

Comcast argues that if Google handles DNS over HTTPS through its Chrome platform, it will have a dangerous monopoly over user data. Comcast claims that Google’s interest in handling DoH would alter the decentralized nature of the internet’s architecture and give the corporation an unfair advantage.

In its defense, Google says that DNS over HTTPS will be optional for Chrome users, and that Chrome’s current experiment only upgrades to DoH when the resolver the user (or their ISP) has already configured is known to offer a DoH endpoint; it does not redirect queries to Google’s own resolver. Chrome users will be able to turn it off or change their DoH provider in the browser settings, much as you can change the default search provider in Chrome to Google, DuckDuckGo, Bing, or something else.

Mozilla is also doing their best to fight for user privacy. User privacy is a key selling point for their Firefox web browser. The battle has heated up to the point that Mozilla sent a letter to US Congress on November 4th. Here are some of their key points:

“We are writing to express our concern about the privacy and security practices of internet service providers (ISPs), particularly as they relate to the domain name services (DNS) provided to American consumers. Our recent experience in rolling out DNS over HTTPS (DoH)—an important privacy and security protection for consumers—has raised questions about how ISPs collect and use sensitive user data in their gatekeeper role over internet usage. With this in mind, a congressional examination of ISP practices may uncover valuable insights, educate the public, and help guide continuing efforts to draft consumer privacy legislation.

During the last two years, Mozilla, in partnership with other industry stakeholders, has worked to develop, standardize, and deploy DoH, a critical security improvement to the underlying architecture of the internet. A complementary effort to our work to fight web tracking, DoH will make it harder to spy on or tamper with users' browsing activity and will protect users from DNS providers—including ISPs—that can monetize personal data. We believe that such proactive measures have become necessary to protect users in light of the extensive record of ISP abuse of personal data.”

Mozilla’s approach differs in that Firefox enables DNS over HTTPS by default for users in its rollout (currently the US), sending queries to a partner resolver (Cloudflare at launch) that has agreed to Mozilla’s Trusted Recursive Resolver policy on data retention, rather than waiting for the user to opt in. That is, if Mozilla is allowed to keep doing so in the wake of the battle with internet service providers.

This fight is very exciting to watch. And the outcome will affect all of us, for years to come. Who do you trust to encrypt your data? And how much choice do you want to have in that process?


About the author

Guest Blogger: Kim Crawley

Kim Crawley writes about all areas of cybersecurity, with a particular interest in malware and social engineering. In addition to Venafi, she also contributes to Tripwire, AlienVault, and Cylance’s blogs. She has previously worked for Sophos and Infosecurity Magazine.