Towards a less intrusive DNS

Afnic is working, among others, with the Council of European National Top Level Domain Registries (CENTR) and the Internet Engineering Task Force (IETF) on enhancing the protection of privacy for DNS users.

The DNS is a little known but crucial element of the Internet infrastructure. Given the current widespread concerns about privacy, the relation between the DNS protocol and privacy is being examined in closer detail. Every Internet user makes wide-scale use of the DNS, even if they are not aware of doing so and know nothing about the DNS or domain names. Whenever a user sends a message or clicks a hyperlink, and whenever their computer updates its software programs, a DNS query (and frequently many more than one) is sent. But whereas the privacy issues related to the HTTP Web protocol have been discussed at length (consider the discussions surrounding "is the explicit consent of the user a prerequisite to placing cookies?" or "is the IP address a nominative data?"), those related to the DNS were first ignored, and then only studied within a small circle of experts, mainly within the IETF. The upcoming release of the RFC "DNS privacy considerations" will be the first official sign of that interest.

What precisely are the privacy issues raised by the DNS? Imagine that you log onto the website of Alcoholics Anonymous. You enter the domain name, or select it as a bookmark or find it using a search engine. In each case, your Web browser will issue a DNS query to find the information associated with the domain name. The managers of the DNS servers that process the query and any third parties who spy on the network will know what you do on the web, which might not please you. Of course, the HTTP connection itself will also reveal things about your visit. But there are two specific reasons for considering the role of the DNS: the first is that the other protocols are gradually being secured against surveillance, and that the DNS, if nothing is done, could become the "weakest link" in privacy; the second is that the DNS involves other stakeholders. For example, if a French resident visits a French website, they may feel that foreign stakeholders cannot keep track of their activities, since apparently everything takes place on French territory. But that "security analysis" is too succinct. If, for example, the website has a name under the .com TLD, the DNS queries are processed and observed by American servers, although the client and HTTP server are both in France.

Note that we are referring here to the necessary confidentiality of the queries. The data are much less of a problem since they are public. In other words, it is not the IP address of Alcoholics Anonymous that should be kept confidential, but the fact that Mr. Jones has requested it.

We must therefore strengthen the protection of privacy in the DNS. Afnic has been involved in this process since its inception, first within the CENTR and then within the IETF, and has been a driving force in the process even before Edward Snowden's revelations, since the work began at the General Meeting of CENTR in Amsterdam in June 2013. The IETF meeting in Vancouver in November 2013 was an opportunity to transfer this task to the main Internet standards body.

The usual method for improving the protection of privacy is in two steps: minimize the amount of data sent, and encrypt the transfer. The first solution protects against indiscreet servers among other things, the second against a third party who may be eavesdropping on the network. These two approaches are both necessary, since they do not protect against the same opponents.

Today, three tasks are being carried out by the IETF:

1. documenting the issue: this will be the role of the future DNS privacy considerations RFC mentioned above. There may not be any perfect technical solutions, but at least a reference document on the issues related to the DNS will be available to the Internet stakeholders who perform security analysis. The following two tasks focus on the solutions (the two steps I mentioned above)
2. encrypting DNS traffic, as far as possible. The technical issues involved are being hotly discussed, with several solutions proposed. Once adopted, the solution selected will be deployed in all of the DNS servers, including the resolvers and authoritative servers (such as those managed by Afnic).
3. minimizing the amount of data sent, by no longer sending the full query to all of the servers (including those of the root zone). Today, if Mr. Jones issues a DNS query for tracker.thepiratebay.se, the root servers (and all other DNS servers involved) see the full query when it would be enough to ask them about the .se name servers since they only know the TLD. This is the mechanism suggested by the future "QNAME minimization" RFC. Once adopted, it should be deployed in a particular category of DNS servers, the resolvers.

As was said before, Afnic has been a pioneer in this task and will continue to make every effort to see it is completed.