DNS, side effects and concentration

Slides: IAB Workshop: Design Expectations vs Deployment Reality in Protocol Development (dedrws)
Abstract: Julien Maisonneuve, DNS, side effects and concentration
Last updated: 2023-02-07


Proposed position paper for the DEDR workshop:

DNS, side effects and concentration
Julien Maisonneuve

A naming problem
Recent attacks on the DNS have caused concerns over its safety and its ability
to resist attacks, notably when on-path devices can be subverted. There are
several technical standards and proposals to combat the problem, but not all
manage to solve the vulnerabilities that were exposed in recent attacks. For
example, hijacking DNS resolvers in badly protected home routers has proved an
extremely efficient attack vector which is hard to fix. One of the attempts to
answer the problem is DNS over HTTPS (DoH, RFC 8484), a way to channel DNS
requests over an encrypted HTTP channel. One of the three deployment options
for DoH is the integration of address resolution into applications, in
particular internet browsers, potentially bypassing the typical chain of DNS
resolvers (home-based, ISP, ...). This option has been implemented by Mozilla
and Google in their browsers, which are used by a large share of internet
users. This solution, while easy to deploy (a handful of browser vendors can
patch their software in a few days, much of which is updated automagically),
has a number of adverse consequences:

  *   Local regulations for internet filtering through DNS filtering can be
  bypassed, wiping out a key tool for legal enforcement in many countries.
  Remediation would be complex since filtering should take place in all of the
  possible resolvers, unless each country mandates specific resolvers. Some
  regulations on record keeping (e.g. UK IPA) are also being entirely
  bypassed.
  *   Some schemes of CDN traffic redirection based on address substitution
  can be derailed (e.g. when provided or assisted by ISPs).
  *   It potentially concentrates DNS resolution in a small set of actors
  (typically browser vendors or chosen partners), giving them key insights on
  the browsing habits of their users (though on a coarse, site-based
  granularity).
  *   Even if users are in control of which DoH server they use, how should
  they pick one over another? How can one avoid concentration towards a few
  oligopolistic actors (sometimes the same usual suspects)?

The role of ISPs, and others
There was a strong reaction against government and ISP practices in terms of
privacy. This is understandable: ISPs are the first go-to shop for regulators
and legislators to enforce local regulations and laws, and they enjoy limited
legal headroom. In some cases, ISPs have also tried to take advantage of their
privileged position to extract added revenue (e.g. through ads). But the net
result of the end-to-end encryption debate has been a situation in which
privacy might be maintained between application servers and their clients, but
can fail entirely in the application space. This has taken different forms,
from accidental leakage of confidential personal information to wholesale
for-profit profiling of users leading to various forms of manipulation.
Arguably, this is not in IETF's reach, but IETF's policy has given it more
weight by making HTTPS endpoints more valuable.

The role of regulation and law enforcement needs to be considered. Encryption
has made ISP-level interceptions less useful, but the same legal tools can be
used towards application providers and platforms. It is also unlikely that
regulators will sit on their hands while the tools they have relied upon (such
as ISP DNS) are being bypassed. There is a risk of triggering an arms race
where technical solutions increasing privacy lead to more and more intrusive
regulation.

A path towards Concentration
There are at least two main factors which play a role in concentration:
economies of scale and network effects. We are already aware that some of the
evolutions of threats over the internet have prompted concentration of actors,
notably in the space of CDNs but also in security (DDoS protection, ...) or DNS
services.

Economies of scale are an obvious factor: providing DNS resolving for a
thousand domains is not much more costly than for a few. Conversely, providing
attack and DDoS protection for a few sites is not much less expensive than
doing it for many. Fixed costs for development can be more easily amortized
over a larger number of customers, and variable costs for additional service
are very cheap in the cloud.

Network effects apply more selectively to different services: DNS is a simple
service where not much can be inferred from gaining additional users. On the
other hand, DDoS protection has clear benefits: more users allow attacks to be
identified more quickly and reacted to more efficiently. End-user applications
have an even greater potential: the higher you move in the stack, the more
valuable information can be.

Remediation
In the case of DoH, it is likely that regulators will quickly adapt to the new
paradigm (e.g. with new mandates for browser vendors). But the trend towards
concentration may not be answered. As in many other internet domains, it is
difficult to go against economies of scale or network effects armed only with
technical tools and solutions. To some extent, the way these effects
materialize is a testament to the efficiency of the protocols which have
enabled a more fluid landscape.

As in other economic areas, there are few factors weighing against
concentration, and effective tools tend to belong to the regulatory or
political domain. However, this is not a period where enforcement is easily
done, as many actors are actively fighting against change. Regulation can also
adopt misguided targets to answer the public's concern of the day.

In Europe and elsewhere, GDPR has demonstrated that it was not impossible to
change the status quo. It went a long way to push towards (more or less
informed) consent, but the way it is being implemented can be lacking in many
respects. Its goals are also incomplete and will need further work to ensure
privacy is respected.

What is lacking today is transparency: the ability to understand what happens
to your data (or rather data about you) within the complex internet machinery,
and the potential consequences. Also lacking is a "safe harbour" that would
ensure people who don't want to spend too much energy on the issue can benefit
from a reasonable level of protection.

Best regards,
Julien Maisonneuve, Nokia Corporate Standards.
