Proposed position paper for the DEDR workshop: DNS, side effects and concentration

Julien Maisonneuve

A naming problem

Recent attacks on the DNS have caused concerns over its safety and its ability to resist attacks, notably when on-path devices can be subverted. There are several technical standards and proposals to combat the problem, but not all manage to solve the vulnerabilities that were exposed in recent attacks. For example, hijacking DNS resolvers in badly protected home routers has proved an extremely efficient attack vector which is hard to fix.

One of the attempts to answer the problem is DNS over HTTPS (DoH, RFC 8484), a way to channel DNS requests over an encrypted HTTP channel. One of the three deployment options for DoH is the integration of address resolution into applications, in particular internet browsers, potentially bypassing the typical chain of DNS resolvers (home-based, ISP, ...). This option has been implemented by Mozilla and Google in their browsers, which are used by a large share of internet users.

This solution, while easy to deploy (a handful of browser vendors can patch their software in a few days, much of which is updated automagically), has a number of adverse consequences:

* Local regulations for internet filtering through DNS filtering can be bypassed, wiping out a key tool for legal enforcement in many countries. Remediation would be complex since filtering should take place in all of the possible resolvers, unless each country mandates specific resolvers. Some regulations on record keeping (e.g. UK IPA) are also being entirely bypassed.
* Some schemes of CDN traffic redirection based on address substitution can be derailed (e.g. when provided or assisted by ISPs).
* It potentially concentrates DNS resolution in a small set of actors (typically browser vendors or chosen partners), giving them key insights into the browsing habits of their users (though on a coarse, site-based granularity).
* Even if users are in control of which DoH server they use, how should they pick one over another? How can one avoid concentration towards a few oligopolistic actors (sometimes the same usual suspects)?

The role of ISPs, and others

There was a strong reaction against government and ISP practices in terms of privacy. This is understandable: ISPs are the first go-to shop for regulators and legislators to enforce local regulations and laws, and they enjoy limited legal headroom. In some cases, ISPs have also tried to take advantage of their privileged position to extract added revenue (e.g. through ads).

But the net result of the end-to-end encryption debate has been a situation in which privacy might be maintained between application servers and their clients, but can fail entirely in the application space. This has taken different forms, from accidental leakage of confidential personal information to wholesale for-profit profiling of users leading to various forms of manipulation. Arguably, this is not in IETF's reach, but IETF's policy has given it more weight by making HTTPS endpoints more valuable.

The role of regulation and law enforcement needs to be considered. Encryption has made ISP-level interceptions less useful, but the same legal tools can be used towards application providers and platforms. It is also unlikely that regulators will sit on their hands while the tools they have relied upon (such as ISP DNS) are being bypassed. There is a risk of triggering an arms race where technical solutions increasing privacy lead to more and more intrusive regulation.

A path towards concentration

There are at least two main factors which play a role in concentration: economies of scale and network effects. We are already aware that some of the evolutions of threats over the internet have prompted concentration of actors, notably in the space of CDN but also in security (DDoS protection, ...) or DNS services.

Economies of scale are an obvious factor: providing DNS resolving for a thousand domains is not much more costly than for a few. Conversely, providing attack and DDoS protection for a few sites is not much less expensive than doing it for many. Fixed costs for development can be more easily amortized over a larger number of customers, and variable costs for additional service are very cheap in the cloud.

Network effects apply more selectively to different services: DNS is a simple service where not much can be inferred from gaining additional users. On the other hand, DDoS protection has clear benefits: more users make it possible to identify attacks more quickly and react more efficiently. End-user applications have an even greater potential: the higher you move in the stack, the more valuable information can be.

Remediation

In the case of DoH, it is likely that regulators will quickly adapt to the new paradigm (e.g. with new mandates for browser vendors). But the trend towards concentration may not be answered. As in many other internet domains, it is difficult to go against economies of scale or network effects armed only with technical tools and solutions. To some extent, the way these effects materialize is a testament to the efficiency of the protocols which have enabled a more fluid landscape.

As in other economic areas, there are few factors weighing against concentration, and effective tools tend to belong to the regulatory or political domain. However, this is not a period where enforcement is easily done, as many actors are actively fighting against change. Regulation can also adopt misguided targets to answer the public's concern of the day.

In Europe and elsewhere, GDPR has demonstrated that it was not impossible to change the status quo. It went a long way to push towards (more or less informed) consent, but the way it is being implemented can be lacking in many respects. Its goals are also incomplete and will need further work to ensure privacy is respected.

What is lacking today is transparency, the ability to understand what happens to your data (or rather data about you) within the complex internet machinery and the potential consequences. Also lacking is a "safe harbour" that would ensure people who don't want to spend too much energy on the issue can benefit from a reasonable level of protection.

Best regards,
Julien Maisonneuve,
Nokia Corporate Standards.