
Google Moves to Control More of the Internet

The company has said that its goal is only to create a faster Internet, which allows for more use and hence more searches and thus more revenue for them.

Larry Loeb

February 13, 2019


The Domain Name System (DNS) is one of the Internet's core technologies, but it is invisible to most users. It takes a host name such as "www.foo.com" and turns it into the numerical IP address that is needed before any data can actually be transferred.

Most DNS resolution is currently handled by whichever Internet service provider (ISP) the user has engaged. The ISP runs the resolver servers and the lookup tables that translate between names and numbers.

However, there have been recent moves by Google and Cloudflare to bypass these ISP lookups by offering their own DNS resolver services.

To support this, a transport protocol called DNS over HTTPS (DoH) has been developed so that DNS queries can be sent securely over HTTPS.

The DoH protocol uses the HTTP and Transport Layer Security (TLS) infrastructure to deliver encrypted and authenticated DNS answers that are very hard for network operators lower down the transmission hierarchy to block.

DoH is not perfect.

DoH shares the benefits as well as the downsides of HTTPS. It can send out more trackable and identifiable data than a regular DNS session, because HTTP supports things like headers and cookies. TLS session resumption can serve as a tracking mechanism too.

On the plus side, DoH makes it possible to push DNS answers out even before they have been asked for, which could help the loading performance of a page. And the returned answers are encrypted and authenticated, as previously mentioned, which would stop anyone from hijacking a DNS name server.

DoH is what allows DNS resolution to migrate to cloud entities, bypassing local providers. For someone stuck in a location that censors what they may connect to, that may be seen as a positive. If you do not trust your current DNS resolver, the protocol gives you a choice of whom you trust to do your DNS resolution.

But -- and this is a big point -- even though the TLS connection that DoH sets up is encrypted and private, the Server Name Indication (SNI) used in that connection is sent in plain text. That is true even in TLS 1.3, the latest version.

And this gives some users pause when thinking about how DoH may be used.

A plain text SNI can enable someone like Google to build up, over time, a profile of the websites a user has visited. Google, when asked about this, has said that its goal is only to create a faster Internet, which allows for more use and hence more searches and thus more revenue for them. One must then trust that Google's viewpoint will not change over time, that it will not monetize this record of user behavior, and that it will not block local ISP features such as ad blocking that interfere with its core business.

In the end, changing the way DNS is resolved will end up giving companies like Google even more control over a user's Internet experience. Whether a user is willing to trade avoidance of political censorship for commercial censorship is a tricky call.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
