Google has spawned another monster, DNS over HTTPS. Mozilla is already experimenting on Firefox Nightly users by sending their private data to Cloudflare, another one of the early adopters. It’s probably time to start panicking, since that may be the future of DNS.
Brief DNS history
DNS usually works on top of UDP, though TCP is used for more important requests; it is defined in RFC 1034 from 1987 and, even earlier, in RFC 883 from 1983. It’s pretty simple and minimal, but lacks any means of verification or encryption, allowing a variety of attacks, as early network protocols did in general. Many of those protocols now run on top of TLS instead of plain TCP, which is a relatively easy transition.
But not DNS.
DNSSEC is an ongoing (since the 1990s) effort to get DNS records signed by their authors without piggybacking on X.509 PKI (which has its own issues) or anything else. Turns out it’s not such an easy task in a world where we can barely type, transmit, or display text messages, but after a few attempts they’ve got it more or less working on limited deployments. And it still doesn’t provide encryption.
A new proposal
Apparently Poettering was busy, so Google decided to step in: get the poor thing, and add the needed features, but in the worst way imaginable – if you have a good imagination, that is.
Just adding TLS would be a no-brainer, but Google had to come up with a way to make it more awkward and ads-friendly at once. So they’ve wrapped it in HTTP and in JSON, apparently targeting in-browser JS: no more simple system-wide hosts-based blocking of ads and trackers.
Then they’ve decided to have some fun with the corpse of the OSI model, by engaging in the popular activity of turning the layers inside out and duplicating their functionality: meet random_padding inside JSON, on top of HTTP, on top of TLS, which by itself can (and should) handle padding!
Our Pimp My Code team still has a thing or two to learn from those guys.