What is DNS over TLS?

Web browser manufacturers Google and Mozilla have been taking heat lately for wanting to implement a technology called DNS over TLS. This is an important technology, so let’s talk about what DNS over TLS does and why you need it.

An increasing amount of our communications online is encrypted, which keeps other people from snooping on what we do. Leaving our DNS traffic unencrypted (DNS is the Internet’s phone book) makes it possible for anyone on the path to see who we’re communicating with online, even though the communications themselves aren’t visible. DNS over TLS seeks to close this huge privacy gap. When your operating system says your connection is secured, it’s only talking about basic security.

Why unencrypted DNS is a problem

There was a time when we valued a reasonable amount of privacy over corporate profits. DNS over TLS is something we need to bring that back.

DNS acts like the Internet’s phone book. Rather than having to remember a numeric address that varies in length from 4 to 12 digits for every website, it allows you to type human-readable names instead. It’s one of several innovations that made the Internet more useful as it grew in the 1980s and 1990s.

TLS, meanwhile, is a common form of encryption. When you’re making a purchase online, TLS is what keeps someone from stealing your credit card number after you enter it and press the submit button.

The problem with not encrypting DNS is it’s a privacy sieve. If you can see what addresses my computer is looking up, then you have a pretty good idea who I do business with, and how frequently. If you never see me resolve the address bankofamerica.com, that pretty much tells you I’m not a Bank of America customer.

That in itself might not be a huge deal to you. But do you care how many people know how many times you’ve visited preperationh.com? That you might. I mean, there’s a company that advertises during baseball games all the time whose whole business model is based on putting you in touch with doctors from the privacy of your home, and shipping you medicine in discreet packaging that doesn’t jump out and scream that you have a certain medical issue.

Well, your Internet provider knows you have that condition, and they’re perfectly willing to share it with other advertisers.

Why DNS-based ad targeting is so effective

Back in 2015, I was minding my own business, but I needed a car. I was working from home and had 30 seconds to check on something, so I checked the local Toyota dealer’s inventory from my work computer. And that day, I started seeing ads from Toyota, that dealer, and competing dealers on my personal computer and every other device in my house that can show advertising. None of these devices ever talked to my work computer. But since they all came from the same house, my Internet provider tipped off every Toyota dealer in town that I might be in the market for a Toyota and started pounding me with ads.

DNS is one of the few technologies that can jump across devices. This makes it an advertiser’s dream, of course. It means when my wife and I sit down to watch Saturday Night Live on Hulu, they can inject ads based on stuff they’ve seen us look at that weekend.

But the downside is, there’s no longer any such thing as the privacy of your own home. Your ISP has a dossier on you, stashed away in some database somewhere. And you have no right to see what’s in it, correct any mistakes in it, or opt out.

The problem DNS over TLS solves

DNS over TLS cuts this off at the pass, because it stops ISPs from being able to see what queries we’re sending out, especially if we use a DNS resolver other than the slow, unreliable one they operate. It means my ISP no longer knows if or when I’m shopping for a Toyota, and it doesn’t know when I have a headache. That’s a good thing. Those things aren’t any of the electric company’s business, or any of the water company’s business, so why should my ISP have a right to know them?

Encrypting your DNS traffic probably won’t completely stop your ISP from figuring out what companies you’re talking to online, but it makes it much harder. It forces them to sift through all of your web traffic, instead of a specially labeled portion of it. And make no mistake: they’ll do it. But they don’t want to spend the money. It’s much cheaper and easier for them to paint Google and Mozilla as villains trying to destroy the free world.
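To make the “specially labeled portion” concrete, here is an added Python illustration (not code from the original post): it builds a standard DNS query, shows the 2-byte length framing DNS over TLS uses on port 853, parses a constructed response, and sends the query inside a TLS session. The resolver address 1.1.1.1 and server name cloudflare-dns.com are assumed example values, and the sample response bytes are constructed, not captured traffic.

```python
import socket, ssl, struct

def build_query(name, txid=0x1234):
    """Minimal DNS wire-format query (RFC 1035) for an A record; identical for port 53 and DoT."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set; 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def frame_for_dot(msg):
    """DoT (RFC 7858) reuses DNS-over-TCP framing: a 2-byte big-endian length before each message."""
    return struct.pack("!H", len(msg)) + msg
def skip_name(buf, off):
    """Advance past a domain name (labels or a compression pointer); return the new offset."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if (n & 0xC0) == 0xC0:  # 2-byte pointer to an earlier name ends this name
            return off + 2
        off += n + 1

def parse_a_answers(resp):
    """Return the IPv4 addresses found in the answer section of a DNS response."""
    qdcount, ancount = struct.unpack("!HH", resp[4:8])
    addrs, off = [], 12  # answers collected; offset just past the 12-byte header
    for _ in range(qdcount):
        off = skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return addrs

SAMPLE_RESPONSE = (  # constructed, not captured: answer for example.com is 192.0.2.1, TTL 300
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # header: id, flags QR/RD/RA, 1 Q, 1 answer
    b"\x07example\x03com\x00\x00\x01\x00\x01"  # question echoed back
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01"  # name ptr, A, IN, TTL, len, IP
)

def resolve_over_tls(name, resolver="1.1.1.1", server_name="cloudflare-dns.com"):
    """Send the same query inside a TLS session to port 853; the network path sees only TLS records."""
    ctx = ssl.create_default_context()  # verifies the resolver's certificate against the CA store
    with socket.create_connection((resolver, 853), timeout=5) as raw, ctx.wrap_socket(raw, server_hostname=server_name) as tls:
        tls.sendall(frame_for_dot(build_query(name)))
        length, body = struct.unpack("!H", tls.recv(2))[0], b""
        while len(body) < length:  # recv may return partial data; read the whole framed message
            body += tls.recv(length - len(body))
        return parse_a_answers(body)
```

On a plaintext port 53 lookup the bytes from build_query travel in the clear, so the queried name is visible on the wire; resolve_over_tls sends the same bytes but only TLS records are observable.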

The problem with DNS over TLS

DNS over TLS does create one problem. It makes content filtering much more difficult. So if you need to block certain types of websites, you have to find other ways to do it. But that’s certainly solvable. Cleanbrowsing.org is a fantastic filtering service that works just fine over TLS.

Are Google and Mozilla overstepping their bounds?

Realistically, I think DNS over TLS belongs in the operating system, not the web browser. That way, the benefit extends to every application running on the computer, not just two web browsers. Google and Mozilla probably agree with that. But the only major OS vendor that has implemented this is Google, and if your phone vendor or phone company is blocking that update, you’re out of luck. Since Apple and Microsoft are dragging their feet, I’m glad Google and Mozilla are trying to force the issue.

If you found this post informative or helpful, please share it!