The Internet threatens to lose its character as a universal communication platform. According to experts such as Geoff Huston from the Asia-Pacific Internet Registry APNIC, the greatest danger is not the concentration of DNS resolution on a few corporations, but rather the fragmentation across various protocols and client applications. Such fragmentation arises from moving DNS name resolution into the applications, Huston warned recently at the meeting of IP address administrators.
The concentration of many DNS queries at only a few resolver providers is not a major risk factor in his opinion, Huston explained to heise online. The Australian has been measuring the spread of individual protocols and the market power of the major platforms for many years. In the manageable field of open DNS resolvers, according to Huston’s latest measurements, one player towers above all others: Google.
DNS from Google
Around 15 percent of the recorded initial queries for a domain are answered, whether the users know it or not, by Google’s resolver farms. These can be reached worldwide under the IPv4 addresses 126.96.36.199 and 188.8.131.52 as well as under the IPv6 addresses 2001:4860:4860::8888 and 2001:4860:4860::8844. And if the first attempt to reach a domain fails, almost a third of the observed clients in total fall back on Google’s service.
There are, of course, major continental and country-specific differences. Surfers in many Asian and African countries rely almost exclusively on Google’s DNS service. The company has its largest user group in sovereignty-obsessed India, of all places: Indians alone make up a fifth of Google’s total DNS user base.
With mobile internet in particular, users often fall back on the free open resolver. The Android operating system shovels massive amounts of traffic into Google’s resolvers, Huston concludes. From his point of view, the increasing centralization in answering DNS queries ultimately only reflects the concentration of the underlying Internet infrastructure.
The fact that many people use Google directly or indirectly should be considered problematic, Huston replied when asked. “Google sees a lot of secrets from users. But when we look at Gmail, Google Docs, and the ubiquitous search, DNS is almost a marginal problem,” Huston notes.
Name resolution migrates to the apps
From his point of view, the much greater risk factor is the switch to DNS-over-HTTPS (DoH). With DNS encryption, app developers get to choose whom they send their DNS queries to. One example is Mozilla’s Firefox browser, which by default uses DoH on installations in the USA and sends Americans’ DNS queries to Cloudflare. This is partly due to the history of the protocol, since Mozilla and Cloudflare have worked on it together from the start. But the concentration of Firefox-generated DNS queries at Cloudflare is also due to the fact that many ISPs that have so far resolved unencrypted DNS queries as part of their Internet service for customers do not yet operate any encrypting resolvers.
“This is a fundamental change in DNS,” says Huston. “In the future, the DNS request will no longer be part of the general infrastructure, but will become an application-specific service.” It is not possible to predict which app will use which query protocol (DNS-over-HTTPS, Oblivious DNS-over-HTTPS, …), and DNS responses can no longer be expected to be consistent across different applications. Therefore, one could rightly speak of a fragmented namespace.
Lars Liman from the root server operator Netnod shares this view and concern. If the web browser on the laptop uses one resolver, but the mobile phone and the calendar app each use a different one, then consistency suffers, Liman explained to heise online.
“This could give various organizations a tool to steer users on the Internet in one direction or the other,” said Liman, and not everything has to be done with good intentions. “I think we are on the way to a new Internet in which the result of a domain query will depend on where you are on the Internet.”
The good intention of hiding DNS queries from prying eyes is as understandable as the app industry’s unwillingness to wait for providers to retrofit their DNS resolvers, according to Huston.
When asked why the app operators’ rushing ahead must go hand in hand with abandoning the uniform namespace, Huston replies with a counter-question: why should those who support an app-based name infrastructure carry the old DNS namespace over into the new world? Local names unrelated to DNS could be a natural evolution. Such names, assigned within the app, could be fast, secure and invisible to everyone else, says Huston, but they would no longer be universal.
But when an app cannot reach a target domain, troubleshooting becomes detective work. Given good error messages or sufficient intuition, the user can take the DNS problem to the app manufacturer. Users who see the DNS service as the provider’s responsibility can also call the provider’s hotline. However, the provider may not be able to reproduce the problem at all, because it does not have the app. Or it can try to work out which app is causing the DNS problems and which resolver the app developer has chosen. Is the resolver in question subject to a jurisdiction that blocks certain domains? Or has the resolver simply failed with a defect? In any case, the search for the cause can be tricky, and it is questionable whether providers even want to take on the effort.
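As an added illustration of two points made above (a DoH request is an ordinary DNS message carried over HTTPS, as specified in RFC 8484, and two resolvers chosen by two different apps can give different answers for the same name), here is example code that is not from heise online, Huston or Netnod. The resolver names, the 192.0.2.10 address and the NXDOMAIN answer are constructed samples; nothing is sent over the network.

```python
import base64, struct

def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Minimal RFC 1035 query, recursion desired; txid 0 as RFC 8484 recommends for DoH."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)  # QCLASS IN

def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: the wire-format query, base64url without padding, in the dns= parameter."""
    return resolver_url + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def build_dns_response(query: bytes, rcode: int, ips: list[str]) -> bytes:
    """Constructed response: echo the question, one A record per IP, owner = pointer 0xC00C to offset 12."""
    header = query[:2] + struct.pack(">HHHHH", 0x8180 | rcode, 1, len(ips), 0, 0)  # QR, RD, RA set
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4)
                   + bytes(int(o) for o in ip.split(".")) for ip in ips)
    return header + query[12:] + rrs

def parse_a_records(msg: bytes) -> tuple[int, list[str]]:
    """Return (RCODE, sorted IPv4 answers) from a DNS response, handling name compression."""
    def skip_name(p: int) -> int:
        while msg[p] != 0:
            if msg[p] & 0xC0 == 0xC0:  # compression pointer: two bytes end the name
                return p + 2
            p += msg[p] + 1
        return p + 1  # past the root label
    rcode = msg[3] & 0x0F
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(pos) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        pos = skip_name(pos)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return rcode, sorted(ips)

def compare_resolvers(responses: dict[str, bytes]) -> dict:
    """Parse each resolver's answer to the same question; 'consistent' is False when any two disagree."""
    views = {r: parse_a_records(m) for r, m in responses.items()}
    return {"views": views, "consistent": len({(rc, tuple(ips)) for rc, ips in views.values()}) == 1}
QUERY = build_dns_query("www.example.com")  # constructed scenario: same query sent to two DoH resolvers
SAMPLE = {"resolver-a": build_dns_response(QUERY, 0, ["192.0.2.10"]),  # NOERROR, one A record
          "resolver-b": build_dns_response(QUERY, 3, [])}  # NXDOMAIN: this resolver withholds the name
```

Running `compare_resolvers(SAMPLE)` reports `consistent: False`, the situation a provider hotline would have to untangle without knowing which app picked which resolver.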