
How DNS over HTTPS is Reshaping Privacy, Performance, and Policy in the Internet Ecosystem

Kevin Borgolte, Tithi Chattopadhyay, Nick Feamster, Mihir Kshirsagar, Jordan Holland, Austin Hounsel, Paul Schmitt
Princeton University and The University of Chicago

Abstract

Internet communication relies on the Domain Name System (DNS), which maps a human-readable Internet destination to an IP address. A recent proposal for transmitting DNS over HTTPS (DoH) enhances client privacy by tunneling DNS over secure HTTP (HTTPS). In this paper, we explore the policy implications of consolidated DoH by systematically analyzing the marketplace, measuring its performance effects, and investigating how it affects the different stakeholders, including consumers. We enumerate the agents in the marketplace as well as their market incentives. We then examine the performance of DoH through client-based measurements that compare unencrypted DNS with DoH. As DoH deployments change the competitive landscape of the market, we explore their effect on other operators, ISPs, and broadband access at the last mile, as well as the potential regulatory and policy implications of DoH deployments.

1 Introduction

Essentially all Internet communication relies on the Domain Name System (DNS), which maps a human-readable Internet destination to an IP address before two endpoints can communicate. Today, most DNS queries and responses are transmitted in cleartext, making them vulnerable to eavesdroppers and traffic analysis. To mitigate some of these privacy risks, ongoing work in both standards bodies and browser implementations transmits DNS over HTTPS (DoH) between clients and third parties who operate DoH resolvers.

Encrypting DNS transport offers certain privacy benefits, but doing so entails various architectural changes. Namely, the default operators of DNS, once largely Internet service providers, become content providers, content delivery networks, and essentially any other third party. This change has fundamental implications for performance, competition, and privacy in the Internet ecosystem. From the performance perspective, a shift to DoH would potentially impede the performance of conventional DNS lookups while accelerating the performance of content delivery when the content is co-located with the DoH resolver. This scenario is already the case today, where many DoH operators also operate content delivery networks (CDNs). This mode of operation may result in better performance for content that is hosted on these CDNs, effectively rekindling certain aspects of net neutrality, where content hosted by some parties is practically delivered with better performance than others.

Encrypted DNS traffic would also seem to improve privacy, but the net effect of DoH is ultimately a change whereby a single party can observe and monetize DNS traffic, where monetization might take many forms, ranging from the ability to more efficiently deliver content to the ability to deliver targeted advertising. DoH also has implications for competition dynamics among CDNs: certain CDNs use client localization techniques based on the location of the client’s DNS resolver. In some cases, DoH makes this type of client localization more challenging, meaning that these CDNs would face significant operational costs merely to stay competitive. Whoever controls DNS controls client mapping to content, increasing the potential for anti-competitive behavior in content delivery. For example, a DoH operator could degrade the performance of content delivery from competitors—possibly unintentionally, through suboptimal server mapping—possibly in difficult-to-measure ways. Finally, the consolidation of DNS resolution that would result from a small number of DoH providers creates the potential for surveillance, censorship, manipulation, control, and coercion.

In this paper, we explore the policy implications of DoH by measuring its performance as compared to conventional DNS, analyzing the marketplace dynamics, and investigating the implications of architectural refactoring on regulatory policy. We first explore the competitive landscape, including the incentives of various stakeholders, from ISPs to CDNs. We then compare conventional unencrypted DNS to DoH using multiple DoH providers and while varying the network performance conditions. We then explore various policy implications. As DoH deployments can change the competitive landscape of the market, we explore their impact on other operators, ISPs, and broadband access at the last mile. Finally, we explore the potential regulatory and policy implications of current and future DoH deployments.

2 Market Structure and Current Competitive Landscape

A client or the user that wants to access a particular type of content, or application, does so by searching a domain name. These domain names then need to be mapped to IP addresses. Every device connected to the Internet has a unique IP address and the process of translating domain names to the IP address involves several different steps that are often performed by a DNS resolver. Traditionally, DNS resolvers have been managed by the user’s ISP, and the process could often involve making repeated requests until the IP address is identified. In some cases this process is simplified by temporarily storing data closer to the client (DNS caching). Caching can be done at the ISP’s resolver, the user’s system, and the browser level. CDNs also play an important role in storing data closer to the client to improve performance and process queries faster. The process of DNS resolution involves the following agents: the client/user making the request, the web browser, the operating system, the ISP (that carries out DNS resolution), the content provider, and possibly a CDN.

The DNS queries transmitted to and from the ISPs are often unencrypted and insecure. Prior work has demonstrated that DNS queries can make users susceptible to eavesdropping and tracking [11]. These potential privacy risks have resulted in recent developments that include applying encryption techniques to DNS traffic [2, 5, 12, 15, 21, 26]. In this paper, we focus on DNS over HTTPS (DoH) [12]. The most common implementation of DoH has been through web browsers, like Mozilla Firefox and Google Chrome. They are able to implement and use this protocol because of collaborations and ties with CDN operators, who also operate DoH recursive resolvers. Although the agents involved in DoH are the same as for conventional DNS, the agent delivering the domain name resolution service is no longer the ISP, and the features and characteristics of the service have changed. This causes the interdependencies and relationships between the agents to shift. These changing interdependencies have an effect on overall market structure.

2.1 Competition and Adjacent Markets

Direct Competition. Traditional DNS resolvers operated by ISPs will be directly affected as they use DNS traffic analysis to enable parental control and malware detection, among some of their offerings. DoH implementations through web browsers and third party CDNs are in direct competition with ISPs because the older protocol is primarily run by ISPs. DNS queries that are now resolved through cloud services, as in DoH, directly compete with traditional ISPs that previously handled the resolution process.

Consequences for Adjacent Markets (particularly ISPs and CDNs). Several of the agents involved in implementation of the DoH resolvers have tie-ins with third party CDNs or operate in adjacent markets. These relationships lead to potential uses of monopoly leveraging in the adjacent market. In markets where the same provider operates in multiple complementary markets, it is possible that the provider can sustain loss of revenue in one market while they build up their customer base because of their ability to use their presence in the adjacent highly concentrated market to recover some of these losses. In cases where agents described above operate in multiple markets, it becomes critical to observe revenue generation strategies employed in other markets to squeeze out competition in a new market.

Several existing studies explore how complementary products can be used to preserve and create monopolies in the future and in emerging markets [3]. Their analysis focused on entry costs and network externalities and extends the analysis to the Microsoft case where a tie-in of Windows and Internet Explorer created a monopolistic market structure. This work can further be extended to areas where a setting is analyzed in which a monopolist can control the pace of innovations and the lifetime of a particular product. In the case of DoH, there is potential risk of impact to CDN localization and diversity if only a few concentrated applications (e.g., web browsers) and DNS resolvers control the global market.

Bundling. The practice of bundling products or services has commonly been used in the telecommunications and information industry. On one hand these industries are highly interconnected and benefit

According to several web traffic measurement sources, over 80% of the global web traffic usage is from three web browsers: Google Chrome, Apple Safari and Mozilla Firefox (Internet Explorer if one considers only desktop browsers). While there are differences in their methods of measuring global traffic, these different measurement sites unanimously point toward a concentration of global players in the web browser market.