Open-Xchange hosted their 4th UK security roundtable event on January 31st in London at a venue close to Tower Bridge. Previous years have focussed on email security topics but this year the focus was on DNS security as there have been major developments in this area over the last 12 months. OX was pleased to host a group of just under 40 people as they listened to presentations from OX, PowerDNS, Cloudflare and BT on DNS security topics which generated discussion between all the attendees.
The five largest UK ISPs (BT, Sky, VirginMedia/LibertyGlobal, TalkTalk and Plusnet) were each represented by a selection of people from their Product and Security/Architecture teams. Also attending were Nominet, F-Secure, Scality, the Global IP/DNS guardians ICANN and UK Government organizations Ofcom and the NCSC.
The main DNS security topic discussed was Mozilla's trial of a new way for the Firefox web browser to do DNS resolution. DNS is the phone book of the Internet, converting a name such as news.bbc.co.uk into a computer-friendly number (an IP address). Normally this is done using the DNS servers of the ISP, because the box connecting your house to the Internet (known as the router, hub or CPE) tells all your devices to use them. Firefox can now send all of its DNS requests encrypted (using a protocol named DNS over HTTPS) to a different DNS server, bypassing the ISP's servers completely. This does make the DNS request more secure, since it is now encrypted between the browser and the resolver, but it also means that none of the services an ISP provides through its DNS server can be delivered any longer. Such services include family controls that stop young children reaching adult content (if you try to go to a porn site you do not get the IP address back) and protection against clicking on phishing links by mistake. Mozilla has also partnered with a company called Cloudflare to provide these DNS services, meaning everything you do is seen by a third-party company based in the USA. Google's Chrome browser, the most popular in use, could move in the same direction, meaning the vast majority of browser traffic would no longer be visible to ISPs.
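As an added illustration, not code from the original post or from any of the vendors named, the following Python builds the DNS query for news.bbc.co.uk, wraps it as an RFC 8484 DNS over HTTPS GET request, and parses a constructed response; the resolver URL is an assumed placeholder. The point for an ISP is that once the query is inside the HTTPS wrapper, its own resolver never sees the name, so nothing that depends on that resolver (filtering, phishing protection) can act on it.

```python
import base64
import struct
# Assumed placeholder endpoint for illustration, not a real resolver URL.
DOH_ENDPOINT = "https://doh.example.net/dns-query"
def build_query(name: str, qtype: int = 1) -> bytes:
    """DNS wire-format query (RFC 1035) for `name`; qtype 1 = A record.
    ID is 0 as RFC 8484 recommends for GET, so the URL is cache-friendly."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(query: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """RFC 8484 GET form: base64url with '=' padding removed. On the wire an ISP
    sees only a TLS connection to `endpoint`, not the name being looked up."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={dns}"

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name in a DNS message."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_a_records(resp: bytes) -> list:
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _, _, qd, an, _, _ = struct.unpack_from("!HHHHHH", resp, 0)
    off = 12
    for _ in range(qd):  # skip the question section (name + type + class)
        off = _skip_name(resp, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _, rdlen = struct.unpack_from("!HHIH", resp, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return addrs

def constructed_response(name: str, ip: str) -> bytes:
    """Constructed sample answer (not captured traffic): question echoed, one A record."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)  # name = pointer to offset 12
    return header + build_query(name)[12:] + rr + bytes(int(o) for o in ip.split("."))
```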
The UK ISPs accept that they need to do more to encrypt DNS traffic going forward, but they also want to ensure they can still deliver popular services to their customers using the DNS layer. They are jointly planning to lobby the Internet community on ways to extend the current DNS over HTTPS standard so that customers can choose to use the ISP's DNS server instead of the third party that a web browser vendor selects. This also has regulatory relevance, as court-ordered blocking and the blocking of child pornography sites identified by the Internet Watch Foundation are also implemented using the DNS layer.
The event helped galvanize the group into a clear position on this topic, and there will be ongoing communication within the group to finalize that position.
After the lively discussion, the majority of the group had a short but cold walk across Tower Bridge to a French restaurant to continue discussions over dinner and wine. The dinner was kindly sponsored by our partner Scality.