Do Not Snoop: DNS security at Open-Xchange’s UK roundtable

Feb 18, 2019


Open-Xchange hosted its 4th UK security roundtable event on January 31st in London, at a venue close to Tower Bridge. Previous years have focussed on email security topics, but this year the focus was on DNS security, as there have been major developments in this area over the last 12 months. OX was pleased to host a group of just under 40 people, who listened to presentations from OX, PowerDNS, Cloudflare and BT on DNS security topics that generated discussion among all the attendees.

The five largest UK ISPs (BT, Sky, VirginMedia/LibertyGlobal, TalkTalk and Plusnet) were each represented by a selection of people from their Product and Security/Architecture teams. Also attending were Nominet, F-Secure, Scality, the global IP/DNS guardian ICANN, and the UK Government organizations Ofcom and the NCSC.

The main DNS security topic discussed was that the Mozilla Firefox web browser is trialing a new way to do DNS resolution. DNS is the phone book of the Internet, converting a domain name into a computer-friendly number (an IP address). Normally this is done using the DNS servers of the ISP, as these are what the box connecting your home to the Internet (known as the router/hub/CPE) tells all your devices to use. Firefox can now send all of its DNS requests encrypted (using a protocol named DNS over HTTPS) to another DNS server, bypassing the ISP’s servers completely. This does make the DNS request more secure, as it is now encrypted, but it also means that the services an ISP provides using its DNS server can no longer be delivered. Such services include family controls to prevent young children from accessing adult content (if you try to go to a porn site then you do not get the IP address back) and stopping you from clicking on phishing links by mistake. Mozilla has also partnered with a company called Cloudflare to provide these DNS services, meaning everything you do is seen by a third-party company based in the USA. Google's Chrome browser, the most popular in use, could also be moving in the same direction, meaning the vast majority of browser traffic will no longer be visible to ISPs.

The UK ISPs accept that they need to do more to encrypt DNS traffic going forward, but they also want to ensure they can still deliver popular services to their customers using the DNS layer. They are jointly planning to lobby the Internet community around ways to extend the current DNS over HTTPS standard so that their customers can decide to use the ISP’s DNS server instead of the third party that a web browser vendor decides to use. This also has regulatory relevance, as court-ordered blocking and the blocking of child pornography as defined by the Internet Watch Foundation are also implemented using the DNS layer.

The event helped galvanize the group into a clear position on this topic and there will be ongoing communication between the group to finalize a position.

After the lively discussion, the majority of the group had a short but cold walk across Tower Bridge to a French restaurant to continue discussions over dinner and wine. The dinner was kindly sponsored by our partner Scality. 


About the author

Stuart Paton

Sales Director
