What is DNS over HTTPS (DoH)?
DNS-over-HTTPS is a relatively new technology that aims to keep your browsing private. There are some pros and cons to it, and whether or not you should use it is a matter of personal preference. But before we get into the intricacies of the technology, we first need to define what DNS over HTTPS is and how it can help (or hinder) you in the long run. Let’s find out.
What is DNS over HTTPS (DoH)?
In the late 1980s, the Internet Engineering Task Force (IETF) proposed the concept of DNS over HTTPS due to the rise of malicious network attacks. Previously, DNS queries between a web application and DNS servers were sent in plain text, using resolver settings provided by the network provider or ISP (Internet Service Provider).
DoH protects DNS queries by sending them as regular HTTPS traffic to dedicated servers that support the protocol; such a server is called a DoH resolver. Both the DNS query and the response to that query are encrypted in transit, protecting users’ privacy.
DoH is a network protocol for exchanging domain name resolution data in encrypted form over HTTPS. It uses the secure Hypertext Transfer Protocol to encrypt DNS traffic, which hides DNS queries from anyone observing the network and improves online privacy.
Popular DoH clients include Google Chrome, Mozilla Firefox, and Microsoft Edge, all of which support and deploy DoH for data protection and user privacy.
Standard DNS and DNS over HTTPS (DoH)
Networks using standard DNS communications are at risk of man-in-the-middle attacks if they do not use a traffic filtering solution. This is because all DNS queries are sent in plain text.
With DoH, the application encrypts its DNS requests using standard HTTPS. If hackers gain access to your encrypted DNS queries, they won’t be able to read them, so your communications remain private. DNS over HTTPS makes man-in-the-middle attacks on DNS more or less useless.
Without it, a threat actor on the path can see which domains you’re trying to access. In addition, enabling DoH hides your DNS queries among the large volume of HTTPS requests traversing the network.
The difference between DNS over HTTPS (DoH) and DNS over HTTP is that the latter does not use encryption.
How does DoH work?
Some names can be resolved directly on the user’s device, because the relevant records are already held in the cache of the browser or router. Anything that has to be looked up online usually goes over a UDP connection, which enables fast data exchange. However, UDP is neither secure nor reliable: when using this protocol, data packets are regularly lost because there is no mechanism to guarantee transmission.
DoH, on the other hand, is based on HTTPS and therefore on TCP, the protocol more commonly used on the Internet. Its advantages include encrypted connections and guaranteed data transmission.
Communication with DNS over HTTPS always happens through port 443, the same port that carries ordinary web traffic (e.g. visiting websites). Therefore, an outsider cannot distinguish DNS requests from other communications. This provides an additional level of user privacy.
Some benefits
- Hides online activity. This is done by using a secure DNS service and encrypting all associated traffic. When a user types a domain name into a browser, the browser makes a DNS query to translate the domain name into an IP address.
- Prevention of DNS spoofing and man-in-the-middle attacks. If the browser and DNS server are in an encrypted session, a malicious third party cannot manipulate the query results and redirect the user to a fake website.
- Improved data security and privacy. If you set up DoH correctly, you will be able to increase data privacy and security in your organization.
- Testing. You can preview how DoH connects to your networks and troubleshoot it before it becomes the default.
Disadvantages of DNS over HTTPS
DNS over HTTPS is not perfect. For example, some website blocking software will struggle with DNS over HTTPS if it depends on seeing which sites you visit. This means that schools and parents will have more trouble stopping children from accessing dangerous and harmful content.
Also, because the DNS request must go over HTTPS, your packet may take a little longer to travel through the Internet than if it were using HTTP. However, there’s a good chance you won’t notice any lag while using it.
The result
Like any IT innovation, DNS over HTTPS caused a few problems at first, until everyone got on board with it. Some may say it is still difficult. However, once DoH became the standard, its benefits far outweighed the challenges it once posed.
Integrating DoH with endpoint security enables effective DNS filtering, even when DNS traffic is encrypted.