DNS over HTTPS (DoH)
Introduction
The Domain Name System (DNS) is a critical protocol for the functioning of the Internet. The computers that make up the Internet are addressed using IP addresses; however, the people that use the Internet generally don’t want to memorize these IP addresses and use them to direct their traffic (with the notable exception of DNS servers). Instead, people use domain names to direct their traffic, which makes things easier for the user to remember and easier for advertisers to get people to actually visit their websites. By using DNS servers, a client computer can find the IP address associated with the domain requested by the user.
One of the main issues with DNS is that it has significant impacts on the privacy of the user. While many Internet protocols were not made secure and private by design, the use of SSL (and later TLS) enabled traffic to and from a server to be encrypted. As a result, it’s possible to determine that two computers are communicating with one another but not see the data being transmitted if, for example, they’re using HTTPS. The only issue with this is that finding the IP address to communicate with requires the client to perform a DNS lookup if they don’t already know the domain.
FREE role-guided training plans
Since these DNS lookups are not encrypted, this allows anyone monitoring these requests to know the websites that a user is attempting to visit. As a result, monitoring DNS requests is a common way that governments and organizations invade the privacy of Internet users.
What is DoH?
DNS over HTTPS (DoH) is defined in RFC 8484 and designed to fix this privacy problem. The concept is straightforward: Instead of sending DNS requests and responses out in cleartext, they’ll be sent wrapped in an HTTPS GET or POST request. Since HTTPS is encrypted and authenticated using TLS, this decreases an attacker’s ability to view or modify them.
While DoH may not be widespread and is still considered “in development”, that doesn’t mean that it’s not already available. Firefox’s Nightly build already includes DoH functionality, using Cloudflare’s 1.1.1.1 DNS server as its default server. This provides individuals and organizations the opportunity to test out the technology before it goes mainstream. However, there are likely some bugs that will need working out.
Moving from traditional DNS to DoH is a major step. The Internet has been using unencrypted DNS traffic for decades now, and many DNS servers may not have the ability to generate and transmit encrypted responses without a significant upgrade. As a result, it may not be possible to access certain sites when using DoH.
Assuming that DoH is implemented well and completely functional, there are still significant pros and cons associated with it.
Pros of DoH
The primary pro is that DNS provides additional privacy and security to the Internet user. Since DNS is traditionally sent in cleartext, it can be both viewed and modified by someone performing a Man-in-the-Middle attack. This gives the attacker the ability to spy upon and potentially redirect the user’s Internet traffic. While the use of TLS limits the potential impact, this can still cause significant impacts on privacy, and DoH can prevent that.
Cons of DoH
The main downsides of DoH are that it’s both effective and potentially not effective enough. The main issue with an effective DNS encryption scheme is the fact that it breaks the surveillance laws in several countries. For example, the UK plans to use DNS monitoring to ensure that users are over 18 before viewing adult-rated content. With DNS encapsulated in HTTP and encrypted by TLS, this monitoring may not be possible. As a result, the use of DoH may be technically illegal in some countries.
DoH also may not be “good enough” at protecting privacy, due to the fact that it still uses the traditional recursive DNS scheme for lookups. For example, visiting www.example.com will require queries to both the .com and the example.com DNS servers in order to resolve the request. Some browsers will take a “greedy” approach to this, requesting the entire domain name at each level in hope of skipping a few steps. As a result, every DNS server knows the eventual destination of the traffic. However, this can be mitigated using DNS minimization.
Even with DNS minimization, there may be some leakage of information about DNS requests. With a recursive DNS lookup, the client will send a request to the .com DNS server, followed almost immediately by one to the example.com server. Correlating these two requests gives an eavesdropper the IP address of the next DNS server down the chain, which may be unique to the example.com domain. While this does not show the exact page that the user is visiting, it still leaks some information.
The road ahead for DoH
DoH is the latest of several attempts to add encryption to DNS requests. However, it is the one that seems most likely to succeed, since Google and Mozilla have decided to run with it in their Web browsers. Since Chrome and Firefox are some of the most widely used Internet browsers, this is probably enough to force widespread adoption.
The simple result of implementing DoH is an improvement in Internet user privacy. This is in line with the recent trend toward increased user privacy, as demonstrated by new regulations like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) among others. However, this functionality also directly violates regulations in several different countries, meaning that ISPs may be obligated to disallow it or find an alternative means of surveilling Internet activity.
If the regulations win out over the new technology, the end result may be that nothing really changes unless the workaround employed by the ISPs is limited to them and not available to malicious parties (which seems extremely unlikely). Either that or DoH will be like the passcode on your smartphone, which protects you in general but can be defeated by law enforcement if given a reason to try.
FREE role-guided training plans
Sources
- DNS Queries over HTTPS (DoH), IETF Tools
- Pros and Cons of DNS Over HTTPS, Netsparker
- UK porn block: everything you need to know, TechRadar
In this Series
- DNS over HTTPS (DoH)
- Free Valentine's Day cybersecurity cards: Keep your love secure!
- How to design effective cybersecurity policies
- What is attack surface management and how it makes the enterprise more secure
- Is a cybersecurity boot camp worth it?
- The aftermath: An analysis of recent security breaches
- Understanding cybersecurity breaches: Types, common causes and potential risks
- Breaking the Silo: Integrating Email Security with XDR
- What is Security Service Edge (SSE)?
- Cybersecurity in Biden’s era
- Password security: Using Active Directory password policy
- Inside a DDoS attack against a bank: What happened and how it was stopped
- Inside Capital One’s game-changing breach: What happened and key lessons
- A DevSecOps process for ransomware prevention
- What is Digital Risk Protection (DRP)?
- How to choose and harden your VPN: Best practices from NSA & CISA
- Will immersive technology evolve or solve cybercrime?
- Twitch and YouTube abuse: How to stop online harassment
- Can your personality indicate how you’ll react to a cyberthreat?
- The 5 biggest cryptocurrency heists of all time
- Pay GDPR? No thanks, we’d rather pay cybercriminals
- Customer data protection: A comprehensive cybersecurity guide for companies
- Online certification opportunities: 4 vendors who offer online certification exams [updated 2021]
- FLoC delayed: what does this mean for security and privacy?
- Stolen company credentials used within hours, study says
- Don’t use CAPTCHA? Here are 9 CAPTCHA alternatives
- 10 ways to build a cybersecurity team that sticks
- Verizon DBIR 2021 summary: 7 things you should know
- 2021 cybersecurity executive order: Everything you need to know
- Kali Linux: Top 5 tools for stress testing
- Android security: 7 tips and tricks to secure you and your workforce [updated 2021]
- Mobile emulator farms: What are they and how they work
- 3 tracking technologies and their impact on privacy
- In-game currency & money laundering schemes: Fortnite, World of Warcraft & more
- Quantitative risk analysis [updated 2021]
- Understanding DNS sinkholes - A weapon against malware [updated 2021]
- Python for network penetration testing: An overview
- Python for exploit development: Common vulnerabilities and exploits
- Python for exploit development: All about buffer overflows
- Python language basics: understanding exception handling
- Python for pentesting: Programming, exploits and attacks
- Increasing security by hardening the CI/CD build infrastructure
- Pros and cons of public vs internal container image repositories
- CI/CD container security considerations
- Vulnerability scanning inside and outside the container
- How Docker primitives secure container environments
- Top 4 Zapier security risks
- Common container misconfigurations and how to prevent them
- Building container images using Dockerfile best practices
- Securing containers using Docker isolation
- Introduction to container security
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
General security
Free Valentine's Day cybersecurity cards: Keep your love secure!
General security
General security