DNS over HTTPS

DNS over HTTPS (DoH) is a protocol that combines the Domain Name System (DNS) and Hypertext Transfer Protocol Secure (HTTPS) to provide a more private and secure way of resolving domain names to IP addresses. It encrypts DNS queries and responses within HTTPS, protecting user data from eavesdropping and manipulation, and ensuring that ISPs and other intermediaries cannot monitor or tamper with DNS traffic.

The history of the origin of DNS over HTTPS and the first mention of it

DNS over HTTPS was initially proposed in October 2017 by engineers from Mozilla and Cloudflare as a way to address security and privacy concerns associated with traditional DNS resolution. The protocol aimed to prevent internet service providers (ISPs), governments, or malicious actors from spying on users’ DNS queries, which could reveal their internet activities and potentially lead to privacy violations.

Detailed information about DNS over HTTPS. Expanding the topic DNS over HTTPS

DNS over HTTPS operates by carrying DNS queries and responses inside HTTPS requests and responses, which are encrypted and authenticated using Transport Layer Security (TLS). This encryption ensures that only the client and the resolver can read the content, protecting it from interception and modification in transit.

When a user’s device wants to resolve a domain name (e.g., www.example.com) to its corresponding IP address, it sends a DNS query to a DNS server. With DoH, instead of using the traditional UDP or TCP ports for DNS, the device sends the DNS query over port 443, which is the standard port for HTTPS traffic. The DNS query is then forwarded to a DNS server that supports DoH.

The DNS server responds by sending the DNS response back through HTTPS, completing the encrypted loop. The device decrypts the response and obtains the IP address it needs to access the desired website.

The internal structure of the DNS over HTTPS. How DNS over HTTPS works

The internal structure of DNS over HTTPS can be divided into three main components:

  1. Client: The client refers to the user’s device or application that initiates the DNS resolution process. When the client wants to resolve a domain name, it generates a DNS query and sends it over an HTTPS connection.

  2. DNS-over-HTTPS Resolver: This component receives the client’s DNS query over HTTPS. It acts as an intermediary between the client and the DNS server, handling the encryption and decryption of DNS traffic. The resolver is responsible for forwarding the DNS query to the DNS server and returning the encrypted response back to the client.

  3. DNS Server: The DNS server processes the DNS query and returns the corresponding DNS response to the DNS-over-HTTPS resolver, which, in turn, encrypts it and sends it back to the client.

The process ensures that the DNS query and response are protected from unauthorized access and manipulation.

Analysis of the key features of DNS over HTTPS

DNS over HTTPS offers several key features that enhance privacy and security:

  1. Encryption: DNS queries and responses are encrypted using TLS, preventing eavesdroppers from intercepting and deciphering DNS traffic.

  2. Authenticity: TLS also provides authentication, ensuring that clients are communicating with legitimate DNS servers and not imposters attempting man-in-the-middle attacks.

  3. Privacy: Traditional DNS resolution sends queries in plaintext, revealing users’ browsing habits. With DoH, ISPs and other intermediaries cannot monitor users’ DNS traffic.

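  4. Security: By encrypting and authenticating the connection between the client and the resolver, DoH prevents DNS spoofing and cache poisoning attacks that rely on forging or altering responses in transit on that path, enhancing the overall security of DNS resolution.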

  5. Unrestricted Access: Some networks or regions may impose restrictions on DNS traffic, but since DoH uses the standard HTTPS port (443), it can bypass these restrictions.

  6. Improved Performance: DoH can potentially improve DNS resolution performance by utilizing the optimized infrastructure of Content Delivery Networks (CDNs) used by DNS-over-HTTPS providers.

Types of DNS over HTTPS

There are two primary types of DNS over HTTPS implementations:

  1. Public DNS over HTTPS Services: These are third-party DNS-over-HTTPS resolvers provided by companies or organizations. Examples include Cloudflare, Google, and Quad9. Users can configure their devices or applications to use these public DoH services, ensuring encrypted DNS resolution.

  2. Private DNS over HTTPS Servers: In addition to using public DoH services, users can set up their own private DoH servers to handle DNS resolution for their networks. This option offers more control and privacy, as the DNS queries are not routed through third-party servers.

Here’s a comparison table of some popular public DNS over HTTPS providers:

| Provider   | IP Address         | Privacy Policy             | Features                        |
|------------|--------------------|----------------------------|---------------------------------|
| Cloudflare | 1.1.1.1, 1.0.0.1   | Privacy-First DNS Resolver | Malware and Phishing Protection |
| Google     | 8.8.8.8, 8.8.4.4   | Google Public DNS          | Safe Browsing and DNSSEC Support |
| Quad9      | 9.9.9.9            | Privacy and Security       | Filtering for Malicious Domains |
| OpenDNS    | 208.67.222.222     | Cisco Umbrella             | Customizable Content Filtering  |

Ways to use DNS over HTTPS, problems, and their solutions related to the use

Users can enable DNS over HTTPS on their devices or applications by configuring the DNS resolver settings. Many modern web browsers also support DoH natively, making it easy for users to opt for encrypted DNS resolution.

However, there are some challenges associated with DNS over HTTPS adoption:

  1. Compatibility: Not all DNS servers support DoH, so some domains may not resolve correctly when using DNS over HTTPS. However, the number of DoH-compatible DNS servers is increasing.

  2. Deployment: For private DoH servers, setting up and maintaining the infrastructure may require technical expertise.

  3. Censorship and Monitoring: While DoH enhances privacy, it can also be used to bypass content filtering and censorship measures, which raises concerns for some governments and network administrators.

To address these challenges, it’s essential to have a diverse range of public DNS over HTTPS providers and promote the adoption of DoH among DNS operators.

Main characteristics and other comparisons with similar terms

Let’s compare DNS over HTTPS with some similar terms:

  1. DNS over TLS (DoT): Similar to DoH, DNS over TLS encrypts DNS traffic, but it uses TLS without the HTTP layer. Both protocols aim to achieve the same goal of encrypted DNS, but DoH can be more firewall-friendly since it uses the standard HTTPS port.

  2. VPN (Virtual Private Network): VPNs also encrypt internet traffic, including DNS queries, but they operate at a different layer. VPNs encrypt all traffic between the user’s device and the VPN server, whereas DoH only encrypts DNS traffic between the client and the DNS-over-HTTPS resolver.

  3. DNSSEC (DNS Security Extensions): DNSSEC is a security feature for DNS that provides data integrity and authentication. While DNSSEC and DoH can be used together to enhance security, they serve different purposes. DNSSEC protects against DNS data tampering, while DoH protects DNS traffic from eavesdropping and monitoring.

Perspectives and technologies of the future related to DNS over HTTPS

DNS over HTTPS has gained significant traction in recent years, and its future looks promising. As more users and organizations prioritize online privacy, DoH is likely to become a standard feature in modern browsers and applications. The continued growth of public DNS over HTTPS providers and the adoption of DoH by DNS operators will contribute to its widespread use.

Additionally, the development of novel DNS technologies and security enhancements, such as combining DoH with DNSSEC or implementing privacy-preserving features like DNS blindfold, may further enhance the privacy and security of DNS resolution.

How proxy servers can be used or associated with DNS over HTTPS

Proxy servers can play a vital role in the context of DNS over HTTPS, especially in scenarios where DNS resolution is restricted or when additional anonymity is desired. Here are some ways proxy servers can be associated with DNS over HTTPS:

  1. Bypassing DNS Restrictions: In regions or networks where DNS over HTTPS is blocked, users can route their DNS queries through proxy servers to access DoH resolvers and resolve domain names securely.

  2. Enhanced Anonymity: Proxy servers can act as intermediaries between the user and the DoH resolver, providing an additional layer of anonymity by hiding the user’s IP address from the DNS resolver.

  3. Load Balancing and Caching: Proxy servers can help distribute DNS queries among multiple DoH resolvers, ensuring better load balancing and potentially reducing DNS resolution times through caching.

  4. Custom DoH Implementation: Organizations can deploy private proxy servers with DNS over HTTPS capabilities, allowing them to have more control over their DNS traffic and maintain their DNS privacy.

Related links

For more information about DNS over HTTPS, you can explore the following resources:

  1. Mozilla Wiki – DNS over HTTPS
  2. Cloudflare – DNS over HTTPS
  3. Google Public DNS – DNS over HTTPS
  4. Quad9 – DNS over HTTPS
  5. IETF RFC 8484 – DNS Queries over HTTPS (DoH)

In conclusion, DNS over HTTPS is a critical advancement in the world of proxy servers, providing enhanced privacy and security for users’ DNS queries. By encrypting DNS traffic within HTTPS, DNS over HTTPS ensures that sensitive information remains confidential and protected from unauthorized access. As the internet continues to evolve, DNS over HTTPS is likely to become an integral part of securing online communications and safeguarding user data from potential threats.

Frequently Asked Questions about DNS over HTTPS: Enhancing Privacy and Security in the World of Proxy Servers

DNS over HTTPS (DoH) is a protocol that combines DNS and HTTPS to encrypt and secure DNS queries and responses. It prevents eavesdropping and manipulation of DNS traffic, enhancing user privacy and security during internet browsing.

When a user wants to access a website, their device sends a DNS query to resolve the domain name to an IP address. With DoH, this query is encrypted within HTTPS and sent to a DNS-over-HTTPS resolver. The resolver then forwards the query to a DNS server, receives the encrypted response, and sends it back to the user’s device, ensuring data confidentiality.

DNS over HTTPS offers encryption, authenticity, privacy, and improved security. It encrypts DNS queries, authenticates communication with DNS servers, prevents spying on users’ DNS traffic, and safeguards against DNS spoofing and cache poisoning attacks.

You can enable DNS over HTTPS on your devices or applications by configuring the DNS resolver settings. Some modern web browsers support DoH natively, making it easy to activate encrypted DNS resolution. Additionally, you can use public DNS over HTTPS services provided by companies like Cloudflare, Google, or Quad9, or set up your own private DoH server.

There are two main types of DNS over HTTPS implementations: public DNS over HTTPS services provided by third-party companies, and private DNS over HTTPS servers that users can set up for their networks.

Proxy servers can complement DNS over HTTPS by allowing users to bypass DNS restrictions, enhance anonymity, and provide load balancing and caching capabilities. Organizations can also deploy private proxy servers with DoH support to have more control over their DNS traffic.

DNS over HTTPS is expected to become more widely adopted as user awareness of online privacy increases. As technology evolves, it may be combined with DNSSEC or other privacy-preserving features. Additionally, more DNS operators may embrace DoH to enhance their services’ security.

For more in-depth details about DNS over HTTPS, you can explore the Mozilla Wiki, Cloudflare, Google Public DNS, Quad9, and IETF RFC 8484 (DNS Queries over HTTPS). These resources provide comprehensive insights into the protocol and its implementation.
