DNS-over-HTTPS vs DNS-over-TLS

Secure your online browsing with DoH & DoT.

DNS resolution traditionally occurs over plain text, leaving it vulnerable to interception and manipulation. To address this, DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) protocols encrypt DNS queries and responses, enhancing security and privacy.

Overview

DNS is the internet's directory service, translating human-readable domain names (e.g., google.com) into numerical IP addresses that computers use to locate resources. Traditionally, this process occurs over UDP or TCP on port 53. However, unencrypted DNS traffic can be intercepted by malicious actors, allowing them to observe browsing habits, inject malware, or redirect users to fraudulent websites.

DoH and DoT aim to mitigate these risks by encrypting DNS communication. DoH encapsulates DNS queries within HTTPS requests, using port 443, the standard port for secure web traffic. DoT, on the other hand, uses TLS encryption over a dedicated DNS port (typically 853). Both protocols provide confidentiality and integrity, ensuring that DNS data remains private and unaltered during transmission.

Core Concepts

DoH operates by sending DNS requests to a DoH-compatible server as part of an HTTPS request. The client establishes a TLS connection with the server, then carries the DNS query inside the HTTPS request (typically as the body of a POST). The server processes the query and returns the DNS response, containing the resolved IP address, in the HTTPS response body, protected by the same TLS session.

DoT follows a similar principle but uses TLS directly for DNS communication, without HTTP in between. Clients establish a TLS connection to a DoT-compatible server on port 853. The client then sends its DNS queries over this secure channel, and the server returns the DNS response, with the resolved IP address, over the same TLS-protected connection.
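The encapsulation described above, as an added example that is not code from the original article: one wire-format DNS query, the DoH GET form and the DoT framing that carry it, and a small parser for the answer. The resolver URL, query ID and sample response are assumed, constructed values.

```python
import base64
import struct
# Added example, not from the original article: one DNS query packaged for DoH
# (RFC 8484) and DoT (RFC 7858) plus a minimal answer parser; no network I/O.

def build_query(name: str, qid: int, qtype: int = 1) -> bytes:
    """RFC 1035 wire-format query for `name` (qtype 1 = A, class IN)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                     for lab in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def doh_get_url(resolver_url: str, query: bytes) -> str:
    """DoH GET form: base64url without '=' padding in ?dns= (POST sends `query` raw)."""
    return resolver_url + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def dot_frame(query: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing inside TLS: 2-byte big-endian length."""
    return struct.pack(">H", len(query)) + query

def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name starting at `off`."""
    while buf[off] != 0:
        if buf[off] & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += buf[off] + 1
    return off + 1

def parse_a_records(response: bytes, expected_qid: int) -> list[str]:
    """IPv4 addresses from the answer section; [] on ID mismatch or error RCODE."""
    qid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", response[:12])
    if qid != expected_qid or flags & 0x000F:
        return []
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(response, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(response, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in response[off:off + 4]))
        off += rdlen
    return addrs

# Constructed sample answer (not captured): one A record, 192.0.2.10 (doc address).
QUERY = build_query("example.com", qid=0x1234)
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUERY[12:]
                   + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
```

Whichever transport carries it, the query bytes are identical; only the wrapper (HTTPS request or length-prefixed TLS stream) differs, and a resolver that reports an error RCODE yields no addresses.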

Example/Walkthrough

Using a browser that supports DoH, you can configure it to use a specific DoH provider. This provider will handle all your DNS lookups securely. For example, if you set up your browser to use Cloudflare's 1.1.1.1 as your DoH resolver, all your domain name requests will be sent over HTTPS to Cloudflare's servers, ensuring privacy and protection from eavesdropping.

Pitfalls & Limits

While DoH and DoT offer security benefits, they also have some limitations. One potential issue is that relying solely on DoH or DoT can make it harder for network administrators to inspect DNS traffic for troubleshooting purposes, since the queries are no longer visible on the wire. Also, not all devices and operating systems fully support these protocols.

Another consideration is the potential impact on performance. Encrypting DNS traffic adds some overhead compared to unencrypted DNS, which could result in slightly slower resolution times in some cases, but this performance difference is generally negligible for most users.

Alternatives/Trade-offs

DNS over QUIC (DoQ) is a newer protocol that aims to address some of the limitations of DoH and DoT. It leverages the QUIC transport protocol, which offers improved performance and resilience compared to TCP. However, DoQ is still relatively new and not as widely supported as DoH or DoT.

Practical Checklist/Operational Notes

  • Ensure your devices and operating systems support DoH or DoT.
  • Choose a reputable DoH or DoT provider with a strong privacy policy.
  • Configure your network to use the chosen provider's DNS servers.
  • Monitor DNS traffic for any unusual activity or performance issues.

Security Considerations

Using DoH or DoT improves DNS security by encrypting communication and preventing eavesdropping, but these protocols do not address all potential DNS-related vulnerabilities. For example, if a malicious actor compromises your device or network infrastructure, they may still be able to change the DNS settings themselves; the encrypted channel is unaffected and simply carries the queries to whichever resolver is now configured.