How Does DNS over HTTPS Work?

Published in DNS Security 4 mins read

DNS over HTTPS (DoH) works by encrypting your DNS queries and sending them over the secure HTTPS protocol, the same one used for secure web browsing. This process hides your domain name requests from prying eyes on the network.

At its core, DNS over HTTPS (DoH) is a protocol that encrypts DNS traffic by passing DNS queries through an HTTPS encrypted session. Instead of sending plain text DNS queries over UDP or TCP port 53, DoH wraps the DNS query inside a standard HTTPS request.

Here’s a breakdown of the process:

  1. Initiating the Query: When you type a website address (like www.example.com) into your browser, or an application needs to connect to a domain, your device needs to find the corresponding IP address.
  2. Forming the HTTPS Request: Your device or browser, configured to use DoH, packages the DNS query (e.g., "What is the IP address for www.example.com?") into the payload of an HTTPS request.
  3. Establishing a Secure Connection: Your device initiates a standard HTTPS connection (encrypted with TLS) to a configured DoH server (e.g., https://doh.provider.com/dns-query). This establishes an encrypted tunnel.
  4. Sending the Encrypted Query: The HTTPS request carrying the DNS query is sent over this encrypted connection to the DoH server, typically on TCP port 443. TLS encrypts the whole request, so on the wire the query looks like any other HTTPS traffic.
  5. Server Processing: The DoH server terminates the TLS session, extracts the DNS query from the HTTP request, and performs the standard DNS lookup process to find the IP address for the requested domain.
  6. Forming the Encrypted Response: The server packages the DNS response (the IP address) into the payload of an HTTPS response.
  7. Sending the Encrypted Response: The HTTPS response carrying the DNS answer is sent back to your device over the same encrypted connection.
  8. Client Decryption: Your device decrypts the HTTPS response and extracts the IP address from the DNS answer, allowing your browser or application to connect to the desired website or service.
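As an added example (not part of the original article), the Python below sketches both ends of steps 2, 4 and 5 using the RFC 8484 GET form: the client encodes a wire-format DNS query as the base64url `dns` parameter of a request to the article's example endpoint `https://doh.provider.com/dns-query` (a placeholder host), the server side decodes it back, and the client then parses A records out of the reply. The TLS connection itself is left to any HTTPS client, and the resolver reply here is constructed rather than captured.

```python
import base64
import struct
from urllib.parse import parse_qs, urlencode, urlparse

DOH_URL = "https://doh.provider.com/dns-query"  # endpoint from the article; the host is a placeholder

def build_query(name, qtype=1):
    """DNS wire-format query (RFC 1035); ID 0 as RFC 8484 suggests so HTTP caches can reuse answers."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID, flags (RD=1), QDCOUNT=1, rest 0
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_url(query):
    """Client side, GET form: base64url with padding stripped, carried in the 'dns' parameter."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return DOH_URL + "?" + urlencode({"dns": dns})

def decode_dns_param(url):
    """Server side (step 5): recover the wire-format query from the 'dns' parameter."""
    dns = parse_qs(urlparse(url).query)["dns"][0]
    return base64.urlsafe_b64decode(dns + "=" * (-len(dns) % 4))

def _skip_name(msg, off):  # advance past a domain name, whether written out or a compression pointer
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_a_records(resp):
    """IPv4 addresses from the answer section; rejects non-responses and error RCODEs."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if not flags & 0x8000 or flags & 0x000F:
        raise ValueError("not a successful DNS response")
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return addrs

def sample_response(query, ipv4):
    """Constructed resolver reply (not captured traffic): QR/RD/RA set, question echoed, one A record."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ipv4.split("."))
    return header + query[12:] + rr
```

Sending the built URL with `Accept: application/dns-message` over HTTPS, or POSTing the raw query with `Content-Type: application/dns-message`, is what a real DoH client does in steps 3 and 4.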

Why Use DNS over HTTPS?

Using DoH provides significant advantages over traditional unencrypted DNS:

  • Enhanced Privacy: Because the DNS query travels inside the HTTPS tunnel, it cannot be read by intermediaries on the network, such as your ISP, a network administrator, or anyone eavesdropping on your connection.
  • Improved Security: Because the traffic is encrypted and the server is authenticated by TLS, DoH makes it much harder for attackers to:
    • Eavesdrop: See which websites you are trying to visit.
    • Tamper: Alter DNS responses in transit to redirect you to malicious sites (DNS spoofing or man-in-the-middle attacks), because TLS protects the integrity of the session.
  • Bypassing DNS Filtering: In some cases, DoH bypasses network-level DNS filtering. Users may view this as a privacy feature, while network administrators who rely on DNS for policy enforcement and monitoring may view it as a management challenge.

Comparing DoH and Traditional DNS

Let's look at the key differences:

| Feature | Traditional DNS | DNS over HTTPS (DoH) |
|---|---|---|
| Protocol | UDP/TCP | HTTPS (over TCP) |
| Port | Typically 53 | Typically 443 (standard HTTPS port) |
| Encryption | None (queries and responses sent in plain text) | Yes (entire query and response encrypted within HTTPS) |
| Visibility | Easily visible to network administrators/ISPs | Hidden within standard HTTPS traffic |
| Privacy | Low | High |
| Security | Vulnerable to snooping and spoofing | Protected against snooping and tampering |

In summary, DoH leverages the widely used and trusted HTTPS protocol to add a layer of encryption and authentication to DNS lookups, providing much-needed privacy and security improvements compared to the older, unencrypted DNS system.