askvity

How Does DNS over HTTPS Work?

Published in DNS Security

DNS over HTTPS (DoH) is a protocol designed to increase user privacy and security online by encrypting Domain Name System (DNS) traffic.

At its core, DNS over HTTPS (DoH) works by sending DNS queries and responses over the standard HTTPS protocol, which is the encrypted version of the Hypertext Transfer Protocol used for secure web browsing. This is distinct from traditional DNS, which typically sends queries in plain text over UDP or TCP port 53.

According to TechTarget, "DNS over HTTPS (DoH) is a protocol that encrypts DNS traffic by passing DNS queries through an HTTPS encrypted session. DoH can help improve online security and privacy and protect DNS queries from attacks."

Here's a breakdown of the mechanism:

The Mechanism: Encrypted Queries

  1. Client Initiates Query: When you type a website address (like www.example.com) into your browser or an application needs to connect to a domain, it needs to find the corresponding IP address.
  2. Encapsulation in HTTPS: Instead of sending a standard, unencrypted DNS query, the DoH-enabled client (like your browser or operating system) packages the DNS query within a standard HTTPS request. This request is directed towards a server specifically configured to handle DoH queries.
  3. Encryption via TLS: This HTTPS request, containing the DNS query, is then encrypted using the TLS protocol (the successor to SSL) – the same encryption used to secure connections when you see "https://" in your browser's address bar.
  4. Transmission: The encrypted HTTPS request is sent over the internet, typically using TCP port 443, the standard port for HTTPS traffic. Because it looks like regular web traffic, it's harder for network observers to distinguish it as a DNS query.
  5. Server Processing: A dedicated DoH server receives the encrypted HTTPS request. It decrypts the request, extracts the DNS query, performs the lookup (finding the IP address for the domain), and then packages the DNS response (containing the IP address) back into an HTTPS response.
  6. Encrypted Response: The DoH server encrypts this HTTPS response using TLS/SSL and sends it back to the client.
  7. Client Decryption: The client receives the encrypted response, decrypts it, and extracts the IP address needed to connect to the website or resource.

Traditional DNS vs. DoH

Let's compare the key differences:

Feature    | Traditional DNS                        | DNS over HTTPS (DoH)
-----------|----------------------------------------|---------------------------------------
Encryption | None (plain text)                      | Yes (TLS/SSL within HTTPS)
Port       | UDP/TCP port 53 (usually UDP)          | TCP port 443 (standard HTTPS port)
Visibility | Easily readable by network observers   | Hidden within encrypted HTTPS traffic
Privacy    | Low                                    | High
Security   | Vulnerable to tampering/snooping       | More resistant to tampering/snooping

Benefits of Using DoH

Implementing DoH offers significant advantages, primarily focused on enhancing user privacy and security:

  • Increased Privacy: By encrypting DNS queries, DoH prevents intermediaries like ISPs, network administrators, or eavesdroppers on public Wi-Fi from seeing which websites you are visiting. This makes it harder to track your online activity based on your DNS requests.
  • Enhanced Security: Encrypting queries makes them more resistant to DNS-based attacks, such as:
    • DNS Snooping: Preventing others from monitoring your website visits.
    • DNS Spoofing/Tampering: Making it harder for an on-path attacker to read or alter your query and redirect you to a fake website by substituting a malicious IP address.
  • Bypassing Censorship: In some cases, DoH can help bypass censorship or filtering that relies on inspecting or blocking traditional DNS queries.
  • Reduced Fingerprinting: Your DNS requests, being encrypted, contribute less to creating a unique "fingerprint" of your online activities that could be used for tracking.

Potential Considerations

While offering significant benefits, DoH also presents some considerations:

  • Increased Reliance on DoH Provider: Encryption hides queries from the network path, not from the resolver, so your privacy now depends heavily on the trustworthiness of the DoH server provider.
  • Network Visibility: It can make it harder for local network administrators (like in a school or company) to monitor or filter traffic for security or policy enforcement reasons.
  • Performance: Encrypting and decrypting requests can introduce slight latency, though this is often negligible with modern hardware and network speeds.

How DoH Works in Practice

Major web browsers like Chrome, Firefox, Edge, and Brave, as well as operating systems like Windows, macOS, Android, and iOS, now offer built-in support for DoH. Users can typically configure their settings to use a preferred DoH provider (like Cloudflare, Google Public DNS, Quad9, etc.) instead of the default DNS servers provided by their ISP.

In essence, DoH wraps the sensitive act of translating domain names into IP addresses within the secure, universally used framework of HTTPS, providing a layer of privacy and security that traditional DNS lacks.
