DNS over HTTPS Benefits and Considerations

Author

Reads 9K

home monitoring security camera
Credit: pexels.com, home monitoring security camera

Implementing DNS over HTTPS can improve online security by encrypting DNS queries, making it more difficult for hackers to intercept and exploit them.

This encryption can also prevent ISPs from monitoring and selling user DNS queries, which can be a significant concern for users who value their online privacy.

One of the key benefits of DNS over HTTPS is that it can prevent DNS spoofing attacks, which can be used to redirect users to malicious websites.

In addition to improving security, DNS over HTTPS can also improve the overall DNS resolution process, making it faster and more efficient.

Discover more: Stop Online Piracy Act

What is DoH

DNS over HTTPS, or DoH, is a technology that encrypts DNS traffic, making it more secure.

This encryption is provided by the HTTPS protocol, which is the same protocol used for secure web browsing. The HTTPS protocol ensures that all data exchanged between the client and the server is encrypted.

By using HTTPS for DNS, DoH protects users' DNS queries and responses from being intercepted by third parties, such as hackers or ISPs. This is especially important for users who connect to public Wi-Fi networks, as these networks can be vulnerable to eavesdropping.

Benefits and Risks

Credit: youtube.com, DNS over HTTPS in 2 Minutes

DoH improves privacy by hiding domain name lookups from public Wi-Fi, ISPs, and local networks, preventing them from collecting and selling personal information related to browsing behavior.

This is especially important when using public Wi-Fi, as it prevents others from snooping on your online activities. By encrypting DNS name resolution traffic, DoH hides online activities from anyone listening in on intermediary networks.

DoH also helps prevent DNS spoofing and man-in-the-middle attacks by encrypting the session between the browser and the DNS server, making it difficult for anyone to alter the resolution request results.

However, enabling DoH may have some risks, such as bypassing local DNS resolvers and defeating policies that block malware or filter websites. This can be a concern for organizations that rely on DNS to monitor and control internet access.

To mitigate this risk, Firefox allows users to disable DoH when it interferes with a preferred policy, and organizations can also disable DoH through enterprise policies.

Additional reading: Public Suffix List

Benefits

Person holding tablet with VPN connection screen for secure internet browsing.
Credit: pexels.com, Person holding tablet with VPN connection screen for secure internet browsing.

DoH improves privacy by hiding domain name lookups from prying eyes on public Wi-Fi, your ISP, or anyone else on your local network.

This means your ISP can't collect and sell personal information related to your browsing behavior, giving you a sense of security and control over your online activities.

DoH encrypts DNS name resolution traffic, making it invisible to anyone listening or eavesdropping on intermediary networks, including your ISP.

This is especially important when using public Wi-Fi, as it prevents your ISP from seeing exactly which sites you're visiting.

DoH also helps prevent DNS spoofing and man-in-the-middle attacks by encrypting the session between your browser and the DNS server.

Risks

DoH can bypass special policies that rely on DNS, such as blocking malware or enabling parental controls. This is because DoH sends queries directly to a trusted partner's DNS server, bypassing the local DNS resolver.

DoH can also create a security monitoring blind spot in the enterprise, as it encrypts name resolution requests. This makes it difficult for organizations to detect malware attempting to "phone home" or block access to malicious sites.

Laptop displaying blockchain connecting screen in modern setting.
Credit: pexels.com, Laptop displaying blockchain connecting screen in modern setting.

Some individuals and organizations rely on DNS to block malware, enable parental controls, or filter browser access to websites. DoH defeats these special policies by bypassing the local DNS resolver.

DoH directs queries to DNS servers operated by a trusted partner, which has the ability to see users' queries. However, Mozilla's Trusted Recursive Resolver (TRR) policy forbids partners from collecting personal identifying information.

DoH could be slower than traditional DNS queries, but in testing, Mozilla found that the impact is minimal and in many cases DoH is actually faster.

Here are some potential risks associated with DoH:

  • DoH bypasses special policies that rely on DNS
  • DoH creates a security monitoring blind spot in the enterprise
  • DoH directs queries to a trusted partner's DNS server
  • DoH could be slower than traditional DNS queries (although the impact is minimal)

Deployment and Configuration

Deployment and configuration of DNS over HTTPS (DoH) can be done in various ways. One common scenario is using a DoH implementation within an application, such as a browser with built-in DoH support.

You can also install a DoH proxy on the name server in your local network, which will then gather replies via DoH from servers in the Internet, making it transparent to the end user.

Credit: youtube.com, Deploying DNS over HTTPS Without Confrontation

To configure the DNS client to support DoH on Windows Server with Desktop Experience, you'll need to select the network interface, edit the DNS settings, and choose the preferred DNS encryption method.

Here are the steps to configure the DNS client to support DoH on Windows Server with Desktop Experience:

  1. From the Windows Settings control panel, select Network & Internet.
  2. On the Network & Internet page, select Ethernet.
  3. On the Ethernet screen, select the network interface that you want to configure for DoH.
  4. On the Network screen, scroll down to DNS settings and select the Edit button.
  5. On the Edit DNS settings screen, select Manual from the automatic or manual IP settings dropdown.
  6. Choose between the following settings to set the preferred DNS encryption:
  7. Select Save to apply the DoH settings to the DNS client.

Alternatively, you can configure DoH through Group Policy, which allows you to configure the DNS client to use DoH with various settings, including allowing, prohibiting, or requiring DoH.

Deployment Scenarios

Deploying DoH involves several scenarios, each with its own advantages and challenges.

There are three common deployment scenarios for DoH: using a DoH implementation within an application, installing a DoH proxy on the name server in the local network, and installing a DoH proxy on a local system.

Using a DoH implementation within an application is a straightforward approach, but it can be problematic if the application doesn't inform the user when it bypasses traditional DNS querying.

Curious to learn more? Check out: Domains by Proxy

Credit: youtube.com, 03 01 Deployment Scenarios and the MDT 2013

Some browsers have a built-in DoH implementation, which allows them to perform queries without using the operating system's DNS functionality.

Installing a DoH proxy on the name server in the local network is a transparent method, where client systems continue to use traditional DNS to query the name server, which then gathers the necessary replies via DoH.

This approach doesn't require any changes to the client systems, making it a convenient option for large networks.

Installing a DoH proxy on a local system requires configuration on each system wishing to use DoH, which can be a significant effort in larger environments.

This method also requires a locally running DoH proxy, which needs to be installed on each system.

Here are the three common deployment scenarios for DoH, summarized:

  • Using a DoH implementation within an application
  • Installing a DoH proxy on the name server in the local network
  • Installing a DoH proxy on a local system

Windows

Windows has been supporting DNS over HTTPS (DoH) since November 2019, with initial support added in Windows 10 Insider Preview Build 19628. This allowed users to enable DoH via registry and command line interface.

Two Brown Wooden Framed 6-lite Window Panes
Credit: pexels.com, Two Brown Wooden Framed 6-lite Window Panes

Microsoft released Windows 11 with built-in DoH support, making it a more streamlined process for users to secure their DNS queries. Windows 10 Insider Preview Build 20185 also added a graphical user interface for specifying a DoH resolver.

However, it's worth noting that DoH support is not included in Windows 10 21H2. If you're using this version, you won't be able to take advantage of DoH out of the box.

To configure DoH on Windows Server, you'll need to follow specific steps, which include selecting the network interface, editing DNS settings, and choosing the preferred DNS encryption. This process can be a bit more involved, but it's essential for securing your DNS queries.

Here's a quick rundown of the steps to configure DoH on Windows Server:

  1. From the Windows Settings control panel, select Network & Internet.
  2. On the Network & Internet page, select Ethernet.
  3. On the Ethernet screen, select the network interface that you want to configure for DoH.
  4. On the Network screen, scroll down to DNS settings and select the Edit button.
  5. On the Edit DNS settings screen, select Manual from the automatic or manual IP settings dropdown.
  6. Select Save to apply the DoH settings to the DNS client.

Configure the Client

To configure the client for DNS over HTTPS, you'll need to follow these steps. First, ensure that the primary or secondary DNS server selected for the network interface is on the list of known DoH servers. You can check this using the Get-DNSClientDohServerAddress PowerShell cmdlet.

Close Up Photo of Network Switch
Credit: pexels.com, Close Up Photo of Network Switch

You can only configure the Windows Server client to use DoH if the primary or secondary DNS server is on the list of known DoH servers. This list includes servers like Cloudflare, Google, and Quad 9. To view the default list of known DoH servers, use the Get-DNSClientDohServerAddress PowerShell cmdlet.

To add a new DoH server to the list of known servers, use the Add-DnsClientDohServerAddress PowerShell cmdlet. Specify the URL of the DoH template and whether you'll allow the client to fall back to an unencrypted query should the secure query fail.

The DNS client can be configured to require DoH, request DoH, or only use traditional plain-text DNS queries. To configure the DNS client to support DoH, follow these steps:

  1. From the Windows Settings control panel, select Network & Internet.
  2. On the Network & Internet page, select Ethernet.
  3. On the Ethernet screen, select the network interface that you want to configure for DoH.
  4. On the Network screen, scroll down to DNS settings and select the Edit button.
  5. On the Edit DNS settings screen, select Manual from the automatic or manual IP settings dropdown.
  6. Select Save to apply the DoH settings to the DNS client.

Alternatively, you can configure the DNS client using PowerShell with the Set-DNSClientServerAddress cmdlet. However, keep in mind that the DoH setting will depend on whether the server's fallback setting is in the list of known DoH servers.

Implementation Considerations

Credit: youtube.com, Deployment

Implementing DoH requires careful consideration of several key issues. Many of these problems are still being worked out by the internet community.

Stopping third-parties from analyzing DNS traffic is a major challenge. This is because DoH encrypts DNS traffic, making it harder to intercept and analyze for security purposes.

Disruption of DNS-level parental controls and content filters is another issue. This is because DoH can bypass these controls, potentially allowing users to access blocked content.

Split DNS in enterprise networks is also a problem. This is because DoH can create conflicts with existing network configurations.

CDN localization is another consideration. This is because DoH can make it harder for content delivery networks (CDNs) to serve content from local servers.

Here are some of the main implementation considerations for DoH:

  • Stopping third-parties from analyzing DNS traffic
  • Disruption of DNS-level parental controls and content filters
  • Split DNS in enterprise networks
  • CDN localization

Configuration Options

You can configure DNS over HTTPS (DoH) in various ways, depending on your needs and setup. To start, you can enable, disable, and configure DoH in Firefox by following the steps outlined in the "Configure DNS over HTTPS protection levels in Firefox" article.

There are several configuration options available for DoH. You can configure the DNS client to support DoH on Windows Server with Desktop Experience by following these steps: From the Windows Settings control panel, select Network & Internet.On the Network & Internet page, select Ethernet.On the Ethernet screen, select the network interface that you want to configure for DoH.

You can also configure DoH through Group Policy, which is useful for large-scale deployments. The Configure DNS over HTTPS (DoH) name resolution policy is found in the Computer Configuration\Policies\Administrative Templates\Network\DNS Client node. When enabled, this policy can be configured with the following settings: Allow DoH. Queries will be performed using DoH if the specified DNS servers support the protocol.Prohibit DoH. Will prevent use of DoH with DNS client queries.Require DoH. Will require that queries are performed using DoH.

It's worth noting that you should not enable the Require DoH option for domain joined computers, as Active Directory Domain Services is heavily reliant on DNS and doesn't support DoH queries. If you need to encrypt DNS query traffic on Active Directory Domain Services networks, consider implementing IPsec based connection security rules.

Related reading: Firefox Dns over Https

Credit: youtube.com, DNS Encryption explained - DNS over TLS (DoT) & DNS over HTTPS (DoH)

The main configuration file for DoH is doh-client.conf, which allows you to configure server selectors and upstream servers. For example, you can set the upstream_selector to "random" to choose a random upstream server for each request.

Here are some key DoH configuration options to consider:

You can also use the Name Resolution Policy Table (NRPT) to configure queries to a specific DNS namespace to use a specific DNS server, which can be useful for certain use cases.

Security and Traffic

DNS over HTTPS can make it harder for security teams to analyze and monitor DNS traffic for cybersecurity purposes. This is because DoH can mask connections to command-and-control servers, as seen in the case of the 2019 DDoS worm Godlua.

The NSA has warned enterprises against using external DoH resolvers, citing that they prevent DNS query filtering, inspection, and audit.

Using external DoH resolvers can leave your network vulnerable to security threats, so it's essential to take NSA's recommendation to configure enterprise-owned DoH resolvers and block all known external DoH resolvers.

For your interest: What Are Dns Resolvers

Security

Credit: youtube.com, Episode 24: Encryption and Traffic Security Monitoring

Using DoH can make it harder for security teams to analyze and monitor DNS traffic for cybersecurity purposes, as seen in the 2019 DDoS worm Godlua, which used DoH to hide its connections.

In fact, the NSA warned enterprises about using external DoH resolvers in January 2021, advising them to block all known external DoH resolvers instead of configuring enterprise-owned resolvers.

DoH is compatible with DNSSEC, which is a security feature that adds an extra layer of protection to DNS requests, but signature validation is not built-in, so you'll need to install a separate tool like unbound or bind to validate DNS records.

Using an instance of Pi Hole can also help validate DNS signatures and provide other capabilities, making it a useful tool for security-conscious users.

On a similar theme: Dns Resolvers

Content Filter Failure

Disruption of content filters is a real concern with the introduction of DoH. DoH has been used to bypass parental controls that operate at the standard DNS level.

Credit: youtube.com, Complete Guide to Web & Content Filtering Solutions | Centralized & Agent-Based Security Explained

The Internet Service Providers Association (ISPA) and the Internet Watch Foundation have criticized Mozilla for supporting DoH, as they believe it will undermine web blocking programs in the UK. They fear it will bypass ISP default filtering of adult content and mandatory court-ordered filtering of copyright violations.

Mozilla responded to the criticism, arguing that DoH would not prevent filtering, and that they were "surprised and disappointed" by the industry association's misrepresentation of the technology.

Logging

Logging is a crucial aspect of maintaining a secure and well-managed system. All log lines are written into stderr.

You can view these log lines using your OS tool of choice, such as journalctl when using systemd. This allows you to keep track of any issues or errors that may arise.

The system logs can provide valuable insights into system performance and potential security threats.

Protocol and Compatibility

DNS over HTTPS uses a protocol compatible with Google's DNS-over-HTTPS, but with a twist - it prefers absolute expire time over relative TTL value.

Credit: youtube.com, DNS over HTTPS (DoH)

The protocol is based on RFC8484, a proposed standard published by the IETF in October 2018.

The underlying HTTP layer can be any version of HTTP, but HTTP/2 is the recommended minimum, which also allows for HTTP/2 server push to send anticipated values to the client.

DoH is still a work in progress, with the IETF evaluating various approaches for its implementation and establishing a working group, Adaptive DNS Discovery (ADD), to develop a consensus.

Broaden your view: Redirection Http to Https

Protocol Compatibility

DNS-over-HTTPS uses a protocol compatible to Google DNS-over-HTTPS, except for absolute expire time is preferred to relative TTL value.

The protocol compatibility of DNS-over-HTTPS is also compatible with the IETF DNS-over-HTTPS protocol, as outlined in RFC 8484.

DNS-over-HTTPS uses HTTPS, and supports the wire format DNS response data, as returned in existing UDP responses, in an HTTPS payload with the MIME type application/dns-message.

The underlying HTTP layer can be any version of HTTP, though HTTP/2 is the recommended minimum.

Check this out: Http Https Redirection

Mozilla Firefox

Credit: youtube.com, Firefox Settings You Should Change For Privacy and Security

Mozilla Firefox is a great browser that's been improving its security features. In 2018, Mozilla partnered with Cloudflare to deliver DNS over HTTPS for Firefox users who enabled it, known as Trusted Recursive Resolver.

Firefox started enabling DNS over HTTPS for all US-based users on February 25, 2020, relying on Cloudflare's resolver by default. This move aimed to provide a more secure internet browsing experience for its users.

Discover more: Cloudflare Dns Records

Encrypted Client Hello (ECH)

With Firefox version 118, the Encrypted Client Hello (ECH) was introduced as a significant security feature that reinforces the security of the initial connection handshake.

ECH relies on DoH to fetch the necessary encryption keys for the handshake, which means DoH needs to be activated for ECH to operate.

DoH works by encrypting DNS queries, safeguarding the conversion of website names to IP addresses, while ECH focuses on encrypting the initial exchanges between the user and the website.

Together, DoH and ECH present a comprehensive defense against many online threats, providing an enhanced dual-layer of privacy.

By enabling DoH in Firefox, users can fully benefit from the security enhancements provided by ECH, diminishing potential vulnerabilities and amplifying online discretion.

Opting Out and Configuration

Credit: youtube.com, Stop Snooping: How to Secure Your DNS with Encryption

You can opt out of using DNS over HTTPS (DoH) in Firefox by going to the DNS over HTTPS settings and choosing to opt out or select a custom DoH provider.

Firefox will check for certain functions that might be affected by DoH, including parental controls, default DNS server filtering, and organization-managed DNS configurations. If any of these tests determine that DoH might interfere, it won't be enabled.

To configure the DNS client to support DoH on Windows Server, you need to select a network interface and then edit the DNS settings to allow DoH.

On Windows Server, you can configure the DNS client to require DoH, request DoH, or only use traditional plain-text DNS queries. This can be done by selecting the network interface, editing the DNS settings, and choosing the preferred DNS encryption.

You can also configure DoH through Group Policy on Windows Server 2022 by enabling the Configure DNS over HTTPS (DoH) name resolution policy. This policy can be configured with three settings: Allow DoH, Prohibit DoH, and Require DoH.

For more insights, see: EDNS Client Subnet

Credit: youtube.com, Enable DNS Over HTTPS on Windows 11 / 10

Here are the Group Policy settings for DoH:

Note that you should not enable the Require DoH option for domain-joined computers, as Active Directory Domain Services relies heavily on DNS and doesn't support DoH queries.

Bessie Fanetti

Senior Writer

Bessie Fanetti is an avid traveler and food enthusiast, with a passion for exploring new cultures and cuisines. She has visited over 25 countries and counting, always on the lookout for hidden gems and local favorites. In addition to her love of travel, Bessie is also a seasoned marketer with over 20 years of experience in branding and advertising.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.