DNS Over HTTPS: DoH DNS Facts You Should Know


DNS over HTTPS (DoH) is a relatively new protocol that has attracted a great deal of attention, and it has consequences for enterprise security products and policies. It combines the DNS protocol with HTTPS, and it affects businesses, organisations and home users alike. Its purpose is to encrypt DNS traffic so that name resolution cannot be read or tampered with on the path between a client and its resolver.

As part of our methodology, we make sure customers are aware that a DNS security review is included in our in-depth Active Directory Security Review. Not many security assessments cover an in-depth review of an organisation's DNS configuration.

What is DNS over HTTPS (DoH)?

DNS itself dates from the 1980s, and for most of its life DNS queries between a client and its resolver have been sent in plain text, using the resolver addresses handed out by the network operator or ISP (Internet Service Provider). Because that traffic can be read and altered by anyone on the path, the Internet Engineering Task Force (IETF) standardised DNS over HTTPS in RFC 8484 in 2018.

DoH sends DNS queries disguised as ordinary HTTPS traffic to resolvers that support the protocol, known as DoH resolvers. Both the query and its response travel inside the TLS session, so an observer on the network sees only an HTTPS connection and the user's privacy is preserved.

In short, DoH is a network protocol for carrying DNS messages over HTTPS. The TLS layer of HTTPS encrypts the DNS query and response, hiding them from on-path observers and improving online privacy.

Popular DoH clients include Google Chrome, Mozilla Firefox and Microsoft Edge, all of which can send their DNS queries over DoH for the data protection and privacy of their users.


How does DNS over HTTPS work?

Before diving into how DNS over HTTPS works, let's take a look at the mechanism of traditional DNS.

Every website is hosted on a web server, and every web server has an IP address. To reach a website, the client first needs that IP address, and this is where DNS servers come in: a resolver converts the hostname in a URL such as https://xyz.com, in this case xyz.com, into its corresponding IP address.

When a user enters a hostname into the browser, the browser sends a DNS query (not an HTTP request) to its configured resolver, normally a recursive resolver run by the ISP or the organisation. If the resolver does not already have the answer cached, it starts at the root name servers. The root servers do not hold the answer themselves; they refer the resolver to the name servers for the top-level domain (TLD), such as .com, .org or .edu.

The resolver then queries the TLD servers, which return the addresses of the authoritative name servers for the requested domain. Finally, the resolver queries those authoritative servers, receives the IP address for the hostname, and returns it to the browser.

The browser can then open an HTTP or HTTPS connection to that IP address and load the requested website. Caching at the resolver and in the operating system often short-circuits this procedure, but this is the core of how traditional DNS works.

Differences Between DoH And DNS

DNS over HTTPS resolves names in exactly the same way as DNS; what changes is how the query travels between the client and the resolver. There are two main differences.

The first is that DNS messages, traditionally sent in plain text over UDP or TCP port 53, are instead carried inside an HTTPS session. The requests go to TCP port 443 just like normal web traffic, so on the wire they look like any other HTTPS connection. Both the client (typically the browser or the operating system) and the resolver must support DoH for this to work.
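What actually travels over the wire, as an added example that is not part of the original post: the code builds the wire-format DNS query a DoH client sends, shows the two HTTP forms defined in RFC 8484 (GET with a base64url `dns` parameter, and POST with an `application/dns-message` body), and parses a response that is constructed inline so it runs without network access. The resolver URL https://dns.example/dns-query and the answer address 203.0.113.10 are assumptions for the example.

```python
# Added example (not from the original post): the DNS message a DoH client
# sends, the two HTTP forms from RFC 8484, and parsing of a constructed reply.
# The resolver URL and the answer address below are assumptions for the demo.
import base64
import struct

DOH_URL = "https://dns.example/dns-query"   # assumed resolver; not a real service
TYPE_A = 1


def encode_qname(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    """Wire-format query: 12-byte header, one question, RD=1.
    RFC 8484 says DoH clients SHOULD use ID 0 so HTTP caches can match requests."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(wire: bytes, url: str = DOH_URL) -> str:
    """GET form: base64url without '=' padding in the 'dns' query parameter."""
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{url}?dns={b64}"


def doh_post_request(wire: bytes):
    """POST form: the raw message is the body, typed application/dns-message."""
    headers = {"Accept": "application/dns-message",
               "Content-Type": "application/dns-message",
               "Content-Length": str(len(wire))}
    return headers, wire


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Parse header, question and answer sections of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == TYPE_A and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def constructed_response(query: bytes, addr: str, ttl: int = 300) -> bytes:
    """Constructed reply standing in for a resolver: echoes the question and
    adds one A record whose name is a pointer (0xC00C) back to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = read_name(query, 12)
    question = query[12:qend + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1
    rr = struct.pack("!HHHIH", 0xC00C, TYPE_A, 1, ttl, 4) + bytes(int(x) for x in addr.split("."))
    return header + question + rr


def demo(name: str = "www.example.com") -> dict:
    """Run the round trip offline and return what each side sees."""
    wire = build_query(name)
    reply = parse_response(constructed_response(wire, "203.0.113.10"))
    return {"wire": wire, "get_url": doh_get_url(wire),
            "post": doh_post_request(wire), "reply": reply}


if __name__ == "__main__":
    result = demo()
    print(result["get_url"])
    print(result["reply"])
```

Note that the full name www.example.com is present in the message the DoH resolver receives; the encryption hides it from the network path, not from the resolver operator.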


The second difference is less about DoH itself and more about the recursive resolvers that typically offer it. Modern resolvers minimise the amount of data they disclose while walking the DNS hierarchy, a technique called QNAME minimisation: instead of sending the full name to every server in the chain, the resolver sends only the portion needed for the current step. Suppose a browser is trying to reach https://xyz.com; the root servers only need to learn that it is a .com name, and only the .com servers are told about xyz.com. Note that the DoH resolver itself still receives the full name; the saving is in what the upstream authoritative servers get to see.

Standard DNS vs DNS over HTTPS

Standard DNS is exposed to man-in-the-middle (MITM) attacks because queries and responses travel in plain text with no integrity protection on the path; unless a filtering or inspection solution is watching the traffic, tampering goes unnoticed.

Privacy is one of the main concerns of the moment, and DoH was introduced to improve it by encrypting DNS. A DoH-enabled setup offers far better protection against man-in-the-middle attacks on the path between the client and the resolver.

Once enabled, an observer on the network can no longer read the DNS requests between the browser and the resolver. The resolver operator itself still sees every query, so the choice of DoH provider matters.

DNS over HTTPS (DoH) vs DNS over TLS (DoT)

Both DoH (DNS over HTTPS) and DoT (DNS over TLS) serve the same purpose: encrypting DNS communications between a client and its resolver.

The practical difference is visibility to network administrators. DoT uses a dedicated port, so although its contents are encrypted the traffic is easy to identify and to block or monitor as a category. DoH is mixed in with ordinary HTTPS, so administrators cannot reliably tell it apart from web browsing without inspecting TLS metadata such as the server name, which can be an issue for enterprise monitoring.

The reason is the port: DoH uses port 443, the port on which all HTTPS communication takes place, whereas DoT uses its own dedicated TLS port, 853.

DoH on Web browsers

Most well-known browsers support DNS over HTTPS to give their users better privacy. Once it is enabled, the DNS traffic between the browser and the resolver is encrypted and cannot be read on the network. The most popular browsers supporting DoH are Google Chrome, Mozilla Firefox, Microsoft Edge and Brave. Below are the steps to enable DoH in each of them.

Google Chrome

How to enable DNS over HTTPS on Chrome?

  • First, open your Google Chrome browser.
  • Click on the three-dot menu in the upper right corner of the browser.
  • Open Settings.
  • Go to Privacy and security.
  • Click on Security.
  • Scroll down and enable Use secure DNS, then pick a provider or enter a custom one.

This way, DNS over HTTPS can be enabled in Chrome for the privacy of users.

Mozilla Firefox

How to enable DNS over HTTPS on Mozilla Firefox?

  • First, open your Mozilla Firefox browser.
  • Click on the menu button (three horizontal lines) in the upper right corner of the browser.
  • Click on Settings.
  • Go to General.
  • Scroll down to Network Settings.
  • Click on Settings.
  • Scroll down and enable DNS over HTTPS, then choose a provider. In recent Firefox versions this option lives under Privacy & Security instead, as a DNS over HTTPS section with protection levels.

Microsoft Edge

How to enable DNS over HTTPS on Microsoft Edge?

  • First, open Microsoft Edge.
  • Click on the three-dot menu in the upper right corner.
  • Click on Settings.
  • Go to Privacy, search, and services.
  • Scroll down to Security.
  • Enable Use secure DNS.
  • Choose your preferred DNS provider, for example Cloudflare (1.1.1.1).

Brave

How to enable DNS over HTTPS on Brave?

  • Open Brave.
  • Click on the menu in the upper right corner and go to Settings.
  • Go to Privacy and security in the left-hand menu.
  • Click on Security.
  • Enable Use secure DNS.

To choose a specific provider, for example Cloudflare, select the With option and pick the provider from the drop-down menu, such as Cloudflare (1.1.1.1).

This way, you can enable DoH and choose your own DNS providers.


How to check if a browser is configured with DoH or not?

You can check whether your browser is actually using DoH with these simple steps:-

  • Open the browser you want to check.
  • Type https://1.1.1.1/help into the address bar.
  • Confirm that Using DNS over HTTPS (DoH) shows Yes.

If it shows No, follow the steps above for your browser. Note that this page only reports on Cloudflare's resolver, so it is only meaningful if you chose Cloudflare as your provider; other providers offer their own check pages. In Firefox, about:networking#dns also lists each cached name together with whether it was resolved via TRR, which is Firefox's name for its DoH client.

How to enable DNS over HTTPS in Windows 10 settings?

Enabling DoH in a single browser only protects that browser's lookups; every other application on the machine still uses the operating system's plain DNS. Enabling DoH at operating-system level covers all users and applications at once, without configuring each one separately. Windows 10 being one of the more popular operating systems, we have demonstrated the steps for it. Be aware that the Windows 10 Settings app only lets you enter the resolver addresses; the encryption options appear once the registry switch described further below is set (Windows 11 has them built into Settings). Follow these steps:-

  • Open Settings on your Windows 10 machine.
  • Go to Network & Internet.
  • Under Status, open the properties of the connection you are using.
  • Under IP settings, click Edit.
  • Choose Manual and enable IPv4.
  • Enter the Preferred DNS and Alternate DNS addresses of your chosen provider.

Here are the DoH providers that Windows 10 currently recognises automatically:-

Cloudflare:- Primary IP- 1.1.1.1, Alternate IP- 1.0.0.1

Google:- Primary IP- 8.8.8.8, Alternate IP- 8.8.4.4

Quad9:- Primary IP- 9.9.9.9, Alternate IP- 149.112.112.112

For Preferred DNS encryption and Alternate DNS encryption, select Encrypted only (DNS over HTTPS). To configure IPv6, repeat the steps above for IPv6 with the addresses below.

IPv6 Addresses

For IPv6, you can use these Primary and Secondary addresses, which Windows 10 recognises:-

  • Google:- Primary IP – 2001:4860:4860::8888, Secondary IP – 2001:4860:4860::8844
  • Cloudflare:- Primary IP – 2606:4700:4700::1111, Secondary IP – 2606:4700:4700::1001
  • Quad9:- Primary IP – 2620:fe::fe, Secondary IP – 2620:fe::fe:9

How to enable DoH in the Windows 10 Registry?

Enabling DoH on Windows 10 has two parts: the registry switch, which turns the feature on, and the Settings steps above, which point the DNS client at a supported resolver. Here is how to use the Windows 10 registry to turn the feature on.

Following are the steps that can be used to enable DoH:-

  • Open Registry Editor on your machine.
  • Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters.
  • Create a DWORD (32-bit) value named EnableAutoDoh and set it to 2.
  • Restart your Windows 10 machine.

Windows 10 currently has a built-in list of three DoH providers: Google, Cloudflare and Quad9. After restarting, set the Primary and Alternate DNS addresses to one of the providers listed above; with EnableAutoDoh set, the DNS client uses DoH automatically for addresses on its known list.

To do so, change the entries in your network adapter's Internet Protocol Version 4 (TCP/IPv4) settings to one of the three supported providers. If necessary, repeat the process for IPv6.

Benefits of DNS over HTTPS (DoH)

DoH has many benefits. The most important is that it hides users' online activity by encrypting name-resolution traffic. Every time a domain name is typed into a browser, a DNS query is needed to turn that name into an IP address.

Unless the resolver is on the local network, that query passes through the ISP's network and every router between the client and the resolver, and the ISP can read it trivially. By watching name-resolution requests, an ISP (or anyone else on the path) can see which sites a user visits and much more.

Here comes the role of DNS over HTTPS (DoH). It hides the name-resolution request from the ISP and from anyone else on the path; only the chosen DoH resolver sees it. This is how DoH shields its users.

It also blunts attacks such as man-in-the-middle and DNS spoofing on the path, because the communication between the browser and the resolver is encrypted and the resolver is authenticated by TLS, so an on-path attacker cannot manipulate the response to send the user's browser to a malicious site. It does not protect against a malicious or compromised resolver, and it is not a substitute for DNSSEC validation of the data itself.


Additional Benefits Of DoH

Some of the added benefits of switching to DoH from regular DNS:

  • Your organisation's data privacy and security improve if DoH is enabled properly.
  • You can test how your DNS traffic filtering behaves alongside DoH.
  • You can test how DoH interacts with your network ahead of time and address any issues before DoH becomes the default everywhere.
  • Your feedback can help software vendors improve their products, which benefits you in the long run.

Limitations of DNS over HTTPS

  • Security tooling can raise misleading alerts or block legitimate queries if the administrator is unfamiliar with DoH and how it appears on the network.
  • A DNS traffic filtering solution that does not integrate with DoH becomes ineffective, because the queries it expects to see on port 53 now travel encrypted on port 443.
  • It bypasses any DNS filtering your network relies on for security and for visibility into name resolution.
  • It splits behaviour between the browser and the rest of the computer and network: some DNS queries go to the browser's DoH resolver while others follow the system's network settings, so the browser may resolve names differently from the rest of the machine (internal names can fail in the browser while working elsewhere).
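As an added example that is not part of the original post, the classifier below shows what a network sensor sees for the three kinds of DNS traffic discussed in the DoH vs DoT comparison earlier, and why the filtering-bypass limitation just listed is hard to spot: DoT stands out by port alone, plain DNS is readable, and DoH on port 443 can only be inferred from TLS metadata such as the server name (SNI) or a known resolver address. The flow records, the approved internal resolver 10.0.0.53 and the known-resolver lists are constructed assumptions for the example, not an authoritative list.

```python
# Added example (not from the original post): classify constructed flow
# records to show which DNS traffic a network sensor can still recognise.
# The resolver lists and the sample flows are assumptions for the example.
from collections import Counter
from dataclasses import dataclass

APPROVED_RESOLVERS = {"10.0.0.53"}          # assumed internal resolver that filters and logs
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com",
                   "dns.google", "dns.quad9.net"}   # illustrative, not exhaustive
KNOWN_DOH_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4",
                 "9.9.9.9", "149.112.112.112"}      # illustrative, not exhaustive

# Constructed records: src dst dport proto sni ("-" when no TLS ClientHello was seen).
SAMPLE_FLOWS = [
    "10.0.1.10 10.0.0.53 53 udp -",                         # plain DNS to the internal resolver
    "10.0.1.10 93.184.216.34 443 tcp www.example.com",      # ordinary web browsing
    "10.0.1.11 1.1.1.1 853 tcp one.one.one.one",            # DoT: encrypted, but port gives it away
    "10.0.1.12 203.0.113.5 443 tcp mozilla.cloudflare-dns.com",  # DoH: only the SNI reveals it
    "10.0.1.13 8.8.8.8 443 tcp -",                          # DoH: only the destination IP reveals it
    "10.0.1.14 8.8.8.8 53 udp -",                           # plain DNS straight past the internal resolver
]


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    sni: str


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated constructed record."""
    src, dst, dport, proto, sni = line.split()
    return Flow(src, dst, int(dport), proto, sni)


def classify(flow: Flow) -> str:
    """Label a flow by what the sensor can tell about it."""
    if flow.dport == 53:
        return "plain-dns"      # readable and filterable on the wire
    if flow.dport == 853 and flow.proto == "tcp":
        return "dot"            # encrypted, but identifiable (and blockable) by port
    if flow.dport == 443 and (flow.sni in KNOWN_DOH_HOSTS or flow.dst in KNOWN_DOH_IPS):
        return "doh"            # encrypted and only inferable from SNI or resolver IP
    return "other"              # HTTPS we cannot distinguish from web browsing


def summarise(lines) -> dict:
    """Count flows per category."""
    return dict(Counter(classify(parse_flow(line)) for line in lines))


def bypassing_hosts(lines):
    """Hosts resolving names anywhere other than the approved resolver,
    i.e. the ones sidestepping the network's DNS filtering."""
    offenders = set()
    for line in lines:
        f = parse_flow(line)
        kind = classify(f)
        if kind in ("plain-dns", "dot", "doh") and f.dst not in APPROVED_RESOLVERS:
            offenders.add((f.src, kind, f.sni if f.sni != "-" else f.dst))
    return sorted(offenders)


if __name__ == "__main__":
    print(summarise(SAMPLE_FLOWS))
    for src, kind, target in bypassing_hosts(SAMPLE_FLOWS):
        print(f"{src} uses {kind} via {target}, not the approved resolver")
```

The "other" bucket is the limitation in practice: a DoH resolver that is not on the known list, or one reached with encrypted ClientHello so that no SNI is visible, lands there and is indistinguishable from web browsing. Blocking port 853 removes DoT at a stroke; containing DoH needs a maintained resolver list or an endpoint policy.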

Is DoH really slower?

DoH trades some speed for security and privacy: a TLS session must be set up, and every query and response has to be encrypted and decrypted, so a lookup can take longer than a plain UDP query.

Measurements have generally found DoH to be the slowest of the encrypted DNS options in page-load terms, but the difference between encrypted and unencrypted load times is slim, and reusing the HTTPS connection for many queries amortises the handshake cost.

How to quicken the encrypted DNS?

With privacy and online activity under scrutiny, developers constantly look for newer technologies to safeguard users. DoH does have a measurable cost in connection speed, but that is not the case to the same degree for every encrypted DNS protocol.

The other common variant of encrypted DNS is DNS over TLS (DoT). TLS (Transport Layer Security) is the successor to SSL (Secure Sockets Layer), and DoT runs DNS directly over it without the HTTP layer.

DoH and DoT are almost the same, with minor differences. Both encrypt DNS traffic and keep name resolution private. The main difference for performance is overhead: DoT carries DNS messages straight over TLS, whereas DoH adds an HTTP layer on top, so DoT can be marginally faster in some setups. A recent study found that the performance of DoT, DoH and unencrypted DNS varies depending on the client and that no protocol excels in all situations.


Conclusion

DoH is still in its early stages, and security products are evolving to accommodate it. The era of plain-text DNS may well be drawing to a close, and as DoH queries and DoH traffic become commonplace, enterprise policies will need to account for it, both to gain the added security and to keep visibility of name resolution on their networks.
