DNS over HTTPS (DoH) is a relatively new protocol that matters for enterprise security products and policies as much as for home users. It wraps DNS queries in HTTPS so that name resolution is encrypted in transit, which changes what businesses, organisations and regular users can see and control on their networks.
As part of our methodology, we make sure customers know that a DNS security review is included in our in-depth Active Directory Security Review. Few security assessments cover an organisation's DNS configuration in any depth.
What is DNS over HTTPS (DoH)?
The Internet Engineering Task Force (IETF) standardised DNS over HTTPS in 2018 as RFC 8484, in response to growing concern about eavesdropping on and tampering with DNS traffic. DNS itself dates from the 1980s, and until recently DNS queries between an application and its resolver travelled in plain text over UDP or TCP port 53, using the resolver settings supplied by the network or the ISP (Internet Service Provider).
DoH sends DNS queries disguised as ordinary HTTPS traffic to servers that support the protocol, called DoH resolvers. Both the query and the response are carried inside the TLS session, so an on-path observer cannot read or alter them.
In short, DoH is a protocol for exchanging DNS messages with a resolver over HTTPS. It uses the encryption of HTTPS to hide the DNS query and response from anyone between the client and the resolver, which improves online privacy.
Popular DoH clients include Google Chrome, Mozilla Firefox and Microsoft Edge, all of which support DoH for data protection and user privacy.
How does DNS over HTTPS work?
Before going into how DoH works, let's look at how traditional DNS works.
Every website is hosted on a web server, and every web server has an IP address. To reach a website, the client first needs that IP address, and this is where DNS servers come in: a DNS server converts the hostname, for instance xyz.com in https://xyz.com, into the corresponding IP address.
When a user enters a hostname into the browser, the browser sends a DNS query to its configured DNS resolver. If the resolver does not already know the answer, it starts at the root name servers. The root servers do not hold records for individual sites; they refer the resolver to the top-level domain (TLD) servers responsible for .com, .org, .edu and so on.
The resolver then queries the TLD server, which returns the addresses of the authoritative name servers for the requested domain. Finally, the resolver queries one of those authoritative servers, which returns the IP address of the website, and the resolver passes that answer back to the client.
The browser can then submit an HTTP or HTTPS request to that IP address, allowing the user to reach the requested website. Caching at the resolver and the client short-circuits this procedure in most cases, but this is the core of how traditional DNS works.
Differences Between DoH And DNS
DNS over HTTPS resolves names exactly as DNS does; what changes is the transport. There are two main differences between DoH and traditional DNS.
The first is that DNS messages are encrypted inside an HTTPS session rather than sent in plain text over port 53. DoH requests travel over port 443 like regular HTTPS web traffic. Both the client (for example the browser) and the resolver must support DoH for it to work.
The second difference is where the query is visible. A DoH resolver still receives the full name the browser wants to resolve, but the browser chooses which resolver that is (for example Cloudflare, Google or Quad9) rather than the one handed out by the local network. A related technique often mentioned alongside DoH, QNAME minimisation, is what limits how much of a name the upstream servers see: when a browser asks for https://xyz.com, the resolver asks the root servers only about the .com portion and the .com servers only about xyz.com, instead of sending the full name to every server in the chain. QNAME minimisation is a resolver feature, not part of DoH, and it does not hide the full name from the DoH resolver itself.
Standard DNS vs DNS over HTTPS
Without a filtering solution in the path, standard DNS traffic is exposed to man-in-the-middle (MITM) attacks because it travels in plain text: anyone on the path can read the queries and forge the responses.
Privacy is the concern DoH was built to address, and it improves it by encrypting DNS inside TLS, which also protects the exchange between the browser and the resolver against MITM tampering.
Once DoH is enabled, nobody on the network path can read or modify the DNS requests between the browser and the DoH resolver. The resolver itself still sees every query, so the choice of resolver matters.
DNS over HTTPS (DoH) vs DNS over TLS (DoT)
Both DoH (DNS over HTTPS) and DoT (DNS over TLS) serve the same purpose: encrypting DNS traffic between the client and the resolver.
The practical difference is visibility. DoT runs on its own dedicated port, so network administrators can identify it (and block or allow it) even though its contents are encrypted. DoH travels on port 443 mixed in with ordinary HTTPS traffic, so it is much harder to tell apart from web browsing, which can be a problem for organisations that rely on DNS filtering.
The other significant difference is therefore the port: DoH uses port 443, the port for all HTTPS communication, whereas DoT uses its own dedicated TLS port, 853.
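The following Python script is added here as a worked example for the "Differences Between DoH And DNS" and "DoH vs DoT" sections; it is not code from the original article. It builds a real RFC 8484 DoH request for xyz.com, shows the same wire-format message framed the way DoT sends it, and parses a constructed DNS response. The Cloudflare endpoint URL is the only real identifier; the response bytes and the 192.0.2.x addresses are made up for the example and nothing is sent over the network.

```python
"""Build an RFC 8484 DoH request and parse the DNS answer it would return.

Added example, not part of the original article. Nothing is sent over the
network: SAMPLE_RESPONSE is a constructed DNS message, not a real answer.
"""
import base64
import struct

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"      # Cloudflare's public DoH URL
DOH_HEADERS = {"Accept": "application/dns-message",         # media type from RFC 8484
               "Content-Type": "application/dns-message"}   # (Content-Type is for POST)


def encode_qname(name: str) -> bytes:
    """Encode 'xyz.com' as DNS labels: b'\\x03xyz\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query (RFC 1035); the same bytes go over UDP/53, DoT or DoH.

    ID 0 is what RFC 8484 recommends for DoH so HTTP caches can reuse the
    reply; flags 0x0100 = standard query, recursion desired."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(query: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """DoH GET: base64url-encode the message and drop '=' padding (RFC 8484 s6)."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={token}"


def dot_frame(query: bytes) -> bytes:
    """DoT (RFC 7858) sends the same bytes over TLS port 853 behind a 2-byte length."""
    return struct.pack("!H", len(query)) + query


def read_name(msg: bytes, off: int) -> tuple:
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                 # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                       # resume after the pointer
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(msg: bytes) -> list:
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not (flags & 0x8000) or (flags & 0x000F):    # QR must be set, RCODE must be 0
        raise ValueError("not a successful DNS response")
    off = 12
    for _ in range(qd):                             # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:               # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


# Constructed response (not real data): xyz.com A -> 192.0.2.10, 192.0.2.11 (TEST-NET-1).
# 0xc00c is a compression pointer back to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 2, 0, 0)
    + encode_qname("xyz.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 11])
)

if __name__ == "__main__":
    q = build_query("xyz.com")
    print("GET", doh_get_url(q))
    print("DoT frame:", dot_frame(q).hex())
    print("answers:", parse_a_records(SAMPLE_RESPONSE))
```

The printed GET URL is a valid DoH request; fetching it with a client that sends `Accept: application/dns-message` returns a real answer in the same wire format that `parse_a_records` decodes. The script also makes the visibility point concrete: the DNS message is identical in all three transports, and for DoH only the path and the content type distinguish it from any other HTTPS request, both of which sit inside the TLS tunnel.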
Enabling DoH in web browsers
Most well-known browsers support DoH and use it to give their users better privacy. Once DoH is enabled, the DNS traffic leaving the browser is encrypted and cannot be read on the network. Some of the most popular browsers supporting DoH are Google Chrome, Mozilla Firefox, Microsoft Edge and Brave. The steps to enable DoH in each of them follow.
Google Chrome
How do you enable DNS over HTTPS on Chrome?
- Open Google Chrome.
- Click the three-dot menu in the upper right corner of the browser.
- Open Settings.
- Go to Privacy and security.
- Click Security.
- Scroll down and enable Use secure DNS.
This enables DNS over HTTPS in Chrome.
Mozilla Firefox
How do you enable DNS over HTTPS on Mozilla Firefox?
- Open Mozilla Firefox.
- Click the menu button (three horizontal lines) in the upper right corner of the browser.
- Click Settings.
- Go to General.
- Scroll down to Network Settings.
- Click Settings.
- Scroll down and tick Enable DNS over HTTPS.
Microsoft Edge
How do you enable DNS over HTTPS on Microsoft Edge?
- Open Microsoft Edge.
- Click the three-dot menu in the upper right corner.
- Click Settings.
- Go to Privacy, search, and services.
- Scroll down to Security.
- Enable the Use secure DNS option.
- Choose your preferred DNS provider; for example, select Cloudflare (1.1.1.1).
Brave
How do you enable DNS over HTTPS on Brave?
- Open Brave.
- Go to Settings.
- In the menu on the left, scroll down and click Additional settings.
- Click Privacy and security.
- Click Security.
- Enable the Use secure DNS option.
To choose a custom DNS provider, select the With option and pick a provider from the drop-down menu, for example Cloudflare (1.1.1.1).
This way, you can enable DoH and choose your own DNS provider.
How to check if a browser is configured with DoH or not?
You can check whether your browser is actually using DoH with these steps:
- Open the browser you want to check.
- Type https://1.1.1.1/help in the address bar.
- Check that the row "Using DNS over HTTPS (DoH)" reads Yes.
This page reports how the query reached Cloudflare's resolver, so it is only meaningful when Cloudflare is the resolver you configured; other providers offer their own test pages. If the page shows No, go back through the steps above for your browser.
How do you enable DNS over HTTPS in Windows 10 settings?
Enabling DoH in the browser only protects the browser's own lookups; every other application on the machine still uses the operating system's resolver. Enabling DoH at the operating system level covers all users and applications at once, without configuring each one separately. Windows 10 is one of the most widely used operating systems, so the steps below show how to enable DoH there:
- Open Settings on the Windows 10 machine.
- Go to Network & Internet.
- Under Status, select the connection you use and open its Properties.
- Under IP settings, click Edit.
- Switch from Automatic (DHCP) to Manual and turn IPv4 on.
- Enter the preferred and alternate DNS server addresses of your chosen provider.
Windows 10 currently has built-in support for these DoH providers:
- Cloudflare: Primary 1.1.1.1, Alternate 1.0.0.1
- Google: Primary 8.8.8.8, Alternate 8.8.4.4
- Quad9: Primary 9.9.9.9, Alternate 149.112.112.112
For Preferred DNS encryption and Alternate DNS encryption, select Encrypted only (DNS over HTTPS). The Encrypted only option is only offered on Windows builds whose DNS client supports DoH; if it is missing, use the registry method below. To configure IPv6, repeat the same steps for IPv6.
IPv6 addresses
For IPv6, these are the primary and secondary addresses supported on Windows 10:
- Google: Primary 2001:4860:4860::8888, Secondary 2001:4860:4860::8844
- Cloudflare: Primary 2606:4700:4700::1111, Secondary 2606:4700:4700::1001
- Quad9: Primary 2620:fe::fe, Secondary 2620:fe::fe:9
How do you enable DoH in the Windows 10 registry?
In Windows 10, DoH can be enabled in two ways: through the Settings app, as above, or through the Windows registry. The registry method works as follows.
Follow these steps to enable DoH:
- Open Registry Editor (regedit) on the machine.
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters.
- Create a DWORD (32-bit) value named EnableAutoDoh and set its data to 2.
- Restart the Windows 10 machine.
Windows 10 currently has three built-in DoH providers: Google, Cloudflare and Quad9. After the restart, set the network adapter's Preferred and Alternate DNS server addresses to one of those providers, using the addresses listed above.
Change the entries in the adapter's Internet Protocol Version 4 (TCP/IPv4) properties to one of the three providers, and repeat for IPv6 if necessary. With EnableAutoDoh set, Windows automatically upgrades queries to those well-known resolver addresses to DoH.
Benefits of DNS over HTTPS (DoH)
DoH has many benefits. The most important is that it hides users' online activity by encrypting name-resolution traffic. Every visit to a domain entered in the browser starts with a DNS query that turns the domain name into an IP address.
Unless the DNS server is on the local network, that query passes through the ISP's (Internet Service Provider's) network and every router between the client and the DNS server. The ISP can see these requests and, by monitoring them, can tell which sites a user visits and much more.
DoH hides the name-resolution request from the ISP and from every other party on the path; only the chosen DoH resolver sees it. This is how DoH shields users.
It also blunts man-in-the-middle (MITM) and spoofing attacks on the path, because the exchange between the browser and the resolver is encrypted and authenticated by TLS: an attacker on the network can no longer rewrite the answer to send the browser to a malicious site. It does not, however, stop a compromised or dishonest resolver from returning wrong answers, so the resolver must be chosen carefully.
Additional Benefits Of DoH
Some of the benefits of switching from regular DNS to DoH:
- Your organisation's data privacy and security improve if DoH is enabled properly.
- You can test whether your DNS traffic filtering solution is compatible with DoH.
- You can find out ahead of time how DoH behaves on your networks and fix any problems before the protocol becomes the default.
- Your feedback helps software vendors improve their products, which benefits you in the long run.
Limitations of DNS over HTTPS
- Queries may be blocked, or produce false security alerts, if the system administrator is unfamiliar with DoH and similar protocols.
- DoH will not deliver its benefits if the DNS traffic filtering solution does not work correctly with it or cannot integrate with it.
- It bypasses any DNS filtering your network uses for security and visibility, because the queries no longer pass through the network's resolver.
- It splits the machine's behaviour: the browser's queries go to one recursive resolver while the rest of the system follows the network settings, so the browser and other applications may resolve the same name differently.
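To show what the visibility difference between DoT and DoH (from the "DoH vs DoT" section) and the filtering bypass in the list above look like from the network side, here is an added Python example; it is not code from the original article. It scans constructed connection records, in the style of Zeek's conn and ssl logs, for DoT on port 853, DoH to the public resolvers listed on this page, and plain-text DNS that bypasses an assumed internal resolver at 10.0.0.53. The log lines, the client addresses and the internal resolver address are made up for the example; the resolver IP addresses and TLS server names are those providers' published values.

```python
"""Flag encrypted-DNS and resolver-bypass connections in connection logs.

Added example, not part of the original article. The records in SAMPLE_LOG
are constructed; their field names mimic Zeek's conn/ssl logs (id.orig_h,
id.resp_h, id.resp_p, server_name) but no real log is read.
"""
import ipaddress
import json
from typing import Optional

# Public DoH/DoT resolvers named on this page (Cloudflare, Google, Quad9).
KNOWN_RESOLVER_IPS = {ipaddress.ip_address(a) for a in (
    "1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001",
    "8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "2001:4860:4860::8844",
    "9.9.9.9", "149.112.112.112", "2620:fe::fe", "2620:fe::fe:9",
)}
# TLS server names (SNI) of those providers' DoH endpoints.
KNOWN_DOH_SNI = {"cloudflare-dns.com", "one.one.one.one", "dns.google", "dns.quad9.net"}
# Assumed internal filtering resolver that clients are supposed to use (made up).
INTERNAL_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}


def classify(record: dict) -> Optional[str]:
    """Return a verdict for one connection record, or None if it looks benign."""
    try:
        dst = ipaddress.ip_address(record.get("id.resp_h", ""))
    except ValueError:
        return None                         # malformed address: nothing to judge
    port = int(record.get("id.resp_p", 0))
    sni = (record.get("server_name") or "").lower().rstrip(".")

    if port == 853:                         # DoT: dedicated port, trivially visible
        return "DoT (port 853)"
    if port == 443 and (dst in KNOWN_RESOLVER_IPS or sni in KNOWN_DOH_SNI):
        return "DoH to public resolver"     # only the destination gives it away
    if port == 53 and dst not in INTERNAL_RESOLVERS and not dst.is_private:
        return "plaintext DNS to external resolver"
    return None


def scan(lines) -> list:
    """Parse JSON lines and return (client, destination, verdict) for each hit."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        verdict = classify(rec)
        if verdict:
            hits.append((rec.get("id.orig_h"), rec["id.resp_h"], verdict))
    return hits


# Constructed records (not real traffic); 198.51.100.7 is a TEST-NET-2 address.
SAMPLE_LOG = """
{"id.orig_h": "10.0.0.5", "id.resp_h": "1.1.1.1", "id.resp_p": 443, "server_name": "cloudflare-dns.com"}
{"id.orig_h": "10.0.0.6", "id.resp_h": "8.8.8.8", "id.resp_p": 53}
{"id.orig_h": "10.0.0.7", "id.resp_h": "9.9.9.9", "id.resp_p": 853}
{"id.orig_h": "10.0.0.8", "id.resp_h": "198.51.100.7", "id.resp_p": 443, "server_name": "example.com"}
{"id.orig_h": "10.0.0.9", "id.resp_h": "10.0.0.53", "id.resp_p": 53}
{"id.orig_h": "10.0.0.10", "id.resp_h": "2001:4860:4860::8888", "id.resp_p": 443, "server_name": ""}
"""

if __name__ == "__main__":
    for client, dst, verdict in scan(SAMPLE_LOG.splitlines()):
        print(f"{client} -> {dst}: {verdict}")
```

The last record is the instructive one: a DoH session to Google's resolver with no server name in the TLS handshake is caught only because the destination address is on a known list. DoH to a resolver you have never heard of looks exactly like the example.com connection, which is why a network policy that relies on DNS filtering also needs either a list of resolvers to block or a DoH-capable resolver of its own.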
Is DoH slower?
DoH trades some speed for security and privacy: the HTTPS session has to be set up and every message encrypted and decrypted, so it is common for it to take longer than unencrypted DNS.
Of the encrypted DNS protocols, DoH generally adds the most overhead per query, but in practice the difference between encrypted and unencrypted page-load times is slim.
How can encrypted DNS be made faster?
With privacy and online activity under scrutiny, developers keep looking for ways to safeguard users without slowing them down. DoH can make connections measurably slower, but that is not the case for every encrypted DNS protocol.
The other widely deployed variant is DNS over TLS (DoT), which carries DNS messages directly over TLS, the successor to SSL (Secure Sockets Layer), on port 853.
DoH and DoT do the same job with minor differences: both encrypt DNS traffic and keep communication private. DoT carries each message with only a two-byte length prefix, whereas DoH adds HTTP framing on top, so DoT is often the lighter of the two. Measurements vary by client and network, though: one study found that the relative performance of DoT, DoH and unencrypted DNS depends on the client, and that no protocol excels in all situations.
Conclusion
DoH is still maturing, and security products are evolving around it. Plain-text DNS will not disappear overnight, but as DoH adoption grows, enterprise policies will increasingly have to account for DoH queries and DoH traffic, both to benefit from the added security and to keep visibility into name resolution on their networks.