
What is DNS over HTTPS (DoH): Meaning, Benefits and Risks



What is DNS over HTTPS (DoH)

DNS over HTTPS (DoH) is a protocol for performing DNS resolutions via the HTTPS protocol. It encrypts DNS queries to prevent eavesdropping and manipulation. DoH also provides privacy benefits by hiding DNS queries from network operators. The protocol uses standard HTTPS ports (443) and connections to send DNS queries over an encrypted TLS channel. Web browsers and operating systems have started supporting DoH to improve security and privacy.

However, because the DNS traffic is encrypted, DoH also raises challenges around caching, monitoring, and content filtering. Overall, DoH aims to improve DNS security and privacy against threats such as eavesdropping, manipulation, and censorship, while surfacing new policy and technical considerations around the management of encrypted DNS traffic.

Key Takeaways

  • DNS over HTTPS (DoH) encrypts DNS queries and responses using HTTPS to increase privacy and security.
  • DoH prevents DNS spoofing attacks and hides DNS queries from network providers to protect privacy.
  • Major browsers like Chrome, Firefox, and Edge support DoH, and popular resolver services such as Cloudflare and Google Public DNS provide it.
  • DoH can bypass filters and controls organizations use to block malicious sites or enforce policies. This causes concerns about its risks.
  • DoH’s benefits include improved security, privacy, performance, and DNS accessibility. Risks relate to bypassing filters and losing visibility over DNS traffic.
  • Organizations can mitigate the risks of DoH by using enterprise certificates, running an internal DoH server, or inspecting HTTPS traffic.

How Does DNS over HTTPS Work?

Traditional DNS uses port 53 to send queries and responses as plain text with no encryption. This allows DNS traffic to be read or modified by attackers on the network path.

DNS over HTTPS instead transmits DNS messages within HTTPS requests and responses, similar to accessing a webpage over HTTPS. It uses TCP port 443 to blend in with normal HTTPS web traffic.

The benefits of using HTTPS for DNS data include:

  • Encryption: Prevent snooping or tampering with DNS queries and responses
  • Integrity: HTTPS protections detect tampering like man-in-the-middle attacks
  • Authentication: Confirm the DNS data comes from the trusted DNS server
  • Privacy: Hide DNS queries from network providers and snoopers

DoH encapsulates DNS messages within HTTPS POST requests to a DoH-enabled server such as Cloudflare or Google DNS. The DoH server performs the DNS resolution and returns the result within an HTTPS response.

DoH encapsulates DNS queries within HTTPS to encrypt traffic and enhance privacy.

This process occurs automatically. Browsers and apps with DoH support send DNS queries over HTTPS rather than as plain-text UDP packets.

On the DNS server side, resolver services like Cloudflare and Google Public DNS include front ends that speak the DoH protocol. DNS server software such as BIND and Unbound can also be configured to serve DoH.
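To make the encapsulation concrete, here is an added example (not code from the original page) that builds the wire-format DNS query a DoH client sends, frames it as the RFC 8484 POST and GET forms described above, and parses the answer that comes back in the HTTPS response body. The resolver hostname `doh.example` and the sample response bytes are constructed for this example.

```python
import base64
import struct

# Constructed example, not code from the original page: build the wire-format DNS query a
# DoH client sends, frame it as RFC 8484 POST and GET requests, and parse the answer body.
DOH_HOST = "doh.example"   # assumed resolver hostname (placeholder)
DOH_PATH = "/dns-query"    # path served by public RFC 8484 resolvers

def build_query(name: str, qtype: int = 1) -> bytes:
    """DNS header + QNAME labels + QTYPE/QCLASS. ID is 0, as RFC 8484 recommends."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    labels = [bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")]
    return header + b"".join(labels) + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_post_request(query: bytes) -> bytes:
    """Raw HTTP/1.1 POST (carried inside TLS on port 443) with the DNS message as body."""
    head = (f"POST {DOH_PATH} HTTP/1.1\r\nHost: {DOH_HOST}\r\n"
            "Content-Type: application/dns-message\r\nAccept: application/dns-message\r\n"
            f"Content-Length: {len(query)}\r\n\r\n")
    return head.encode() + query

def doh_get_path(query: bytes) -> str:
    """GET form: the message travels base64url-encoded, without padding, in ?dns=."""
    return f"{DOH_PATH}?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def parse_a_records(msg: bytes) -> list[str]:
    """Return IPv4 answers from a wire-format response (handles name compression)."""
    qd, an = struct.unpack("!HH", msg[4:8])
    pos = 12
    for _ in range(qd):                  # skip the echoed question section
        while msg[pos] != 0:
            pos += msg[pos] + 1
        pos += 5                         # root label + QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        while msg[pos] != 0 and msg[pos] & 0xC0 != 0xC0:   # skip NAME labels
            pos += msg[pos] + 1
        pos += 2 if msg[pos] & 0xC0 == 0xC0 else 1         # pointer or root label
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return addrs

# Constructed response body for build_query("example.com"): one A record, TTL 300.
SAMPLE_RESPONSE = bytes.fromhex("000081800001000100000000" "076578616d706c6503636f6d0000010001"
                                "c00c000100010000012c0004c0000201")
```

Everything after the TLS handshake, including the URL path, the `dns=` parameter and the body, is encrypted, which is why a network observer sees only a TLS session to port 443.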

Major Implementations of DNS over HTTPS

DNS over HTTPS is being adopted rapidly across major browsers, operating systems, apps, and DNS services:

Browser Support

  • Google Chrome: DoH is enabled by default for US users on Chrome 79+ for supported configurations. It was rolled out to other regions, such as Canada, the UK, France, Germany, and Japan, in Chrome 83.
  • Mozilla Firefox: In partnership with Cloudflare, Mozilla Firefox 83+ now automatically enables DoH for US users. It is also rolling out to other countries.
  • Microsoft Edge: Released DoH support in Edge 83 for Windows and macOS using Cloudflare or Google DNS servers. It’s not enabled by default yet.
  • Apple Safari: Implements DoH on macOS 11.3+ and iOS 14.5+, and it is enabled by default for Siri requests. It uses the DNS servers and profiles provided by the network.

Operating Systems

  • Android 9+: Supports DoH system-wide when enabled, using Google Public DNS over HTTPS. It is not yet on by default.
  • Windows 10 v1909+: DoH can be enabled system-wide with the Cloudflare or Google DNS resolvers, but it is off by default.
  • ChromeOS: Enables DoH for Chrome browser traffic. System-wide activation is planned.

Apps and Services

  • Cloudflare: Operates a public DoH resolver at 1.1.1.1. It also offers origin server support and an enterprise DNS gateway.
  • Google: Provides a DNS over HTTPS resolver at 8.8.8.8. It is integrated with the Chrome browser and Android OS.
  • Quad9: A cybersecurity-focused public DoH resolver available at 9.9.9.9 and 149.112.112.112.
  • OpenDNS: An enterprise DNS provider that supports DoH as an option for clients and internal resolvers.
  • AWS, Azure, etc.: Major cloud providers offer DoH compatibility within their platforms and services.

This wide adoption means DoH usage is accelerating rapidly. By defaulting to DoH in major browsers, a large portion of DNS traffic is now encrypted for improved privacy and security.

What are the Benefits of Using DNS over HTTPS

There are several significant benefits to the DNS over HTTPS approach:

Enhanced Privacy

DoH prevents network providers and snoopers from observing DNS queries, which can reveal a lot about a user’s activity and interests. For example, an ISP can see every domain you look up and every connection you make.

By tunneling DNS within HTTPS, the full request, including its URL path and the DNS data, is encrypted. This protects privacy and hides DNS queries from network-level surveillance.

Better Security

Encrypting DNS queries and responses protects against surveillance, man-in-the-middle attacks, and DNS spoofing. Valid certificates confirm the identity of the DoH server.

This prevents malicious actors from hijacking or altering DNS traffic to redirect victims to phishing sites or intercept credentials.

Bypasses Censorship and Blocking

Authoritarian regimes commonly block or alter DNS lookups to websites they want to censor, such as news outlets. Circumventing these controls is a benefit for users in these regions.

Some restrictions in democratic countries, such as UK site-blocking orders, may also be bypassed by DoH, for better or worse.

Improved Performance

DoH uses persistent HTTP keepalive connections rather than UDP. This can result in faster DNS lookups, especially on poor mobile networks where UDP packets are often dropped.

Better Accessibility

Relying on HTTPS connectivity makes DoH more robust on restrictive networks. Many public WiFi networks block UDP port 53 for DNS but allow TCP port 443 connections.

DoH also adds redundancy, as DNS can fall back to HTTPS rather than failing if UDP is blocked. This enhances the accessibility of DNS.

Prevents DNS Hijacking

There have been instances of DNS hijacking by state-backed groups targeting telecom providers and ISPs. DoH’s encryption helps protect against attacks on DNS infrastructure that aim to block access or redirect traffic.

Concerns and Risks With DNS over HTTPS

While DoH brings meaningful benefits, it also introduces some risks and tradeoffs:

Bypasses Organizational Security Controls

Businesses, schools, and networks often use on-premise DNS filtering to implement security policies and block access to malicious sites, adult content, etc. However, clients can potentially bypass these controls by tunneling through DoH.

This can reduce visibility over end-user activity and weaken enforcement of acceptable usage policies for devices on the network.

Circumvents Parental Controls

In a similar vein to the above, parents relying on DNS-based parental control software could find children bypassing blocked categories using browsers with DoH enabled.

Loss of DNS Query Visibility

IT teams often monitor DNS queries to detect security events, analyze traffic, and identify problems. DoH encryption prevents this passive monitoring of DNS requests on the network.

Router-Based DNS Functionality Breaks

Consumer routers and devices often rely on observing DNS queries to implement value-added features like parental controls, site blocking, ad blocking, and more. DoH breaks this functionality.

Facilitates Data Exfiltration

The encryption provided by DoH could assist insider threats and malware in covertly exfiltrating data over DNS. Traditional DNS monitoring would catch unusual volumes of traffic.

Reliance on Potentially Less Trustworthy DNS Providers

Shifting DNS resolution to third parties like Google and Cloudflare places trust in their infrastructure and policies. Some view this as inherently more risky than on-premise DNS.

How Organizations Can Manage the Risks of DoH

For organizations that want to utilize DoH while balancing the need for visibility and control, there are solutions to mitigate the potential risks:

Deploy Internal DoH Servers

Run an internal DoH server like BIND or Unbound configured with organizational certificates. Through policy, clients can be directed to use this enterprise DoH resolver, which maintains encryption while retaining DNS query visibility.

Utilize Enterprise Certificates

Configure clients to only accept DoH connections to internally trusted certificate authorities or locally installed enterprise certs. This prevents them from using external DoH servers.

Inspect HTTPS Traffic

Run HTTPS inspection capabilities on corporate proxies and firewalls to decrypt and scan DoH traffic for policy enforcement. This can mitigate some risks around visibility.

Disable DoH on Endpoints

Disable DoH at the OS level on endpoints through device management systems and network agents. This forces DNS to fall back to plain text for corporate monitoring.

Block DoH Protocols

As a last resort, block TCP port 443 connections to public DoH IP addresses via firewall policies to prevent external DoH usage. This retains visibility but sacrifices encryption.

Shift to Endpoint-Based Controls

For wider endpoint management, implement agent-based restrictions and blocking on devices rather than network controls. This allows DoH to be adopted while policies are still enforced.

Isolate Guest Networks

Segment guest networks and BYOD and IoT devices away from internal resources. Limit trusted access and enforce controls at these boundaries. This reduces the risk from DoH-enabled clients.

Monitor Broader HTTPS Traffic

Expand HTTPS inspection and certificate checks beyond DNS-specific tools. To retain visibility, look for patterns of DoH usage within overall HTTPS flows.
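Building on the "Deploy Internal DoH Servers" and "Monitor Broader HTTPS Traffic" recommendations, here is an added example (not from the original page) that scans proxy and flow log lines for signs of DoH use and reports the clients that are not using the sanctioned resolver. The public resolver addresses come from this article; the DoH hostnames, the internal resolver address `10.0.0.53`, and the log format are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed example, not code from the original page: scan proxy/flow log lines for
# signs of DoH use and report the clients that bypass the enterprise resolver. The resolver
# IPs are from the article; the DoH hostnames, the internal resolver address and the log
# format are assumptions made for this example.
PUBLIC_DOH_IPS = {"1.1.1.1", "8.8.8.8", "9.9.9.9", "149.112.112.112"}
DOH_HOSTNAMES = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}   # assumed
INTERNAL_DOH = "10.0.0.53"                                              # assumed
LOG_RE = re.compile(r"src=(\S+) dst=(\S+):(\d+) sni=(\S*) ctype=(\S*) path=(\S*)")

def doh_indicators(line: str):
    """Return (src, indicators) for one log line; indicators is empty when none apply."""
    m = LOG_RE.search(line)
    if not m:
        return None, []
    src, dst, port, sni, ctype, path = m.groups()
    if port != "443" or dst == INTERNAL_DOH:      # sanctioned resolver: not a finding
        return src, []
    hits = []
    if dst in PUBLIC_DOH_IPS:
        hits.append("public-doh-ip")              # works on plain flow logs
    if sni in DOH_HOSTNAMES:
        hits.append("doh-sni")                    # TLS ClientHello SNI, no decryption needed
    if ctype == "application/dns-message":
        hits.append("dns-message-ctype")          # only visible with HTTPS inspection
    if path.startswith("/dns-query"):
        hits.append("dns-query-path")             # only visible with HTTPS inspection
    return src, hits

def clients_using_doh(lines) -> dict:
    """Aggregate indicators per source host so IT can follow up client by client."""
    report = defaultdict(set)
    for line in lines:
        src, hits = doh_indicators(line)
        if hits:
            report[src].update(hits)
    return dict(report)

# Constructed log lines: a public resolver, the internal resolver, an unknown DoH
# endpoint that only inspection reveals, and ordinary web traffic.
SAMPLE_LOG = [
    "src=10.1.1.20 dst=1.1.1.1:443 sni=cloudflare-dns.com ctype= path=",
    "src=10.1.1.21 dst=10.0.0.53:443 sni=doh.corp.example ctype=application/dns-message path=/dns-query",
    "src=10.1.1.22 dst=203.0.113.9:443 sni=doh.example ctype=application/dns-message path=/dns-query",
    "src=10.1.1.23 dst=198.51.100.7:443 sni=www.example.com ctype=text/html path=/index.html",
]
```

The third line shows why IP blocklists alone are not enough: a resolver that is not on the list is only recognisable from the content type and path, which an organisation sees only if it inspects HTTPS traffic.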

Embrace DoH But Control Access

Recognize DoH’s benefits for security and performance. Develop policies and tools to control its usage selectively where needed, rather than blocking it outright.

Final Thoughts

DNS over HTTPS represents a major evolution in securing Domain Name System traffic. By encrypting DNS queries and responses within HTTPS connections, DoH protects privacy, prevents tampering, and circumvents censorship.

Mass adoption by browsers and operating systems is driving the rapid growth of DoH. However, these security benefits come with potential tradeoffs around visibility and control for organizations.

IT teams should balance enabling DoH for performance and privacy with providing the necessary protections. Deploying internal DoH resolvers, inspecting HTTPS traffic, and shifting to endpoint-based controls can help organizations adopt DoH while managing the associated risks.

The future is moving strongly toward encrypted protocols like DoH becoming the standard for Internet foundational technologies like DNS. Organizations that plan and embrace this transition will be best positioned for the future.

FAQs About DNS over HTTPS (DoH)

What is DNS over HTTPS (DoH)?

DNS over HTTPS (DoH) encrypts DNS queries and responses by tunneling them through HTTPS connections instead of sending them as plain text. This protects privacy and security.

How does DoH enhance privacy?

DoH hides DNS queries from network providers by encrypting them within HTTPS traffic, improving privacy by preventing tracking of sites you visit.

Does DoH prevent DNS spoofing?

Yes, the cryptographic protections of HTTPS certificates prevent man-in-the-middle attacks and spoofing that are possible with plain text DNS queries.

Will DoH bypass my organization’s web filter?

Yes. DoH encryption can prevent on-network devices from seeing the DNS requests they rely on to block malicious or unauthorized sites.

Can DoH be used maliciously for data exfiltration?

Theoretically, yes, but in practice, DoH is not an effective method for large-scale data exfiltration compared to covert channels.

Is DoH going to completely replace traditional DNS?

Not completely, as many servers and non-DoH clients will still use traditional DNS. However, DoH is becoming the preferred method for DNS privacy and security.

What are the risks of relying on DoH providers like Cloudflare?

The main risks include trusting third parties for DNS resolution and losing visibility into queries. However, public DoH providers offer high levels of reliability, performance, and threat intelligence.

Priya Mervana


Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.