CyberSecurity SEE

DNS over HTTPS (DoH)

DNS over HTTPS (DoH) is a protocol that aims to enhance online privacy by encrypting domain name system (DNS) traffic. It achieves this by passing DNS queries through a secure, encrypted session using Hypertext Transfer Protocol Secure (HTTPS). The goal of DoH is to hide DNS queries from view and increase data privacy and security for users. Popular web browsers such as Mozilla Firefox, Microsoft Edge, and Google Chrome have implemented support for encrypted DoH.

To understand how DoH works, one must first grasp how regular DNS functions. Websites are hosted on web servers, each of which has an associated Internet Protocol (IP) address. When a browser wants to access a website, it needs to determine the site’s IP address, and this is where DNS plays a crucial role. A DNS server’s purpose is to convert a hostname, such as “whatis.com,” into an IP address: DNS maps the name of a website to the IP address a computer uses to locate it.

When a user enters a hostname into their browser, the request is sent to a recursive resolver. If the resolver does not already know how to resolve the query, it passes the request to a root name server. The root server handles top-level domains such as “.com,” “.org,” or “.edu,” and it returns the address of the appropriate top-level DNS server to the resolver. If the user is trying to access a “.com” site, the root server would provide the address of the “.com” top-level domain server. The resolver then sends the request to that DNS server, which returns the IP address of the website the user is trying to access. The browser can then issue an HTTP or HTTPS request to that IP address and load the requested website.

DoH works similarly to regular DNS, with two key differences. First, DNS requests in DoH are encapsulated within an HTTPS session, using port 443. Both the browser and the DNS server must support DoH for it to function. Second, DoH aims to minimize the information transmitted during DNS queries. It sends only the portion of the domain name necessary for the current step in the name resolution process, rather than the full domain name. For example, the DNS root does not need to know that the user’s browser is trying to resolve “whatis.com.” It only needs to know that the browser is trying to resolve a “.com” address.
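The encapsulation described above is what RFC 8484 specifies: the same wire-format DNS message that would normally travel over UDP port 53 is carried in an HTTPS request, either base64url-encoded in a `dns` GET parameter or sent raw as a POST body with the `application/dns-message` content type. The following added example (not code from the article or from any browser or resolver vendor) builds a query for the article’s “whatis.com,” shows both HTTP forms, and parses a constructed response. The endpoint `https://doh.example.net/dns-query` is a placeholder, and no network request is made; the response bytes are constructed locally so the example runs offline.

```python
import base64
import struct

# Placeholder resolver endpoint (assumption for the example, not from the article)
DOH_ENDPOINT = "https://doh.example.net/dns-query"


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a wire-format DNS query (RFC 1035). qtype 1 = A record.
    RFC 8484 recommends a zero transaction ID so HTTP caches can reuse answers."""
    flags = 0x0100  # standard query, recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT = 1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def doh_get_url(endpoint: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url without '=' padding in the 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def doh_post_request(endpoint: str, query: bytes) -> dict:
    """RFC 8484 POST form: the raw DNS message is the request body."""
    return {
        "method": "POST",
        "url": endpoint,
        "headers": {"Content-Type": "application/dns-message",
                    "Accept": "application/dns-message"},
        "body": query,
    }


def _read_name(msg: bytes, offset: int):
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_a_records(msg: bytes) -> list:
    """Return IPv4 addresses from the answer section of a DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        _, offset = _read_name(msg, offset)
        offset += 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def constructed_response(query: bytes, ip: str) -> bytes:
    """Constructed sample response (not captured traffic): echoes the question
    and adds one A record whose name is a pointer back to offset 12."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA
    question = query[12:]
    rdata = bytes(int(p) for p in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


if __name__ == "__main__":
    q = build_dns_query("whatis.com")
    print(doh_get_url(DOH_ENDPOINT, q))
    print(parse_a_records(constructed_response(q, "192.0.2.10")))
```

Everything after the URL or the POST body is ordinary HTTPS, which is why a network observer sees only a TLS session to port 443 and not the name being resolved.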

There are several benefits to using DoH. The primary advantage is that encrypting DNS name resolution traffic helps hide online activities. In the traditional DNS setup, name resolution requests pass in cleartext through the internet service provider’s network and any intermediate routers, making them visible to potential eavesdroppers. DoH obscures these requests from ISPs and anyone monitoring intermediary networks, enhancing privacy. DoH also helps prevent DNS spoofing and man-in-the-middle attacks by encrypting the session between the browser and the DNS server, making it difficult for attackers to alter resolution results or redirect users to fraudulent websites.

Despite the advantages, DoH has faced criticism and controversy. Comcast and other opponents have raised concerns that it concentrates DNS data with companies like Google, potentially giving them control over internet traffic routing and access to substantial amounts of consumer and competitor data. In enterprise settings, DoH can pose challenges as it encrypts name resolution requests, creating blind spots for security monitoring. Businesses often use DNS monitoring to block access to malicious or inappropriate sites and detect malware attempts. DoH may disrupt these monitoring practices.
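Because DoH removes the cleartext port-53 traffic that enterprise DNS monitoring relies on, defenders typically look for its footprint elsewhere: TLS sessions or proxy requests to known public DoH resolvers, the RFC 8484 `/dns-query` path, the `dns=` GET parameter, or the `application/dns-message` content type. The following added example (not from the article) runs such checks over a few constructed web-proxy log lines. The log format, the hosts `doh.example.net` and `www.example.com`, and the client addresses are constructed for the example; `cloudflare-dns.com`, `mozilla.cloudflare-dns.com` and `dns.google` are real public resolver hostnames, but the exact allow/deny list an organization maintains is an assumption.

```python
import re
from collections import Counter

# Public DoH resolver hostnames an enterprise might list (assumption for the example)
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.google"}

# Constructed proxy log layout: timestamp src= host= path= ct=
LOG_RE = re.compile(r"src=(?P<src>\S+) host=(?P<host>\S+) path=(?P<path>\S+) ct=(?P<ct>\S*)")

# Constructed sample lines (not real traffic)
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z src=10.0.0.5 host=mozilla.cloudflare-dns.com path=/dns-query ct=application/dns-message",
    "2024-05-01T10:00:01Z src=10.0.0.6 host=www.example.com path=/index.html ct=",
    "2024-05-01T10:00:02Z src=10.0.0.7 host=doh.example.net path=/dns-query?dns=AAABAAAB ct=",
    "2024-05-01T10:00:03Z src=10.0.0.5 host=dns.google path=/resolve?name=example.com ct=",
]


def classify(line: str):
    """Return (src, host, reasons) when a line looks like a DoH request, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    host, path, ct = m["host"], m["path"], m["ct"]
    reasons = []
    if host in KNOWN_DOH_HOSTS:
        reasons.append("known-doh-resolver")
    if path.split("?")[0].endswith("/dns-query"):
        reasons.append("rfc8484-path")
    if "dns=" in path:
        reasons.append("dns-get-parameter")
    if ct == "application/dns-message":
        reasons.append("dns-message-content-type")
    return (m["src"], host, reasons) if reasons else None


def find_doh_clients(lines) -> dict:
    """Count DoH-looking requests per client address."""
    hits = Counter()
    for line in lines:
        result = classify(line)
        if result:
            hits[result[0]] += 1
    return dict(hits)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line))
    print(find_doh_clients(SAMPLE_LOG))
```

Hostname and path matching only works where the proxy or TLS inspection point can see the server name or the HTTP request; a DoH resolver on an unlisted host with a non-standard path shows up only as ordinary HTTPS, which is exactly the monitoring gap the article describes.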

Nevertheless, web browsers have started to embrace DoH. Mozilla announced DoH support for its Firefox browser, which now passes DoH traffic through Cloudflare by default. Microsoft’s Edge browser, based on Google’s Chromium, plans to support DoH soon. While users can currently enable DoH in the Chromium-based Edge browser using a hidden configuration option, it will become a standard feature. Google Chrome also supports DoH, though it is not enabled by default. Once enabled, Chrome attempts to use the same DNS servers previously configured, encrypting name resolution requests if those servers support DoH; otherwise, it falls back to unencrypted DNS traffic.

In conclusion, DNS over HTTPS is a protocol that encrypts DNS traffic to improve online privacy. It works similarly to regular DNS but encapsulates requests within an HTTPS session and minimizes the information transmitted in queries. DoH benefits users by hiding online activities and preventing DNS spoofing and man-in-the-middle attacks. However, it has drawn criticism due to concerns about data concentration and potential disruption of security monitoring in enterprise environments. Nevertheless, major web browsers like Firefox, Edge, and Chrome have implemented support for DoH, albeit with some variations in default settings and configuration options.

