DNS over HTTPS (DoH)

DNS over HTTPS (DoH) is a protocol that improves the privacy and security of DNS queries by encrypting them and sending them over HTTPS (Hypertext Transfer Protocol Secure). DoH is defined in RFC 8484 and was designed to address the issue of traditional DNS queries being sent in plaintext, making them vulnerable to surveillance, interception, and tampering. By encapsulating DNS messages within HTTPS traffic, DoH ensures that these queries are encrypted, hard to distinguish from other web traffic, and protected from eavesdropping or manipulation by anyone on the path between the client and the resolver.

The primary motivation for DoH is to protect the privacy of users by preventing intermediaries, such as ISPs or network operators, from seeing the domain names being queried. Traditionally, DNS queries are sent in plaintext over port 53, which allows anyone monitoring the network to view the domains users are visiting. With DoH, DNS queries are encrypted and sent over port 443 (the same port used for HTTPS), making it much more difficult for third parties to intercept and inspect these queries. Note what does not change: the DoH resolver itself still sees every query in the clear, so DoH moves trust from the network path to the resolver operator rather than removing it.

DoH also offers protection against man-in-the-middle attacks, where attackers intercept and modify DNS queries or responses to redirect users to malicious websites. The TLS connection authenticates the resolver by its certificate and protects the integrity of the DNS messages in transit, so an on-path attacker cannot alter them unnoticed. This is especially important in insecure or untrusted networks, such as public Wi-Fi hotspots, where plaintext DNS is trivially spoofed. The limit of this protection is the resolver: DoH does not validate the DNS data itself, so a compromised or dishonest resolver can still return forged answers. Detecting that requires DNSSEC validation, which complements DoH rather than being replaced by it.

RFC 8484 specifies how DoH works: a DNS message in its ordinary wire format (RFC 1035) is carried as the body of an HTTP request or response with the media type application/dns-message, over HTTP/2 or later (HTTP/2 is the minimum version the RFC recommends; HTTP/3 is used by newer deployments). The client either sends the message in a POST body or sends a GET whose dns query parameter holds the base64url-encoded message (without the trailing = padding), addressed to the resolver's URI template, typically of the form https://resolver.example/dns-query. The resolver processes the query and returns the DNS response, again in wire format, as the HTTP response body. Because the request is an ordinary HTTPS request, the DNS traffic is encrypted exactly like regular web traffic. Two details of the RFC matter for implementers: the DNS ID field is set to 0 in queries, so that identical queries produce identical request bodies and URLs that HTTP caches can match, and the HTTP freshness lifetime of a cached response must not exceed the smallest TTL in the answer section.
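The request and response handling described above, as an added example (not code from RFC 8484, nor from any resolver or browser): it builds the wire-format query a DoH client sends, encodes it for the GET form, decodes it the way a server would, parses a constructed wire-format answer including name compression, and derives the HTTP cache lifetime from the answer TTLs. The query also carries EDNS(0) padding, which RFC 8484 relies on to hide query sizes. The resolver URI template https://dns.example/dns-query, the query name and the sample response are assumptions.

```python
import base64
import struct

# Added example, not taken from RFC 8484 or any DoH implementation. The resolver template
# and the query name are assumptions; the response is constructed, not captured.
DOH_TEMPLATE = "https://dns.example/dns-query"  # assumed resolver URI template
DOH_MEDIA_TYPE = "application/dns-message"      # media type defined by RFC 8484
EDNS_PADDING_OPTION = 12                        # EDNS(0) Padding option code (RFC 7830)
PAD_BLOCK = 128                                 # RFC 8467: clients pad queries to a multiple of 128 octets


def encode_name(name):
    """Encode a dotted name as DNS labels (RFC 1035 section 3.1)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=1, pad_to=PAD_BLOCK):
    """Wire-format query with an OPT record carrying EDNS padding.

    RFC 8484 section 4.1: DoH clients use ID 0 so identical queries give
    identical request bodies and URLs, which lets HTTP caching work.
    """
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1)  # ID 0, RD=1, QDCOUNT=1, ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    base_len = len(header) + len(question) + 11   # 11 = OPT RR with empty RDATA
    pad_len = (-(base_len + 4)) % pad_to          # 4 = option code + option length fields
    padding = struct.pack("!HH", EDNS_PADDING_OPTION, pad_len) + b"\x00" * pad_len
    # OPT pseudo-RR: root name, TYPE 41, UDP payload size 4096, ext-RCODE/version/flags 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(padding)) + padding
    return header + question + opt


def doh_get_url(query, template=DOH_TEMPLATE):
    """GET form: base64url without '=' padding in the 'dns' query parameter."""
    param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{template}?dns={param}"


def decode_dns_param(param):
    """Server side of the GET form: restore the base64url padding the client stripped."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def parse_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just after the name)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 section 4.1.4)
            if end is None:
                end = offset + 2                  # the name in the stream ends at the pointer
            jumps += 1
            if jumps > 64:
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_response(msg):
    """Return (RCODE, [(owner, type, ttl, rdata_text), ...]) from a wire-format response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = parse_name(msg, offset)
        offset += 4                               # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        owner, offset = parse_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        text = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((owner, rtype, ttl, text))
    return flags & 0x000F, answers


def cache_max_age(answers):
    """RFC 8484 section 5.1: HTTP freshness must not exceed the smallest TTL in the answer."""
    return min(ttl for _, _, ttl, _ in answers) if answers else 0


def constructed_response(query):
    """Constructed sample answer (not captured): echoes the question and adds one A record
    whose owner name is a compression pointer to the question name at offset 12."""
    _, question_end = parse_name(query, 12)
    question = query[12:question_end + 4]
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, RCODE=0
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    return header + question + answer


if __name__ == "__main__":
    q = build_query("www.example.")
    print(len(q), doh_get_url(q)[:60] + "...")
    rcode, answers = parse_response(constructed_response(q))
    print(rcode, answers, "Cache-Control: max-age=%d" % cache_max_age(answers))
```

The POST form is the same message sent as the request body with Content-Type: application/dns-message and no base64 step. The padding arithmetic is the part worth checking in a real client: a query for www.example. comes out at exactly 128 bytes, so an observer of the encrypted stream sees the same size whether the name is 11 or 60 characters long.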

One of the key advantages of DoH over other encrypted DNS protocols, such as DNS over TLS (DoT, which uses its own port, 853), is its ability to blend DNS traffic with regular HTTPS traffic. Because DoH runs on port 443, a network administrator or surveillance system cannot tell it apart from other web traffic by port alone. This characteristic makes DoH particularly useful in environments where DNS queries might be censored, blocked, or otherwise restricted, as it becomes more challenging to identify and block DNS queries without blocking legitimate HTTPS traffic. The blending is not perfect: connections to the IP addresses of well-known public resolvers, and the TLS Server Name Indication (SNI) that carries the resolver's hostname in the clear unless Encrypted Client Hello is in use, still give DoH away to an observer who looks for it.

Another important feature of DoH is its ability to integrate seamlessly with web browsers. Modern web browsers, such as Mozilla Firefox and Google Chrome, have implemented built-in support for DoH, allowing users to enable encrypted DNS queries directly from their browser settings. This makes it easy for users to adopt DoH without needing to configure their operating system or network settings. Additionally, some operating systems, like Windows 11, have introduced native support for DoH, further simplifying its adoption.

Despite its privacy and security benefits, DoH has sparked debate and controversy, particularly among network administrators and ISPs. One of the concerns is that DoH can bypass traditional DNS filtering mechanisms used by organizations to block access to malicious or inappropriate websites. Because DoH encrypts DNS queries and sends them over HTTPS to whichever resolver the application chose, it can be challenging for network administrators to monitor or block specific DNS requests. A client that silently switches to a public DoH resolver also stops using the organization's own resolver, so it loses internal (split-horizon) names and any DNS-based sinkholing of malware domains. This has led to concerns that DoH could undermine security policies or parental controls in corporate or home networks.

Another concern with DoH is the potential centralization of DNS services. With the rise of public DoH resolvers offered by major companies, such as Cloudflare and Google, there is a risk that a significant portion of DNS traffic could be concentrated among a few large providers. This centralization could lead to privacy risks if these providers log or analyze DNS queries. While many public DoH providers offer no-logging policies, the reliance on centralized resolvers remains a point of concern for privacy advocates.

To mitigate these concerns, organizations can deploy their own DoH resolvers and configure managed clients, through browser and operating-system policy settings, to use them, so that DoH queries still reach a trusted internal DNS server. This allows organizations to maintain control over their DNS infrastructure while still benefiting from the privacy and security enhancements provided by DoH. Browsers also offer network operators a signal: Firefox, for example, looks up the canary name use-application-dns.net before turning on its default DoH rollout and leaves DoH off if the network's resolver returns NXDOMAIN (or otherwise fails to resolve) that name, although this does not override a user who explicitly enabled DoH. Some solutions also allow administrators to combine DoH with traditional DNS filtering and monitoring tools, ensuring that security policies are enforced while protecting user privacy.
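The detection side of the two paragraphs above, as an added example (not from any vendor product or the page's source): it runs over constructed outbound-connection log lines, allow-lists the organization's own DoH resolver, flags clients talking to the well-known public resolvers mentioned on this page, and flags connections that look like DoH by their path or media type even when the endpoint is unknown. The log format, the internal resolver name doh.corp.example, and the client addresses are assumptions.

```python
import re
from collections import Counter

# Added example, not taken from any product. Log format, internal resolver name and
# client addresses are assumptions; the log lines are constructed, not captured.
PUBLIC_DOH_ENDPOINTS = {
    "dns.google", "8.8.8.8", "8.8.4.4",          # Google Public DNS
    "cloudflare-dns.com", "1.1.1.1", "1.0.0.1",  # Cloudflare
}
INTERNAL_DOH_ENDPOINTS = {"doh.corp.example"}    # assumed organization-run resolver
DOH_MEDIA_TYPE = "application/dns-message"       # RFC 8484 media type
DOH_DEFAULT_PATH = "/dns-query"                  # path used by most public resolvers

# Assumed proxy-style record: timestamp, source, destination host:port, then optional
# TLS SNI, HTTP path and request Content-Type when the proxy could see them.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+)"
    r"(?: sni=(?P<sni>\S+))?(?: path=(?P<path>\S+))?(?: ctype=(?P<ctype>\S+))?$"
)

# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = """\
2025-02-01T07:00:01Z src=10.0.0.5 dst=1.1.1.1:443 sni=cloudflare-dns.com path=/dns-query ctype=application/dns-message
2025-02-01T07:00:02Z src=10.0.0.5 dst=93.184.216.34:443 sni=www.example.com path=/
2025-02-01T07:00:03Z src=10.0.0.7 dst=10.0.0.53:443 sni=doh.corp.example path=/dns-query ctype=application/dns-message
2025-02-01T07:00:04Z src=10.0.0.9 dst=203.0.113.8:443 sni=dns.unknown.example path=/dns-query ctype=application/dns-message
2025-02-01T07:00:05Z src=10.0.0.9 dst=8.8.8.8:443 sni=dns.google
2025-02-01T07:00:06Z src=10.0.0.9 dst=10.0.0.53:53
"""


def parse_line(line):
    """Parse one record into a dict, or None if it does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(record):
    """One of: plain-dns, internal-doh, public-doh-bypass, unknown-doh, other.

    Matching on both destination address and SNI catches clients that use the
    resolver's IP address directly as well as those that use its hostname.
    """
    names = {record["dst"], record.get("sni") or ""}
    if record["port"] == "53":
        return "plain-dns"
    if names & INTERNAL_DOH_ENDPOINTS:
        return "internal-doh"
    if names & PUBLIC_DOH_ENDPOINTS:
        return "public-doh-bypass"
    # Unknown endpoint, but the request still carries DoH fingerprints.
    if record.get("ctype") == DOH_MEDIA_TYPE or record.get("path") == DOH_DEFAULT_PATH:
        return "unknown-doh"
    return "other"


def audit(log_text):
    """Return (verdict counts, findings) where findings lists (source, endpoint, verdict)
    for every connection that bypasses the internal resolver."""
    counts, findings = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        verdict = classify(rec)
        counts[verdict] += 1
        if verdict in ("public-doh-bypass", "unknown-doh"):
            findings.append((rec["src"], rec["sni"] or rec["dst"], verdict))
    return counts, findings


if __name__ == "__main__":
    counts, findings = audit(SAMPLE_LOG)
    print(dict(counts))
    for src, endpoint, verdict in findings:
        print(f"{src} -> {endpoint}: {verdict}")
```

Two caveats on using this for real: the public-endpoint list has to be maintained (resolvers change addresses and new ones appear), and the SNI and path fields disappear once clients use Encrypted Client Hello or a non-standard path, leaving only destination addresses and traffic shape to go on. The cleanest enforcement is therefore the policy side of the paragraph above: point managed clients at doh.corp.example and block direct port 443 connections to known resolver addresses.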

The performance of DoH is another factor that has been carefully considered in its development. While encapsulating DNS queries in HTTPS adds some overhead compared to traditional unencrypted DNS queries, modern implementations of DoH leverage optimizations like HTTP/2 multiplexing and connection reuse to minimize latency. By keeping a persistent HTTPS connection open for multiple DNS queries, DoH can reduce the impact of TLS handshakes and provide performance comparable to traditional DNS.

DoH is part of a broader movement towards encrypting more internet traffic to enhance privacy and security. As users become more aware of the risks of unencrypted network traffic, protocols like DoH are becoming increasingly important for ensuring that sensitive information, such as browsing habits, remains private. The widespread support for DoH across browsers, operating systems, and DNS providers suggests that its adoption will continue to grow, making it a key part of the future internet security landscape.

Conclusion

DNS over HTTPS (DoH), defined in RFC 8484, provides an essential mechanism for encrypting DNS queries and responses, protecting them from surveillance and tampering. By encapsulating DNS traffic within HTTPS, DoH ensures that DNS queries are private and secure, even in hostile or restricted network environments. Despite concerns about centralization and the impact on DNS filtering, the adoption of DoH continues to grow, driven by the need for enhanced privacy and security on the modern internet. Its integration into web browsers and operating systems further cements DoH's role in the future of secure internet communication.

dns_over_https_doh.txt · Last modified: 2025/02/01 07:01 by 127.0.0.1
