DNS over HTTPS (DoH)

What DoH is and why it is important


DNS: The Address Book with a Privacy Gap

The Domain Name System (DNS) acts like an address book for the internet, translating user-friendly domain names (like http://google.com) into the numerical IP addresses that computers use. Designed in 1987, DNS did not prioritize security or privacy: by default, DNS requests travel unencrypted, which leaves them open to eavesdropping and manipulation. In practice this means anyone on the network path can potentially see which websites you are trying to access.

A famous example of this weakness is the case of Kevin Mitnick, who was caught by the FBI because he used unencrypted traffic. The FBI could not decrypt his traffic, but it could track his activity by monitoring unencrypted DNS requests within a group of people who were making DNS requests at that specific time; after interviewing them all, it was obvious who had the skills to do that. While it is true that current encryption methods for data traffic are very strong and cannot be broken with today's technology, the future of quantum computing might change this. Quantum computers have the potential to break many current encryption methods, which could have a significant impact, especially for financial institutions. However, the development of large-scale quantum computers is likely still some time away.


The Great Firewall's DNS Trickery

China's Great Firewall (GFW) exploits this weakness to censor content. Because DNS uses a simple, unencrypted protocol, the GFW can impersonate both the user and the server and alter DNS responses. When a user tries to access a blocked website (like http://google.com), the GFW can inject a fake IP address, directing the user to a different location inside China instead of to the real website.


Securing Your DNS with DoH

Just as HTTPS encrypts website traffic, DNS over HTTPS (DoH) encrypts your DNS requests. With DoH, your internet service provider (ISP) and other on-path observers cannot see which websites you are trying to access. This adds a layer of privacy and security to our online browsing.
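To make the mechanism concrete, here is an added example (not code from the original article): it builds the same DNS wire-format query that a plain UDP resolver would see, shows the two transports RFC 8484 defines for carrying it over HTTPS (GET with a base64url `dns=` parameter, and POST with the `application/dns-message` media type), and parses the answer section of a reply. The resolver URL `https://doh.example.invalid/dns-query` and the sample response bytes (answering `example.com` with the documentation address 192.0.2.1) are constructed for illustration; only `doh_post` touches the network.

```python
"""Added example (not from the original article): the DNS wire format a DoH
client sends and receives, plus the two RFC 8484 transport shapes.  Only
doh_post() uses the network; everything else runs offline."""
import base64
import struct
import urllib.request

DNS_MESSAGE = "application/dns-message"  # media type defined by RFC 8484


def encode_name(name: str) -> bytes:
    """Encode 'example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a standard query (RD flag set) with one question.  The DNS ID is
    0, as RFC 8484 recommends for DoH so identical queries are HTTP-cacheable;
    the TLS session, not the ID, protects against spoofed replies."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg: bytes, offset: int):
    """Return (name, offset after the name), following compression pointers."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # pointer: two bytes, top bits 11
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2             # the pointer ends the name here
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_a_records(msg: bytes):
    """Return (rcode, [IPv4 strings]) from a DNS response message."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _name, off = decode_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:        # A record
            addrs.append(".".join(str(b) for b in rdata))
    return rcode, addrs


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """Client side of the RFC 8484 GET form: ?dns=<base64url, '=' padding stripped>."""
    b64 = base64.urlsafe_b64encode(query).decode("ascii").rstrip("=")
    return f"{resolver_url}?dns={b64}"


def decode_dns_param(param: str) -> bytes:
    """Server side of the GET form: restore the padding the client stripped."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def doh_post(resolver_url: str, query: bytes) -> bytes:
    """RFC 8484 POST form.  The only function here that uses the network."""
    req = urllib.request.Request(
        resolver_url, data=query, method="POST",
        headers={"Content-Type": DNS_MESSAGE, "Accept": DNS_MESSAGE})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


# Constructed sample response to the example.com/A query above; the answer
# name is a compression pointer (0xC00C) back to the question at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://doh.example.invalid/dns-query", q))
    print(parse_a_records(SAMPLE_RESPONSE))
```

The point worth noticing is that nothing inside the DNS message changes: the query bytes that `build_query` produces are exactly what would go over UDP port 53 in the clear. DoH only wraps them in an HTTPS request, so an on-path observer sees a TLS connection to port 443 and nothing else, while the resolver operator still sees every name asked for.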

Why do we run our own DoH resolver?

There are already public DNS resolvers, such as 1.1.1.1 and 9.9.9.9, that support DNS over HTTPS, so you can use them. Starting with Firefox version 61, you can enable DNS over HTTPS in the browser settings, which is a big step forward for Internet security and privacy. Firefox uses Cloudflare's resolvers (1.1.1.1) by default. However, some people argue that this lets Cloudflare (and others) gather information about you; they seem to trust their ISP more than Cloudflare. But I think that if you are paranoid about privacy, you should run your own DoH resolver with your own CA, or just use ours, so that neither Cloudflare nor your ISP can spy on you. I'm pretty sure that the government agencies have direct access to the public DNS of those popular services. I can confirm that ISPs have the government "black boxes" installed!

DoH vs DoT

Besides DNS over HTTPS, there’s another protocol that also aims to encrypt DNS queries. It’s called DNS over TLS (DoT).

DoH is the better choice of the two:

  • DoT operates on TCP port 853, which a national firewall can block easily.

  • DoH operates on TCP port 443, the standard port for HTTPS websites. That makes DoH very hard (almost impossible) to block: if TCP port 443 is blocked, nearly all HTTPS websites are blocked too.

Another advantage of DoH is that it lets web applications access DNS information via existing browser APIs, so no stub resolver is needed.