What is DNS Over HTTPS?
DNS Over HTTPS (DoH) is a protocol that allows DNS queries to be transmitted over HTTPS, instead of the traditional unencrypted DNS protocol (UDP-based). Typically, when you browse the internet, your computer or device needs to translate a human-readable domain name (like example.com) into an IP address that servers can understand. This translation process is done by a DNS resolver.
Traditionally, DNS requests are sent in plaintext, meaning that anyone monitoring your internet traffic—such as your internet service provider (ISP), government agencies, or cybercriminals—can see what websites you’re visiting. This lack of encryption makes DNS a privacy vulnerability.
DoH, however, encrypts these DNS queries by using HTTPS, the same encryption used by websites that implement SSL/TLS certificates. This not only secures the communication channel but also hides DNS traffic from potential eavesdroppers. By sending DNS requests over HTTPS, DoH provides an added layer of privacy, ensuring that the domain queries are not easily intercepted, manipulated, or analyzed.
How DNS Over HTTPS (DoH) Works
The process of DoH can be broken down into the following steps:
- The user’s device sends a DNS request to a DoH server via HTTPS, usually to a provider like Google or Amazon Route 53.
- The DoH server receives the request over a secure HTTPS connection.
- The server processes the DNS request and responds with the appropriate IP address.
- The response is returned to the user’s device, encrypted and secure.
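The exchange above from the client's side, as an added example that is not part of the original article: it builds the wire-format DNS query a DoH client sends, shows the RFC 8484 transport forms (GET with a base64url "dns=" parameter, or POST with an application/dns-message body), and parses a constructed answer offline. The resolver URL is a placeholder, not a real service.

```python
# Added example (not from the original article): a DoH client's request and
# response handling, with no network access; DOH_URL is a placeholder.
import base64
import struct

DOH_URL = "https://doh.resolver.example/dns-query"   # placeholder endpoint (assumption)

def build_dns_query(name, qtype=1):
    """Wire-format query for `name`; ID 0 as RFC 8484 recommends for HTTP cacheability."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)      # QTYPE, QCLASS IN

def doh_get_url(base_url, query):
    """GET form: base64url without '=' padding (RFC 8484 section 6)."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={b64}"

def doh_post_request(base_url, query):   # POST form: raw DNS message is the HTTP body
    headers = {"Content-Type": "application/dns-message", "Accept": "application/dns-message"}
    return {"method": "POST", "url": base_url, "headers": headers, "body": query}

def _skip_name(msg, pos):   # advance past a name made of labels, a root byte or a pointer
    while msg[pos] & 0xC0 != 0xC0 and msg[pos] != 0:
        pos += msg[pos] + 1
    return pos + (2 if msg[pos] & 0xC0 == 0xC0 else 1)

def parse_a_records(msg):
    """Return IPv4 addresses from the answer section of a DNS response."""
    flags, qdcount, ancount = struct.unpack("!HHH", msg[2:8])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    pos = 12
    for _ in range(qdcount):              # skip question: name + QTYPE + QCLASS
        pos = _skip_name(msg, pos) + 4
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:     # A record
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return addrs

# Constructed response body: question echoed back, then one A record whose owner name is a pointer to offset 12.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1]))
```

Because the query and response travel as HTTPS bodies, an on-path observer sees only a TLS session to the resolver, not the name being looked up.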
Advantages of DNS Over HTTPS (DoH)
- Improved Privacy and Security: The primary advantage of DoH is the encryption of DNS queries, which protects users from eavesdropping. Since the DNS request is encrypted, attackers cannot easily monitor or track the websites you visit. This reduces the risk of man-in-the-middle (MITM) attacks, where attackers could intercept and tamper with DNS queries.
- Prevents DNS Spoofing and Poisoning: Traditional DNS is susceptible to attacks like DNS spoofing (or cache poisoning), where attackers can manipulate DNS records to redirect traffic to malicious websites. DoH uses HTTPS, which includes a certificate validation process, making it harder for attackers to inject false DNS records.
- Bypass Network Restrictions: In some regions or networks, DNS requests can be monitored or blocked to prevent access to certain websites. Since DoH uses the HTTPS protocol, which is commonly allowed and not easily blocked by firewalls, users can bypass network restrictions and access content that might otherwise be censored.
- Hiding DNS Queries from ISPs: ISPs typically monitor DNS queries to gather data about their users’ browsing habits. By using DoH, users can prevent ISPs from seeing the domains they are querying, providing greater privacy. It also limits the amount of data that ISPs can use for targeted advertising or surveillance purposes.
- Faster DNS Resolution: In some cases, DoH can offer better DNS performance by providing faster resolution times. By using servers optimized for DoH, some users may experience quicker load times for websites, particularly if the DNS servers are closer or more reliable than the default ISP DNS.
Limitations of DNS Over HTTPS
While DoH has several advantages, it also comes with challenges and potential drawbacks that must be considered.
- Potential for Misuse by Malicious Actors: Since DoH encrypts DNS traffic, it can potentially hide malicious activity, such as illegal activities or malware communication with a command-and-control server. Security monitoring solutions that rely on inspecting DNS traffic could become less effective in detecting threats.
- Centralization of DNS Traffic: Since DoH relies on external providers, the centralization of DNS traffic could lead to concerns over privacy and control. If too many users rely on a few DoH providers, these companies would have access to large amounts of internet traffic data. This raises concerns over privacy, especially if data is logged or sold to third parties.
- Compatibility Issues: While DoH is supported by most modern browsers and devices, not all DNS servers and routers support DoH. This means that businesses or users with specific network configurations may face compatibility issues. Additionally, some enterprises or network administrators may not want to rely on third-party DNS services, as it could undermine their ability to monitor and control internal networks.
- Complexity for Network Administrators: Implementing DoH can complicate network configurations, particularly for businesses and organizations. DoH bypasses traditional DNS filtering systems, which means network administrators may lose some level of control over DNS queries within their network. This could make it harder to enforce company policies, such as blocking harmful websites or enforcing secure DNS resolutions.
- Performance Concerns: Although DoH can provide faster resolution times in some cases, it requires the establishment of an HTTPS connection, which can slightly increase latency, especially if the DNS server is far away or the network connection is not optimal.
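The monitoring gap described in the first and fourth limitations, as an added example that is not part of the original article: a small detector a defender could run over web-proxy or TLS-inspection logs to see where DoH is in use on a network. The log format, the client addresses and the list of resolver hostnames are constructed for illustration, and the "dns=" decoder only recovers names from GET requests, since POST bodies are not in such logs.

```python
# Added example (not from the original article): flag DoH use in constructed
# proxy log lines. Log format, hosts and addresses are illustrative only.
import re
import base64
import struct
from urllib.parse import parse_qs, urlsplit

KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}   # illustrative list
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")   # ts client method url status ctype

def decode_dns_param(value):
    """Return the queried name if `value` is a base64url DNS query (RFC 8484 GET form), else None."""
    try:
        raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
        flags, qdcount = struct.unpack("!HH", raw[2:6])
        if flags & 0x8000 or qdcount < 1:       # QR must be 0 for a query
            return None
        pos, labels = 12, []
        while raw[pos]:                         # read labels up to the root byte
            labels.append(raw[pos + 1:pos + 1 + raw[pos]].decode("ascii"))
            pos += raw[pos] + 1
    except (ValueError, struct.error, IndexError):
        return None
    return ".".join(labels)

def analyze_log_line(line):
    """Return an event dict when the line looks like a DoH request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _ts, client, _method, url, _status, ctype = m.groups()
    u = urlsplit(url)
    reasons = []
    if ctype == "application/dns-message":
        reasons.append("application/dns-message content type")
    if u.path.endswith("/dns-query"):
        reasons.append("/dns-query path")
    if u.hostname in KNOWN_DOH_HOSTS:
        reasons.append("known DoH resolver host")
    name = None
    for value in parse_qs(u.query).get("dns", []):   # GET form exposes the query itself
        name = decode_dns_param(value)
        if name:
            reasons.append(f"decoded DNS query for {name}")
    return {"client": client, "host": u.hostname, "queried_name": name, "reasons": reasons} if reasons else None

def find_doh_events(lines):
    return [e for e in map(analyze_log_line, lines) if e]

SAMPLE_LOG = [   # constructed lines: a public resolver, an unknown DoH server, ordinary browsing
    "2024-05-01T10:00:00Z 10.0.0.5 GET https://dns.google/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE 200 application/dns-message",
    "2024-05-01T10:00:01Z 10.0.0.7 POST https://doh.internal.example/dns-query 200 application/dns-message",
    "2024-05-01T10:00:02Z 10.0.0.7 GET https://www.example.com/index.html 200 text/html",
]
```

Without TLS inspection only the resolver hostname (from the SNI or certificate) is visible, so in practice the host-based indicator is the one most networks can act on.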
How to Enable DNS Over HTTPS
Enabling DoH is relatively simple for most users, particularly those using modern browsers or operating systems. Here’s how you can get started:
For Browsers
Google Chrome, Mozilla Firefox, and Microsoft Edge all support DoH natively. To enable DoH:
- Google Chrome: Go to chrome://settings/security, and enable “Use secure DNS.”
- Mozilla Firefox: Go to Options > General > Network Settings, and enable “DNS over HTTPS.”
- Microsoft Edge: Go to Settings > Privacy, Search, and Services, and turn on DoH under the “Security” section.
For Operating Systems
- On Windows, macOS, and Linux, DoH can be enabled at the system level. Users can configure their system’s DNS settings to point to a DoH-compatible resolver like Google’s 8.8.8.8, with DoH enabled.
Using Third-Party Services
- Many third-party DNS providers like AWS Route 53 offer DoH support. By configuring your router or devices to use these services, you can ensure that DNS queries are encrypted and secure.