26.09.2019
Enabling DNS over HTTPS (DoH): Advantages and Best Practices
A new internet protocol is making headlines in the world of enterprise security: DNS over HTTPS. Even though this is of major interest especially for businesses and organizations, regular users will be impacted by it as well. Are you ready for this cybersecurity revolution yourself?
Here’s what all the fuss is about the new DoH protocol. If done right, the hype around it is well-deserved. Once it’s implemented well, DoH can make network communications much more secure.
The new DNS over HTTPS protocol is still relatively new in the world of network connections. First emerged about two years ago, the new protocol is mostly not implemented yet.
When it comes to browsers, Google seems to be the first to it. They recently announced they plan to roll out DNS over HTTPS in the near future.
This guide will tell you what this means and how you can implement DNS over HTTPS yourself, the changes to expect and so on.
What Is DNS over HTTPS (DoH) and How Does This Protocol Work?
First thing’s first, let’s clear up the basics. Not everyone understands exactly what DNS is and how it works, let alone the new DNS over HTTPS.
DNS definition:
DNS stands for Domain Name Server and it helps computer networks attach various information to each web domain.
To put it simply, all Domain Name Servers are basically the fundamental internet address book.
But while people can remember a domain name easily, computers need numbers to understand it. That’s why the DNS system ‘translates’ each domain name into an IP number and assigns this info, together with other details.
A DNS traffic filtering solution is a crucial security layer for businesses and consumers alike. We discussed elsewhere the importance of DNS traffic filtering and what cybercriminals can hope to get from infiltrating it.
Now that we defined DNS and DNS filtering, let’s move on to the new buzzword in cybersecurity news: DNS over HTTPS (DoH).
DNS over HTTPS (DoH) definition:
The new standard released by the IETF enables DNS protocol to be enabled over HTTPS connections (the more secure form of HTTP).
DNS over HTTPS (abbreviated as DoH) is an internet security protocol which communicates domain name server information in an encrypted way over HTTPS connections.
DNS over HTTPS vs. DNS over HTTP vs. DNS over TLS
A. DNS over HTTP vs DNS over HTTPS
Most networks are now still using DNS over HTTP communications, which makes them vulnerable to man-in-the-middle attacks if they are not protected by a traffic filtering solution. This is because this communication is sent in plain text.
The innovation brought on by the DNS over HTTPS protocol is that the communication is encrypted using built-in application HTTPS standards. This helps achieve an unprecedented default level of privacy and data protection since the encryption is (or should be) the golden standard.
Man-in-the-middle attacks (a common cybersecurity concern) are more or less useless if DNS over HTTPS is enabled. Since all DNS requests are encrypted, a 3rd party observer cannot make sense of the data they would gleam.
If that data is not encrypted (such as in the DNS over HTTP protocol), it is easy for a 3rd party malicious observer to see what domains you are trying to access. In contrast, when DoH is active, this data is encrypted and hidden within the enormous amount of HTTPS data which passes through the network.
Therefore, there is no comparison to be drawn between DNS over HTTPS (DoH) and DNS over HTTP. DoH is clearly the superior protocol. It’s only a matter of time until everyone adopts it one way or another, and the road may indeed be difficult for a time.
B. DNS over HTTPS vs. DNS over TLS
I think we’ve cleared up by now what is DNS over HTTPS (DoH).
DNS over TLS (or DoT) is regarded by some as being more or less the same thing with DoH, but this is not accurate. It’s true that both types of protocols achieve the same result: encrypting your DNS communications.
But each type of DNS protocol uses a different port for this encryption they make and the focus of each. The DoH encryption allows, theoretically, network admins to view the encrypted DNS traffic should an issue arise, while the DoT encryption can protect data even from admins.
The fans of DoT protocols state that this DNS over TLS standard is a better fit for human rights concerns in problematic countries. At the same time, in countries where freedom of speech may be limited, the only effect of enabling DoT encryption may be that it draws attention. In other words, authoritarian regimes may look unfavorably upon those who adopt DoT instead of the more mainstream DoH.
Other than that, there is also the technical difference of the port used. DNS over TLS has its own dedicated TLS port, Port 853. DNS over HTTPS uses a different one, Port 443. This internet port (Port 443) is the current standard for all HTTPS communications, so it makes sense that DoH uses it too.
How Chrome and Mozilla Are Going to Implement DNS over HTTPS (DoH).
Both Google Chrome and Mozilla have announced that they plan to include DNS over HTTPS by default in future builds.
A. How Chrome will include DNS over HTTPS:
For now, the Chrome team is experimenting with the new DoH protocol only for a limited number of users. This trial period will help them fix any potential issues and figure out how to then deploy DoH for everyone.
The DNS over HTTPS protocol will be tested starting with the new Chrome 78 version of the browser, which is not launched yet. You can also opt into this experiment if you’d like to be part of the users who get DoH in advance.
You can access the Chrome flag chrome://flags/#dns-over-http in order to activate or deactivate the DNS over HTTPS experiment, once Chrome 78 is live.
The only downside to this is that DoH is still relatively hard to configure manually in Chrome, for inexperienced users at least.
B. How Mozilla will include DNS over HTTPS:
To their credit, Mozilla has been working on DNS over HTTPS implementation for a longer time than Chrome, and it shows. As of now, opting to implement DoH in your browser is easy even for non-technical users, and the protocol settings have a much more developed interface.
For now, it’s an opt-in, as mentioned above, but Mozilla has announced that they plan to make DoH a default in future browser versions as well.
How DNS Traffic Filtering Solutions Need to Adapt to HTTPS
As most organizations are already aware, a DNS traffic filtering solution is a crucial layer of their cybersecurity environment. But while most organizations are already using a DNS traffic filter, the dilemma brought on by DoH is that compatibility issues may arise once browsers start using DoH by default.
In laymen’s terms, here’s what can be problematic. DNS traffic filtering solutions are using the settings built-in Operating Systems in order to perform DNS queries. But if the browser (whether it be Chrome or Mozilla) will no longer use the standard DNS port (53) for queries and instead switch to the DoH one (443), the traffic filtering solution will lose sight of those queries.
While DoH indeed brings more privacy by default, it should not be confused with compliance, nor with security. Companies should still be warned that DoH is not enough for security.
On the downside, when the DNS queries from the browser are wrong (or intentionally misled by malicious 3rd parties), the DNS traffic filter might have trouble catching on. Also, DNS over HTTPS protocols might be used to display the ads which would have otherwise been blocked (since these solutions circumvent filters).
This is why when choosing a DNS traffic filter provider, you need to make sure that they support DNS over HTTPS correctly. Our Thor Foresight Enterprise solution is currently developing a solid integration of DoH.
How to Implement DNS over HTTPS Correctly in Your Organization
Since for the first time the DNS over HTTPS protocol makes the DNS traffic communications encrypted, this can bring about more privacy and better security for users and organizations.
But because the DoH protocol is still new, some organizations are anxious about adopting it, due to compatibility and implementation issues. Here’s what you need to know in order to ensure a smooth transition to DNS over HTTPS.
Pros to Early Adoption of DNS over HTTPS (DoH):
- You get to test out how DoH will integrate with your networks ahead of time and fix any potential issues before the DoH protocol becomes default;
- If implemented right, you can gain more data security and better privacy across your organization;
- You get to test out the compatibility of DNS over HTTPS with your DNS traffic filter;
- Your feedback may help all software parties involved better their products, to your benefit.
- If your system admin(s) are not experienced with DoH and similar security protocols, this can end up in blocked queries, false-positive security flags and so on;
- If your DNS traffic filtering solution has not worked to integrate with DoH, this can render it ineffective;
For the moment, our Thor Foresight Enterprise product (which includes DarkLayer Guard, a market-leading DNS traffic filtering solution) circumvents the DNS over HTTPS which will be implemented by browsers.
While we still use the DNS settings from the operating system, we supplement the queries from the browser. Since the DoH protocol is still under tests in browsers, whenever DNS servers will have a fallback, their system will proceed to query the OS settings, which is where our solution comes in.
On the long(er) run, we are working to fully integrate the DoH protocol with DarkLayer Guard in a way which will help every party involved develop stronger cybersecurity and cyber resilience.
Wrapping up
Like any IT innovation, DNS over HTTPS can pose a few challenges at first, until everyone gets aligned with it. But once DoH becomes the standard, the benefits of it will greatly outweigh the difficulties it poses in the beginning.