The Domain Name System (DNS) is a proven solution. Users only need to enter a recognisable web address into their browser, and the system finds the corresponding IP address within a short period of time. To do this, various name servers are queried which store the numerical address that corresponds to the URL. Although it is still fully functional in principle, the DNS is somewhat dated: when it was developed several decades ago, today’s security concerns had not yet arisen.

From today’s perspective, however, the DNS is not secure. Requests are generally transmitted unencrypted and can be read by anyone. This means that a cybercriminal can intercept a victim’s DNS requests relatively easily using a server of their own. Called DNS hijacking, these attacks redirect users to websites that either deliver malware, phish for data, or flood users with advertising. That’s why DNS over HTTPS (DoH) is being discussed among industry experts as a viable alternative. But could the protocol make the Internet more secure?

Why do you need DNS over HTTPS?

DoH makes it possible to achieve several objectives, including increased security. Running DNS over the secure HTTPS protocol aims primarily to strengthen the user’s security and privacy. Because the HTTPS connection is encrypted, third parties should no longer be able to influence or spy on name resolution. A fraudster would thus be unable to view requested URLs or change them.

On the one hand, this strengthens the fight against cybercrime and, on the other, makes it harder to censor the Internet. Some governments use DNS to block certain websites in order to restrict freedom of expression or enforce local Internet regulations, for example anti-pornography laws.

Some Internet service providers (ISPs) deliberately use DNS hijacking to serve error pages when a user enters a web address that cannot be resolved (because of a typo, for instance). Some ISPs intercept such requests and instead direct the user to their own website, which advertises their own or third-party products. This is neither illegal nor does it directly damage the user or their devices, but the redirection can be perceived as disruptive.

But changes to DNS would also improve its performance. The DNS protocol is no longer considered to be very reliable. The Transmission Control Protocol (TCP) used by DoH reacts faster when data is lost during transmission.

Note

DNS over HTTPS is not yet a global standard on the Internet. Most connections still rely on classic DNS. So far, Google and Mozilla are two companies that have ventured into the field. As of Firefox version 62, for example, DoH can be activated optionally. Google is currently testing the system with select users. In addition, there are apps for mobile devices that enable surfing via DoH. Android Pie provides an option to enable DNS over HTTPS via the network settings.

How does DNS over HTTPS work?

Some name resolutions can be carried out directly on a user’s device, because the corresponding information is held in the cache of the browser or the router. Everything that has to be transmitted over the network usually passes through a UDP connection. This allows for a fast exchange of information. However, UDP is neither secure nor reliable: data packets are regularly lost when using the protocol because there is no mechanism that guarantees delivery.

DoH, on the other hand, relies on HTTPS and therefore also on TCP, a protocol that is used much more frequently on the Internet. The advantages are that the connection is encrypted (by TLS, on which HTTPS is built) and that TCP guarantees delivery of the data.

With DNS over HTTPS, communication always takes place via port 443, which is where the actual web traffic is transmitted (e.g. accessing websites). Therefore, an outsider cannot differentiate between DNS requests and other communications. This introduces an additional level of user privacy.

Fact

DNS over HTTPS was defined in RFC 8484.

Advantages and disadvantages of DNS over HTTPS

The advantages of the new system are obvious: the technology improves security and user privacy. Compared to classic DNS, DoH provides encryption. However, DNS over HTTPS is neither completely safe nor completely private. As before, all information can still be viewed on the name servers where the name resolution takes place, and a number of servers also learn who is requesting what information. Therefore, the participating DNS servers must still be trusted under the new technology.

However, DNS over HTTPS shifts responsibilities here. Internet providers’ servers typically handle a large part of name resolution. With DoH, on the other hand, browser developers can now decide which servers they want to forward their DNS queries to. In Chrome, this is done using Google’s own DNS server. Mozilla already uses Cloudflare for Firefox. Whilst this raises the question of whether users should trust these companies more than the ISP, it also means that just a handful of providers are in charge.

DoH critics believe that net neutrality is at risk with DoH. They fear that Google could, for example, answer queries about the company’s own services faster than DNS queries about other websites. Concentrating name resolution on a handful of providers also makes DoH servers a security risk, because it would be much easier for attackers to paralyse the entire DNS.

DoH vs. DoT

In addition to DNS over HTTPS, another technology for securing the domain name system is currently being discussed: DNS over TLS (DoT). The two protocols appear similar at first because both promise greater user security and privacy. But the technologies differ in a few points, including the commitment they’ve attracted from different interest groups. While DNS over HTTPS is primarily backed by Mozilla, Google, and providers of private DoH servers, DoT is promoted by the Internet Engineering Task Force (IETF).

On a technical level, DoT differs from its competitor in that it establishes a TLS tunnel instead of an HTTPS connection. It also uses a different port. As mentioned above, while DoH runs via port 443, communication with DNS via TLS takes place via the separate port 853.
