Misconceptions about DNS over HTTPS

A new internet protocol is making headlines globally: DNS over HTTPS. It is of particular interest to organizations, but regular users will be affected by it as well. Here is what all the fuss about the new DoH protocol is about.

DNS over HTTPS is still new in the world of network connections; it emerged about two years ago. DNS, the Domain Name System, is the internet-wide service that translates fully qualified domain names (FQDNs) into IP addresses. DNS exists because a domain name is much easier to remember than an IP address.

Does DNS over HTTPS even make sense? Can you deploy DoH when most name servers out there do not encrypt their DNS responses?


What is DNS, and how does it work?

When a web user attempts to access a website or online service, their machine sends a DNS request out over the internet. DNS works as a sort of digital telephone or address book, connecting users with the content and services provided by other machines around the world; it is a giant network of authoritative DNS servers and resolvers working together to make our digital lives more comfortable.

When DNS filtering is used for security, DNS requests are passed through a trusted DNS resolver. The resolver checks the domain against a URL categorization database. These categories tell the DNS filtering solution what type of content the domain hosts and whether it is safe, objectionable, malicious or otherwise shady. DNS filtering is often used for parental controls and web filtering to prevent users from accessing objectionable content. The following steps show how DNS resolution works:

  1. Your browser sends a request to the recursive DNS server configured on your computer.
  2. If the recursive server does not already know the IP address you want to visit, it has to look it up.
  3. Next, the recursive server asks the TLD name server for the name servers of the website you want to visit.
  4. The recursive server then asks the website's name server for the IP address of the FQDN. Once it receives the response, it forwards it to the web browser.
  5. The web browser connects to this IP address and requests the website.


Whenever you type a URL into your browser, the hostname is sent to a domain name system (DNS) provider that converts it into the unique numerical IP address identifying that website on the internet. Your browser uses the IP address to take you to the site you requested. Unfortunately, today the requests from your browser to the DNS provider are neither encrypted nor authenticated, which matters especially when you are connected to public WiFi at an airport, cafe or restaurant: anyone using the same network can see and track the websites you visit and can redirect your browser to a malicious website.

Even when users visit a site over HTTPS, their DNS query is sent over an unencrypted connection, so anyone listening to packets on the network knows which website the user is attempting to visit. A lot of old DNS infrastructure does not support encryption. As it turns out, it is not necessary to update all of it in order to add support for DNS over HTTPS.

The technical details are described in the latest Internet-Draft and implemented in real-world applications: the user sends a DNS query inside an encrypted HTTPS request. The current lack of encryption when browsers query DNS providers lets others track the sites you visit or maliciously redirect you to another page. Chrome and other browsers address this by securing DNS connections with DNS over HTTPS. Chrome checks whether the user's DNS provider is on a list of participating DoH-compliant providers before enabling DoH. Another concern has been how encrypted DNS in Chrome will disrupt parental controls and the blocking of malicious sites offered by ISPs.

The innovation of DNS over HTTPS is that it reuses the encryption built into the HTTPS standard that applications already use, helping to achieve an unprecedented default level of privacy and data protection. Man-in-the-middle attacks on DNS are more or less useless once DNS over HTTPS is enabled, because third-party observers cannot read the encrypted queries. If the data is not encrypted, it is easy for a third-party observer to see which domains you are trying to access.

When DoH is active, the DNS data is encrypted and hidden within the HTTPS traffic that passes through the network. There is therefore no comparison between DNS over HTTPS and plain, unencrypted DNS. DoH is a superior protocol, and it is only a matter of time until everyone adopts it one way or another.

How will Chrome and Mozilla include DNS over HTTPS?

The Chrome team is experimenting with the new DoH protocol for a limited set of users, helping them fix potential issues before deploying DoH for everyone. The DNS over HTTPS protocol is being tested in the new Chrome 78 version of the browser, which has not been launched yet. The one disadvantage of DoH in Chrome is that it is hard for at-risk users to configure manually.

Mozilla has been working on its DNS over HTTPS implementation for longer than Chrome. Opting in to DoH in your browser is easy for non-technical users, and the protocol settings have a much more developed interface.

Pros and cons of DNS over HTTPS:

  1. You can test how DoH integrates with your networks ahead of time and fix any issues before DoH becomes the default.
  2. If implemented correctly, you gain more data security and better privacy across your organization.
  3. You get to test the compatibility of DoH with your DNS traffic filter.
  4. If your system administrator is not experienced with DoH, this can result in blocked queries and security flaws.
  5. If your DNS traffic filtering solution has not been integrated with DoH, it may be rendered ineffective.

DNS over HTTPS may pose challenges at first, until everyone gets familiar with it. But once DoH becomes the standard, the benefits will outweigh the difficulties of the early days. That is what all the fuss about the new protocol is about. If you are interested in learning more about day-to-day cyber threats, head to the blog section for more information. That brings me back to the recent high-risk trojan malware, Raccoon Stealer. This new kind of trojan is fast gaining currency among cybercriminals for its ability to steal sensitive information such as credit card data, cryptocurrency wallets and email credentials. The article on Raccoon Stealer explains this high-risk trojan and how it can be avoided. To know more, visit here.

Stay Updated. Stay Protected!

An Architect by profession & practice, Pranita is a keen observer and specialises in content, visualisation, and presentation. Cyber attacks & Architecture Technology in the far more technologically-advanced world made her realise that there is a lack of necessary awareness among people. Hence, keeping you all updated and protected by all means with subjects from Architecture Technology to Security Awareness. Currently working as Head of Content, content writer & creator at BLARROW.TECH