What is DNS-over-HTTPS and should you be using it?

[Image: a padlock against a black computer screen. Image credit: Pixabay]

Throughout the history of the internet, traditional Domain Name System (DNS) traffic – for example, user requests to go to particular websites – has largely been unencrypted.

This means that whenever you look a web address up in the “internet telephone book”, every party along the DNS value chain that your request takes is able to look into those queries and responses, or even to modify them. Encrypted DNS, for example using DNS over HTTPS (DoH), changes that.

A number of the big internet companies – think Apple, Mozilla, Microsoft, and Google – have implemented encrypted DNS through DoH into their services and applications. Mozilla was an early adopter, implementing DoH into its browser in the US as far back as late 2018, whereas Apple implemented it with the iOS 14 and macOS 11 updates in the autumn of 2020. Google has also rolled out DoH on Chrome for Android.

The internet’s global telephone book

In essence, the Domain Name System (DNS) functions like the telephone book of the internet. Think of it a little like this and the way DNS works soon starts to make sense.

In that analogy, the top-level domain (the rightmost part of a web address, such as .com, .org or .info) is the equivalent of the country or area code; the second-level domain (in the case of international.eco.de, this would be eco) is the corporate switchboard number; and the third-level domain (international) is the specific extension.

Working with that in your mind, it’s much easier to get a clearer picture of how this directory is compiled. You can also understand how computers go about finding the service that they want to visit, thereby getting you connected to your chosen web destination.

DNS resolvers are responsible for finding the internet resource (in other words, a website) that you have typed into your computer or phone. The first DNS resolver that your device is locally connected to is the home or office router, or a public hotspot.

This resolver follows a series of steps, checking for any preconfigured setting on the device or a record of previous visits to the given website (called a cache). Failing this, the resolver forwards the DNS query to the next resolver up, for example that of the internet service provider (ISP) you are connected to. That resolver follows the same steps and, if all else fails, proceeds to look the domain up in the “internet telephone book”.

What risks does DoH protect users against?

One objective pursued in the development of the DoH protocol was to increase user privacy and security by preventing eavesdropping and manipulation of DNS data.

The encryption of DNS traffic protects you from the potential that a malicious actor can redirect you to a different (malicious) destination. For example, it could be a fake bank website instead of the real one you wanted to go to, or a variation on that theme.

This kind of cyberattack is known as a Man-in-the-Middle (MITM) attack, and encrypting DNS through DoH (or the related DoT protocol) is the only realistic solution available today. DoH also addresses the monetization of DNS data, for example its use for marketing purposes, which is a realistic privacy issue that should be of interest to everybody.

Protecting users in public networks

When you are using a public wireless (Wi-Fi) network in hotels, coffee shops and so on, the DNS query data from your mobile may be used to analyze your behavior and to track you across networks.

Often these DNS services are part of an all-in-one, globally available Wi-Fi solution, but such solutions may be poorly adapted to local privacy laws, and their privacy-protecting configurations may not be enabled either.

On top of that, free public Wi-Fi services, especially when they are operated or provided by smaller businesses, are often poorly managed in terms of security and performance. This leaves you potentially vulnerable to attacks from within those networks.

The good news is that DoH protects users on these public wireless networks, because the DNS resolver of the Wi-Fi network is bypassed. This prevents user tracking and manipulation of data at that level. What that ultimately means is that DoH offers a way to protect communications in an untrusted environment. It’s a great and wholly practical solution.

What changes with DoH?

The DNS over HTTPS protocol in itself only changes the transport mechanism over which your device and the resolver communicate. The requests and the responses are encrypted using the well-known HTTPS protocol. Currently, because few DoH resolvers have been deployed and work is still under way on letting devices technically “discover” DoH resolvers, DNS requests using DoH usually bypass the local resolver.

Instead, they are processed by an external third-party DoH provider nominated by the respective software developer or manufacturer. More and more providers are currently deciding whether or not to offer their own DoH services.
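To make the point that DoH changes only the transport concrete, the following Python sketch is an added example (not code from the article or from any DoH vendor). It builds an ordinary DNS query in the RFC 1035 wire format, wraps that unchanged message into the two HTTP request forms RFC 8484 defines (a GET with a base64url `dns` parameter, or a POST with the `application/dns-message` media type), and parses a response. The resolver URL `https://doh.example.test/dns-query` and the answer address `192.0.2.1` are constructed placeholders, and no network traffic is sent.

```python
import base64
import struct

# Record type/class constants from RFC 1035.
QTYPE_A = 1
QCLASS_IN = 1
# Media type that RFC 8484 defines for DNS messages carried over HTTPS.
DOH_MEDIA_TYPE = "application/dns-message"


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: each label length-prefixed, ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"invalid label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Build a standard recursive query. RFC 8484 recommends ID 0 for DoH so that
    identical questions produce identical bytes and can be served from HTTP caches."""
    flags = 0x0100  # RD (recursion desired) set, everything else clear
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(resolver_url: str, message: bytes) -> str:
    """RFC 8484 GET form: the wire-format message, base64url-encoded with padding removed."""
    param = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={param}"


def decode_doh_param(param: str) -> bytes:
    """Inverse of doh_get_url, as a DoH server applies it (re-adds the stripped padding)."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def doh_post_request(resolver_url: str, message: bytes) -> dict:
    """RFC 8484 POST form, returned as a plain dict so any HTTP client can send it."""
    return {
        "method": "POST",
        "url": resolver_url,
        "headers": {"Content-Type": DOH_MEDIA_TYPE, "Accept": DOH_MEDIA_TYPE},
        "body": message,
    }


def read_name(msg: bytes, offset: int):
    """Read a possibly compressed name (RFC 1035 section 4.1.4); return (name, next offset)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier part of the message
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg: bytes) -> dict:
    """Parse the header, question and answer sections of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        data = ".".join(str(b) for b in rdata) if rtype == QTYPE_A and rdlen == 4 else rdata
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def build_sample_response(query: bytes, address: str, ttl: int = 300) -> bytes:
    """Constructed answer to `query` for offline use; 192.0.2.x is a documentation range."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set; NOERROR
    rdata = bytes(int(octet) for octet in address.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("example.com")
    print("GET ", doh_get_url("https://doh.example.test/dns-query", q))
    print("POST", doh_post_request("https://doh.example.test/dns-query", q)["headers"])
    print(parse_response(build_sample_response(q, "192.0.2.1")))
```

The bytes handed to the HTTPS layer are exactly the bytes a classic UDP resolver would receive; what the eavesdropper on the Wi-Fi loses is the ability to read or rewrite them, because they now travel inside a TLS session to whichever resolver URL the software was configured with.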

Do I want DoH in my corporate network?

While there’s no doubt that DoH is a useful way of protecting yourself, especially when you’re using a public hotspot, it may not be the preferred option for trusted network environments. A good example of this is a corporate network, or internet access from an ISP that you trust.

Your company, for example, may have legitimate reasons to disallow an application that ignores and overrides the system default. This could even be seen as potentially harmful, because the network administrator is unable to control it within the network.

Many of the concerns relating to corporate networks disappear if DoH is implemented at the system level rather than the application level. At the system level, for example, a corporate network administrator can configure the system and create a policy that ensures that, as long as the device is on the corporate network, the corporate resolver is used.

But, the moment the device is on a public network, DoH should be used to improve security and privacy. However, if DoH is implemented as default on the application level, these different configurations are circumvented.
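The system-level policy described above, as an added Python example that is not part of the article and does not describe any particular operating system's implementation. It assumes one common way of recognising the corporate network: a hypothetical probe hostname (`probe.corp.example`) that only the corporate resolver can answer, and only with a known internal address. The resolver addresses and the DoH URL are placeholders, and the network-supplied resolver is injected as a function so that several constructed networks can be exercised offline.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class ResolverPolicy:
    """Administrator-defined policy. All values used below are hypothetical placeholders."""
    probe_name: str          # hostname that only the corporate resolver can answer
    expected_address: str    # the internal address the probe must resolve to
    corporate_resolver: str  # resolver to use while on the corporate network
    doh_url: str             # DoH resolver to use everywhere else


@dataclass(frozen=True)
class ResolverChoice:
    kind: str    # "corporate" or "doh"
    target: str  # resolver address or DoH URL
    reason: str


def choose_resolver(policy: ResolverPolicy,
                    local_resolve: Callable[[str], Optional[str]]) -> ResolverChoice:
    """Decide which resolver to use on the current network.

    `local_resolve` asks the network-supplied (e.g. DHCP-assigned) resolver for a name
    and returns an address, or None if the name does not exist there.
    """
    try:
        answer = local_resolve(policy.probe_name)
    except OSError as exc:
        # Timeout or unreachable resolver: treat the network as untrusted rather than
        # falling back to plaintext DNS.
        return ResolverChoice("doh", policy.doh_url, f"probe failed: {exc}")
    if answer == policy.expected_address:
        return ResolverChoice("corporate", policy.corporate_resolver,
                              "probe resolved to the expected internal address")
    if answer is None:
        return ResolverChoice("doh", policy.doh_url,
                              "probe does not resolve here; not on the corporate network")
    # Captive portals and spoofing resolvers often answer every name with their own
    # address, so "it resolves" is not enough; only the expected answer counts.
    return ResolverChoice("doh", policy.doh_url,
                          f"probe resolved to unexpected address {answer}")


# Constructed stand-ins for four networks; no real lookups are performed.
def corporate_network(name: str) -> Optional[str]:
    return "10.10.0.10" if name == "probe.corp.example" else None


def public_hotspot(name: str) -> Optional[str]:
    return None  # probe name unknown outside the company


def captive_portal(name: str) -> Optional[str]:
    return "192.0.2.1"  # answers every name with the portal's own address


def flaky_network(name: str) -> Optional[str]:
    raise TimeoutError("no response from resolver")


POLICY = ResolverPolicy("probe.corp.example", "10.10.0.10", "10.10.0.53",
                        "https://doh.example.test/dns-query")

if __name__ == "__main__":
    for label, net in [("corporate", corporate_network), ("hotspot", public_hotspot),
                       ("captive portal", captive_portal), ("flaky", flaky_network)]:
        choice = choose_resolver(POLICY, net)
        print(f"{label:15} -> {choice.kind:9} {choice.target} ({choice.reason})")
```

The point an administrator cares about is that the decision is made once, system-wide, and every application inherits it; an application that ships its own DoH default skips this logic entirely, which is exactly the circumvention the section warns about.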

Reasons for concern

There are a number of other concerns about the use of external DNS resolution through DoH, ranging from potentially slow response times to the circumvention of parental controls and legally mandated blocking. Nevertheless, on balance, many of the potential downsides of DoH are counteracted by just as many advantages, depending on the context.

There’s no doubt about it: encrypting DNS improves user security and privacy. DoH can provide an easy way of doing this. However, if you do activate DoH, you’ll want to make sure that you inform yourself about who will take care of the DoH resolution, how they handle your data, and whether you can easily turn it off when you need to.


Jonas P. DeMuro

Jonas P. DeMuro is a freelance reviewer covering wireless networking hardware.