What is DNS-over-HTTPS and should you be using it?


Throughout the history of the internet, traditional Domain Name System (DNS) traffic – for example, user requests to go to particular websites – has largely been unencrypted. This means that whenever you look a web address up in the “internet telephone book”, every party along the path that your request takes is able to look into those queries and responses, or even to modify them. Encrypted DNS, for example using DNS over HTTPS (DoH), changes that.

A number of the big internet companies – like Apple, Mozilla, Microsoft, and Google – are in the process of implementing encrypted DNS through DoH in their services and applications. Mozilla was an early adopter, implementing DoH in its browser in the US as early as late 2018, whereas Apple is implementing it with the iOS 14 and macOS 11 updates in autumn 2020, and Google is in the process of rolling out DoH on Chrome for Android.

About the authors

Patrick Koetter and Thomas Rickert represent eco – Association of the Internet Industry

The internet’s global telephone book

The Domain Name System (DNS) basically functions as the telephone book of the internet. If we think of the top-level domain (the far right part of a web address, like .com, .org, or .info) as equivalent to the country code or area code, the second-level (in the case of international.eco.de, this would be .eco.) as the corporate switchboard number, and the third-level (international) as the specific extension, it is possible to get a picture of how this directory is compiled, and how computers go about finding the service that they want to visit.

DNS resolvers are responsible for finding the internet resource (e.g. a website) whose name you have typed into your computer or phone. The first DNS resolver that your device is locally connected to is the home or office router, or a public hotspot. This resolver follows a series of steps, checking for any preconfigured setting on the device or a record of previous visits to the given website (called a cache). Failing this, the resolver will forward the DNS query to the next resolver up – for example, that of the internet service provider (ISP) you are connected to. This resolver will follow the same steps and finally, if all else fails, will look the domain up in the “internet telephone book”.

What risks does DoH protect users against?

One objective pursued in the development of the DoH protocol was to increase user privacy and security by preventing eavesdropping on and manipulation of DNS data. Encrypting DNS traffic protects you against a malicious actor redirecting you to a different (malicious) destination – for example, a fake bank website instead of the real one you wanted to go to. This kind of cyberattack is known as a Man-in-the-Middle (MITM) attack. Encrypting DNS through DoH (or the related DoT protocol) is the only realistic solution available today. The monetisation of DNS data, e.g. for marketing purposes, is a potential and realistic privacy issue that the developers of DoH also wanted to address.

Protecting users in public networks

When you are using a public wireless (Wi-Fi) network in hotels, coffee shops, etc., the DNS query data from your mobile may be used to analyse your behaviour and to track you across networks. Often these DNS services are part of an all-in-one globally-available Wi-Fi solution – these may be poorly adapted to comply with local privacy laws, and the privacy-protecting configurations are potentially not enabled. Furthermore, free public Wi-Fi services, especially when operated or provided by smaller businesses, are often poorly managed in terms of security and performance, leaving you vulnerable to attacks from within their networks.

DoH protects users in these public wireless networks, as the DNS resolver of the Wi-Fi network is bypassed, preventing user tracking and manipulation of data at this level. Therefore, DoH offers an opportunity to protect communications in an untrusted environment.

What changes with DoH?

The DNS over HTTPS protocol in itself only changes the transport mechanism over which your device and the resolver communicate. The requests and the responses are encrypted using the well-known HTTPS protocol. Currently, given that not many DoH resolvers have been deployed yet, and that work is still being done on technically enabling DoH resolvers to be “discovered”, DNS requests using DoH usually bypass the local resolver and are instead processed by an external third-party DoH provider that has already been nominated by the respective software developer or manufacturer. More and more providers are currently deciding whether or not to offer their own DoH services.
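To make concrete that DoH carries ordinary DNS messages and only changes the transport, here is an added Python example (not code from the article or its authors) that builds a wire-format query, wraps it in the two HTTPS request forms RFC 8484 defines, and parses a constructed response. The resolver URL is a placeholder, the response bytes are constructed, and no network traffic is sent.

```python
import base64
import struct

# The same DNS wire format (RFC 1035) travels inside HTTPS; DoH (RFC 8484)
# only defines how those bytes are carried. Everything below runs offline.

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a single-question DNS query (qtype 1 = A record).
    RFC 8484 recommends txid 0 so identical queries are cache-friendly."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(resolver_url: str, query: bytes) -> str:
    """GET form: query base64url-encoded without padding in the dns= parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"

def doh_post_request(query: bytes) -> dict:
    """POST form: the raw wire-format query as body with the DoH media type."""
    return {"method": "POST", "body": query,
            "headers": {"Content-Type": "application/dns-message",
                        "Accept": "application/dns-message"}}

def _skip_name(msg: bytes, offset: int) -> int:
    """Advance past a domain name, handling compression pointers (0xC0xx)."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + length

def parse_a_answers(resp: bytes) -> list:
    """Extract IPv4 addresses from a DoH response body (same wire format)."""
    qdcount, ancount = struct.unpack("!HH", resp[4:8])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(resp, offset) + 4       # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        offset = _skip_name(resp, offset)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", resp[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[offset:offset + 4]))
        offset += rdlen
    return addrs

def sample_response() -> bytes:
    """Constructed response (not captured from any resolver): answers
    example.com with the documentation address 192.0.2.1, TTL 300."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    question = build_query("example.com")[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer
```

The GET URL produced for www.example.com matches the worked example in RFC 8484, which is a quick way to confirm that the bytes an HTTPS observer cannot read are simply a standard DNS query.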

Do I want DoH in my corporate network?

While DoH is a useful way of protecting yourself when you’re using a public hotspot, it may not be the preferred option for trusted network environments, such as corporate networks or internet access services acquired from an ISP that you trust. Your company, for example, may have legitimate reasons to disallow an application that ignores and overrides the system default – this could even be seen as potentially harmful, because the network administrator is unable to control it within the network.

Many of the concerns relating to corporate networks disappear if DoH is implemented on a system level rather than the application level. At the system level, for example, a corporate network administrator can configure the system and can create a policy that ensures that as long as the device is on the corporate network, the corporate resolver should be used – but the moment the device is on a public network, DoH should be used to improve security and privacy. However, if DoH is implemented as default on the application level, these different configurations are circumvented.

There are a number of other concerns about the use of external DNS resolution through DoH – ranging from potentially slow response times to the circumventing of parental controls and legally mandated blocking. But on balance, many of the potential downsides of DoH are counteracted by just as many advantages, depending on the context.

There’s no doubt about it: encrypting DNS improves user security and privacy. DoH can provide an easy way of doing this. But if you do activate DoH, make sure that you inform yourself about who will take care of the DoH resolution, how they handle your data, and whether you can easily turn it off when you need to.

Thomas Rickert, Attorney-at-law and owner of Rickert Rechtsanwaltsgesellschaft mbH, Bonn, Germany, chairs the Names & Numbers Forum at eco – Association of the Internet Industry. He is one of three co-chairs of the ICANN CCWG-Accountability.