DNS over HTTPS (DoH): Definition, Implementation, Benefits, and More
How will the new DNS over HTTPS (DoH) protocol work? Advantages of DoH and how to implement it smoothly.
A new internet protocol is making headlines in the world of enterprise security: DNS over HTTPS. Even though this is of major interest especially for businesses and organizations, regular users will be impacted by it as well. Are you ready for this cybersecurity revolution yourself?
Here’s what all the fuss is about the new DoH protocol. If done right, the hype around it is well-deserved. Once it’s implemented well, DoH can make network communications much more secure. This guide will tell you what this means and how you can implement DNS over HTTPS yourself, the changes to expect, and so on.
What is DNS over HTTPS (DoH)?
DNS over HTTPS (abbreviated as DoH) is an internet security protocol that communicates domain name server information in an encrypted way over HTTPS connections.
The new standard released by the IETF allows the DNS protocol to be carried over HTTPS connections (the more secure form of HTTP).
The route of a DNS query when DoH is enabled.
To better understand what DNS over HTTPS implies, it is also essential to know what the DNS is. For your convenience, I have included a definition and some additional clarifications in the section below.
DNS stands for Domain Name Server and it helps computer networks attach various information to each web domain. To put it simply, all Domain Name Servers are basically the fundamental internet address book.
But while people can remember a domain name easily, computers need numbers to understand it. That’s why the DNS system ‘translates’ each domain name into an IP number and assigns this info, together with other details.
A DNS traffic filtering solution is a crucial security layer for businesses and consumers alike. We discussed elsewhere the importance of DNS traffic filtering and what cybercriminals can hope to get from infiltrating it.
1. Standard DNS vs. DNS over HTTPS (DoH)
Unfortunately, networks using standard DNS communications are vulnerable to man-in-the-middle attacks if they are not protected by a traffic filtering solution. This is because this communication is sent in plain text.
The innovation brought on by the DNS over HTTPS protocol is that the communication is encrypted using the built-in HTTPS standards of the application layer. This helps achieve an unprecedented default level of privacy and data protection, since encryption is (or should be) the gold standard.
Man-in-the-middle attacks (a common cybersecurity concern) are more or less useless if DNS over HTTPS is enabled. Since all DNS requests are encrypted, a third-party observer cannot make sense of the data they would glean.
If that data is not encrypted (such as in the DNS over HTTP protocol), it is easy for a 3rd party malicious observer to see what domains you are trying to access. In contrast, when DoH is active, this data is encrypted and hidden within the enormous amount of HTTPS data that passes through the network.
Therefore, there is no comparison to be drawn between DNS over HTTPS (DoH) and DNS over HTTP. DoH is clearly the superior protocol. It’s only a matter of time until everyone adopts it one way or another, and the road may indeed be difficult for a time.
2. DNS over HTTPS (DoH) vs. DNS over TLS (DoT)
DNS over TLS (or DoT) is regarded by some as being more or less the same thing as DoH, but this is not accurate. Both protocols indeed achieve the same result: encrypting your DNS communications.
But each protocol uses a different port for its encrypted traffic, and the focus of each differs. DoH encryption, theoretically, allows network admins to view the encrypted DNS traffic should an issue arise, while DoT encryption can protect data even from admins.
The fans of DoT protocols state that this DNS over TLS standard is a better fit for human rights concerns in problematic countries. At the same time, in countries where freedom of speech may be limited, the only effect of enabling DoT encryption may be that it draws attention. In other words, authoritarian regimes may look unfavorably upon those who adopt DoT instead of the more mainstream DoH.
Other than that, there is also the technical difference of the port used. DNS over TLS has its own dedicated TLS port, Port 853. DNS over HTTPS uses a different one, Port 443. This internet port (Port 443) is the current standard for all HTTPS communications, so it makes sense that DoH uses it too.
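To make concrete what "DNS carried over HTTPS on port 443" looks like, here is an added example (not code from the original article or from Heimdal) that builds a standard DNS wire-format query, wraps it in the base64url form that RFC 8484 defines for a GET request, and parses the `application/dns-message` reply. The resolver name `dns.example` is a placeholder, the reply bytes are constructed inline, and the `/dns-query` path is the one the major public resolvers use.

```python
"""DoH on the wire: a DNS message carried in an HTTPS request (RFC 8484)."""
import base64
import http.client
import struct


def _encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels: length byte + label, terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, msg_id: int = 0) -> bytes:
    """Ordinary DNS query message. RFC 8484 recommends ID 0 for GET so that
    identical queries give identical URLs that HTTP caches can serve."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(resolver_host: str, wire: bytes, path: str = "/dns-query") -> str:
    """The HTTPS URL: the message as base64url without padding (RFC 8484 s4.1)."""
    token = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"https://{resolver_host}{path}?dns={token}"


def _read_name(wire: bytes, offset: int) -> tuple:
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = wire[offset]
        if (length & 0xC0) == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", wire[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(wire[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset if end is None else end


def parse_response(wire: bytes) -> tuple:
    """Return (rcode, [(name, ttl, ipv4)]) for the A records in a reply."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", wire[:12])
    if not flags & 0x8000:
        raise ValueError("not a response message")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(wire, offset)
        offset += 4
    records = []
    for _ in range(an):
        name, offset = _read_name(wire, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", wire[offset:offset + 10])
        offset += 10
        rdata = wire[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            records.append((name, ttl, ".".join(str(b) for b in rdata)))
    return flags & 0x000F, records


# Constructed reply: QR/RD/RA flags, one answer pointing back at the question
# name (0xC00C), TTL 300, documentation address 192.0.2.1.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + _encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)


def send_query(resolver_host: str, name: str) -> tuple:
    """Live lookup over port 443, the default for HTTPSConnection. Needs network."""
    path = doh_get_url(resolver_host, build_query(name)).split(resolver_host, 1)[1]
    conn = http.client.HTTPSConnection(resolver_host, timeout=5)
    conn.request("GET", path, headers={"Accept": "application/dns-message"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    ctype = resp.getheader("Content-Type", "")
    if resp.status != 200 or not ctype.startswith("application/dns-message"):
        raise RuntimeError(f"unexpected reply: {resp.status} {ctype}")
    return parse_response(body)


if __name__ == "__main__":
    print(doh_get_url("dns.example", build_query("www.example.com")))
    print(parse_response(SAMPLE_RESPONSE))
    # print(send_query("cloudflare-dns.com", "www.example.com"))  # live lookup
```

The URL the block prints for `www.example.com` is the one given as the worked example in RFC 8484 itself, so the encoding can be checked against the standard. Apart from the `Accept` header, nothing about this request distinguishes it from any other HTTPS request to port 443, which is the property that gives DoH its privacy and, as the article discusses later, takes the query out of sight of a port-53 filter.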
How Chrome and Mozilla Are Implementing DNS over HTTPS (DoH)
Both Google Chrome and Mozilla have announced that they plan to include DNS over HTTPS by default in future builds.
For now, the Chrome team is experimenting with the new DoH protocol only for a limited number of users. This trial period will help them fix any potential issues and figure out how to then deploy DoH for everyone.
The DNS over HTTPS protocol will be tested starting with the new Chrome 78 version of the browser, which is not launched yet. You can also opt into this experiment if you’d like to be part of the users who get DoH in advance.
You can access the Chrome flag chrome://flags/#dns-over-http to activate or deactivate the DNS over HTTPS experiment, once Chrome 78 is live.
The only downside to this is that DoH is still relatively hard to configure manually in Chrome, for inexperienced users at least.
To their credit, Mozilla has been working on DNS over HTTPS implementation for a longer time than Chrome, and it shows. As of now, opting to implement DoH in your browser is easy even for non-technical users, and the protocol settings have a much more developed interface.
For now, it’s an opt-in, as mentioned above, but Mozilla has announced that they plan to make DoH a default in future browser versions as well.
How to Enable DNS over HTTPS in Windows 10
Enabling DNS over HTTPS in Windows 10 is a simple way to implement this functionality for all users and applications making DNS queries, including web browsers. This means that you won’t have to wait around for Chrome and Mozilla to integrate the feature or activate it separately.
Nevertheless, keep in mind that Windows 10 should be up to date on your endpoints to ensure the DNS over HTTPS feature is available. For enabling via Settings, this means Build 20185 or higher, while for the registry edit option you need to have Build 19628 or higher.
Enabling DNS over HTTPS via Windows 10 Settings
For Windows 10 Build 20185 or higher, you need to go to the Settings > Network & Internet menu on your machine. There are a few steps to follow for this:
- Open Settings.
- Search for the Network status menu and open it.
- Select the desired Internet connection and open Properties.
- Under IP settings, click Edit.
- Choose the Manual selection, then toggle IPv4 on.
- Specify IP addresses for Preferred DNS and Alternate DNS.
- Windows 10 currently supports three DNS over HTTPS providers:
  - Google – Primary IP: 8.8.8.8, Alternate IP: 8.8.4.4
  - Cloudflare – Primary IP: 1.1.1.1, Alternate IP: 1.0.0.1
  - Quad9 – Primary IP: 9.9.9.9, Alternate IP: 149.112.112.112
- Select Encrypted only for encryption under both Preferred DNS and Alternate DNS.
- Follow the same steps to configure IPv6 as well.
Edit IP settings menu in Windows 10.
Enabling DNS over HTTPS in the Windows 10 Registry
For Windows 10 Build 19628 or higher, you need to open the Registry Editor on your machine and make the necessary DoH changes there. There are a few steps to follow for this:
- Open Registry Editor.
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters.
- Create a DWORD named “EnableAutoDoh” with a value of 2.
- Reboot the machine.
Registry Editor path for DoH enabling in Windows 10.
After the endpoint restarts, you’ll need to change the Preferred DNS and Alternate DNS addresses on it to one of the three I listed above, namely Google, Cloudflare, or Quad9. These are the only DNS over HTTPS options supported by Windows 10 at the moment.
Go under your network adapter’s Internet Protocol Version 4 (TCP/IPv4) and change the existing entries with one of the three. Do the same for IPv6 if necessary.
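For fleets where clicking through Registry Editor and adapter properties on every endpoint is impractical, here is an added example (not from the article or from Heimdal) that scripts the registry procedure above and then sets the adapter's IPv4 DNS servers with `netsh`. It first checks that the chosen pair belongs to one of the three providers Windows 10 recognises, because a pair that is not on that list leaves the endpoint on plaintext port-53 DNS with no error. The resolver addresses are the providers' published ones (assumed here; confirm against your build's list), the adapter name `Ethernet` is a placeholder, and the script must run elevated on the Windows 10 endpoint itself.

```python
"""Script the registry-based DoH enablement for Windows 10 (added example)."""
import platform
import subprocess

# Addresses published by the three providers Windows 10 upgrades to DoH.
# Assumed from the providers' public documentation; confirm against your build.
SUPPORTED_DOH_RESOLVERS = {
    "Google": ("8.8.8.8", "8.8.4.4"),
    "Cloudflare": ("1.1.1.1", "1.0.0.1"),
    "Quad9": ("9.9.9.9", "149.112.112.112"),
}
# Registry location from the procedure above (relative to HKEY_LOCAL_MACHINE).
DNSCACHE_PARAMETERS = r"SYSTEM\CurrentControlSet\Services\Dnscache\Parameters"


def check_resolver_pair(preferred: str, alternate: str) -> str:
    """Return the provider both addresses belong to, or raise ValueError.

    Windows only upgrades queries to DoH for addresses it knows, so a typo or a
    pair mixed from two providers silently keeps the endpoint on plaintext DNS.
    """
    for provider, pair in SUPPORTED_DOH_RESOLVERS.items():
        if preferred in pair and alternate in pair and preferred != alternate:
            return provider
    raise ValueError(f"{preferred}/{alternate} is not a supported DoH resolver pair")


def netsh_dns_commands(adapter: str, preferred: str, alternate: str) -> list:
    """netsh commands equivalent to editing the adapter's TCP/IPv4 DNS entries."""
    return [
        ["netsh", "interface", "ipv4", "set", "dnsservers", f"name={adapter}",
         "source=static", f"address={preferred}", "register=primary"],
        ["netsh", "interface", "ipv4", "add", "dnsservers", f"name={adapter}",
         f"address={alternate}", "index=2"],
    ]


def enable_auto_doh() -> None:
    """Create the EnableAutoDoh DWORD with value 2 under the Dnscache parameters key."""
    import winreg  # Windows-only module; imported here so the checks run anywhere
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, DNSCACHE_PARAMETERS, 0,
                            winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, "EnableAutoDoh", 0, winreg.REG_DWORD, 2)


def apply(adapter: str, preferred: str, alternate: str) -> str:
    """Validate the pair, then write the registry value and the DNS servers."""
    provider = check_resolver_pair(preferred, alternate)
    if platform.system() != "Windows":
        raise RuntimeError("run this on the Windows 10 endpoint itself, elevated")
    enable_auto_doh()
    for cmd in netsh_dns_commands(adapter, preferred, alternate):
        subprocess.run(cmd, check=True)
    return provider


if __name__ == "__main__":
    # Reboot afterwards, as the procedure requires, for the registry value to take effect.
    print("configured DoH via", apply("Ethernet", "1.1.1.1", "1.0.0.1"))
```

Run the same `netsh` commands with `ipv6` in place of `ipv4` and the providers' IPv6 addresses if the adapter also resolves over IPv6, as the last step of the Settings procedure says.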
How DNS Traffic Filtering Solutions Need to Adapt to HTTPS
As most organizations are already aware, a DNS traffic filtering solution is crucial for their cybersecurity environment. But while most organizations are already using a DNS traffic filter, the dilemma brought on by DoH is that compatibility issues may arise once browsers start using DoH by default.
In layman’s terms, here’s what can be problematic. DNS traffic filtering solutions rely on the operating system’s built-in DNS settings to see the DNS queries they filter. But if the browser (whether it be Chrome or Mozilla) no longer uses the standard DNS port (53) for queries and instead switches to the DoH one (443), the traffic filtering solution loses sight of those queries.
While DoH indeed brings more privacy by default, it should not be confused with compliance or security. Companies should still be warned that DoH is not enough for security.
On the downside, when the browser’s DNS queries are wrong (or intentionally misdirected by malicious third parties), the DNS traffic filter might have trouble catching on. DNS over HTTPS might also be used to deliver ads that would otherwise have been blocked, since DoH queries circumvent the filter.
This is why when choosing a DNS traffic filter provider, you need to make sure that they support DNS over HTTPS correctly. Our Heimdal™ Threat Prevention solution is currently developing a solid integration of DoH.
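Since a filter that sits at port 53 cannot read DoH queries, the practical check for an administrator is whether endpoints are resolving names past the filter at all. The following added example (not part of this article or of the Heimdal product) runs that check over a constructed connection log: it counts each host's port-53 queries to the filter's resolver and its port-443 connections to known public DoH endpoints, and flags hosts whose name resolution the filter no longer sees. The watch-list holds the three providers' public resolver addresses and hostnames, the filter's own resolver address 10.0.0.53 is assumed, and the log lines are made up for the example.

```python
"""Spot endpoints whose DNS queries bypass a port-53 filter via DoH (added example)."""
import re
from collections import defaultdict

# Public DoH endpoints to watch (addresses and hostnames the providers publish).
# Extend with whatever resolvers your own filter does not front.
DOH_RESOLVER_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4",
                    "9.9.9.9", "149.112.112.112"}
DOH_HOSTNAMES = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
FILTER_RESOLVER_IP = "10.0.0.53"  # assumed address of the DNS traffic filter's resolver

# Constructed sample log, one flow per line: ts src dst dport proto sni ("-" if none).
SAMPLE_LOG = """\
2023-10-01T09:00:01 10.0.1.15 10.0.0.53 53 udp -
2023-10-01T09:00:02 10.0.1.15 198.51.100.20 443 tcp www.example.com
2023-10-01T09:01:10 10.0.1.22 1.1.1.1 443 tcp cloudflare-dns.com
2023-10-01T09:01:11 10.0.1.22 203.0.113.7 443 tcp shop.example.net
2023-10-01T09:02:00 10.0.1.31 10.0.0.53 53 udp -
2023-10-01T09:02:05 10.0.1.31 8.8.8.8 443 tcp dns.google
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+) (?P<proto>\S+) (?P<sni>\S+)$")


def parse_flows(text: str) -> list:
    """Parse the log into dicts; malformed lines are skipped rather than trusted."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flow = m.groupdict()
            flow["dport"] = int(flow["dport"])
            flows.append(flow)
    return flows


def is_doh_flow(flow: dict) -> bool:
    """A DoH query looks like any HTTPS flow; destination IP or SNI is the only tell."""
    return flow["dport"] == 443 and (
        flow["dst"] in DOH_RESOLVER_IPS or flow["sni"] in DOH_HOSTNAMES)


def classify_hosts(flows: list) -> dict:
    """Per source host: filtered-DNS count, DoH count, and a visibility status.

    bypass  - DoH seen and no query reached the filter: resolution is invisible
    partial - DoH seen alongside filtered queries: an app (typically a browser)
              resolves on its own while the OS still uses the filter
    ok      - no DoH traffic observed
    """
    stats = defaultdict(lambda: {"filtered_dns": 0, "doh": 0})
    for flow in flows:
        if flow["dport"] == 53 and flow["dst"] == FILTER_RESOLVER_IP:
            stats[flow["src"]]["filtered_dns"] += 1
        elif is_doh_flow(flow):
            stats[flow["src"]]["doh"] += 1
    result = {}
    for src, s in stats.items():
        if s["doh"] and not s["filtered_dns"]:
            status = "bypass"
        elif s["doh"]:
            status = "partial"
        else:
            status = "ok"
        result[src] = {**s, "status": status}
    return result


def report(hosts: dict) -> list:
    """Lines for hosts that need attention, worst first."""
    order = {"bypass": 0, "partial": 1, "ok": 2}
    return [f"{src}: {h['status']} (doh={h['doh']}, filtered_dns={h['filtered_dns']})"
            for src, h in sorted(hosts.items(), key=lambda kv: order[kv[1]["status"]])
            if h["status"] != "ok"]


if __name__ == "__main__":
    for line in report(classify_hosts(parse_flows(SAMPLE_LOG))):
        print(line)
```

Hosts reported as "partial" match the browser fallback behaviour the article describes: the operating system still asks the filter, while the browser resolves over port 443 on its own. A matching watch-list is also the basis for a firewall rule that blocks the known DoH endpoints until the filter itself supports DoH.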
DNS over HTTPS Benefits
Since for the first time the DNS over HTTPS protocol makes the DNS traffic communications encrypted, this can bring about more privacy and better security for users and organizations.
But because the DoH protocol is still new, some organizations are anxious about adopting it, due to compatibility and implementation issues. If these are your concerns as well, here are the benefits of transitioning to the DNS over HTTPS model.
- You get to test out how DoH will integrate with your networks ahead of time and fix any potential issues before the DoH protocol becomes default;
- If implemented right, you can gain more data security and better privacy across your organization;
- You get to test out the compatibility of DNS over HTTPS with your DNS traffic filter;
- Your feedback may help all software parties involved better their products, to your benefit.
DNS over HTTPS Limitations
- If your system admin(s) are not experienced with DoH and similar security protocols, this can end up in blocked queries, false-positive security flags, and so on;
- If your DNS traffic filtering solution has not worked to integrate with DoH, this can render it ineffective.
How We Cover DoH within Heimdal™ Threat Prevention
For the moment, our Heimdal™ Threat Prevention product (which includes DarkLayer Guard, a market-leading DNS traffic filtering solution) works around the DNS over HTTPS that browsers will implement.
While we still use the DNS settings from the operating system, we supplement the queries from the browser. Since the DoH protocol is still under test in browsers, whenever the browser’s DoH server falls back, the system proceeds to query the OS DNS settings, which is where our solution comes in.
In the long(er) run, we are working to fully integrate the DoH protocol with DarkLayer Guard in a way that will help every party involved develop stronger cybersecurity and cyber resilience.
Like any IT innovation, DNS over HTTPS can pose a few challenges at first, until everyone gets aligned with it. But once DoH becomes the standard, its benefits will greatly outweigh the difficulties it poses in the beginning.