HEAD OF COMMUNICATION AND PR

A new internet protocol is making headlines in the world of enterprise security: DNS over HTTPS. Even though this is of major interest especially for businesses and organizations, regular users will be impacted by it as well. Are you ready for this cybersecurity revolution yourself?

Here’s what all the fuss is about the new DoH protocol. If done right, the hype around it is well-deserved. Once it’s implemented well, DoH can make network communications much more secure. This guide will tell you what this means and how you can implement DNS over HTTPS yourself, the changes to expect, and so on.

What is DNS over HTTPS (DoH)?

DNS over HTTPS (abbreviated as DoH) is an internet security protocol that communicates domain name server information in an encrypted way over HTTPS connections.

The new standard released by the IETF enables DNS protocol to be enabled over HTTPS connections (the more secure form of HTTP).

DNS over HTTPS scheme

The route of a DNS query when DoH is enabled.

To better understand what DNS over HTTPS implies, it is also essential to know what the DNS is. For your convenience, I have included a definition and some additional clarifications in the section below.

DNS Definition

DNS stands for Domain Name Server and it helps computer networks attach various information to each web domain. To put it simply, all Domain Name Servers are basically the fundamental internet address book.

But while people can remember a domain name easily, computers need numbers to understand it. That’s why the DNS system ‘translates’ each domain name into an IP number and assigns this info, together with other details.

A DNS traffic filtering solution is a crucial security layer for businesses and consumers alike. We discussed elsewhere the importance of DNS traffic filtering and what cybercriminals can hope to get from infiltrating it.

 

1.  Standard DNS vs. DNS over HTTPS (DoH)

Unfortunately, networks using standard DNS communications are vulnerable to man-in-the-middle attacks if they are not protected by a traffic filtering solution. This is because this communication is sent in plain text.

The innovation brought on by the DNS over HTTPS protocol is that the communication is encrypted using built-in application HTTPS standards. This helps achieve an unprecedented default level of privacy and data protection since the encryption is (or should be) the golden standard.

Man-in-the-middle attacks (a common cybersecurity concern) are more or less useless if DNS over HTTPS is enabled. Since all DNS requests are encrypted, a 3rd party observer cannot make sense of the data they would gleam.

If that data is not encrypted (such as in the DNS over HTTP protocol), it is easy for a 3rd party malicious observer to see what domains you are trying to access. In contrast, when DoH is active, this data is encrypted and hidden within the enormous amount of HTTPS data that passes through the network.

Therefore, there is no comparison to be drawn between DNS over HTTPS (DoH) and DNS over HTTP. DoH is clearly the superior protocol. It’s only a matter of time until everyone adopts it one way or another, and the road may indeed be difficult for a time.

 

2. DNS over HTTPS (DoH) vs. DNS over TLS (DoT)

DNS over TLS (or DoT) is regarded by some as being more or less the same thing with DoH, but this is not accurate. Both types of protocols indeed achieve the same result: encrypting your DNS communications.

But each type of DNS protocol uses a different port for this encryption they make and the focus of each. The DoH encryption allows, theoretically, network admins to view the encrypted DNS traffic should an issue arise, while the DoT encryption can protect data even from admins.

The fans of DoT protocols state that this DNS over TLS standard is a better fit for human rights concerns in problematic countries. At the same time, in countries where freedom of speech may be limited, the only effect of enabling DoT encryption may be that it draws attention. In other words, authoritarian regimes may look unfavorably upon those who adopt DoT instead of the more mainstream DoH.

Other than that, there is also the technical difference of the port used. DNS over TLS has its own dedicated TLS port, Port 853. DNS over HTTPS uses a different one, Port 443. This internet port (Port 443) is the current standard for all HTTPS communications, so it makes sense that DoH uses it too.

How Chrome and Mozilla Are Implementing DNS over HTTPS (DoH)

Both Google Chrome and Mozilla have announced that they plan to include DNS over HTTPS by default in future builds.

Chrome

For now, the Chrome team is experimenting with the new DoH protocol only for a limited number of users. This trial period will help them fix any potential issues and figure out how to then deploy DoH for everyone.

The DNS over HTTPS protocol will be tested starting with the new Chrome 78 version of the browser, which is not launched yet. You can also opt into this experiment if you’d like to be part of the users who get DoH in advance.

You can access the Chrome flag chrome://flags/#dns-over-http to activate or deactivate the DNS over HTTPS experiment, once Chrome 78 is live.

The only downside to this is that DoH is still relatively hard to configure manually in Chrome, for inexperienced users at least.

Mozilla

To their credit, Mozilla has been working on DNS over HTTPS implementation for a longer time than Chrome, and it shows. As of now, opting to implement DoH in your browser is easy even for non-technical users, and the protocol settings have a much more developed interface.

For now, it’s an opt-in, as mentioned above, but Mozilla has announced that they plan to make DoH a default in future browser versions as well.

How to Enable DNS over HTTPS in Windows 10

Enabling DNS over HTTPS in Windows 10 is a simple way to implement this functionality for all users and applications making DNS queries, including web browsers. This means that you won’t have to wait around for Chrome and Mozilla to integrate the feature or activate it separately.

Nevertheless, keep in mind that Windows 10 should be up to date on your endpoints to ensure the DNS over HTTPS feature is available. For enabling via Settings, this means Build 20185 or higher, while for the registry edit option you need to have Build 19628 or higher.

Enabling DNS over HTTPS via Windows 10 Settings

For Windows 10 Build 20185 or higher, you need to go to the Settings > Network & Internet menu on your machine. There are a few steps to follow for this:

  • Open Settings.
  • Search for the Network status menu and open it.
  • Select the desired Internet connection and open Properties.
  • Under IP settings, click Edit.
  • Choose the Manual selection, then toggle IPv4 on.
  • Specify IP addresses for Preferred DNS and Alternate DNS.
  • Windows 10 currently supports three DNS over HTTPS providers:
    • Google – Primary IP: 8.8.8.8, Alternate IP: 8.8.4.4
    • Cloudflare – Primary IP: 1.1.1.1, Alternate IP: 1.0.0.1
    • Quad9 – Primary IP: 9.9.9.9, Alternate IP: 149.112.112.112
  • Select Encrypted only for encryption under both Preferred DNS and Alternate DNS.
  • Follow the same steps to configure IPv6 as well.

DNS over HTTPS Windows Settings

Edit IP settings menu in Windows 10.

Enabling DNS over HTTPS in the Windows 10 Registry

For Windows 10 Build 19628 or higher, you need to open the Registry Editor on your machine and make the necessary DoH changes there. There are a few steps to follow for this:

  • Open Registry Editor.
  • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters.
  • Create a DWORD named “EnableAutoDoh” with a value of 2.
  • Reboot the machine.

Registry Editor DNS over HTTPS

Registry Editor path for DoH enabling in Windows 10.

After the endpoint restarts, you’ll need to change the Preferred DNS and Alternate DNS addresses on it to one of the three I listed below, namely Google, Cloudflare, or Quad9. These are the only DNS over HTTPS options supported by Windows 10 at the moment.

Go under your network adapter’s Internet Protocol Version 4 (TCP/IPv4) and change the existing entries with one of the three. Do the same for IPv6 if necessary.

How DNS Traffic Filtering Solutions Need to Adapt to HTTPS

As most organizations are already aware, a DNS traffic filtering solution is crucial for their cybersecurity environment. But while most organizations are already using a DNS traffic filter, the dilemma brought on by DoH is that compatibility issues may arise once browsers start using DoH by default.

In laymen’s terms, here’s what can be problematic. DNS traffic filtering solutions are using the settings built-in Operating Systems to perform DNS queries. But if the browser (whether it be Chrome or Mozilla) will no longer use the standard DNS port (53) for queries and instead switch to the DoH one (443), the traffic filtering solution will lose sight of those queries.

While DoH indeed brings more privacy by default, it should not be confused with compliance or security. Companies should still be warned that DoH is not enough for security.

On the downside, when the DNS queries from the browser are wrong (or intentionally misled by malicious 3rd parties), the DNS traffic filter might have trouble catching on. Also, DNS over HTTPS protocols might be used to display the ads which would have otherwise been blocked (since these solutions circumvent filters).

This is why when choosing a DNS traffic filter provider, you need to make sure that they support DNS over HTTPS correctly. Our Heimdal™ Threat Prevention solution is currently developing a solid integration of DoH.

DNS over HTTPS Benefits

Since for the first time the DNS over HTTPS protocol makes the DNS traffic communications encrypted, this can bring about more privacy and better security for users and organizations.

But because the DoH protocol is still new, some organizations are anxious about adopting it, due to compatibility and implementation issues. If these are your concerns as well, here are the benefits of transitioning to the DNS over HTTPS model.

  • You get to test out how DoH will integrate with your networks ahead of time and fix any potential issues before the DoH protocol becomes default;
  • If implemented right, you can gain more data security and better privacy across your organization;
  • You get to test out the compatibility of DNS over HTTPS with your DNS traffic filter;
  • Your feedback may help all software parties involved better their products, to your benefit.

DNS over HTTPS Limitations

  • If your system admin(s) are not experienced with DoH and similar security protocols, this can end up in blocked queries, false-positive security flags, and so on;
  • If your DNS traffic filtering solution has not worked to integrate with DoH, this can render it ineffective;

How We Cover DoH within Heimdal™ Threat Prevention

For the moment, our Heimdal™ Threat Prevention product (which includes DarkLayer Guard, a market-leading DNS traffic filtering solution) circumvents the DNS over HTTPS which will be implemented by browsers.

While we still use the DNS settings from the operating system, we supplement the queries from the browser. Since the DoH protocol is still under test in browsers, whenever DNS servers will have a fallback, their system will proceed to query the OS settings, which is where our solution comes in.

In the long(er) run, we are working to fully integrate the DoH protocol with DarkLayer Guard in a way that will help every party involved develop stronger cybersecurity and cyber resilience.

Heimdal Official Logo
Antivirus is no longer enough to keep an organization’s systems secure.

Heimdal™ Threat Prevention - Endpoint

Is our next gen proactive shield that stops unknown threats before they reach your system.
  • Machine learning powered scans for all incoming online traffic;
  • Stops data breaches before sensitive info can be exposed to the outside;
  • Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
  • Protection against data leakage, APTs, ransomware and exploits;
Try it for FREE today Offer valid only for companies.

Wrapping up

Like any IT innovation, DNS over HTTPS can pose a few challenges at first, until everyone gets aligned with it. But once DoH becomes the standard, its benefits will greatly outweigh the difficulties it poses in the beginning.

DNS Security 101: The Essentials You Need to Know to Keep Your Organization Safe

DNS over HTTPS (DoH) – A Possible Replacement for VPN?

Security Alert: MS Office Zero Day and DNS Vulnerabilities Can Impact Users

Comments

I feel like DoH gets more hype than deserved and it’s clear whoever wrote this article is contributing to that. The statement “Most networks are now still using DNS over HTTP communications, which makes them vulnerable to man-in-the-middle attacks if they are not protected by a traffic filtering solution.” is flat out false. DNS over HTTP is not a thing and never was/should be. HTTP runs on port 80. DNS is on port 53. It’s a separate protocol doing a separate thing for a separate purpose.

The other issue is the reason people use it and what they believe they are getting out of it. For example, if I can monitor the network you are on to see DNS requests made on port 53, then I can also see your other traffic. DNS over HTTPS only prevents me from seeing the DNS QUERY aka the website you requested being converted from name to number. Once this DNS request is answered, traditional DNS or DNS over HTTPS, you computer then connects to the website over HTTP or HTTPS, two known ports, and does so with an IP address and a path to whatever you are requesting, which is logged and visible to anyone with access to router logs. They cannot see WHAT you are exchanging, but they can see WHERE you are doing it. A lot of people using DNS over HTTPS are doing it for fear of being monitored and think they are safe by using it and that simply isn’t true.

This is simply wrong. For one, there is no such thing as “DNS over HTTP”, just regular DNS. Secondly, the comparison of DoT and DoH has the protocols swapped in whole section, which is totally misleading.

I have learn some excellent stuff here. I wonder how so much effort you put to create any such great informative website.

i have one doubt u said tls uses other port number and https uses different one, but https is combination of http and tls in web if we connect via https that means by default we are connecting 443 port number, so how its different from tls port number? could you please explain it ?

I believe both protocols use TLS, but at different times and for different parts of the query. The DoT standard specified its own port for the new protocol, while the DoH standard opted to go along with all the other HTTPS traffic.

Leave a Reply

Your email address will not be published. Required fields are marked *

GO TO TOP