What is DNS over HTTPS (DoH)?

DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution over HTTPS. Using it increases user privacy and security by preventing eavesdropping on, and manipulation of, DNS data through man-in-the-middle attacks: the HTTPS protocol encrypts the data between the DoH client and the DoH-based DNS resolver.

DoH encrypts DNS queries and disguises them as regular HTTPS traffic, hence the name DNS-over-HTTPS. These DoH queries are sent to specially built, DoH-capable DNS servers (also known as DoH resolvers), which resolve the DNS query carried inside the DoH request and reply to the user, also in encrypted form.

Support for DoH

One of the main points DoH supporters make is that DoH prevents ISPs from tracking users' DNS requests, and hence from tracking users' web traffic. Yes, DoH prevents the ISP from viewing a user's DNS requests, as the request to and the response from the DoH server are encrypted.

However, DNS is not the only protocol involved in browsing a website. There are still countless other data points that ISPs could track. Anyone saying that DoH prevents ISPs from tracking users is either lying or doesn't understand how web traffic works. The same holds for users who access HTTPS websites: the ISP will still know which site the user is connecting to, because the HTTPS protocol is not completely opaque and a few parts of an HTTPS connection are not encrypted. Furthermore, ISPs know everything about everyone's traffic anyway. By design, they can see the IP address the user connects to when accessing a website.

Does it really address Privacy Concerns?

This IP address can't be hidden. Knowing the final destination IP address reveals which website a user is connecting to, even if everything else about their traffic is encrypted. Any claims that DoH prevents ISPs from tracking users are misleading. DoH merely inconveniences ISPs by blinding them to one vector, but they still have plenty of others.

Pain for Enterprises

For enterprises, DoH has been a nightmare since it was first proposed. DoH essentially creates a mechanism to override centrally imposed DNS settings in an organization and allows employees to bypass any DNS-based traffic filtering solution.

System administrators need to keep an eye on DNS settings across operating systems; having hundreds of apps, each with its own DoH settings, is a nightmare because it makes monitoring for DNS hijacking almost impossible.

Experts say companies are irresponsible for pushing a half-baked protocol that doesn't actually protect users and causes more problems than it fixes, especially in the enterprise sector.

Gain for Others with a Risk Factor

Once DoH becomes widely available, it will become employees' favorite method for bypassing enterprise blacklists of domains that are normally blocked at their workplaces.

Some may use it to access movie streaming sites or adult content, but once it is enabled, employees may also accidentally visit malware and phishing sites.

When the DNS protocol is encrypted, an organization can no longer use DNS query data (query type, response, originating IP, etc.) to tell whether a user is trying to reach a known bad domain. Those same experts also understand the need to protect DNS queries from being snooped. However, if it were up to them, they would argue for pushing DNSSEC and DNS-over-TLS (DoT), a protocol similar to DoH that encrypts the DNS connection directly rather than hiding DNS traffic inside HTTPS.
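To make that loss concrete, here is an added Python example (not from the original article) that runs a domain blocklist over constructed plaintext DNS log lines, then shows what a defender is left with for a host that has moved to DoH: no queried names at all, only the resolver address and the destination IPs discussed earlier. Hosts, domains, resolver addresses and both log formats are constructed for the example.

```python
from collections import defaultdict
# Added example, not from the original article: what a DNS-based filter can act on while
# queries travel in the clear, versus what a defender still sees once a host uses DoH.
# Hosts, domains, resolver addresses and both log formats below are constructed.

BLOCKLIST = {"malware-c2.example", "phish-login.example"}   # constructed bad domains
DOH_RESOLVERS = {"198.51.100.53"}                            # constructed DoH resolver IP

# Plaintext resolver log, one query per line: <time> <client> <qname> <qtype> <rcode>
DNS_LOG = """\
10:00:01 10.0.0.5 intranet.corp.example A NOERROR
10:00:02 10.0.0.5 malware-c2.example A NOERROR
10:00:03 10.0.0.9 docs.example AAAA NOERROR
"""
# Egress flow log: <time> <src> <dst> <proto> <dport>. Host 10.0.0.7 never appears in
# DNS_LOG: its lookups go to the DoH resolver inside HTTPS, so no qname is ever logged.
FLOW_LOG = """\
10:00:02 10.0.0.5 192.0.2.44 tcp 443
10:00:04 10.0.0.7 198.51.100.53 tcp 443
10:00:05 10.0.0.7 192.0.2.44 tcp 443
"""

def flag_blocked_queries(dns_log: str, blocklist: set[str]) -> list[tuple[str, str]]:
    """With plaintext DNS the filter matches the queried name (or a subdomain of it)."""
    hits = []
    for line in dns_log.splitlines():
        _, client, qname, _, _ = line.split()
        if any(qname == bad or qname.endswith("." + bad) for bad in blocklist):
            hits.append((client, qname))
    return hits

def doh_visibility_report(dns_log: str, flow_log: str, resolvers: set[str]) -> dict:
    """For each host with HTTPS flows to a known DoH resolver, report how many names the
    plaintext DNS log still shows for it and which destination IPs remain observable."""
    plaintext = defaultdict(int)
    for line in dns_log.splitlines():
        plaintext[line.split()[1]] += 1
    report = {}
    for line in flow_log.splitlines():
        _, src, dst, proto, dport = line.split()
        if proto != "tcp" or dport != "443":
            continue
        entry = report.setdefault(src, {"doh_flows": 0, "plaintext_queries": plaintext[src],
                                        "visible_destinations": []})
        if dst in resolvers:
            entry["doh_flows"] += 1            # the resolver IP itself is all that is visible
        else:
            entry["visible_destinations"].append(dst)   # the IP argument from the article
    return {host: e for host, e in report.items() if e["doh_flows"]}
```

Run against the constructed logs, the blocklist catches 10.0.0.5 by name, while 10.0.0.7 yields zero plaintext queries and only the destination 192.0.2.44, which is exactly the visibility the article says survives DoH.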

Another major talking point about DoH has been that users can bypass DNS-based firewalls set up at the national or ISP level, usually for the purpose of online censorship and to keep users from accessing politically sensitive content.

The problem is that DoH also bypasses DNS-based blacklists put in place for legitimate reasons, such as those blocking access to child abuse websites, terrorism content, and websites hosting stolen copyrighted material.

GCHQ, Britain's intelligence service, has also criticized both Google and Mozilla, claiming the new protocol would impede police investigations and could circumvent existing government protections against malicious websites by bypassing its internet surveillance systems.

Another major issue that most security experts have had with DoH is the recent claim that it can help people living in oppressive countries. The problem with this claim is that DoH does not hide users from tracking; it only hides DNS traffic and leaves everything else visible.

Suggestion for Encrypting existing DNS Traffic

These experts argue that encrypting DNS traffic should be done on the current infrastructure, rather than by creating another (useless) layer of DoH resolvers that sits on top of the existing DNS layer. Encrypting DNS traffic is good, but only if it can be done without involving additional parties. The general idea is that DNS-over-HTTPS is not what many thought it was: it doesn't actually protect users from having their web traffic monitored.

Users who want to hide their web traffic should still look at VPNs and Tor as safer solutions, with DoH as an extra layer of protection, when available. Enterprises will need to invest in new ways of monitoring and filtering traffic, as the era of DNS-based systems seems to be coming to an end.


As the usage of DoH increases in the future, it will reveal the true benefits and risks associated with it.

