DNS over HTTPS: Difference between revisions

DNS over HTTPS

Communication protocol
Purpose	encapsulate DNS in HTTPS for privacy and security
Introduction	October 2018; 5 years ago (2018-10)
OSI layer	Application Layer
RFC(s)	RFC 8484

DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks^[1] by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver. Encryption by itself does not protect privacy, encryption is simply a method to obfuscate the data. As of March 2018^[update], Google and the Mozilla Foundation started testing versions of DNS over HTTPS.^[2][3]

In addition to improving security, another goal of DNS over HTTPS is to improve performance: testing of ISP DNS resolvers has shown that many often have slow response times, a problem that is exacerbated by the need to potentially have to resolve many hostnames when loading a single web page.^[1]

Technical detail

DoH is a proposed standard, published as RFC 8484 (October 2018) by the IETF. It uses HTTP/2 and HTTPS, and supports the wire format DNS response data, as returned in existing UDP responses, in an HTTPS payload with the MIME type application/dns-message.^[1][4] If HTTP/2 is used, the server may also use HTTP/2 server push to send values that it anticipates the client may find useful in advance.^[5]

DoH is a work in progress. Even though the IETF has published RFC 8484 as a proposed standard and companies are experimenting with it,^[6][7] the IETF has yet to determine how it should best be implemented. The IETF is evaluating a number of approaches for how to best deploy DoH and is looking to stand up a working group, Applications Doing DNS (ADD), to do this work and develop a consensus. In addition, other industry working groups such as the Encrypted DNS Deployment Initiative, have been formed to "define and adopt DNS encryption technologies in a manner that ensures the continued high performance, resiliency, stability and security of the Internet’s critical namespace and name resolution services, as well as ensuring the continued unimpaired functionality of security protections, parental controls, and other services that depend upon the DNS".^[8]

Many issues with how to properly deploy DoH are still being resolved by the internet community including but not limited to:

• Parental controls and content filters
• Split DNS in Enterprises
• CDN Localization
• Interoperability with 5G networks

Deployment scenarios

DoH is used for recursive DNS resolution by DNS resolvers. Resolvers (DoH clients) must have access to a DoH server hosting a query endpoint.^[5]

DoH lacks native support in operating systems. Thus, a user wishing to use it must install additional software. Three usage scenarios are common:

• Using a DoH implementation within an application: Some browsers have a built-in DoH implementation and can thus perform queries by bypassing the operating system's DNS functionality. A drawback is that an application may not inform the user if it skips DoH querying, either by misconfiguration or lack of support for DoH.
• Installing a DoH proxy on the name server in the local network: In this scenario client systems continue to use traditional (port 53 or 853) DNS to query the name server in the local network, which will then gather the necessary replies via DoH by reaching DoH-servers in the Internet. This method is transparent to the end user.
• Installing a DoH proxy on a local system: In this scenario, operating systems are configured to query a locally running DoH proxy. In contrast to the previously mentioned method, the proxy needs to be installed on each system wishing to use DoH, which might require a lot of effort in larger environments.
• Installing a DoH resolving plugin for the operating system

In all of these scenarios, the DoH client does not directly query any authoritative name servers. Instead, the client relies on the DoH server using traditional (port 53 or 853) queries to finally reach authoritative servers. Thus DoH does not qualify as an end-to-end encrypted protocol, only hop-to-hop encrypted and only if DNS over TLS is used consistently.

Public DNS servers using DoH

DNS over HTTPS server implementations are already available free of charge by some public DNS providers^[9]. See public recursive name server for an overview.

Client support

• AdGuard for Android,^[10] AdGuard for iOS^[11] and AdGuard Home^[12]
• Cloudflare 1.1.1.1 client app for Android and iOS.^[13]
• Cloudflare resolver for Linux, MacOS and Windows.^[14]
• cURL since 7.62.0.^[15]
• DNSCrypt-proxy — Local DNS → DNS over HTTPS proxy.^[16]
• DNSP — Versatile DNSProxy. DoH server (C) and client (PHP) implementation.^[17]
• doh-php-client — PHP Implementation.^[18]
• Firefox since Version 62 and later^[19] — Browser support.^[20]
• Intra — an Android application by Jigsaw to route your DNS queries to a DNS-over-HTTPS server of your choice.^[21]
• nss-tls — a DoH-based resolver plugin for glibc.^[22]
• Technitium DNS Client — C# .NET cross-platform implementation.^[23]
• Technitium DNS Server — A local DNS server with DNS-over-HTTPS forwarder support.^[24]
• NextDNS client apps.^[25]
• Nebulo - DNS over HTTPS/TLS - for Android.^[26]

Criticism

The Internet Watch Foundation and the Internet Service Providers Association (ISPA)—a trade association representing UK ISPs—criticized Mozilla, developers of the widely-used Firefox Web browser, and Google—for supporting DoH, as they believe that it will undermine web blocking programs in the country, including ISP default filtering of adult content, and mandatory court-ordered filtering of copyright violations. The ISPA nominated Mozilla for its "Internet Villain" award for 2019 (alongside the EU Directive on Copyright in the Digital Single Market, and Donald Trump), "for their proposed approach to introduce DNS-over-HTTPS in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK." Mozilla responded to the allegations by the ISPA, arguing that it would not prevent filtering, and that they were "surprised and disappointed that an industry association for ISPs decided to misrepresent an improvement to decades-old internet infrastructure".^[27][28] In response to the criticism, the ISPA apologized and withdrew the nomination.^[29][30] Mozilla subsequently stated that DoH will not be used by default in the UK market until further discussion with relevant stakeholders, but stated that it "would offer real security benefits to UK citizens".^[31]

OpenBSD has disabled DoH by default in their builds of Firefox, citing its decision to rely on a CloudFlare server by default for DoH service as a disrespect of operating system configuration, and having potential privacy issues.^[32]

Alternatives

Alternatives to DNS over HTTPS are DNS over TLS, DNSCurve, and DNSCrypt.

See also

• DNS over TLS
• EDNS Client Subnet

References

1. Chirgwin, Richard (14 Dec 2017). "IETF protects privacy and helps net neutrality with DNS over HTTPS". The Register. Retrieved 2018-03-21.
2. "DNS-over-HTTPS | Public DNS | Google Developers". Google Developers. Retrieved 2018-03-21.
3. Cimpanu, Catalin (2018-03-20). "Mozilla Is Testing "DNS over HTTPS" Support in Firefox". BleepingComputer. Retrieved 2018-03-21.
4. Hoffman, P; McManus, P. "RFC 8484 - DNS Queries over HTTPS". datatracker.ietf.org. Retrieved 2018-05-20.
5. Hoffman, P; McManus, P. "draft-ietf-doh-dns-over-https-08 - DNS Queries over HTTPS". datatracker.ietf.org. Retrieved 2018-05-20.
6. "Experimenting with same-provider DNS-over-HTTPS upgrade". Chromium Blog. Retrieved 2019-09-13.
7. Deckelmann, Selena. "What's next in making Encrypted DNS-over-HTTPS the Default". Future Releases. Retrieved 2019-09-13.
8. "About". Encrypted DNS Deployment Initiative. Retrieved 2019-09-13.
9. "DNS over HTTPS Implementations". 2018-04-27. Retrieved 2018-04-27.
10. Brinkmann, Martin (2019-03-21). "AdGuard 3.0 for Android: Redesign, Stealth Mode, Custom Filter Lists". Ghacks Technology News. Retrieved 2019-08-02.
11. Orr, Andrew (2019-07-13). "AdGuard 3 Brings DNS Privacy, 250,000 Filter Rules, Premium Features". The Mac Observer, Inc. Retrieved 2019-08-02.
12. Davenport, Corbin (2018-12-29). "AdGuard officially releases its own DNS service, and it works with Android Pie". Android Police. Illogical Robot LLC. Retrieved 2019-08-01.
13. Cimpanu, Catalin. "Cloudflare launches Android and iOS apps for its 1.1.1.1 service". ZDNet. Retrieved 2018-12-13.
14. "DNS over HTTPS". Argo Tunnel. Cloudflare. Retrieved 20 July 2019.
15. "DoH in curl".
16. "DNSCrypt-proxy v2.0". 2019-08-05.
17. "DNSP". 2019-07-22.
18. "DNS over HTTPS PHP Client". 2019-08-03.
19. "Trusted Recursive Resolver". Mozilla. 15 September 2019. Archived from the original (html) on 12 September 2019. Retrieved 15 September 2019. All preferences for the DNS-over-HTTPS functionality in Firefox are located under the `network.trr` prefix (TRR == Trusted Recursive Resolver). The support for these were added in Firefox 62.
20. "Improving DNS Privacy in Firefox".
21. "Intra on Play Store".
22. "GitHub - dimkr/NSS-TLS: A DNS over HTTPS resolver for glibc". 2019-08-02.
23. "DNS over HTTPS C# Client". 2019-07-18.
24. "Technitium DNS Server as DNS-over-HTTPS Proxy".
25. "nextdns". www.nextdns.io. Retrieved 2019-07-13.
26. "Nebulo - DNS over HTTPS/TLS - Apps on Google Play".
27. Cimpanu, Catalin. "UK ISP group names Mozilla 'Internet Villain' for supporting 'DNS-over-HTTPS'". ZDNet. Retrieved 2019-07-05.
28. "Internet group brands Mozilla 'internet villain' for supporting DNS privacy feature". TechCrunch. Retrieved 2019-07-19.
29. "British ISPs fight to make the web LESS secure". IT PRO. Retrieved 2019-09-14.
30. Patrawala, Fatema (2019-07-11). "ISPA nominated Mozilla in the "Internet Villain" category for DNS over HTTPs push, withdrew nominations and category after community backlash". Packt Hub. Retrieved 2019-09-14.
31. Hern, Alex (2019-09-24). "Firefox: 'no UK plans' to make encrypted browser tool its default". The Guardian. ISSN 0261-3077. Retrieved 2019-09-29.
32. "Google Unveils DNS-over-HTTPS (DoH) Plan, Mozilla's Faces Criticism". BleepingComputer. Retrieved 2019-09-14.

External links

• DNS Privacy Project: dnsprivacy.org
• DNS over HTTPS Implementations
• A cartoon intro to DNS over HTTPS
• DNS over HTTPS: Ultimate Guide
• DNS over HTTPS (DoH) Considerations for Operator Networks