DNS over HTTPS
|Purpose||encapsulate DNS in HTTPS for privacy and security|
|OSI layer||Application Layer|
|Domain Name System|
DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver. By March 2018, Google and the Mozilla Foundation had started testing versions of DNS over HTTPS. In February 2020, Firefox switched to DNS over HTTPS by default for users in the United States.
DoH is a proposed standard, published as RFC 8484 (October 2018) by the IETF. It uses HTTP/2 and HTTPS, and supports the wire format DNS response data, as returned in existing UDP responses, in an HTTPS payload with the MIME type application/dns-message. If HTTP/2 is used, the server may also use HTTP/2 server push to send values that it anticipates the client may find useful in advance.
DoH is a work in progress. Even though the IETF has published RFC 8484 as a proposed standard and companies are experimenting with it, the IETF has yet to determine how it should best be implemented. The IETF is evaluating a number of approaches for how to best deploy DoH and is looking to set up a working group, Adaptive DNS Discovery (ADD), to do this work and develop a consensus. In addition, other industry working groups such as the Encrypted DNS Deployment Initiative, have been formed to "define and adopt DNS encryption technologies in a manner that ensures the continued high performance, resiliency, stability and security of the Internet’s critical namespace and name resolution services, as well as ensuring the continued unimpaired functionality of security protections, parental controls, and other services that depend upon the DNS".
Oblivious DNS-over-HTTPS is DoH extension which attempts to prevent DoH resolver from knowing which client requested what domain names by passing all requests via a proxy, which removes clients' addresses. All connections are encrypted in layers, so that proxy does not know the contents of queries and responses and resolver does not know addresses of the clients.
DoH lacks widespread support in operating systems, although Insider versions of Windows 10 support it. Thus, a user wishing to use it usually needs to install additional software. Three usage scenarios are common:
- Using a DoH implementation within an application: Some browsers have a built-in DoH implementation and can thus perform queries by bypassing the operating system's DNS functionality. A drawback is that an application may not inform the user if it skips DoH querying, either by misconfiguration or lack of support for DoH.
- Installing a DoH proxy on the name server in the local network: In this scenario client systems continue to use traditional (port 53 or 853) DNS to query the name server in the local network, which will then gather the necessary replies via DoH by reaching DoH-servers in the Internet. This method is transparent to the end user.
- Installing a DoH proxy on a local system: In this scenario, operating systems are configured to query a locally running DoH proxy. In contrast to the previously mentioned method, the proxy needs to be installed on each system wishing to use DoH, which might require a lot of effort in larger environments.
In November 2019, Microsoft announced plans to implement support for encrypted DNS protocols in Microsoft Windows, beginning with DoH. In May 2020, Microsoft released Windows 10 Insider Preview Build 19628 that included initial support for DoH along with instructions on how to enable it via registry and command line interface. Windows 10 Insider Preview Build 20185 added graphical user interface for setting up DNS over HTTPS resolver.
Recursive DNS resolvers
Unbound, DNS resolver created by NLnet Labs, supports DoH since 1.12.0, released in October 2020. Unbound supports for DNS over TLS (DoT) since version 1.4.14, released in December 2011. Unbound runs on Linux, FreeBSD, OpenBSD, NetBSD, MacOS and Microsoft Windows.
DNS over HTTPS is available in Google Chrome 83 for Windows and macOS and Linux, configurable via the settings page. When enabled, and the operating system is configured with a supported DNS server, Chrome will upgrade DNS queries to be encrypted. It is also possible to manually specify a preset or custom DoH server to use within the user interface.
In September 2020, Google Chrome for Android began staged rollout of DNS over HTTPS. Users can configure a custom resolver or disable DNS over HTTPS in settings.
In 2018, Mozilla partnered with Cloudflare to deliver DoH for Firefox users that enable it. Firefox 73 added another resolver in the options, NextDNS. On February 25, 2020, Firefox started enabling DNS over HTTPS for all US-based users, relying on Cloudflare's resolver by default. On June 3, 2020, Firefox 77.0.1 disabled NextDNS by default because the high load on the NextDNS servers caused by Firefox users was "effectively DDoS'ing NextDNS" (NextDNS is still available in the settings, just not enabled by default). In June 2020, Mozilla announced plans to add Comcast to the list of trusted DoH resolvers.
Public DNS servers
Criticisms and implementation considerations
DoH can impede analysis and monitoring of DNS traffic for cybersecurity purposes; the 2019 DDoS worm Godlua used DoH to mask connections to its command-and-control server. DoH has been used to bypass parental controls which operate at the (unencrypted) standard DNS level; Circle, a parental control router which relies on DNS queries to check domains against a blocklist, blocks DoH by default due to this. However, there are DNS providers that offer filtering and parental controls along with support for DoH by operating DoH servers.
The Internet Service Providers Association (ISPA)—a trade association representing British ISPs—and the also British body Internet Watch Foundation have criticized Mozilla, developer of the Firefox web browser, for supporting DoH, as they believe that it will undermine web blocking programs in the country, including ISP default filtering of adult content, and mandatory court-ordered filtering of copyright violations. The ISPA nominated Mozilla for its "Internet Villain" award for 2019 (alongside the EU Directive on Copyright in the Digital Single Market, and Donald Trump), "for their proposed approach to introduce DNS-over-HTTPS in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK." Mozilla responded to the allegations by the ISPA, arguing that it would not prevent filtering, and that they were "surprised and disappointed that an industry association for ISPs decided to misrepresent an improvement to decades-old internet infrastructure". In response to the criticism, the ISPA apologized and withdrew the nomination. Mozilla subsequently stated that DoH will not be used by default in the British market until further discussion with relevant stakeholders, but stated that it "would offer real security benefits to UK citizens".
Many issues with how to properly deploy DoH are still being resolved by the internet community including but not limited to:
- Parental controls and content filters
- Split DNS in Enterprises
- CDN Localization
Inconsistent DoH deployment
Some DoH deployments are not an end-to-end encrypted, but rather only hop-to-hop encrypted because DoH is deployed only on a subset of connections. There are following types of connections:
- from client device (computer or a tablet) to local recursive DNS resolver (home router)
- between recursive DNS resolvers (networking gear)
- from recursive DNS resolver to authoritative DNS resolver (usually located in a data center)
Every connection in the chain needs to support DoH for maximum security.
- Chirgwin, Richard (14 Dec 2017). "IETF protects privacy and helps net neutrality with DNS over HTTPS". The Register. Archived from the original on 14 December 2017. Retrieved 2018-03-21.
- "DNS-over-HTTPS | Public DNS | Google Developers". Google Developers. Archived from the original on 2018-03-20. Retrieved 2018-03-21.
- Cimpanu, Catalin (2018-03-20). "Mozilla Is Testing "DNS over HTTPS" Support in Firefox". BleepingComputer. Archived from the original on 2018-03-20. Retrieved 2018-03-21.
- ""A long-overdue technological shift toward online privacy": Firefox encrypts domain names. Google to follow". What’s New in Publishing | Digital Publishing News. 2020-02-26. Archived from the original on 2020-02-26. Retrieved 2020-02-26.
- Hoffman, P; McManus, P. "RFC 8484 - DNS Queries over HTTPS". datatracker.ietf.org. Archived from the original on 2018-12-12. Retrieved 2018-05-20.
- Hoffman, P; McManus, P. "draft-ietf-doh-dns-over-https-08 - DNS Queries over HTTPS". datatracker.ietf.org. Archived from the original on 2018-04-25. Retrieved 2018-05-20.
- "Experimenting with same-provider DNS-over-HTTPS upgrade". Chromium Blog. Archived from the original on 2019-09-12. Retrieved 2019-09-13.
- Deckelmann, Selena. "What's next in making Encrypted DNS-over-HTTPS the Default". Future Releases. Archived from the original on 2019-09-14. Retrieved 2019-09-13.
- "About". Encrypted DNS Deployment Initiative. Archived from the original on 2019-12-04. Retrieved 2019-09-13.
- Lovejoy, Ben (2020-12-08). "Apple and Cloudflare team up to protect your web privacy". 9to5Mac. Retrieved 2020-12-09.
- June 2020, Anthony Spadafora 29. "Apple devices will get encrypted DNS in iOS 14 and macOS 11". TechRadar. Archived from the original on 2020-07-01. Retrieved 2020-07-01.
- Cimpanu, Catalin. "Apple adds support for encrypted DNS (DoH and DoT)". ZDNet. Archived from the original on 2020-06-27. Retrieved 2020-07-02.
- Gallagher, Sean (2019-11-19). "Microsoft says yes to future encrypted DNS requests in Windows". Ars Technica. Archived from the original on 2019-11-19. Retrieved 2019-11-20.
- "Announcing Windows 10 Insider Preview Build 19628". 13 May 2020. Archived from the original on 18 May 2020. Retrieved 13 May 2020.
- "Windows Insiders can now test DNS over HTTPS". Archived from the original on 15 May 2020. Retrieved 7 July 2020.
- Brinkmann, Martin (6 August 2020). "Windows 10 build 20185 comes with encrypted DNS settings - gHacks Tech News". gHacks Tech News. Retrieved 2020-08-06.
- Wijngaards, Wouter. "Unbound 1.12.0 released". NLnet Labs. Retrieved 24 October 2020.
- Dolmans, Ralph. "DNS-over-HTTPS in Unbound". The NLnet Labs Blog. Retrieved 24 October 2020.
- Wijngaards, Wouter. "Unbound 1.4.14 release". Unbound-users mailing list. Retrieved 24 October 2020.
- Wijngaards, Wouter. "dns over ssl support". GitHub. Retrieved 24 October 2020.
- "DNS over HTTPS (aka DoH)". Archived from the original on 27 May 2020. Retrieved 23 May 2020.
- "Chrome 83: rollout of DNS over HTTPS (Secure DNS) begins". Archived from the original on 1 June 2020. Retrieved 20 July 2020.
- "Google rolls out Secure DNS support in Chrome for Android - gHacks Tech News". www.ghacks.net. Retrieved 2020-09-04.
- "Here's how to enable DoH in each browser, ISPs be damned". Archived from the original on 9 June 2020. Retrieved 28 May 2020.
- Mozilla. "Firefox Announces New Partner in Delivering Private and Secure DNS Services to Users". The Mozilla Blog. Archived from the original on 2020-02-25. Retrieved 2020-02-25.
- Deckelmann, Selena. "Firefox continues push to bring DNS over HTTPS by default for US users". The Mozilla Blog. Archived from the original on 2020-05-27. Retrieved 2020-05-28.
- "Firefox 77.0.1 will be released today to fix one issue - gHacks Tech News". www.ghacks.net. Archived from the original on 2020-06-09. Retrieved 2020-06-09.
- Brodkin, Jon (2020-06-25). "Comcast, Mozilla strike privacy deal to encrypt DNS lookups in Firefox". Ars Technica. Archived from the original on 2020-06-26. Retrieved 2020-06-26.
- "Changelog for 67". Retrieved 23 August 2020.
- "DNS over HTTPS Implementations". 2018-04-27. Archived from the original on 2018-04-02. Retrieved 2018-04-27.
- Cimpanu, Catalin. "DNS-over-HTTPS causes more problems than it solves, experts say". ZDNet. Archived from the original on 2019-11-08. Retrieved 2019-11-19.
- Cimpanu, Catalin. "First-ever malware strain spotted abusing new DoH (DNS over HTTPS) protocol". ZDNet. Archived from the original on 2019-10-27. Retrieved 2019-11-19.
- "Managing encrypted DNS connections (DNS over TLS, DNS over HTTPS) with Circle". Circle Support Center. Retrieved 2020-07-07.
- Inc, CleanBrowsing. "Parental Control with DNS over TLS Support". CleanBrowsing. Retrieved 2020-08-20.
- Inc, CleanBrowsing. "Parental Control with DNS Over HTTPS (DoH) Support". CleanBrowsing. Retrieved 2020-08-20.
- blockerDNS. "blockerDNS - Products". blockerdns.com. Retrieved 2020-08-20.
- "Protect your privacy with DNS-over-TLS on SafeDNS". SafeDNS. Retrieved 2020-08-20.
- Cimpanu, Catalin. "UK ISP group names Mozilla 'Internet Villain' for supporting 'DNS-over-HTTPS'". ZDNet. Archived from the original on 2019-07-05. Retrieved 2019-07-05.
- "Internet group brands Mozilla 'internet villain' for supporting DNS privacy feature". TechCrunch. Retrieved 2019-07-19.
- "British ISPs fight to make the web LESS secure". IT PRO. Retrieved 2019-09-14.
- Patrawala, Fatema (2019-07-11). "ISPA nominated Mozilla in the "Internet Villain" category for DNS over HTTPs push, withdrew nominations and category after community backlash". Packt Hub. Archived from the original on 2019-12-04. Retrieved 2019-09-14.
- Hern, Alex (2019-09-24). "Firefox: 'no UK plans' to make encrypted browser tool its default". The Guardian. ISSN 0261-3077. Archived from the original on 2019-09-28. Retrieved 2019-09-29.