Unauthorized interception of DNS traffic provides enough information to ascertain internet users’ thoughts, desires, hopes and dreams. The concern is not only privacy from nosy neighbors on the same network: governments and corporations could use that information to learn about individuals’ internet behavior, profile them and their organizations for political purposes, or target them with ads.
Efforts like the DNS Privacy Project aim to raise awareness of this issue and provide pointers to resources to help mitigate these threats.
The IETF has been working on the problem as well. It formed the DNS PRIVate Exchange (DPRIVE) working group to define the problems and evaluate options to mitigate the security threats. One of its major efforts has been to create methods whereby DNS can be carried over HTTP (DOH). Even though DNS queries could take place over HTTP in the clear, that would not solve the privacy issue, because the queries would still be unencrypted. Therefore, the protocol development has been on DNS Queries over HTTPS (also referred to as DOH), which was standardized in October 2018.
(While this article addresses DNS over HTTPS, the IETF’s primary published proposed standard for securing DNS traffic is “Specification for DNS over Transport Layer Security (TLS)” (DOT) (RFC 7858). Since DNS traffic uses UDP messages, the IETF also published “DNS over Datagram Transport Layer Security (DTLS)” (RFC 8094). The IETF DPRIVE working group has also published “Usage Profiles for DNS over TLS and DNS over DTLS” (RFC 8310).)
How DNS over HTTPS works
DOH uses a direct connection between the end-user and the web server’s interface. Since the DNS query and response take place over a web-based HTTP interface, the DNS response format uses JSON notation. This differs from the traditional DNS query and resource record format and lends itself to simpler integration with web-based applications.
DOH could be implemented as a local proxy service running on the end-user’s computer that listens for DNS queries on TCP or UDP port 53. This local proxy service converts the DNS queries into an HTTPS connection to the DOH service. In the case of DNS over HTTPS, the connection is made using TCP port 443. (When DNS over TLS is used, TCP port 853 is employed instead.)
DOH can also be implemented in the user’s web browser. When the browser makes a connection to a new URL, it connects to the pre-configured DOH service using TCP 853 and retrieves the JSON response containing the resulting IP address.
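An added example, not from the article, of the client-side work a local proxy or browser performs: it builds a wire-format DNS query, encodes it as the base64url `dns` parameter of an RFC 8484 GET request, and extracts the A record from a constructed wire-format (application/dns-message) response. The DOH endpoint URL and the 192.0.2.1 answer are constructed placeholders.

```python
import base64
import struct

DOH_URL = "https://doh.example.net/dns-query"  # assumed endpoint, not a real service


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a DNS query in RFC 1035 wire format.
    RFC 8484 recommends transaction ID 0 so identical queries yield
    identical, cacheable URLs; the ID is not needed over HTTPS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def doh_get_url(base: str, query: bytes) -> str:
    """RFC 8484 GET form: the query is base64url-encoded without padding."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base}?dns={encoded}"


def parse_a_records(msg: bytes) -> list[str]:
    """Walk a wire-format response and return the IPv4 addresses in the ANSWER section."""
    _txid, _flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])

    def skip_name(p: int) -> int:
        while True:
            n = msg[p]
            if n == 0:
                return p + 1
            if n & 0xC0 == 0xC0:  # compression pointer: two bytes, no further labels
                return p + 2
            p += n + 1

    pos = 12
    for _ in range(qdcount):
        pos = skip_name(pos) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = skip_name(pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return addrs


# Constructed response: example.com A 192.0.2.1, TTL 300, owner name compressed.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)
```

Pointing the resulting URL at a live DOH service with an HTTPS client (and `Accept: application/dns-message`) would return bytes in exactly the shape `SAMPLE_RESPONSE` has.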
DOH is of significant interest to content providers because they want to help preserve the privacy of their user and subscriber populations. Content providers also want greater control over DNS for their clients: guaranteeing that clients receive accurate IP address information, mitigating man-in-the-middle attacks, and providing a faster service regardless of the client’s operating system or location.
The terms DNS over HTTP (DOH), DNS over HTTPS (DOH), and DNS over TLS (DOT) are often used interchangeably, but it is important to distinguish among HTTP, HTTPS, and TLS underlying this web-based DNS function.
While DOH can contribute to internet privacy, it’s also important to recognize that there are other ways to address the problem.
In the interest of completeness, there are also other methods that have been proposed and are in use that function like DOH. For example, DNS over HTTP can also use HTTP/2. HTTP/2 is an optimized version of HTTP that allows for multiplexed streams for simultaneous fetches, request prioritization, header compression and server push. In this case, the web resolver could use the HTTP/2 Server Push method to send/push DNS updates to the client. This could be used to proactively notify clients that an update has occurred. This could be a more immediate method than the historical approach of waiting for the DNS record’s TTL to expire.
DNS can also work over the QUIC protocol. Quick UDP Internet Connections (QUIC) is an optimized transport layer protocol that provides the reliability of TCP with multiplexed connections and performance optimizations. Although this is currently an IETF draft, there is interest in ways to leverage the QUIC protocol because of its performance improvements for web servers.
There are also other, non-IETF methods for encrypting DNS queries. DNSCrypt is a method of using encryption to secure traditional DNS messages between an end-user and a resolver. DNSCrypt can support TCP or UDP DNS messages over TCP port 443. The current version 2 of the DNSCrypt protocol specification is documented publicly. DNSCurve is a similar method, but it uses elliptic curve cryptography with Curve25519 (the X25519 algorithm) for securing DNS. DNSCurve has been under development since 2009.
Implementations of DOH
Momentum is building for DOH solutions, and there are now implementation examples proving that these methods work. This list of publicly available DOH servers provides links to those services and the DNS Privacy Project