DoH – DNS over HTTPS

Image result for homer banner

Seeing the little padlock next to the URL is starting become the norm when surfing the internet. Site owners are starting to make aneffort to implement better security controls in order to secure their site. Even malicious parties are bothering to do so why not? Last year ESET reported that over 51% sites were redirecting to HTTPS which is great news for us all. Although this will continue to be the focus for some, others are shifting their attention towards DNS.

For those who aren’t aware of DNS, I will try and give a basic example. When you visit Facebook.com, DNS is working behind the scenes. Your client will send a DNS request to the DNS Server, basically asking if knows about ‘Facebook.com’. If it does, it will responds with an IP address such as 31.13.70.36.

I think you would agree that life would be incredibly hard if every time you wanted to visit Facebook you would have to remember 31.13.70.36. Not to mention if they changed their public IP. Facebook would have to somehow make all of it’s users aware of the new IP. That would be crazy wouldn’t it?

Instead we use DNS meaning all we need to remember is Facebook.com. All the IP Address malarkey is handled by the DNS servers.
Below is a nice picture explaining it all.

Image result for how dns works
http://www.glocomp.com/dns-under-attack/

So why’s DoH a big deal?
Well if we are talking about privacy, quite a lot. Because DNS is currently not encrypted, anyone on the network can view which sites you are visiting. It doesn’t matter if you are accessing those sites in a secure way, your client will send out a DNS request on port 53 which is not encrypted.

This is how governments and service providers control/monitor internet usage. Basically, even if you are incognito, your broadband provider still sees what you’re doing online. If you are using DoH, they can’t. They would have to install their certificates on the endpoints in order to decrypt the traffic. The traffic will flow as followed:

https://www.techspot.com/news/82061-eff-encrypted-dns-could-help-close-biggest-privacy.html

Because of this, a big debate has kicked off (Shock). Should the government or service providers be able to see what we do online? After all, shouldn’t what we do online be private?

Most people will react by either saying “So what, I’ve got nothing to hide” or “What I do online is private!”. Either are valid but DoH is much bigger than just what our broadband provider can see.

It’s about internet privacy. Something that is sort of a double edge sword. If DNS is encrypted than it makes it really hard to see what someone is doing. If you can’t see what someone is doing, how can you control/monitor what they do?

The government will say, “we can’t see what the bad guys are doing so how can we stop them?”

Companies will say, “Our security systems can no longer see our users traffic and therefore we can’t protect them.”

A person talking on a personal level would say, “Great, because I don’t want people seeing what I’m doing online”.

I can keep going but as you can see there will be pros and cons on either side of the pond. The debate will go on and on but as it does, services are starting to appear. The most known DoH provider being 1.1.1.1 CloudFlare.
https://1.1.1.1/dns/

The service has been running for some time. If you wanted to try the service out in your browser, both Google and Firefox now support DoH and use the Cloudflare service by default. As you can see above, their are apps for mobile devices.

Firefox: https://support.mozilla.org/en-US/kb/firefox-dns-over-https

CloudFlare is just the beginning and more and more DoH providers will start to appear. Which either side you are on, It’s good to start testing now and keeping track of the latest developments.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create a website or blog at WordPress.com

Up ↑

%d bloggers like this: