Security: DNS over HTTPS

Posted in Security on 25 February 2020

This post has been archived

The content of this post has not been updated since 2015, and may be out of date. Extra care should be taken with any code provided.

Whenever you visit a website, even if you are using a site with SSL, the DNS query that converts the web address into an IP address will be sent unencrypted.

DNS over HTTPS (DoH) has emerged as a contentious topic in the realm of internet privacy and security. This protocol, which encrypts DNS queries within HTTPS connections, offers several advantages and disadvantages that merit careful consideration.

Enable DNS over HTTPS

The process works by sending the DNS queries to third-party resolvers, which look up the domain names. Companies such as Cloudflare and NextDNS are part of the set-up in Firefox and process the DoH queries. From the end of February 2020 Firefox will enable DoH by default for users in the United States.

In the UK, GCHQ has issued a warning about the plans for DoH by default for new encrypted browsers, saying it could increase the risk of cyber-attacks and impede police investigations.

DoH, when enabled, stops your internet service provider from reading your DNS queries, and so from collecting and selling personal information derived from them. However, only the DNS lookup itself is encrypted: ISPs will still be able to see which IP addresses their users are connecting to.
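To make the protocol concrete, here is an added example (not code from the original post) showing what a browser actually sends: the same DNS wire-format query that would otherwise travel in plaintext is carried inside an HTTPS request as per RFC 8484, and the answer comes back in the same wire format. It runs offline: the resolver URL is a placeholder and the response bytes are constructed inline.

```python
import base64
import struct

# Placeholder resolver URL (not from the original post); real resolvers publish their own endpoint.
DOH_RESOLVER = "https://doh.example.invalid/dns-query"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Single-question DNS query in wire format; ID 0 keeps it HTTP-cacheable (RFC 8484)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(name: str, resolver: str = DOH_RESOLVER) -> str:
    """GET form of a DoH request: the query base64url-encoded with padding removed."""
    dns = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"{resolver}?dns={dns}"


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes) -> list:
    """IPv4 addresses from the answer section of a DNS wire-format response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if flags & 0x000F:  # RCODE other than NOERROR: no usable answer
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # question: name, QTYPE, QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


# Constructed sample response (not from a real resolver): question echoed back, one A record (TEST-NET).
SAMPLE_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + build_query("example.com")[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

The query bytes for `example.com` are exactly what a plaintext UDP resolver would see; with DoH only the TLS-protected HTTPS request to the resolver's IP is visible on the wire, which is why the ISP still learns the resolver and destination addresses but not the names.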

Why you should switch to DNS over HTTPS

Enhanced Privacy: One of the primary benefits of DNS over HTTPS is its ability to enhance user privacy. By encrypting DNS queries, DoH prevents third parties, such as Internet Service Providers (ISPs) and malicious actors, from monitoring or intercepting users’ browsing habits and DNS requests. This helps mitigate the risk of surveillance and data collection by unauthorized entities.

Improved Security: DoH strengthens the security of DNS communications by adding an additional layer of encryption. Traditional DNS queries are sent in plaintext, making them susceptible to eavesdropping and spoofing attacks. With DoH, DNS traffic is encrypted using the same secure HTTPS protocol used for web browsing, reducing the risk of DNS-based attacks and tampering.

Bypassing DNS Manipulation: In regions where DNS manipulation or censorship is prevalent, DoH can help users circumvent restrictions imposed by ISPs or government entities. By encrypting DNS queries, users can access blocked websites and services more reliably, safeguarding their freedom of expression and access to information.

DNS Integrity: DoH can enhance DNS integrity by mitigating the risk of DNS spoofing and cache poisoning attacks. By encrypting DNS queries and responses, DoH helps ensure that users receive accurate and untampered DNS information, reducing the likelihood of malicious redirections or phishing attempts.

Cross-Platform Compatibility: DoH is supported by major web browsers and operating systems, making it accessible to a wide range of users without the need for additional software or configuration. This seamless integration enables users to benefit from enhanced privacy and security without significant effort or technical expertise.

Things to be aware of

Centralisation of DNS Resolution: One of the primary concerns surrounding DoH is the potential centralisation of DNS resolution. By default, DoH relies on a small number of DNS resolvers operated by major technology companies, leading to a concentration of DNS traffic and control in the hands of a few entities. This centralisation raises questions about data privacy, accountability, and potential abuse of power.

Network Management Challenges: DoH can pose challenges for network administrators and ISPs tasked with managing network traffic and enforcing security policies. Since DoH encrypts DNS queries, it becomes more difficult for network operators to inspect and filter DNS traffic for security threats or policy compliance. This loss of visibility and control can hinder network management efforts and increase the risk of security incidents.

DNS Caching and Performance: While DoH offers enhanced privacy and security, it may impact DNS caching and resolution performance compared to traditional DNS protocols. Encrypted DNS queries and responses may incur additional latency and overhead, particularly in environments with high DNS query volumes or limited network bandwidth. This could result in slower DNS resolution times and degraded user experience, especially in resource-constrained environments.

Potential for Abuse: While DoH helps protect users’ privacy and security, it may also be used for malicious purposes, such as evading network security controls, bypassing content filters, or facilitating illicit activities. The anonymity and encryption provided by DoH can make it challenging for security professionals to detect and mitigate DNS-based threats effectively, potentially exacerbating cybersecurity risks.

Compatibility Issues: Despite increasing adoption, DoH may encounter compatibility issues with legacy systems, network infrastructure, and security appliances that rely on traditional DNS protocols for traffic analysis and filtering. Organisations and individuals migrating to DoH must carefully assess compatibility requirements and potential interoperability challenges to ensure a smooth transition without disrupting critical services or compromising security posture.


DNS over HTTPS offers compelling benefits in terms of privacy, security, and accessibility, but it also presents significant challenges and considerations that warrant careful evaluation.

By weighing the pros and cons of DoH and adopting appropriate safeguards, users and organisations can leverage this technology to enhance their online experiences while mitigating potential risks and vulnerabilities.

Enabling DNS over HTTPS

Unless you live in the United States and are using Firefox, DoH will not be turned on by default. However, it is currently available as an option in most popular browsers.

Mozilla Firefox

  • Go to Settings (about:preferences) and scroll down to Networking
  • Check the Enable DNS over HTTPS option
  • Select either of the listed DNS servers, or enter your own

DoH is also available as an option in the following browsers:

  • Microsoft Edge *
  • Opera
  • Brave *
  • Vivaldi *
  • Google Chrome *

* DNS Servers

Edge, Brave, Vivaldi and Google Chrome require an additional step before DoH is enabled.

Currently, even with DoH enabled, these browsers will only send DNS queries over HTTPS if the DNS server configured on the system is able to process them. If it is not, they will continue to send queries unencrypted.
