As the first article in this series explained, the Domain Name System (DNS) is one of several processes triggered each time you access a website. While it is a necessary component, the DNS poses some troublesome security risks. This article explains how the Hypertext Transfer Protocol Secure (better known as HTTPS) helps protect the privacy of the DNS protocol.
The DNS Over HTTPS
This standard, better known as “DoH”, was introduced quite recently, in 2018. It aims to protect the privacy of the DNS protocol by wrapping DNS queries in an extra layer of encryption, namely HTTPS (Hypertext Transfer Protocol Secure). Two components are needed for DoH to work:
- An application that is DoH-enabled, which in this case is the Web browser.
- A server (the DoH resolver) that can accept DNS queries over this extra layer of encryption.
When the end user submits a DNS request to reach a particular website, the DNS data packets are encased, or further encapsulated, in the data packets of an HTTPS connection. They are sent to a server (also known as the DoH resolver) that supports the DoH standard, which answers the request and returns the response to the end user over the same encrypted network connection.
This approach provides a double layer of protection: if any of these data packets were intercepted by a malicious third party, they would be unreadable to that party. Furthermore, a Cyberattacker monitoring these communications would not be able to easily discern which traffic is DNS and which is ordinary HTTPS traffic.
Also, since many network topologies make use of the Public Key Infrastructure (also known as PKI, which relies on Asymmetric Cryptography), the only way the data packets can be translated back into a decipherable format is with the Private Key. Thus, in these situations, the chances of an interceptor reading them are greatly diminished.
As an added benefit, the data packets transmitted back and forth between the end user's device and the DoH resolver contain a minimal amount of information, in a further effort to protect the identity of the end user. Also, to mask the entire request made by the end user, only partial domain names and IP Addresses are transmitted back and forth.
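To make the encapsulation described above concrete, the following added example (not code from the original article) builds a DNS query in ordinary wire format, wraps it in the two HTTP request shapes that the DoH standard (RFC 8484) defines, and parses a resolver reply. The resolver hostname doh.example and the answer address 192.0.2.1 are constructed placeholders; no network traffic is sent, and the "response" is constructed locally to show what the browser decodes after the HTTPS layer has been stripped away.

```python
import base64
import struct
from typing import List, Tuple

# Constructed example; hostnames and addresses below are placeholders.


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal RFC 1035 wire-format query (one question, RD flag set).

    RFC 8484 recommends transaction ID 0 so identical queries look identical
    to HTTP caches; the HTTPS connection, not the ID, ties answers to queries.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    qname += b"\x00"                       # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_request(query: bytes, host: str, path: str = "/dns-query") -> str:
    """GET form: the wire query travels base64url-encoded (no padding) in ?dns=."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return (f"GET {path}?dns={encoded} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Accept: application/dns-message\r\n\r\n")


def doh_post_request(query: bytes, host: str, path: str = "/dns-query") -> bytes:
    """POST form: the raw wire query is the HTTP body, typed application/dns-message."""
    head = (f"POST {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Content-Type: application/dns-message\r\n"
            "Accept: application/dns-message\r\n"
            f"Content-Length: {len(query)}\r\n\r\n").encode("ascii")
    return head + query


def _parse_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:           # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = _parse_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_dns_response(msg: bytes) -> List[Tuple[str, int, str]]:
    """Return (name, ttl, dotted IPv4) for each A record in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                    # skip the echoed question(s)
        _, off = _parse_name(msg, off)
        off += 4                           # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _parse_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


def constructed_response(query: bytes) -> bytes:
    """Constructed resolver reply: echo the question, add one A record (TEST-NET address)."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    question = query[12:]
    # 0xC00C = pointer to the name at offset 12 (the question), TTL 300 s
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


if __name__ == "__main__":
    q = build_dns_query("www.example.com")
    print(doh_get_request(q, "doh.example"))
    print(parse_dns_response(constructed_response(q)))
```

The security-relevant point is visible in the two request builders: on the wire, only TLS to port 443 of the resolver is observable. An on-path observer sees the resolver's hostname (via SNI) and the connection, not the name being looked up, which is the encapsulation the article describes.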
Which Web browsers support the DoH?
At the present time, the two Web browsers that have implemented, or are testing, the DoH are:
- Mozilla Firefox: Mozilla was the first entity to adopt the DoH standard, and it did so in a full partnership with Cloudflare. When an end user sends a request from the Firefox browser, it is transmitted to DoH Resolvers hosted by Cloudflare, rather than to the DNS servers the device would normally use. Technically, this is done by overriding the default network settings of the end user's device. But because Cloudflare is a third party, there have been some privacy concerns regarding the storage of the end user's PII. In response, Cloudflare says that it will delete any PII within 24 hours of a request being made. Cloudflare has also announced that it will not share the PII with any other entity unless specifically authorized to do so.
- Google Chrome: Google started testing the DoH standard with 1% of Chrome end users in late 2021 and introduced this functionality in Chrome version 79, which came out on December 11, 2019. The approach Google is taking, however, is that Chrome will neither override the network settings of the end user's device nor send the requests to a third party for processing. Instead, if the DNS servers the device is already configured to use support DoH, Chrome uses them.
Overall, this article has examined what DoH is and how it can be used to address the shortcomings of the DNS. However, because third parties may be involved in processing the requests that are transmitted, the question becomes one of privacy (as illustrated by the Mozilla/Cloudflare partnership) versus security.
Businesses in Corporate America have always used the DNS to blacklist forbidden domain names, as well as DNS-based firewalls to block domains known to deliver Phishing attacks and malware. When DoH is in use, it becomes much more difficult to enforce these controls, because the domain name being requested is no longer visible to the network.
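The enforcement gap just described can be shown with a small, added example (not part of the original article) that runs a DNS blocklist over constructed network flow records. Plaintext DNS on port 53 exposes the queried name, so the blocklist applies; a DoH lookup of the very same name appears only as a TLS connection to a resolver on port 443, where the network sees the resolver's name (via SNI) but not the query. The domain names, resolver hostname doh-resolver.example and flow records are all constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed data; every name below is a placeholder, not a real indicator.
BLOCKLIST: Set[str] = {"phish.example", "malware.example"}
KNOWN_DOH_RESOLVERS: Set[str] = {"doh-resolver.example"}


@dataclass
class Flow:
    """One observed flow, as a DNS firewall or gateway log would record it."""
    src: str
    dst_port: int
    qname: Optional[str] = None   # visible only for plaintext DNS on port 53
    sni: Optional[str] = None     # TLS Server Name Indication, visible on port 443


def in_blocklist(name: str, blocklist: Set[str]) -> bool:
    """Match the exact domain or any subdomain of a blocklisted domain."""
    name = name.rstrip(".").lower()
    return any(name == bad or name.endswith("." + bad) for bad in blocklist)


def evaluate(flows: List[Flow], blocklist: Set[str],
             doh_resolvers: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (source, verdict, detail) per flow.

    BLOCK / ALLOW  - plaintext DNS: the name is visible and policy can be applied.
    DOH-OPAQUE     - TLS to a known DoH resolver: the question is encrypted, so the
                     blocklist cannot be applied; only the resolver endpoint is seen.
    PASS           - any other flow.
    """
    verdicts = []
    for f in flows:
        if f.dst_port == 53 and f.qname:
            verdict = "BLOCK" if in_blocklist(f.qname, blocklist) else "ALLOW"
            verdicts.append((f.src, verdict, f.qname))
        elif f.dst_port == 443 and f.sni and f.sni.lower() in doh_resolvers:
            verdicts.append((f.src, "DOH-OPAQUE", f.sni))
        else:
            verdicts.append((f.src, "PASS", f.sni or ""))
    return verdicts


# Constructed flows: host A uses plaintext DNS, host B uses DoH for the same lookup.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.0.11", 53, qname="login.phish.example"),
    Flow("10.0.0.11", 53, qname="www.example.com"),
    Flow("10.0.0.12", 443, sni="doh-resolver.example"),   # carries the same phish lookup
    Flow("10.0.0.12", 443, sni="www.example.com"),
]


def summarize(verdicts: List[Tuple[str, str, str]]) -> dict:
    """Count verdicts so the enforcement gap is visible at a glance."""
    counts: dict = {}
    for _, verdict, _ in verdicts:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for row in evaluate(SAMPLE_FLOWS, BLOCKLIST, KNOWN_DOH_RESOLVERS):
        print(row)
    print(summarize(evaluate(SAMPLE_FLOWS, BLOCKLIST, KNOWN_DOH_RESOLVERS)))
```

The DOH-OPAQUE verdict is the practical takeaway for a defender: the most the network layer can do on its own is recognize that a host is talking to a DoH resolver. Applying the blocklist again requires moving the control to the endpoint or to a DoH resolver the organization operates itself.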
Remember, the old method of DNS processing offers no confidentiality whatsoever, because all requests are transmitted in plaintext. DoH adds an important extra layer of protection by encrypting those requests.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also possesses the Certified in Cybersecurity (CC) cert from the ISC2.