DoH: The Pros and Cons of DNS Over HTTPS


First things first, let’s give a little refresher on what DNS is. DNS stands for Domain Name System.

DNS is like the white pages directory for the Internet. You supply a name, DNS supplies a number. The name, in this case, is specifically a hostname and the number is an IP address. Without DNS you would have to remember the IP address of every website you want to visit.

IP stands for Internet Protocol. An IP address is a unique number that allows computers to locate each other on a network. The Internet is a big network and uses IP addresses to route the communication to the proper host. An IP address looks like this: 204.16.252.112.

So how does it work? What happens when you type a URL into a web browser?

1. Enter Desired Domain (or website)

Alice wants to visit the website www.noip.com, so she types it in the address bar in her favorite web browser.

2. Computer Looks Up the IP Address

Her computer contacts her ISP to get the IP address for noip.com. Her ISP’s DNS server doesn’t know the IP address, so it checks with the domain root servers.

3. Website Loads

The root servers tell Alice’s ISP the IP address of No-IP’s nameservers and her ISP looks up noip.com. Her computer receives the IP address and connects to the website.

What is different about DoH and How does it work?

DoH stands for DNS over HTTPS. The DoH protocol works much the same way as DNS in that a DNS query is sent to a DNS server to resolve the hostname of a website. However, DoH sends the query encrypted inside HTTPS rather than in plain text (as is the case with traditional DNS). This protocol also works at the application level instead of the operating system level. This allows DoH queries to be sent to a specific list of DNS servers and bypass ISP-level DNS default settings.

Google notes that “the idea is to bring the key security and privacy benefits of HTTPS to DNS, which is how your browser is able to determine which server is hosting a given website.”
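As an added illustration of the mechanism described above (example code, not from the original article or from No-IP), here is the GET form of a DoH query for www.noip.com as RFC 8484 defines it, plus a parser for the wire-format DNS message a DoH server returns. The resolver URL is a placeholder and the reply is constructed inline, so nothing here touches the network.

```python
import base64
import struct

# Added example: RFC 8484 DoH GET request construction and reply parsing.
# DOH_ENDPOINT is a placeholder, not a real resolver.
DOH_ENDPOINT = "https://doh.example/dns-query"

def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query (RFC 1035); ID 0 as RFC 8484 suggests for GET."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_url(name: str) -> str:
    """Embed the query as the base64url 'dns' parameter with padding removed."""
    dns = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"{DOH_ENDPOINT}?dns={dns}"

def parse_a_records(msg: bytes) -> list:
    """Return IPv4 addresses from the answer section of a wire-format reply."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qdcount):               # skip QNAME, QTYPE and QCLASS
        while msg[pos] != 0:
            pos += msg[pos] + 1
        pos += 5
    addrs = []
    for _ in range(ancount):
        if (msg[pos] & 0xC0) == 0xC0:      # compressed name pointer (2 bytes)
            pos += 2
        else:
            while msg[pos] != 0:
                pos += msg[pos] + 1
            pos += 1
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:     # A record
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return addrs

# Constructed reply: QR/RD/RA set, question echoed, one A record for
# 204.16.252.112 (the sample address used earlier in the article).
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + build_query("www.noip.com")[12:]
    + b"\xc0\x0c"                                # pointer to the question name
    + struct.pack("!HHIH", 1, 1, 300, 4)         # A, IN, TTL 300, RDLENGTH 4
    + bytes([204, 16, 252, 112])
)
```

A real client would send `doh_get_url("www.noip.com")` with an HTTPS library (Accept: application/dns-message) and pass the response body to `parse_a_records`.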

What are the Pros and Cons of DoH?

Pros

  • It helps prevent man-in-the-middle attacks. DNS queries are traditionally sent in plain text, so anyone positioned between you and your recursive server can see which names you are looking up; DoH encrypts those queries and so reduces that risk.
  • DoH’s encryption protects the query data that DNS hijacking relies on and hides it from third-party observers and ISPs that could otherwise sniff it.
  • Because DoH centralizes DNS traffic on a few DoH-enabled servers, load-time performance is typically improved.

Cons

  • It bypasses any DNS filtering your network performs, along with the security insight and network visibility that filtering provides.
  • It gives the browser a different experience from the rest of your computer and network. Some DNS queries go to the browser’s chosen recursive server while others follow your operating system’s network settings, so name resolution in the browser may differ from the rest of your network.
  • It weakens cyber-security. By encrypting DNS queries, companies that rely on DNS monitoring for cyber-security will lose visibility into data such as query type, response and originating IP that are used to identify bad actors.


Where is DoH being used currently?

Currently, the only major browsers that are offering support for DoH are Chrome 78 or higher and Mozilla Firefox. Safari may offer DoH support in the future, but this has not been announced yet.

How does this affect No-IP services?

Long story short, this does not affect No-IP services. It actually shouldn’t really affect your Internet browsing either. If DoH fails for any reason, your browser will just fall back to traditional DNS lookups.

Have questions or concerns about DoH? Leave your comments below.