How DoH Is Overcoming DNS Challenges
requests from those who may seek to use the information improperly. The same encryption standards that banks, credit monitoring services and other sites handling sensitive information use to prove their legitimacy are also used with DoH.
It does this by effectively “wrapping” DNS requests in the HTTPS encryption protocol, which ensures that the server you connect to is the one you intended to connect to, and that no one can listen in on those requests, because all the traffic is encrypted.
“It makes sure no one is messing with a user by changing the results of a request before it’s returned,” says Barnett.
In addition to improving privacy around device usage—remember, any internet-connected device needs to “phone home” occasionally, which means initiating a DNS request—DoH also addresses several DNS-enabled attack methods. These include DNS spoofing, also called DNS hijacking, whereby cybercriminals redirect a DNS request to their own servers in order to spy on or alter communications. Once this traffic is encrypted, it essentially becomes worthless as a target.
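The “wrapping” described above is specified in RFC 8484: the client builds an ordinary wire-format DNS message and carries it inside an HTTPS request, either base64url-encoded (without padding) in a `dns` query parameter of a GET, or as a POST body with the `application/dns-message` media type. The following is an added example, not code from the article or from Webroot, showing both halves of that exchange offline: it builds the query, forms the GET URL, and parses a constructed response. The resolver URL `doh.example.net` and the response bytes are assumptions constructed for the example.

```python
import base64
import struct
from typing import List, Tuple

# Assumed resolver endpoint; any RFC 8484 server exposes the same shape of URL.
DOH_URL = "https://doh.example.net/dns-query"
DOH_MEDIA_TYPE = "application/dns-message"  # Accept / Content-Type per RFC 8484


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a wire-format DNS query (RFC 1035) for `name`.

    RFC 8484 recommends a zero transaction ID so identical questions produce
    identical request bytes, which lets HTTP caches work on them."""
    flags = 0x0100  # standard query, recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_url(query: bytes) -> str:
    """Form the GET URL: base64url encoding with the '=' padding stripped."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{DOH_URL}?dns={encoded}"


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_answers(msg: bytes) -> List[Tuple[str, int, int, str]]:
    """Return (name, type, ttl, rdata) for each answer record in a response body.
    A records are rendered as dotted quads, other types as hex."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        _, offset = _read_name(msg, offset)
        offset += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return answers


def constructed_response() -> bytes:
    """A constructed response body (not captured from any resolver): example.com
    A 192.0.2.1 (an RFC 5737 documentation address), TTL 300, name compressed."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


if __name__ == "__main__":
    q = build_query("example.com")
    print("GET", doh_get_url(q), "with Accept:", DOH_MEDIA_TYPE)
    print(parse_answers(constructed_response()))
```

Everything a resolver or an on-path observer could once read in cleartext, the question name included, is inside the TLS session; the only unencrypted facts left are the resolver's hostname and address.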
So, while the domain name system has served the internet and its users well for decades, the time may have come for a change.
“The creators of DNS, in their wildest dreams, imagined the system may be able to accommodate up to 50 million domains. We’re at 330 million now. It’s amazing what they achieved,” says Barnett. “But DNS needs to evolve. It’s been a great tool, but it wasn’t designed with privacy or security as a priority. DoH represents the logical evolution of DNS.”
Toward A DoH-Enabled Future
Several major tech players, such as Mozilla with its Firefox browser, have already made the leap to DoH as their preferred method of resolving requests. Many companies, however, would prefer to retain control of DNS and are concerned about applications making independent, rogue DNS requests. Losing this control can compromise security, because it limits a business's ability to filter and process those requests.
As application creators strive for better privacy for their users and businesses always look to improve security, a balance must be found. By controlling whether applications can enable DoH, Webroot DNS Protection has designed its agent to retain control of DNS requests. And by also running each request through Webroot’s threat intelligence platform, both privacy and security are improved.
Its next release, expected in the coming months, will be fully compatible with the new DoH protocol in service to the security and privacy of its users.
Kyle Fiehler is a writer and brand journalist for Webroot. For over five years he’s written and published custom content for the tech, industrial and service sectors. He now focuses on articulating the Webroot brand story through collaboration with customers, partners, and internal subject matter experts.
This guest blog is part of a Channel Futures sponsorship.
Note that before DoH there was already (DoT) DNS over TLS which solves all of the problems that DoH does in a slightly more direct way since it does not need the HTTP layer.
In theory DoH could work better than DoT in an HTTP/2 setting since it avoids problems resulting from having many queries share a single connection, but measurements have not shown this to be the case.
Probably the biggest appeal of DoH is that browser implementers are comfortable with HTTP… plus it adds the ability to make DNS traffic look like HTTP traffic, making it more difficult to filter or otherwise monitor for network administrators. While seemingly a “win” at first glance, there are various reasons to be nervous about this, and probably if a user feels that she needs such protections against the local network operator she should employ a full VPN. It also bypasses DNS-based protections which many administrators use to protect their users from various malware and other abuse sites.
In addition to the concerns from a network operator view, there are potential privacy concerns with DoH, as web browser or mobile application developers may send user DNS traffic to a very small number of DoH resolvers (almost all browsers in use today are basically made by Google, Mozilla, Apple, and Microsoft). While this is not a necessary result of moving to DoH for DNS, it is at least a possibility that should be considered and guarded against.
I find it slightly disappointing that this somewhat breathless overview of DoH does not really present any of the potential issues with this new technology.
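The commenter's point that DoH blends into ordinary HTTPS, and so bypasses the DNS-based filtering many administrators rely on, has a practical defensive corollary: where a TLS-inspecting proxy already sees HTTP metadata, the RFC 8484 media type `application/dns-message` is a reliable marker that a client is resolving names outside the sanctioned resolver. The following is an added example, not part of the article or the comment, that runs that check over a handful of constructed proxy log lines (the log format, hosts and addresses are assumptions made up for the example) and, for GET-style requests, recovers the queried name from the `dns` parameter so the administrator can see what was looked up.

```python
import base64
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

DOH_MEDIA_TYPE = "application/dns-message"  # RFC 8484 media type

# Constructed proxy log lines (not from any real deployment). Fields are
# timestamp, client, method, URL, status, response Content-Type.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 GET https://www.example.org/index.html 200 text/html
2024-01-01T10:00:01Z 10.0.0.5 GET https://doh.example.net/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE 200 application/dns-message
2024-01-01T10:00:02Z 10.0.0.7 POST https://resolver.example.com/dns-query 200 application/dns-message
2024-01-01T10:00:03Z 10.0.0.9 GET https://cdn.example.org/app.js 200 application/javascript
2024-01-01T10:00:04Z 10.0.0.9 GET https://www.example.org/dns-query 404 text/html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) (\S+)$")


def question_name(wire: bytes) -> str:
    """Read the QNAME of a wire-format DNS query (labels begin at byte 12).
    Query questions are never compressed, so plain labels suffice here."""
    labels, pos = [], 12
    while wire[pos] != 0:
        n = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def decode_dns_param(url: str) -> str:
    """Recover the queried name from a DoH GET URL; '' if there is no dns= parameter."""
    values = parse_qs(urlparse(url).query).get("dns")
    if not values:
        return ""
    b64 = values[0]
    wire = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))  # restore stripped padding
    return question_name(wire)


def find_doh(log: str) -> List[Dict[str, str]]:
    """Flag lines whose response Content-Type is the DoH media type.

    The media type is the reliable signal. A /dns-query path by itself is only a
    hint, so the 404 text/html line in the sample is deliberately not flagged."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, method, url, _status, ctype = m.groups()
        if ctype.lower() != DOH_MEDIA_TYPE:
            continue
        hits.append({
            "client": client,
            "resolver": urlparse(url).hostname,
            "method": method,
            # POST carries the query in the body, which this log format does not record.
            "qname": decode_dns_param(url) if method == "GET" else "(in POST body)",
        })
    return hits


def per_client(hits: List[Dict[str, str]]) -> Counter:
    """Count DoH requests per client so the noisiest bypassing hosts surface first."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = find_doh(SAMPLE_LOG)
    for h in found:
        print(h)
    print(per_client(found))
```

Without TLS inspection the media type is not visible, and the remaining signals (connections to known resolver hostnames, or a steady stream of small HTTPS exchanges to one host) are weaker; that gap is exactly why the comment's concern about losing DNS-layer visibility is hard to close from the network alone.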