What is DNS over HTTPS and should I use it?

Throughout the history of the Internet, traditional Domain Name System (DNS) traffic—for example, user requests to access particular websites—has been largely unencrypted. This means that every time you look up a web address in the "internet phone book," each part of the DNS value chain that takes your request can examine those queries and responses, or even modify them. Encrypted DNS, for example, using DNS over HTTPS (DoH), changes that. Several large Internet companies, such as Apple, Mozilla, Microsoft, and Google, are implementing encrypted DNS through DoH in their services and applications. Mozilla was an early adopter of DoH in its browser in the United States in late 2018, while Apple is implementing it with updates to iOS 14 and macOS 11 in fall 2020, and Google is implementing DoH in Chrome for Android.

The World Wide Internet Telephone Directory

The DNS (Domain Name System) essentially works like the Internet phone book. If we think of the top-level domain (the rightmost part of a web address, like .com, .org, or .info) as the equivalent of a country code or area code, the second-level domain (for international.eco.de it would be eco) as the company's main number, and the third level (international) as the specific extension, you get a picture of how this directory is put together and how computers find the service you want to visit. DNS resolvers are responsible for finding the Internet resource (for example, a website) whose name you typed on your computer or phone. The first DNS resolver your device talks to is usually the local one: your home or work router, or a public hotspot. This resolver follows a series of steps, checking for any pre-configured settings on the device or a record of previous visits to the given website (called a cache). Otherwise, the resolver forwards the DNS query to the next resolver, for example the one run by the Internet Service Provider (ISP) you are connected to. That resolver follows the same steps and eventually, if all else fails, looks the domain up in the "internet phone book" itself.

Against what risks does DoH protect users?

One of the objectives in developing the DoH protocol was to increase user privacy and security by preventing eavesdropping on and manipulation of DNS data. Encrypting your DNS traffic protects you from the possibility that a malicious actor could redirect you to another (malicious) destination, for example a fake banking website instead of the one you intended to visit. This type of cyber attack is known as a Man-in-the-Middle (MITM) attack. DNS encryption via DoH (or the related DoT protocol, DNS over TLS) is the only realistic solution currently available. Monetizing DNS data, for example for marketing purposes, is a potential and realistic privacy issue that the developers of DoH also wanted to address.

Protect users on public networks

When using a public wireless network (Wi-Fi) in hotels, cafes, etc., the DNS query data from your mobile phone can be used to analyze your behavior and track you across networks. Often these DNS services are part of a globally marketed all-in-one Wi-Fi solution that may not comply with local privacy laws, and its privacy protection settings may not be activated. Additionally, free public Wi-Fi services, especially when operated or provided by small businesses, are often poorly managed in terms of security and performance, leaving you vulnerable to attacks from within those networks. DoH protects users of these public wireless networks because the Wi-Fi network's DNS resolver is bypassed, preventing user tracking and data tampering at that level. DoH therefore provides a way to protect communications in an untrusted environment.

What is changing with DoH?

DNS over HTTPS by itself only changes the transport mechanism by which your device and the resolver communicate. Requests and responses are encrypted using the well-known HTTPS protocol. Currently, since few DoH resolvers have been deployed and work is still underway to make DoH resolvers technically "discoverable", DNS queries using DoH typically bypass the local resolver and are instead handled by an external third-party DoH provider already designated by the respective software developer or manufacturer. More and more providers are deciding whether or not to offer their own DoH services.

Do I want DoH on my corporate network?

While DoH is a useful way to protect yourself when using a public hotspot, it may not be the preferred option in trusted network environments, such as corporate networks or Internet access purchased from a trusted ISP. Your company, for example, may have legitimate reasons to ban an application that ignores and overrides the system's default settings; such an application can even be considered potentially dangerous, since the network administrator cannot control it within the network.

Many of the problems with corporate networks go away if DoH is implemented at the system level rather than the application level. At the system level, for example, a corporate network administrator can configure the system and create a policy that ensures the corporate resolver is used while the device is on the corporate network, but DoH is used while the device is on a public network, to improve security and privacy. If DoH is implemented by default at the application level, however, these configurations are ignored. There are other concerns about using an external DNS resolver via DoH, ranging from potentially slow response times to the bypassing of parental controls and legally mandated blocking.

In general, though, many of the possible disadvantages of DoH are outweighed by just as many advantages, depending on the context. There's no question about it: DNS encryption improves user security and privacy, and DoH can provide an easy way to achieve it. But if you do enable DoH, be sure to educate yourself on who will handle your DoH resolution, how they handle your data, and whether you can easily disable it when you need to.
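As an added illustration of the administrator's side of this (not code from the article), here is a Python check a network team could run over web-proxy or gateway logs to spot applications that resolve names through an external DoH resolver instead of the corporate one. The log format, client addresses, host names and the allow list are all constructed for the example; the markers it looks for (the `application/dns-message` media type, the `dns=` GET parameter, and the `/dns-query` path that resolvers conventionally use) come from RFC 8484.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Placeholder: the DoH resolver(s) the corporate policy allows. Anything
# else answering DoH requests is an application going around the policy.
CORPORATE_DOH = {"dns.corp.example"}

# Constructed sample log: "<timestamp> <client> <method> <url> <media type>".
# The hosts and addresses are documentation/placeholder values only.
SAMPLE_LOG = """\
2020-10-05T09:12:01Z 10.1.1.20 GET https://cdn.example/app.js text/javascript
2020-10-05T09:12:03Z 10.1.1.20 POST https://doh.example/dns-query application/dns-message
2020-10-05T09:12:04Z 10.1.1.31 GET https://doh.example/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAAE application/dns-message
2020-10-05T09:12:09Z 10.1.1.42 POST https://dns.corp.example/dns-query application/dns-message
2020-10-05T09:12:11Z 10.1.1.31 GET https://mail.example/inbox text/html
"""

LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")


def is_doh_request(method: str, url: str, media_type: str) -> bool:
    """True if the request carries the markers RFC 8484 defines for DoH.

    The media type is the strongest signal; the /dns-query path and the
    'dns' GET parameter are conventions most resolvers follow, so they are
    heuristics rather than guarantees.
    """
    parts = urlsplit(url)
    if media_type == "application/dns-message":
        return True
    if parts.path.endswith("/dns-query"):
        return True
    if method == "GET" and "dns" in parse_qs(parts.query):
        return True
    return False


def find_doh_bypass(log_text: str, allowed=CORPORATE_DOH):
    """Return (client, resolver host) pairs for DoH traffic that went to a
    resolver outside the allow list. Malformed lines are skipped, not fatal."""
    hits = []
    for line in log_text.splitlines():
        match = LINE.match(line)
        if not match:
            continue
        _ts, client, method, url, media_type = match.groups()
        host = urlsplit(url).hostname
        if is_doh_request(method, url, media_type) and host not in allowed:
            hits.append((client, host))
    return hits


if __name__ == "__main__":
    for client, host in find_doh_bypass(SAMPLE_LOG):
        print(f"{client} resolved names via external DoH resolver {host}")
```

A practical caveat: the path, parameter and media type are only visible to a proxy that terminates TLS. Without that, a gateway sees just the destination host (from the TLS server name), so the allow-list comparison on the host is the part of this check that still works, and it is worth pairing with the system-level policy the text describes, which keeps devices on the corporate resolver while they are on the corporate network.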