WEBINAR: Securing Remote Workers in a Hybrid Environment

REGISTER TODAY
free trial
Book a Demo
What is DNS-over-HTTPS?

What is DNS-over-HTTPS?

by Josh Lamb on Oct 16, 2019 12:00:00 AM

DNS-over-HTTPS is a DNS encryption method that works over HTTPS, it is also an alternative to the encryption method DNS-over-TLS.

New technology always bring unknown factors. Over the past year, leading web browsers began implementing a new internet protocol called DNS-over-HTTPS (DoH). DoH is a method for performing Domain Name System (DNS) resolution, using the HTTPS Protocol.

This represents a significant change in how browser vendors envision the future of DNS. Traditionally, DNS lookups have always taken place by the Operating System of the device. By using HTTPS, browser vendors are shifting this responsibility onto themselves.

1. How Does DNS Operate Today?

In order to understand why DoH came about, it’s necessary to understand how DNS currently operates. Since the inception of DNS 35 years ago, DNS queries have been performed in clear-text (unencrypted). Any unencrypted communication is vulnerable to exploitation. When it comes to DNS, these exploitations most commonly come in the form of tracking or spoofing.

Tracking is when your data is collected so that a profile is built of your browsing habits. This data can then be sold to advertisers or other parties. (without your knowledge!)

Spoofing is when DNS requests are forged. Mozilla presents an example where a user is connected to the WiFi at a retail store. The store’s DNS server could manipulate your DNS queries so that attempts to do a price comparison on a competitor’s website will fail or redirect.

The natural question to ask is “Who is the biggest perpetrator?” In many cases, the responsible party is the owner of the DNS server the user has connected to by default. Most people are not aware that when they connect to a new network, a DNS provider is automatically assigned to them. If you are at home or at work, this is usually your Internet Provider. If you are traveling to a coffee shop or airport, then by default you’ll use the DNS provider they give you (unless of course you're using a Roaming Client solution like the one DNSFilter provides). Free WiFi providers are often the largest culprits of DNS tracking.

2. What are Web Browsers Doing?

In response to the problems of tracking and spoofing, browser vendors are pushing forward the adoption of DoH. Early in September 2019, Mozilla announced plans to make DoH available by default for Firefox users in the United States. Shortly afterwards, Google announced similar plans for its upcoming build of Chrome. These decisions have introduced controversy and the implications are commonly misunderstood.

However, Mozilla and Google are going through an experimentation phase before fully switching over to DoH. They appear to both have a willingness to work with major DNS security providers (such as DNSFilter). Mozilla is the closest to full implementation, and has already worked directly with DNSFilter to ensure that Firefox is in full compliance with our service.

3. What does this mean for DNSFilter users?

The existence of DoH highlights the importance of maintaining control over your DNS data. By employing protective DNS like DNSFilter to secure your DNS, you are preventing DNS tracking and spoofing. Here are a few takeaways as we move into a DoH world:

  1. Using DNSFilter ensures the safety of your DNS information. Instead of relying on your internet provider or any individual network, you are sending your traffic to a company that won’t sell or manipulate your DNS data. This is not true of many “free DNS” providers.
  2. You have complete visibility. By using our Query Log tool, you are able to see exactly which DNS requests are being made on your network and to restrict users from accessing threats & inappropriate content.
  3. You can prevent DoH from interfering with your access policies. DNSFilter is 100% compatible with Firefox’s DoH and there is no action needed.

How Can I Secure My DNS?

The biggest question raised by DNS-over-HTTPS is how it will affect companies which have their own DNS security, such as DNSFilter. There are two steps you can take to ensure that DoH does not interfere with your filtering policies:

  1. You can prevent your browser from circumventing your policies by restricting DNS resolution to only DNSFilter. This is best done at the firewall level by blocking DoH addresses. This ensures that your DNS filtering policies will always remain in effect. For complete directions, checkout our help article on preventing circumvention. DNSFilter helps to maintain a community list of DoH servers so that system administrators can restrict access.
  2. You can setup DNS-over-TLS as a full-featured alternative. DNSFilter fully supports DNS-over-TLS using our Roaming Clients or DNS Relay. DNS-over-TLS is more comprehensive than DoH, because it encrypts all DNS traffic on your machine (rather than only web browser traffic). For this reason, it is DNSFilter’s preferred security method.

For more information on DNS encryption, check out our on-demand webinar that pits DoH against DoT.
Topics: Featured
Search
  • There are no suggestions because the search field is empty.
Categories

Categories

Latest posts
Fall 2023 G2 Awards Are Here: 29 Badges and Counting For DNSFilter Fall 2023 G2 Awards Are Here: 29 Badges and Counting For DNSFilter

DNSFilter has been named a leader in Secure Web Gateway, DNS Security, and Web Security categories on G2, earning an impressive 29 badges and named in 29 reports. This includes new badges such as High Performer EMEA and Leader Americas in the Web Security category. 

These accolades are a testament to our commitment to our customers. We are particularly proud of our badges for ease of implementation, administration, and quality support. Providing ...

DNSFilter CEO Reacts to France’s “Bill to Secure and Regulate the Digital Space” DNSFilter CEO Reacts to France’s “Bill to Secure and Regulate the Digital Space”

At the end of June, Vint Cerf, one of the “fathers of the internet” published an article on Medium in response to a drafted bill by the French Republic. You can read the original French proposal here, but we’ll also include a version translated into English at the bottom of this article.

First, let me provide a quick summary of what the bill is proposing:

Spurred on by the proliferation of cyber threats and attacks, the government of France is pr...

Your Security Stack & Fantasy Football Team Have More in Common Than You'd Think Your Security Stack & Fantasy Football Team Have More in Common Than You'd Think

If you’re a football fan like many of us at DNSFilter, it’s possible you have a fantasy league in the office or with your friends. Our #sportsball slack channel is keeping many of us going as the weather cools down and the days get shorter. It’s a fun way to discuss and track the football season (and potentially win bragging rights and the respect of your fantasy prowess). 

Now you might be thinking, “How on Earth could fantasy football possibly ...

Explore More Content

Ready to brush up on something new? We've got even more for you to discover.
WhitePapers
WhitePapers
 Webinars
Webinars
 Case Studies
Case Studies
 Product Literature
Product Literature