DNS over HTTPS (DoH)

People feel secure because the traffic between their web browser and the destination website is very likely encrypted. Most people nowadays look for the small padlock at the beginning of the website URL and conclude that the connection to that site is encrypted with TLS (the certificate behind the padlock is still commonly called an SSL certificate). That prevents every network device on the path between the client and the server, including your Internet Service Provider, from seeing what is inside the packets.


But some parts of the communication are sent in clear text, before the connection between the client and the server has even been established. When the browser wants to go to google.com, the name in the URL needs to be translated to an IP address so the connection can be initiated to the remote server. The PC or mobile device asks a Domain Name System (DNS) resolver to map that name (google.com) to an IP address (e.g. 172.217.13.100). DNS is the "internet phonebook": it turns the domain names humans can read into the IP addresses computers use. By default that lookup goes out over UDP port 53 with no encryption at all.

So why should I care that name resolution is transmitted in clear? Because the Internet Service Provider, and any other organization with access to that traffic, can simply see the names of the web sites you are visiting. It is like Canada Post sharing the names and addresses of everyone you correspond with, or your cell phone provider sharing the phone numbers of the people you call. You might say you have nothing to hide, but I would say it is a matter of privacy...


One solution – DNS over HTTPS (DoH)


DNS over HTTPS (DoH) is a protocol for performing Domain Name System (DNS) resolution over HTTPS (RFC 8484): the same DNS query that would normally go out over UDP port 53 is sent as the body of an HTTPS request to a resolver, so the web site name lookup is encrypted before the connection to the site is established. Browsers such as Firefox and Chrome implement DoH, and Firefox enables it by default for users in some countries, starting with the United States. Because the mechanism lives in the browser, the browser can ignore the DNS configuration of the operating system and use a resolver chosen by the browser vendor: in Firefox's default configuration, all DNS queries are encrypted and sent over HTTPS to Cloudflare, a private US company. (Chrome's default behaviour is different: it upgrades to DoH only when the resolver already configured on the operating system is known to offer a DoH endpoint, so the resolver itself does not change.)
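To make the mechanism concrete, here is an added example (not from the original post, and not Mozilla's, Google's or Cloudflare's code) that builds a wire-format DNS query, posts it to a DoH resolver as an application/dns-message body, and parses the answer. The resolver URL is an assumption; any RFC 8484 endpoint works. The parser is also exercised on a constructed response so its behaviour can be checked without network access.

```python
"""Added example: a minimal DNS-over-HTTPS client (RFC 8484 over RFC 1035 wire format).

Assumptions: DOH_URL is Cloudflare's public endpoint (any RFC 8484 resolver works);
the constructed response bytes in the __main__ block are hand-built test data.
"""
import struct
import urllib.request

DOH_URL = "https://cloudflare-dns.com/dns-query"  # assumption: any RFC 8484 endpoint
TYPE_A, TYPE_CNAME, CLASS_IN = 1, 5, 1


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    """Wire-format query: 12-byte header (ID 0, RD=1, QDCOUNT=1) + one question.
    RFC 8484 recommends ID 0 so identical queries are cacheable by HTTP caches."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2                       # name ends after the pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg: bytes) -> dict:
    """Return {'id', 'rcode', 'answers': [(name, type, ttl, value), ...]}."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F                              # 0 = NOERROR, 3 = NXDOMAIN
    offset = 12
    for _ in range(qdcount):                            # skip echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4                                     # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == TYPE_A and rdlen == 4:
            answers.append((name, "A", ttl, ".".join(str(b) for b in rdata)))
        elif rtype == TYPE_CNAME:
            answers.append((name, "CNAME", ttl, decode_name(msg, offset)[0]))
        else:
            answers.append((name, str(rtype), ttl, rdata.hex()))
        offset += rdlen
    return {"id": txid, "rcode": rcode, "answers": answers}


def doh_resolve(name: str, url: str = DOH_URL) -> dict:
    """POST the DNS message over HTTPS; the ISP sees only a TLS session to the resolver."""
    req = urllib.request.Request(
        url, data=build_query(name), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_response(resp.read())


if __name__ == "__main__":
    # Constructed NOERROR response for example.com -> 93.184.216.34 (TTL 300),
    # with the answer name compressed as a pointer to offset 12.
    sample = (bytes.fromhex("000081800001000100000000")
              + encode_name("example.com") + b"\x00\x01\x00\x01"
              + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04" + bytes([93, 184, 216, 34]))
    print(parse_response(sample))
    print(doh_resolve("example.com"))                 # live query, needs network
```

RFC 8484 also allows a GET with the same message base64url-encoded in a `?dns=` query parameter; the POST form above is what the browsers send by default. Note that the NXDOMAIN case (rcode 3) is exactly what an external DoH resolver returns for a purely internal host name.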


So this way, your ISP and local law enforcement authorities can no longer see the DNS names of the web sites you visit. They still see the destination IP address and, unless the site uses Encrypted Client Hello, the server name in the TLS handshake (SNI), so DoH hides the lookup rather than the destination.

But what guarantees that Cloudflare will handle that DNS data any more responsibly?

Moreover, using DoH servers bypasses expensive security mechanisms and filtering based on DNS names (like Cisco's Umbrella): the browser never asks the corporate resolver, so a blocklist enforced there is never consulted. A network that relies on DNS filtering has to either block the known DoH resolver endpoints or tell the browser not to use DoH. Firefox, for example, disables its default DoH when the local resolver returns NXDOMAIN for the canary domain use-application-dns.net, and both Firefox and Chrome honour enterprise policies that turn DoH off.

Another disadvantage is that name resolution for hosts on your internal network, if any, simply takes longer: the query first travels to the external DoH resolver, which does not know your internal names and answers NXDOMAIN (or times out), and only then does the browser fall back to the local DNS servers configured at the operating-system level.


For more information on how to secure your network please contact info@collabpro.ca

