Enabling DNS over HTTPS (DoH): Advantages and Best Practices

First things first, let’s clear up the basics. Not everyone understands exactly what DNS is and how it works. Let’s start with the DNS part: when you browse the Internet or use any resource on it (e.g. Netflix), you typically reach it by entering the “name” of the resource you would like to use. Machines, however, are not very good with names; they use numbers (IP addresses). The Domain Name System’s job is to translate names to numbers and vice versa (a process known as domain resolution). DNS is something the average user rarely spares a thought for, and it used to be something configured and hidden deep in the innards of your operating system.

By default, users rely on the DNS servers of their Internet Service Provider or mobile operator. There are also independent, third-party DNS servers, such as Google Public DNS, Cloudflare Public DNS and OpenDNS. Internet service providers around the world often use the DNS service they provide as a way to eavesdrop on what their customers do online. This is not very popular, certainly among privacy advocates, but it is quite common. The providers sell the knowledge gained about user behaviour to companies that analyze that behaviour and approach individual users with sales messages.

What is DNS over HTTPS (DoH)?

Basically, DNS over HTTPS adds an extra layer over DNS for privacy and security. Most modern web browsers now raise an alert, showing “Not Secure”, when a site is served over plain HTTP. Some also have encryption built in, so that anyone viewing or snooping on online activity can see that a connection exists but can neither read nor tamper with its content. DoH applies the same idea to the resolver: DNS queries are carried inside HTTPS, whose encryption prevents unauthorized snooping or interference, making it quite secure.

Man-in-the-middle attacks (a common cybersecurity concern) against DNS traffic are more or less useless once DNS over HTTPS is enabled. Since all DNS requests are encrypted, a third-party observer cannot make sense of the data they would glean.

If that data is not encrypted (as with conventional DNS, which is sent in the clear), it is easy for a malicious third-party observer to see which domains you are trying to access. In contrast, when DoH is active, the queries are encrypted and hidden within the enormous volume of HTTPS traffic that passes through the network.

Google Chrome Browser

DNS over HTTPS is available in Google Chrome 83 for Windows and macOS and is configurable from the settings page. When it is enabled and the operating system is configured with a supported DNS server, Chrome upgrades DNS queries to encrypted ones. You can also manually specify a preset or custom DoH server in the user interface: simply search for “Security” in the settings pane.

Build your own DoH Server?

TL;DR

We used the open source software PowerDNS to build our own custom DoH server. You can review the documentation and implement your own; it took us about 60 minutes to get it up and running. The alternative is to use the DoH services provided by Google, Cloudflare or OpenDNS.

https://en.wikipedia.org/wiki/PowerDNS
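To make the DoH mechanics described above concrete (DNS queries wrapped in HTTPS, in the RFC 8484 wire format) and to give you a small client for exercising a self-hosted resolver like the PowerDNS-based one from the TL;DR, here is an added Python example. It is not code from the original post or from the PowerDNS project. RESOLVER_URL is a placeholder, the sample reply is constructed by hand, and the helper names are this example's own; build_query(), doh_get_url(), parse_response() and check_response() run offline, while resolve() needs a reachable DoH endpoint.

```python
"""DNS-over-HTTPS (RFC 8484) client building blocks (added example, not from the post)."""
from __future__ import annotations

import base64
import struct
import urllib.request

DOH_MEDIA_TYPE = "application/dns-message"
# Placeholder (assumption): replace with a public DoH resolver or your own server's URL.
RESOLVER_URL = "https://doh.example.invalid/dns-query"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a one-question DNS query in wire format (qtype 1 = A, class IN).

    RFC 8484 suggests transaction id 0 so identical queries yield identical
    HTTP requests, which lets HTTP caches work.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    qname = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:  # DNS labels are 1..63 bytes
            raise ValueError(f"bad DNS label: {label!r}")
        qname += bytes([len(label)]) + label.encode("ascii")
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """GET form: the query travels base64url-encoded, without padding, in ?dns=."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def doh_post_request(resolver_url: str, query: bytes) -> urllib.request.Request:
    """POST form: the raw wire-format query is the HTTPS request body."""
    return urllib.request.Request(
        resolver_url, data=query, method="POST",
        headers={"Content-Type": DOH_MEDIA_TYPE, "Accept": DOH_MEDIA_TYPE},
    )


def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:  # compression pointer to an earlier name
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(msg: bytes) -> tuple[int, list[tuple[str, int, int, str]]]:
    """Return (rcode, answers); each answer is (name, rtype, ttl, rdata as text)."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        text = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, text))
    return flags & 0x000F, answers


def check_response(query: bytes, response: bytes) -> None:
    """Reject a reply whose transaction id or QR bit does not match our query."""
    if response[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    if not response[2] & 0x80:
        raise ValueError("QR bit not set: this is not a response")


def constructed_response() -> bytes:
    """Constructed sample reply (not a capture): example.com A -> 192.0.2.1, TTL 300."""
    question = build_query("example.com")[12:]
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set; rcode 0
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


def resolve(name: str, resolver_url: str = RESOLVER_URL, timeout: float = 5.0):
    """Send a DoH POST and parse the answer (needs network; not exercised offline)."""
    query = build_query(name)
    req = doh_post_request(resolver_url, query)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        if resp.headers.get("Content-Type", "").split(";")[0].strip() != DOH_MEDIA_TYPE:
            raise ValueError("resolver did not return application/dns-message")
        body = resp.read()
    check_response(query, body)
    return parse_response(body)


if __name__ == "__main__":
    q = build_query("example.com")
    print("GET URL:", doh_get_url(RESOLVER_URL, q))
    check_response(q, constructed_response())
    print("parsed:", parse_response(constructed_response()))
```

Whichever resolver you point this at, public or self-hosted, that resolver still sees every query in the clear: DoH hides lookups from the network path (the ISP, a coffee-shop Wi-Fi), not from the resolver operator, which is the trade-off behind the post's suggestion to run your own.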


James Huang, August 11, 2024