DNS over HTTPS (DoH): Ultimate Guide

Can you imagine a situation when clients are hacked even before they connect to website they are willing to browse. That's the trick which hackers use to hack websites even highly secure websites!!

Are you using SSL certificate on your web server? A website using SSL certificate is considered as safe but SSL certificate installed on server will work only after a successful connection with web server.

OK here we dive deep on this topic and bring out all gold for you :-

What is DNS?

As you try to open website in our browser, the computer send a request to Resolver for IP address linked with that particular domain name.

Usually a resolver will tell each DNS server what domain you are looking for. This request sometimes includes your full IP address. Or if not your full IP address, the request includes subnet of your IP address, which can easily be utilized to figure out your identity, combined with other information.

DNS request

Existing DNS System faults and risks?

Therefore each and every DNS server sees what domain you’re looking for. But more than that, it also means that anyone on the path to those servers sees your requests, too. 

And your request can also be tempered mid-way, mostly by network routers.  

There are a few ways that existing DNS system puts users’ data at risk. The two major risks are tracking and spoofing.

Tracking DNS Requests

Like I said above, it’s easy to take the full or partial IP address info and figure out who’s looking for that specific web site. This means that the DNS server and anyone along the path to that DNS server  or on-path routers ,  can can easily identify and isolate traffic from your machine. They can create a record of all of the web sites that they’ve seen you look up.

The harvested data can be mis-utilized, or sold to third party for further exploitation of network users.

a router offering to sell data

Not only routers and DNS servers poses a security but resolver server is also equally responsible and can exploit your machine as well as network. That’s because the resolver itself — the one that the network gives to you — could be untrustworthy.

Even if you trust and use your network’s recommended resolver, you’re probably only using that resolver when you’re at home. But in case, whenever you go to a coffee shop or hotel or use any other network, you’re probably using a different resolver. And who knows what its data collection policies are?

Beyond having your data collected and then sold without your knowledge or consent, there are even more dangerous ways the system can be exploited.

Spoofing a DNS Request

With spoofing, someone on the network between the DNS server and you can modify the response. Instead of sending you the real server IP address, a spoofer resolver or router will give you the wrong IP address for a site or IP address for copy or spam site. This way, they can block you from visiting the real site or send you to a scam one. Where you may be asked to fill credit card details.

spoofer sending user to wrong site

Again, this is a case where the resolver itself might act nefariously.

For example, let’s say you’re shopping for something at Megamarket. You want to do a price check to see if you can get it cheaper at a competing online store, big-box.com.

But if you’re on Megamarket WiFi network, you’re most probably using their resolver. That resolver could hijack the request to big-box.com and lie to you, saying that the site is unavailable or send you to a fake copy site where listed prices are much higher. In this way store owner can play with your mind and change your decision.

Internet Censorship and DoH

Current DNS system also acts as a tool for state sponsored internet censorship. State controlled routers and resolvers effectively filter the traffic to specific websites.  Censored domain names are not resolved, or an incorrect IP address is returned via DNS hijacking or other means. This affects all IP-based protocols such as HTTP, FTP and POP.

Using DNS over HTTPS it is impossible for router and middle man to read DNS request, as a result impossible to filter it or reply with fake IP address. DoH is not 100% effective solution for disabling internet censorship, still it is a good move.

Fixing DNS Vulnerabilities with DNS over HTTPS (DoH)

Mozilla, Cloudflare and Google claims been working on fixing these vulnerabilities and announce that they are using DoH and their resolver are trusted (who knows reality!).

On-path routers can track and spoof DNS because they can see the contents of the DNS requests and responses. But the Internet already has technology for ensuring that on-path routers can’t eavesdrop like this. It’s the encryption that I talked about before.

Many brands claiming to introducing new features to fix this — Trusted Recursive Resolver (TRR) and DNS over HTTPS (DoH). Because really, there are three threats here:

  1. You could end up using an untrustworthy resolver that tracks your requests, or tampers with responses from DNS servers.
  2. On-path routers can track or tamper in the same way.
  3. DNS servers can track your DNS requests.

the three threats—resolvers, on-path routers, and DNS servers

So how do we fix these?

  1. Avoid untrustworthy resolvers by using Trusted Recursive Resolver.
  2. Protect against on-path eavesdropping and tampering using DNS over HTTPS.
  3. Transmit as little data as possible to protect users from deanonymization.

DNS over HTTPS Implementation

DNS over HTTPS is used for recursive DNS resolution by DNS resolvers. Resolvers (DoH clients) need to have access to a DoH server hosting a query endpoint.

DNS over HTTPS currently lacks native support even in latest operating systems. Thus a user wishing to use it DoH must install additional software. Three usage scenarios are common:

Using a DoH within an application: Some browsers have a built-in DoH implementation and can thus perform queries by bypassing the operating system's DNS functionality. A drawback is that an application may not inform the user if it skips DoH querying, either by mis-configuration or lack of support for DoH.

Installing a DoH proxy on the name server in the local network: In this scenario client systems continue to use traditional (port 53 or 853) DNS to query the name server in the local network, which will then gather the necessary replies via DoH by reaching DoH-servers in the Internet. This method is transparent to the end user.

Using DoH proxy on a local system: In this scenario, operating systems are configured to query a locally running DoH proxy. In contrast to the previously mentioned method, the proxy needs to be installed on each system wishing to use DoH, which might require a lot of effort in larger environments.
In all of these scenarios, the DoH client does not directly query any authoritative name servers. Instead, the client relies on the DoH server using traditional (port 53 or 853) queries to finally reach authoritative servers. Thus DoH does not qualify as an end-to-end encrypted protocol, only hop-to-hop encrypted and only if DNS over TLS is used consistently.

DNS Servers using HTTPS

Company / BrandBase URL Comment
Google https://dns.google.com/experimental
Cloudflare https://cloudflare-dns.com/dns-query Supports both -04 and -13 content-types
Quad9 https://dns.quad9.net/dns-query
Secured: https://dns9.quad9.net/dns-query
Unsecured: https://dns10.quad9.net/dns-query
Secured provides: Security blocklist, DNSSEC, no EDNS Client-Subnet
CleanBrowsing https://doh.cleanbrowsing.org/doh/family-filter/ Anycast DoH server with parental control (restricts access to adult content + enforces safe search)
@chantra https://dns.dnsoverhttps.net/dns-query "toy server" which runs doh-proxy
@jedisct1 https://doh.crypto.sx/dns-query a server which runs another project called doh-proxy, written in Rust.
PowerDNS https://doh.powerdns.org Based on dnsdist-doh branch
blahdns.com Japan: https://doh.blahdns.com/dns-query
Germany: https://doh-de.blahdns.com/dns-query
Run on Go implementation, knot-resolver with DNSSEC
NekomimiRouter.com https://dns.dns-over-https.com/dns-query Runs Go implementation. Does recursion itself with no upstream servers. Toy server may fail, send email if fails
SecureDNS.eu https://doh.securedns.eu/dns-query No Logging & DNSSEC
Rubyfish.cn https://dns.rubyfish.cn/dns-query East China Zone, Based on https://github.com/m13253/dns-over-https
Commons Host https://commons.host ~20 PoPs worldwide, Node.js/playdoh over Knot Resolver.
dnswarden.com Server 1: https://doh1.dnswarden.com
Server 2: https://doh2.dnswarden.com
Runs on dnsdist-doh . No query logging with DNSSEC.
Server 2 enforces safe search and blocks adult content


Client Side tools for DNS over HTTPS

ClientVersionDescription
Firefox 62 DNS Privacy in Firefox
DNSCrypt-proxy  Local DNS → DNS over HTTPS proxy
doh-php-client Supports CloudFlare's , Google's and CleanBrowsing DoH servers
Bromite 67.0.3396.88 How to enable DoH
curl 7.62.0 See DOH-implementation
OkHttp 3.11 See Providers
curl-doh n/a basic stand-alone DoH client that uses curl
Chrome 66 https://bugs.chromium.org/p/chromium/issues/detail?id=799753

Domain over HTTPS with cURL

Set curl what DoH URL to use with the new –doh-url command line option:

$ curl --doh-url https://dns-server.example.com https://www.example.com

How do I make my libcurl code use this?

Use CURLOPT_DOH_URL and/ or CURLOPT_URL to force above DOH DNS server:

curl = curl_easy_init();
curl_easy_setopt(curl, CURLOPT_URL, "https://curl.sslretail.com/");
curl_easy_setopt(curl, CURLOPT_DOH_URL, "https://doh.sslretail.com/");
res = curl_easy_perform(curl);

DNS over HTTPS Vs DNS over TLS

More often developers and administrators are confused between DNS over HTTPS / TLS, many consider them same because DNS requests are capable to use UDP (TLS) transport layer.  Cloudflare addresses this in the blog post:

There are a couple of different approaches. One is DNS-over-TLS. That takes the existing DNS protocol and adds transport layer encryption. Another is DNS-over-HTTPS. It includes security but also all the modern enhancements like supporting other transport layers (e.g., QUIC) and new technologies like server HTTP/2 Server Push. Both DNS-over-TLS and DNS-over-HTTPS are open standards. And, at launch, we've ensured 1.1.1.1 supports both. - Cloudflare Blog

We think DNS-over-HTTPS is particularly promising — fast, easier to parse, and encrypted.

Other Approaches used with DNS over HTTPS (DoH)

Using Only Trusted Recursive Resolver (Trusted RR)

A normal internet user is not aware with the risks not using DoH rather only trust on the antivirus and anti-malware.

Networks can get away with providing untrustworthy resolver that steal your data or spoof DNS because very few users know the risks or how to protect themselves.

Even for users who do know the risks, it’s hard for an individual user to negotiate with their ISP or other entity to ensure that their DNS data is handled responsibly.

However, we’ve spent time studying these risks… and we have negotiating power. We worked hard to find a company to work with us to protect users’ DNS data.

Cloudflare is providing a recursive resolution service with a pro-user privacy policy. They are self committed to throwing away all personally identifiable data after 24 hours, and to never pass that data along to third-parties. And there will be regular audits to ensure that data is being cleared as expected. ( God knows the truth...)

This means Firefox can ignore the resolver that the network provides and just go straight to Cloudflare. With this trusted resolver in place, we don’t have to worry about rogue resolvers selling our users’ data or tricking our users with spoofed DNS.

Why are we picking one resolver? Cloudflare is as excited as we are about building a privacy-first DNS service. Cloudflare worked with Firefox to build a DoH resolution service that would serve our users well in a transparent way.

But this doesn’t mean you have to use Cloudflare. Users can configure Firefox to use whichever DoH-supporting recursive resolver they want. As more offerings crop up, we plan to make it easy to discover and switch to them.

Protection Against De-Anonymization

In addition to providing a trusted resolver which communicates using the DoH protocol, Cloudflare is working with us to make this even more secure.

Normally, a resolver would send the whole domain name to each server—to the Root DNS, the TLD name server, the second-level name server, etc. But Cloudflare will be doing something different. It will only send the part that is relevant to the DNS server it’s talking to at the moment. This is called QNAME minimization.

image showing resolver only asking the relevant question

The resolver will also often include the first 24 bits of your IP address in the request. This helps the DNS server know where you are and pick a CDN closer to you. But this information can be used by DNS servers to link different requests together.

Instead of doing this, Cloudflare will make the request from one of their own IP addresses near the user. This provides geolocation without tying it to a particular user. In addition to this, we’re looking into how we can enable even better, very fine-grained load balancing in a privacy-sensitive way.

Doing this — removing the irrelevant parts of the domain name and not including your IP address — means that DNS servers have much less data that they can collect about you.

Overall in near future using DoH is a nice hope for internet privacy and security.