DNS Explained – Complete Beginner to Advanced Guide
CHAPTER 12 Beginner

DNS Over HTTPS (DoH) and DNS Over TLS (DoT)

Updated: May 15, 2026
20 min read


1. Introduction

In Chapter 11, we learned that DNSSEC protects the *authenticity* of a DNS record. DNSSEC does nothing to protect the *privacy* of the user: a signed answer is still a plaintext answer. For roughly the first three decades of the internet, every DNS query travelled in clear, readable text over Port 53. Even when you browse a website over a secure HTTPS connection, the DNS query that precedes it announces *which* website you are about to connect to, and anyone positioned on the path (your ISP, a government with access to the ISP, or an attacker on the same Wi-Fi network) can read it. In this chapter, we explore the modern answer to that problem: Encrypted DNS. We will analyze the mechanics and differences between DNS over HTTPS (DoH) and DNS over TLS (DoT).

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Identify the privacy vulnerabilities inherent in legacy Port 53 DNS queries.
  • Explain the mechanism of Encrypted DNS.
  • Differentiate between DNS over HTTPS (DoH) and DNS over TLS (DoT).
  • Understand how ISPs and corporate firewalls monitor traditional DNS traffic.
  • Configure modern web browsers to utilize secure DNS protocols.

3. Beginner-friendly Explanations

The Clear Envelope Problem: Imagine you want to send a highly confidential letter to a doctor. You use unbreakable math (HTTPS) to scramble the letter and put it in an envelope. But on the *outside* of the envelope, you write in giant, clear letters: *"DELIVER TO: PSYCHIATRIC HOSPITAL, 123 MAIN ST."* The postman (your ISP) cannot read your private letter, but they know exactly who you are writing to, and nothing stops them from logging that address and selling the list to pharmaceutical advertisers.

The Solution (Encrypted DNS): DoH and DoT move the address from the outside of the envelope into a second, sealed envelope addressed to the resolver. The postman now sees only that you exchanged sealed mail with a resolver such as Cloudflare or Google; the name you asked about is hidden from them. Note the shift of trust this implies: the resolver operator still sees every name you look up, so you are choosing whom to trust rather than eliminating trust.

4. How Traditional DNS is Monitored

When you use traditional DNS, your queries are sent unencrypted over Port 53 (UDP, with TCP as a fallback for large answers). Because it is plain text on a well-known port, corporate firewalls, ISPs and authoritarian governments can inspect, log and even rewrite it without difficulty.
  • Corporate Filtering: If an employee asks for facebook.com, the corporate firewall sees the plain-text request on Port 53, intercepts it, and returns a block page (or a "sinkhole" address) instead of the real answer.
  • ISP Tracking: In the US, ISPs are permitted to log every unencrypted DNS request you make and sell the resulting browsing profile to data brokers.

5. DNS over TLS (DoT)

DoT (RFC 7858) encrypts the DNS query using the same TLS cryptography that secures the web. The DNS message itself is unchanged; it is simply carried inside a TLS session instead of a bare UDP datagram.
  • It operates on a dedicated port: TCP Port 853. Messages on the connection use the same two-byte length prefix as ordinary DNS over TCP, and several queries can share one connection.
  • *Pros:* It protects the query from on-path eavesdropping by attackers on the local network and by the ISP, and it is implemented at the operating-system level, so every application benefits (Android's "Private DNS" setting is native DoT).
  • *Cons:* Because it uses a dedicated port, a restrictive corporate firewall or a censoring government can simply block Port 853. What happens next depends on the client's mode: an *opportunistic* client silently falls back to unencrypted Port 53, which is exactly what the blocker wants, while a *strict* client refuses to resolve anything at all (it fails closed).

6. DNS over HTTPS (DoH)

DoH (RFC 8484) takes the same DNS message and carries it inside an ordinary HTTPS request and response, so on the wire it is indistinguishable from regular web traffic.
  • It operates on TCP Port 443, the same port used for standard HTTPS web browsing. The query is sent either as a GET with the wire-format message base64url-encoded in a `dns=` parameter, or as a POST whose body has Content-Type `application/dns-message`.
  • *Pros:* It cannot be blocked by port alone. A firewall that closes Port 443 to stop DoH also cuts off the entire World Wide Web. To an observer who sees only IP addresses and ports, DoH queries look like any other HTTPS session.
  • *Cons:* It bypasses corporate security controls. A browser that talks DoH to a public resolver ignores the internal resolver, so DNS-based filtering, malware-domain sinkholing and DNS query logging all lose visibility. It is also less hidden than it first appears: public DoH resolvers sit at known IP addresses and hostnames, and a firewall can block those specific endpoints (or match the TLS SNI field) without touching the rest of Port 443. Finally, as with DoT, the resolver operator sees everything you look up.
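The two transports described in sections 5 and 6 carry the same DNS message; only the wrapper differs. The following Python is an added example, not code from this guide or from any resolver, showing the RFC 1035 wire-format query, the two-byte length framing that DoT borrows from DNS over TCP, and the two DoH encodings (GET with base64url in `dns=`, POST with `application/dns-message`). The hostname cloudflare-dns.com and the /dns-query path are Cloudflare's public DoH endpoint; nothing here touches the network, it only builds the bytes you would hand to a TLS socket or HTTP client.

```python
import base64
import os
import struct
from typing import List, Optional, Tuple


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a minimal RFC 1035 wire-format query (QTYPE 1 = A record by default).

    Header: ID, flags 0x0100 (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0,
    then the question: length-prefixed labels, QTYPE, QCLASS=IN.
    """
    if txid is None:
        txid = struct.unpack("!H", os.urandom(2))[0]
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS labels must be 1-63 bytes")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(msg: bytes) -> Tuple[str, int, int]:
    """Decode the first question (name, qtype, qclass). Queries carry no compression pointers."""
    pos, labels = 12, []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("unexpected compression pointer in a query")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, qclass


# --- DoT (RFC 7858): DNS-over-TCP framing, carried inside a TLS session on port 853 ---

def dot_frame(msg: bytes) -> bytes:
    """Prefix the message with its 2-byte big-endian length, exactly as DNS over TCP does."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def dot_unframe(stream: bytes) -> List[bytes]:
    """Split bytes read from the TLS socket back into whole messages (pipelining is allowed)."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        pos += 2
        if pos + length > len(stream):
            raise ValueError("truncated message: wait for more bytes")
        msgs.append(stream[pos:pos + length])
        pos += length
    return msgs


# --- DoH (RFC 8484): the same message as an HTTPS request on port 443 ---

DOH_TEMPLATE = "https://cloudflare-dns.com/dns-query"   # Cloudflare's public DoH endpoint


def doh_get_url(msg: bytes, template: str = DOH_TEMPLATE) -> str:
    """GET form: base64url without '=' padding in the 'dns' parameter.
    Build the query with txid=0 so identical questions produce identical, cacheable URLs."""
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{template}?dns={encoded}"


def doh_post(msg: bytes, host: str = "cloudflare-dns.com", path: str = "/dns-query") -> bytes:
    """POST form: the raw wire-format message as the body, Content-Type application/dns-message."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Accept: application/dns-message\r\n"
        "Content-Type: application/dns-message\r\n"
        f"Content-Length: {len(msg)}\r\n"
        "\r\n"
    )
    return head.encode("ascii") + msg


if __name__ == "__main__":
    q = build_query("www.example.com", txid=0)
    print(parse_question(q))          # ('www.example.com', 1, 1)
    print(dot_frame(q)[:2].hex())     # 0021 -> a 33-byte message follows
    print(doh_get_url(q))             # same dns= value as the GET example in RFC 8484 section 4.1.1
```

The point to notice is that `q` is byte-for-byte identical in both transports: an observer who can see the bytes (the resolver, or anyone who strips the TLS layer) sees ordinary DNS. DoT and DoH only decide which port the TLS session uses and therefore how easy it is to single out and block.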

7. Browser Support and Adoption

The adoption of DoH has been driven primarily by web browsers, which can speak DoH themselves rather than waiting for the operating system. Google Chrome and Mozilla Firefox both include a "Secure DNS" setting. Chrome's default behaviour is an *automatic upgrade*: if the resolver your operating system already uses (typically the one handed out by your Wi-Fi router) is on Chrome's built-in list of DoH-capable providers, Chrome upgrades to DoH with that same provider; otherwise it keeps using plain Port 53. Only when you explicitly choose a provider such as Cloudflare (1.1.1.1) does the browser ignore the local network's resolver and send every query over DoH to that provider. Note that this covers only the browser: other applications on the machine still use whatever the operating system is configured for.
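From the defender's side of the "Cons" in section 6 and the browser-level bypass just described, the practical question is how to see encrypted DNS leaving the network at all. The script below is an added example, not part of this guide or of any product, that classifies constructed flow records (source, destination, port, protocol, and the TLS server_name if the sensor captured one) and lists hosts that resolve names anywhere other than an assumed internal resolver at 10.0.0.53 (a hypothetical address). The resolver hostnames and IPs are real public resolvers (Cloudflare, Google, Quad9) but the list is deliberately short and illustrative.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Illustrative, not exhaustive: public resolvers that answer DoH on TCP 443 and DoT on TCP 853.
# Real deployments load these from a maintained feed; lists go stale, so treat hits as indicators.
DOH_SNI = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
PUBLIC_RESOLVER_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112"}
INTERNAL_RESOLVER = "10.0.0.53"   # hypothetical corporate resolver that all clients should use

LABELS = ("doh", "dot", "do53_internal", "do53_external")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str        # "tcp" or "udp"
    sni: str = ""     # server_name from the TLS ClientHello, if the sensor extracted one


def classify(flow: Flow) -> Optional[str]:
    """Label one flow, or return None when it is not DNS-related."""
    if flow.proto == "tcp" and flow.dport == 853:
        return "dot"                                   # dedicated port: trivially visible
    if flow.proto == "tcp" and flow.dport == 443:
        if flow.sni in DOH_SNI or flow.dst in PUBLIC_RESOLVER_IPS:
            return "doh"                               # looks like HTTPS; only the endpoint gives it away
        return None                                    # ordinary web traffic
    if flow.dport == 53:
        return "do53_internal" if flow.dst == INTERNAL_RESOLVER else "do53_external"
    return None


def summarize(flows: Iterable[Flow]) -> Dict[str, Dict[str, int]]:
    """Count DNS-related flows per source host."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: dict.fromkeys(LABELS, 0))
    for f in flows:
        label = classify(f)
        if label is not None:
            counts[f.src][label] += 1
    return dict(counts)


def bypassing_hosts(flows: Iterable[Flow]) -> List[str]:
    """Hosts that resolve names somewhere other than INTERNAL_RESOLVER (encrypted or not)."""
    return sorted(
        host for host, c in summarize(flows).items()
        if c["doh"] or c["dot"] or c["do53_external"]
    )


# Constructed sample flows (TEST-NET-3 addresses stand in for ordinary web servers).
SAMPLE_FLOWS = [
    Flow("10.0.5.21", "1.1.1.1", 443, "tcp", "cloudflare-dns.com"),   # browser DoH to Cloudflare
    Flow("10.0.5.21", "1.1.1.1", 443, "tcp", "cloudflare-dns.com"),
    Flow("10.0.5.21", "203.0.113.10", 443, "tcp", "example.com"),     # normal HTTPS, not flagged
    Flow("10.0.5.22", "10.0.0.53", 53, "udp"),                        # well-behaved client
    Flow("10.0.5.22", "203.0.113.11", 443, "tcp", "example.com"),
    Flow("10.0.5.23", "9.9.9.9", 853, "tcp"),                         # OS-level DoT to Quad9
    Flow("10.0.5.24", "8.8.8.8", 53, "udp"),                          # plaintext, but to an outside resolver
]

if __name__ == "__main__":
    for host, c in sorted(summarize(SAMPLE_FLOWS).items()):
        print(host, c)
    print("bypassing internal resolver:", bypassing_hosts(SAMPLE_FLOWS))
```

Two caveats a practitioner should keep in mind. Matching on SNI stops working where Encrypted Client Hello is deployed, and a DoH server that is not on your list is simply invisible, so this kind of detection is a backstop, not a control. The reliable control is on the endpoint: Chrome's enterprise `DnsOverHttpsMode` policy can pin the browser to the corporate resolver or turn DoH off, and the best long-term answer is to make the internal resolver itself speak DoT or DoH so that encryption and visibility stop being in conflict.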

8. Best Practices

  • Enable Secure DNS on Public Wi-Fi: If you are at an airport or coffee shop without a VPN, enabling DoH in your browser is a cheap and meaningful improvement. It does not hide the IP address you ultimately connect to, and the TLS handshake to that server still carries the site's hostname in clear in the SNI field unless Encrypted Client Hello is in use, but it does remove your DNS lookups from the view of packet sniffers on the local network and stops them from forging DNS answers on that channel.

9. Common Mistakes

  • Assuming DoH Provides Total Anonymity: A major misconception. DoH is not a VPN. It hides the *DNS request* from your ISP, but once the name is resolved your computer still opens a connection to the website's IP address, and your ISP can see that address. In most cases it can also read the hostname directly from the TLS handshake's SNI field, which is sent in clear (Encrypted Client Hello, where deployed, closes that gap). If the address or the SNI belongs to reddit.com, the ISP still knows you visited Reddit. Shared CDN addresses blur the picture a little, but do not rely on that.
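The leak that sections 8 and 9 warn about is concrete enough to parse. The code below is an added example, not from this guide, that builds a minimal TLS ClientHello (constructed sample input, not a full handshake) and then does what a passive observer on the Wi-Fi or at the ISP does: pulls the server_name out of the SNI extension. Run it and the hostname you carefully hid inside a DoH query shows up again in clear in the very next packet.

```python
import os
import struct
from typing import Optional


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal ClientHello record (constructed sample input, not a full handshake)."""
    body = b"\x03\x03" + os.urandom(32)                    # client_version + random
    body += b"\x00"                                         # empty session_id
    body += struct.pack("!H", 2) + b"\x13\x01"              # one cipher suite (TLS_AES_128_GCM_SHA256)
    body += b"\x01\x00"                                     # compression methods: null only
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name    # name_type host_name(0) + HostName
        sni_list = struct.pack("!H", len(entry)) + entry          # ServerNameList
        exts += struct.pack("!HH", 0, len(sni_list)) + sni_list  # extension_type server_name(0)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None if absent or not a ClientHello.

    Assumes the whole ClientHello fits in one TLS record, which holds for the common case
    but is not guaranteed by the protocol.
    """
    if len(record) < 5 or record[0] != 0x16:                 # ContentType handshake(22)
        return None
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                         # HandshakeType client_hello(1)
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    try:
        pos = 2 + 32                                         # skip client_version + random
        pos += 1 + body[pos]                                 # session_id
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + cs_len                                    # cipher_suites
        pos += 1 + body[pos]                                 # compression_methods
        if pos + 2 > len(body):
            return None                                      # no extensions block at all
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + length]
            pos += length
            if ext_type == 0 and len(data) >= 5 and data[2] == 0:   # server_name, host_name type
                (name_len,) = struct.unpack("!H", data[3:5])
                return data[5:5 + name_len].decode("ascii", errors="replace")
    except (IndexError, struct.error):
        return None                                          # malformed or truncated hello
    return None


if __name__ == "__main__":
    # After a DoH lookup hides the query for www.reddit.com, the TLS connection that follows
    # announces the same name in clear. Encrypted Client Hello is the fix, where deployed.
    print("SNI seen on the wire:", extract_sni(build_client_hello("www.reddit.com")))
    print("SNI without extension:", extract_sni(build_client_hello(None)))
```

This is also why "DoH plus a VPN" is not redundant: the VPN hides the ClientHello (and the destination IP) from the ISP, while DoH on its own hides only the lookup.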

10. Mini Project: Enable DoH in Your Browser

Take control of your privacy right now.
  1. Open Google Chrome.
  2. Click the three dots (Menu) -> Settings -> Privacy and security -> Security.
  3. Scroll down to "Use secure DNS".
  4. By default, it is set to "With your current service provider", which is only encrypted if your current resolver happens to support DoH.
  5. Switch it to "With" and select Cloudflare (1.1.1.1) or Google (Public DNS) from the dropdown.
  6. *Result:* Your browser's future DNS queries travel inside HTTPS to the provider you chose. Your ISP can see that you talk to that provider, but not which names you ask for. Queries from other applications on the machine are unaffected by this setting.

11. Practice Exercises

  1. Explain why a network administrator managing a high-security corporate network might actively attempt to block DNS over HTTPS (DoH) traffic.
  2. Compare the fundamental architectural difference between how DoT and DoH attempt to bypass network censorship.

12. MCQs with Answers

Question 1

Traditional, unencrypted DNS queries are sent across the internet using which specific port?

Answer: Port 53, normally over UDP, with TCP used as a fallback for large answers.

Question 2

Why is DNS over HTTPS (DoH) significantly harder for restrictive firewalls to block compared to DNS over TLS (DoT)?

Answer: DoT uses its own port (TCP 853), which a firewall can block outright. DoH shares TCP 443 with all HTTPS web traffic, so blocking the port would break ordinary web browsing; an administrator must instead block specific resolver endpoints or control the browser by policy.

13. Interview Questions

  • Q: Differentiate between DNSSEC, DoT, and DoH. What specific vulnerability does each protocol address?
  • Q: Explain the mechanical strategy DoH uses to circumvent ISP-level DNS censorship.
  • Q: From a cybersecurity standpoint, why do enterprise Security Operations Centers (SOCs) consider widespread DoH adoption a threat to their network visibility?

14. FAQs

Q: If I use a VPN, do I still need to care about DoH? A: Usually, no. A well-configured VPN client routes all of your traffic, including legacy Port 53 DNS queries, through the encrypted tunnel to the VPN provider's DNS servers, so your ISP sees only the tunnel. Two caveats: first, confirm that the client really forces DNS into the tunnel (a "DNS leak" is when the operating system keeps sending queries to the ISP's resolver outside it); second, you have moved your trust from the ISP to the VPN provider, who now sees every lookup.

15. Summary

In Chapter 12, we addressed the glaring privacy flaw of the modern internet. We learned that legacy DNS operates in plain text, allowing ISPs and corporate firewalls to effortlessly monitor and censor browsing habits. We explored the cryptographic evolution of the protocol, distinguishing between DNS over TLS (DoT), which encrypts queries on a dedicated port that is easy to block, and DNS over HTTPS (DoH), the more controversial protocol that rides on Port 443 so that its queries blend in with standard web traffic. We also saw the limits: neither protocol hides the destination IP or the TLS SNI, and both simply move the observer from the ISP to the resolver operator. With that understanding, we can make informed choices about securing DNS against surveillance and interception.

16. Next Chapter Recommendation

We have secured the query. Now, let's explore where these massive servers physically reside. How do tech giants scale their DNS infrastructure? Proceed to Chapter 13: DNS in Cloud Computing.
