DNS over HTTPS (DoH)

Introduction

The Domain Name System (DNS) is a critical protocol for the functioning of the Internet. The computers that make up the Internet are addressed using IP addresses; however, the people that use the Internet generally don’t want to memorize these IP addresses and use them to direct their traffic (with the notable exception of DNS servers). Instead, people use domain names to direct their traffic, which makes things easier for the user to remember and easier for advertisers to get people to actually visit their websites. By using DNS servers, a client computer can find the IP address associated with the domain requested by the user.

One of the main issues with DNS is that it has significant impacts on the privacy of the user. While many Internet protocols were not made secure and private by design, the use of SSL (and later TLS) enabled traffic to and from a server to be encrypted. As a result, it’s possible to determine that two computers are communicating with one another but not see the data being transmitted if, for example, they’re using HTTPS. The only issue with this is that finding the IP address to communicate with requires the client to perform a DNS lookup if they don’t already know the domain.

Since these DNS lookups are not encrypted, this allows anyone monitoring these requests to know the websites that a user is attempting to visit. As a result, monitoring DNS requests is a common way that governments and organizations invade the privacy of Internet users.

What is DoH?

DNS over HTTPS (DoH) is defined in RFC 8484 and designed to fix this privacy problem. The concept is straightforward: Instead of sending DNS requests and responses out in cleartext, they’ll be sent wrapped in an HTTPS GET or POST request. (Read more...)