Communication protocol | |
Purpose | encapsulate DNS in HTTPS for privacy and security |
---|---|
Introduction | October 2018 |
OSI layer | Application layer |
RFC(s) | 8484 |
Internet security protocols |
---|
Key management |
Application layer |
Domain Name System |
Internet Layer |
DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks [1] by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver. [2] By March 2018, Google and the Mozilla Foundation had started testing versions of DNS over HTTPS. [3] [4] In February 2020, Firefox switched to DNS over HTTPS by default for users in the United States. [5] In May 2020, Chrome switched to DNS over HTTPS by default. [6]
An alternative to DoH is the DNS over TLS (DoT) protocol, a similar standard for encrypting DNS queries, differing only in the methods used for encryption and delivery. Based on privacy and security, whether either protocol is superior is a matter of controversial debate, while others argue that the merits of either depend on the specific use case. [7]
DoH is a proposed standard, published as RFC 8484 (October 2018) by the IETF. It uses HTTPS, and supports the wire format DNS response data, as returned in existing UDP responses, in an HTTPS payload with the MIME type application/dns-message. [1] [8] : §4.1 The underlying HTTP layer can be any version of HTTP, though HTTP/2 is the recommended minimum. [8] : §5.2 If HTTP/2 is used, the server may also use HTTP/2 server push to send values that it anticipates the client may find useful in advance. [8] : §5.3
DoH is a work in progress. Even though the IETF has published RFC 8484 as a proposed standard and companies are experimenting with it, [9] [10] the IETF has yet to determine how it should best be implemented. The IETF is evaluating a number of approaches for how best to deploy DoH and is[ when? ] looking to set up a working group, Adaptive DNS Discovery (ADD), to do this work and develop a consensus. In addition, other industry working groups such as the Encrypted DNS Deployment Initiative, have been formed to "define and adopt DNS encryption technologies in a manner that ensures the continued high performance, resiliency, stability and security of the Internet's critical namespace and name resolution services, as well as ensuring the continued unimpaired functionality of security protections, parental controls, and other services that depend upon the DNS". [11]
Since DoH cannot be used under some circumstances, like captive portals, web browsers like Firefox can be configured to fall back to insecure DNS. [12]
Oblivious DNS over HTTPS (ODoH) is an experimental standard, published as RFC 9230 (June 2022) by the IETF proposing a protocol extension to ensure no single DoH server is aware of both the client's IP address and the content of their DNS queries and responses. Oblivious DoH was originally developed as Oblivious DNS (ODNS) [13] by researchers at Princeton University and the University of Chicago as an extension to unencrypted DNS, before DoH itself was standardized and widely deployed. Apple and Cloudflare subsequently deployed the technology in the context of DoH, as Oblivious DoH (ODoH). [14]
In ODoH and ODNS, all DNS requests and responses are routed via a proxy, hiding the client's address from the resolver. Requests and responses are encrypted to hide their contents from the proxy, and only the resolver can decrypt the requests, and the client the responses. Thus, the proxy knows the client address and resolver but not the request, and the resolver knows the proxy and request but not the client address, preventing the client address being linked to the query, unless both the proxy and resolver servers collude. [15] [16] [17] [18]
DoH is used for recursive DNS resolution by DNS resolvers. Resolvers (DoH clients) must have access to a DoH server hosting a query endpoint. [19]
Three usage scenarios are common:
Apple's iOS 14 and macOS 11 released in late 2020 support both DoH and DoT protocols. [20] [21] In iOS, the protocols can be used via configuration profiles.
In November 2019, Microsoft announced plans to implement support for encrypted DNS protocols in Microsoft Windows, beginning with DoH. [22] In May 2020, Microsoft released Windows 10 Insider Preview Build 19628 that included initial support for DoH [23] along with instructions on how to enable it via registry and command line interface. [24] Windows 10 Insider Preview Build 20185 added a graphical user interface for specifying a DoH resolver. [25] DoH support is not included in Windows 10 21H2. [26]
Windows 11 has DoH support. [27]
Android 11 onwards supports DNS over HTTP/3 (DoH3) if a July 2022 system update is installed. [28]
BIND 9, an open source DNS resolver from Internet Systems Consortium added native support for DoH in version 9.17.10. [29]
DNSdist, an open source DNS proxy/load balancer from PowerDNS, added native support for DoH in version 1.4.0 in April 2019. [30]
Unbound, an open source DNS resolver created by NLnet Labs, has supported DoH since version 1.12.0, released in October 2020. [31] [32] It first implemented support for DNS encryption using the alternative DoT protocol much earlier, starting with version 1.4.14, released in December 2011. [33] [34] Unbound runs on most operating systems, including distributions of Linux, BSD, MacOS, and Windows.
DNS over HTTPS is available in Google Chrome 83 or later for Windows, Linux, and macOS, configurable via the settings page. When enabled, and the operating system is configured with a supported DNS server, Chrome will upgrade DNS queries to be encrypted. [35] It is also possible to manually specify a preset or custom DoH server to use within the user interface. [36]
In September 2020, Google Chrome for Android began staged rollout of DNS over HTTPS. Users can configure a custom resolver or disable DNS over HTTPS in settings. [37]
Google Chrome has 5 DNS over HTTPS providers pre-configured which are Google Public DNS, Cloudflare's 1.1.1.1, Quad9's 9.9.9.9, NextDNS, and CleanBrowsing. [38]
Microsoft Edge supports DNS over HTTPS, configurable via the settings page. When enabled, and the operating system is configured with a supported DNS server, Edge will upgrade DNS queries to be encrypted. It is also possible to manually specify a preset or custom DoH server to use within the user interface. [39]
In 2018, Mozilla partnered with Cloudflare to deliver DoH for Firefox users that enable it (known as Trusted Recursive Resolver). [40] On February 25, 2020, Firefox started enabling DNS over HTTPS for all US-based users, relying on Cloudflare's resolver by default. [41]
Opera supports DoH, configurable via the browser settings page. [42] By default, DNS queries are sent to Cloudflare servers. [43]
DNS over HTTPS server implementations are already available free of charge by some public DNS providers.
Many issues with how to properly deploy DoH are still being resolved by the internet community including, but not limited to:
DoH can impede analysis and monitoring of DNS traffic for cybersecurity purposes; the 2019 DDoS worm Godlua used DoH to mask connections to its command-and-control server. [44] [45]
In January 2021, NSA warned enterprises against using external DoH resolvers because they prevent DNS query filtering, inspection, and audit. Instead, NSA recommends configuring enterprise-owned DoH resolvers and blocking all known external DoH resolvers. [46]
DoH has been used to bypass parental controls which operate at the (unencrypted) standard DNS level; Circle, a parental control router which relies on DNS queries to check domains against a blocklist, blocks DoH by default due to this. [47] However, there are DNS providers that offer filtering and parental controls along with support for DoH by operating DoH servers. [48] [49]
The Internet Service Providers Association (ISPA)—a trade association representing British ISPs—and the also British body Internet Watch Foundation have criticized Mozilla, developer of the Firefox web browser, for supporting DoH, as they believe that it will undermine web blocking programs in the country, including ISP default filtering of adult content, and mandatory court-ordered filtering of copyright violations. The ISPA nominated Mozilla for its "Internet Villain" award for 2019 (alongside the EU Directive on Copyright in the Digital Single Market, and Donald Trump), "for their proposed approach to introduce DNS-over-HTTPS in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK." Mozilla responded to the allegations by the ISPA, arguing that it would not prevent filtering, and that they were "surprised and disappointed that an industry association for ISPs decided to misrepresent an improvement to decades-old internet infrastructure". [50] [51] In response to the criticism, the ISPA apologized and withdrew the nomination. [52] [53] Mozilla subsequently stated that DoH will not be used by default in the British market until further discussion with relevant stakeholders, but stated that it "would offer real security benefits to UK citizens". [54]
The Domain Name System (DNS) is a hierarchical and distributed name service that provides a naming system for computers, services, and other resources on the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to each of the associated entities. Most prominently, it translates readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols. The Domain Name System has been an essential component of the functionality of the Internet since 1985.
Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It uses encryption for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). The protocol is therefore also referred to as HTTP over TLS, or HTTP over SSL.
Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network, such as the Internet. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.
The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI). Messages communicated via OCSP are encoded in ASN.1 and are usually communicated over HTTP. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders.
The Web Proxy Auto-Discovery (WPAD) Protocol is a method used by clients to locate the URL of a configuration file using DHCP and/or DNS discovery methods. Once detection and download of the configuration file is complete, it can be executed to determine the proxy for a specified URL.
Link prefetching allows web browsers to pre-load resources. This speeds up both the loading and rendering of web pages. Prefetching was first introduced in HTML5.
A proxy auto-config (PAC) file defines how web browsers and other user agents can automatically choose the appropriate proxy server for fetching a given URL.
HTTP cookies are small blocks of data created by a web server while a user is browsing a website and placed on the user's computer or other device by the user's web browser. Cookies are placed on the device used to access a website, and more than one cookie may be placed on a user's device during a session.
In HTTP, "Referer" is an optional HTTP header field that identifies the address of the web page from which the resource has been requested. By checking the referrer, the server providing the new web page can see where the request originated.
Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. The extension allows a server to present one of multiple possible certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites to be served by the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS. This also allows a proxy to forward client traffic to the right server during TLS/SSL handshake. The desired hostname is not encrypted in the original SNI extension, so an eavesdropper can see which site is being requested. The SNI extension was specified in 2003 in RFC 3546
HTTP Strict Transport Security (HSTS) is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers should automatically interact with it using only HTTPS connections, which provide Transport Layer Security (TLS/SSL), unlike the insecure HTTP used alone. HSTS is an IETF standards track protocol and is specified in RFC 6797.
WebSocket is a computer communications protocol, providing a simultaneous two-way communication channel over a single Transmission Control Protocol (TCP) connection. The WebSocket protocol was standardized by the IETF as RFC 6455 in 2011. The current specification allowing web applications to use this protocol is known as WebSockets. It is a living standard maintained by the WHATWG and a successor to The WebSocket API from the W3C.
DNSCrypt is a network protocol that authenticates and encrypts Domain Name System (DNS) traffic between the user's computer and recursive name servers. DNSCrypt wraps unmodified DNS traffic between a client and a DNS resolver in a cryptographic construction, preventing eavesdropping and forgery by a man-in-the-middle.
HTTP/2 is a major revision of the HTTP network protocol used by the World Wide Web. It was derived from the earlier experimental SPDY protocol, originally developed by Google. HTTP/2 was developed by the HTTP Working Group of the Internet Engineering Task Force (IETF). HTTP/2 is the first new version of HTTP since HTTP/1.1, which was standardized in RFC 2068 in 1997. The Working Group presented HTTP/2 to the Internet Engineering Steering Group (IESG) for consideration as a Proposed Standard in December 2014, and IESG approved it to publish as Proposed Standard on February 17, 2015. The initial HTTP/2 specification was published as on May 14, 2015.
DNS-based Authentication of Named Entities (DANE) is an Internet security protocol to allow X.509 digital certificates, commonly used for Transport Layer Security (TLS), to be bound to domain names using Domain Name System Security Extensions (DNSSEC).
QUIC is a general-purpose transport layer network protocol initially designed by Jim Roskind at Google. It was first implemented and deployed in 2012 and was publicly announced in 2013 as experimentation broadened. It was also described at an IETF meeting. The Chrome web browser, Microsoft Edge, Firefox, and Safari all support it. In Chrome, QUIC is used by more than half of all connections to Google's servers.
A public recursive name server is a name server service that networked computers may use to query the Domain Name System (DNS), the decentralized Internet naming system, in place of name servers operated by the local Internet service provider (ISP) to which the devices are connected. Reasons for using these services include:
DNS over TLS (DoT) is a network security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks. The well-known port number for DoT is 853.
HTTP/3 is the third major version of the Hypertext Transfer Protocol used to exchange information on the World Wide Web, complementing the widely-deployed HTTP/1.1 and HTTP/2. Unlike previous versions which relied on the well-established TCP, HTTP/3 uses QUIC, a multiplexed transport protocol built on UDP.
Client Hints are an extension to the existing Hypertext Transfer Protocol (HTTP) that allows web servers to ask the client for information about its configuration. The client can choose to respond to this request by advertising the requested information about itself through sending the data using a specific part of the HTTP protocol called HTTP Header fields or by exposing the same information to the JavaScript code being executed on a web page. This can then help the server tailor its responses to the client; for example, a server can choose to send a smaller image if a client advertises that they have a very small screen.
{{cite web}}
: CS1 maint: numeric names: authors list (link)The system blocks domains associated with botnets, phishing attacks, and other malicious Internet hosts.