DNS Over HTTPS: Remote DNS Resolutions by HTTPS Protocol
If you use standard internet protocols, hackers can see part of your browsing history. They could reroute some of your queries, steal your private information, and more. DNS over HTTPS protects your queries so private information stays private.
Some browsers use DNS over HTTPS by default. Choose those browsers, and you won't need to do anything else to protect your data. But be aware that some people don't like the technology. If you implement DoH, you could alienate them.
What is DNS over HTTPS?
Protect a sensitive part of web browsing with DNS over HTTPS. The protocol wraps your DNS lookups in encryption, which makes the information harder to steal.
Firefox explains encrypted DNS this way: using the technology helps to "encrypt domain names." Unpacking this explanation will take us a few more words. We'll get to that in a moment.
But for now, know that DNS over HTTPS involves encrypting the domain name lookup process. As your resolver translates your human-friendly query (like www.okta.com) to a numeric address (like 101.235.23.26), the communication stays safe behind a layer of encryption.
People use various terms to describe the process, such as:
- Encrypted DNS
- DoH (a condensation of DNS over HTTPS)
- DoH DNS
- Oblivious DNS over HTTPS
All of these terms describe the same thing.
How does DNS over HTTPS work?
Think of DNS over HTTPS as a tool you will use to protect the very first part of your web browsing process.
Imagine the moment at which you want to visit a website. You know its human-friendly address, so you type in www.website.com. You've kicked off a process that involves:
- Query. Websites don't use human-friendly addresses. They rely on a series of numbers and periods (IP addresses), and the DNS system translates the name you typed into one.
- Programming. Your browser picks a DNS translator (a resolver), or you specify one, to handle the lookup for you.
- Resolution. Your DNS translator asks other servers to help with the translation. They trade information back and forth, and typically, that traffic isn't encrypted.
Every router you use in this system (and chances are, you use many) can see the information you’re requesting. A malicious actor could either eavesdrop and understand where you want to go, or that person could intercept the query and take you somewhere else altogether.
With DNS over HTTPS, your queries travel inside an HTTPS connection (rather than as unencrypted DNS packets). They're encrypted end to end, so no one can sniff them, see them, or change them.
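The lookup described above, carried over HTTPS as RFC 8484 specifies, looks like this in code. This is an added example, not Okta's code or any browser's implementation: it builds the same wire-format DNS query a browser would send, posts it as an `application/dns-message` body to a resolver URL, and decodes the wire-format answer. The default resolver URL is Cloudflare's public DoH endpoint; `constructed_response()` is a hand-built answer (not a captured one) so the decoder can be exercised offline. One caveat the section above glosses over: the encryption protects the query from everyone on the path, but the resolver you choose still sees it in the clear, so picking that resolver is a trust decision.

```python
"""Minimal RFC 8484 DNS-over-HTTPS client (added example, not Okta's code).

A DNS query is encoded in ordinary wire format, then carried as the body of
an HTTPS POST instead of a plaintext UDP datagram. Only the endpoints (your
client and the resolver you chose) can read it.
"""
import base64
import struct
import urllib.request

RESOLVER_URL = "https://cloudflare-dns.com/dns-query"  # Cloudflare's public DoH endpoint
CONTENT_TYPE = "application/dns-message"
QTYPE_A = 1


def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """Encode a one-question DNS query. RFC 8484 recommends ID 0 so that
    identical questions produce identical HTTP bodies (cache-friendly)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def doh_get_url(query: bytes, resolver_url: str = RESOLVER_URL) -> str:
    """GET form of a DoH request: the query, base64url without padding, in ?dns=."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={token}"


def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(msg: bytes) -> list[tuple[str, int, int, str]]:
    """Return (name, type, ttl, rdata) per answer; A records as dotted quads."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"resolver returned RCODE {rcode}")
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        rendered = ".".join(str(b) for b in rdata) if rtype == QTYPE_A and rdlength == 4 else rdata.hex()
        answers.append((name, rtype, ttl, rendered))
    return answers


def resolve_doh(name: str, qtype: int = QTYPE_A, resolver_url: str = RESOLVER_URL):
    """POST the query over HTTPS and decode the answer (requires network access)."""
    req = urllib.request.Request(
        resolver_url, data=build_query(name, qtype), method="POST",
        headers={"Content-Type": CONTENT_TYPE, "Accept": CONTENT_TYPE},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        if resp.headers.get("Content-Type", "").split(";")[0] != CONTENT_TYPE:
            raise ValueError("unexpected Content-Type from resolver")
        return parse_response(resp.read())


def constructed_response() -> bytes:
    """Constructed (not captured) answer: www.example.com A 93.184.216.34,
    with the answer name compressed as a pointer (0xC00C) to the question."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; RCODE 0
    question = build_query("www.example.com")[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + bytes([93, 184, 216, 34])
    return header + question + answer


if __name__ == "__main__":
    print(parse_response(constructed_response()))  # offline demonstration
```

Run the file as-is to see the decoder work on the constructed answer; call `resolve_doh("www.okta.com")` to perform a real lookup over HTTPS. A proxy of the kind mentioned later in this article does the same thing on behalf of every client on the network: it accepts plain DNS locally and forwards it through `resolve_doh`-style POSTs, so nothing on the path between the proxy and the resolver can read or alter the question.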
How to implement DNS over HTTPS
Protecting your data and safeguarding users is critical. If you're ready to start using DoH systems, you have several implementation options.
You could:
- Switch browsers. Some browser vendors, such as Mozilla with Firefox, started experimenting with DoH years ago and have since turned it on by default. Use a browser like this, and your DNS lookups will always be encrypted.
- Install proxies. Place an intermediary between your network and the outside world. Configure DoH on that proxy, and lookups are protected as they move in and out through it.
- Wait. Cloudflare, Apple, and Fastly joined forces to create a DoH proxy system called Oblivious DNS. The companies hope this solution will become an industry standard. If it does, you won't need to do anything at all, as the solution will move to all browsers in time.
Be sure to query your audience before you take this step. Some people don't appreciate the protections that come with DNS over HTTPS.
For example, European ISPs are required to block content considered illegal. They may also block content they consider unsavoury. DNS over HTTPS operates like a workaround, rendering the blocks useless. This functionality draws ire, and it could become problematic in some environments.
We've explained a tiny corner of the DNS system in this article. Are you ready to learn more? Read our comprehensive guide to DNS on our blog.
References
A Long-Overdue Technological Shift Toward Online Privacy: Firefox Encrypts Domain Names. Google to Follow. (February 2020). What's New in Publishing.
IETF Protects Privacy and Helps Net Neutrality. (December 2017). The Register.
What's Next in Making Encrypted DNS-over-HTTPS the Default. (September 2019). Mozilla.
Cloudflare, Apple, and Others Back a New Way to Make the Internet More Private. (December 2020). Ars Technica.
UK ISP Group Names Mozilla 'Internet Villain' for Supporting 'DNS over HTTPS.' (July 2019). ZDNet.