DNS over HTTPS Vs DNS over TLS

R. Gupta
Published in Geek Culture
Apr 8, 2022

DNS queries are sent from the client (for example, a browser) to a DNS resolver to convert a domain name into an IP address. In the previous articles we saw that DNS queries are not encrypted even when DNSSEC is used. Anyone positioned on the network path can therefore read your DNS queries and analyze your browsing pattern.

Figure: DNS queries sent in plain text.

How are DoH and DoT different from DNSSEC?

DNSSEC is a set of security extensions added to DNS queries and responses to authenticate the identity of the root, TLD, and authoritative DNS servers. As we saw in the last article, DNSSEC provides authentication and integrity for DNS queries and responses, but it does not encrypt them. DNSSEC was designed to prevent cache poisoning attacks. DoH and DoT, in contrast, encrypt the DNS queries and responses themselves, which makes DNS traffic more secure against eavesdropping.

To address this gap, two protocols were developed: DoH (DNS over HTTPS) and DoT (DNS over TLS). Both encrypt DNS traffic so that intruders on the path cannot read it.

Figure: DNS query sent over DoH or DoT.

What is DoT (DNS over TLS)?

DoT (DNS over TLS) is a standard for encrypting DNS queries and responses with TLS. TLS is a protocol that runs over the transport layer and provides encryption. DoT adds the TLS protocol, providing encryption and authentication for DNS queries and responses, on top of the UDP protocol used at the transport layer for DNS. It ensures that DNS queries and responses are protected in transit and cannot be forged by outside intruders.

In this design the DNS messages themselves are not changed. DoT uses the dedicated, standard port 853 for communication, so it is easy for organizations to separate DNS traffic from regular HTTP traffic. Although the DNS content is encrypted, organizations can still see incoming and outgoing DNS connections on port 853, which lets them monitor DNS traffic at the network level. Both the DNS resolver and the client must support DoT to send DNS over TLS.

What is DoH (DNS over HTTPS)?

DoH (DNS over HTTPS) is an alternative to DoT for encrypting DNS queries and responses, this time over HTTPS. It can be understood as DNS over HTTP over TLS, since HTTPS uses TLS as its underlying service. DoH uses the HTTP protocol rather than sending DNS messages directly over UDP: DNS messages are encapsulated in HTTP messages, the TLS layer is added, and the result is handed to the transport layer. DoH uses the same port 443 as ordinary HTTPS. It is therefore hard for organizations to separate DNS traffic from normal HTTPS traffic, as both use the same port. The flip side is more privacy for users, because DNS traffic is camouflaged among HTTPS traffic. Both the DNS resolver and the client must support DoH to send DNS over HTTPS.
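The two sections above describe the same DNS message being wrapped in different ways. The following Python is an added example, not code from the original article, that builds a minimal DNS query in RFC 1035 wire format and shows both wrappings side by side: the DoT framing from RFC 7858, which is the unchanged DNS message with the 2-byte length prefix that DNS over TCP already uses, carried inside a TLS session to port 853 (RFC 7858 runs TLS over TCP), and the DoH GET and POST forms from RFC 8484, where the DNS message becomes a base64url `dns` query parameter or an `application/dns-message` body inside an HTTP request that TLS carries to port 443. The resolver hostname `dns.resolver.example` is a hypothetical value; `/dns-query` is the path RFC 8484 uses in its examples. Nothing here touches the network; the functions produce and parse the bytes that would be written into the TLS session.

```python
import base64
import struct
import urllib.parse

QTYPE_A, QCLASS_IN = 1, 1


def build_dns_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Encode a minimal DNS query in RFC 1035 wire format.

    Header: ID, flags (only RD set), QDCOUNT=1, the other counts 0.
    Question: length-prefixed labels, a zero terminator, QTYPE, QCLASS.
    These same bytes are what plain DNS, DoT and DoH all carry;
    only the wrapping around them differs.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def frame_for_dot(message: bytes) -> bytes:
    """DoT (RFC 7858): the unchanged DNS message prefixed with a 2-byte
    big-endian length, exactly as DNS over TCP does, written into a TLS
    session to port 853. Everything returned here sits inside TLS records."""
    return struct.pack("!H", len(message)) + message


def unframe_dot(frame: bytes) -> bytes:
    """Reverse of frame_for_dot: read one length-prefixed message from the stream."""
    (length,) = struct.unpack("!H", frame[:2])
    if len(frame) < 2 + length:
        raise ValueError("truncated DoT frame")
    return frame[2 : 2 + length]


def request_for_doh_get(message: bytes, host: str, path: str = "/dns-query") -> bytes:
    """DoH (RFC 8484) GET form: the DNS message is base64url-encoded without
    padding into the 'dns' query parameter of an ordinary HTTP request,
    which TLS then carries to port 443 like any other HTTPS traffic."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return (
        f"GET {path}?dns={encoded} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Accept: application/dns-message\r\n"
        "\r\n"
    ).encode("ascii")


def request_for_doh_post(message: bytes, host: str, path: str = "/dns-query") -> bytes:
    """DoH POST form: the raw DNS message is the HTTP body, typed
    application/dns-message."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Accept: application/dns-message\r\n"
        "Content-Type: application/dns-message\r\n"
        f"Content-Length: {len(message)}\r\n"
        "\r\n"
    ).encode("ascii")
    return head + message


def message_from_doh_get(request: bytes) -> bytes:
    """What a DoH server does with the GET form: recover the DNS message from
    the 'dns' parameter, re-adding the base64 padding the client stripped."""
    request_line = request.split(b"\r\n", 1)[0].decode("ascii")
    target = request_line.split(" ")[1]
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(target).query)
    encoded = params["dns"][0]
    return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))


def message_from_doh_post(request: bytes) -> bytes:
    """Recover the DNS message from the POST form: it is the body after the blank line."""
    _head, _sep, body = request.partition(b"\r\n\r\n")
    return body


if __name__ == "__main__":
    # Constructed query for a hypothetical resolver.
    query = build_dns_query("example.com")
    dot = frame_for_dot(query)
    doh = request_for_doh_get(query, host="dns.resolver.example")
    print("DoT frame  :", dot.hex())
    print("DoH request:", doh.decode("ascii").splitlines()[0])
    assert unframe_dot(dot) == query == message_from_doh_get(doh)
```

The query ID is 0 in the GET form because RFC 8484 recommends it so that identical queries produce identical URLs and can be served from HTTP caches. Comparing `frame_for_dot` with `request_for_doh_get` makes the article's monitoring point concrete: the DoT bytes are recognisable as DNS by the port they go to, while the DoH bytes are an ordinary HTTP request and look like any other HTTPS exchange on the wire.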

Which is better, DoT or DoH?

The question is still debated, since the two protocols were developed separately and serve slightly different goals. From a network security standpoint, DoT is the better choice because it lets organizations monitor and block encrypted DNS traffic, which is important for stopping malicious activity. DoH queries, by contrast, are encapsulated in HTTPS traffic and cannot easily be blocked without also blocking all other HTTPS traffic. DoH, on the other hand, gives users better privacy.
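The visibility difference described above is easy to see from a defender's point of view in flow records. The Python below is an added example, not from the original article, that classifies constructed flow records (fake addresses and hostnames, not real traffic) the way a firewall or NetFlow pipeline would: DoT is identified from its dedicated port 853 without any decryption, whereas a DoH flow to port 443 gets the same `https` label as web browsing unless some signal other than the port, here a hypothetical list of known DoH resolver hostnames matched against the TLS Server Name Indication, is available.

```python
from collections import Counter

# Constructed flow records (fictional addresses and hostnames), one per connection,
# with the fields a firewall or NetFlow/IPFIX export typically carries.
FLOWS = [
    {"src": "10.0.0.5", "dst": "192.0.2.53", "proto": "udp", "dport": 53, "sni": None},
    {"src": "10.0.0.5", "dst": "192.0.2.53", "proto": "tcp", "dport": 853, "sni": "dns.resolver.example"},
    {"src": "10.0.0.7", "dst": "198.51.100.10", "proto": "tcp", "dport": 443, "sni": "www.example.com"},
    {"src": "10.0.0.7", "dst": "203.0.113.8", "proto": "tcp", "dport": 443, "sni": "doh.resolver.example"},
]

# Hypothetical list of DoH resolver hostnames an organization maintains.
# Without something like it, DoH on port 443 cannot be told apart from HTTPS.
KNOWN_DOH_HOSTS = {"doh.resolver.example"}


def classify_flow(flow: dict, known_doh_hosts: set = KNOWN_DOH_HOSTS) -> str:
    """Label one flow by what the network can observe without decrypting it."""
    dport, proto = flow["dport"], flow["proto"]
    if dport == 53:
        return "dns-plaintext"          # content and destination both visible
    if dport == 853 and proto == "tcp":
        return "dns-over-tls"           # dedicated port: DNS is identifiable, content is not
    if dport == 443 and proto == "tcp":
        if flow.get("sni") in known_doh_hosts:
            return "dns-over-https"     # identified by the SNI only, never by the port
        return "https"                  # web traffic or DoH: the port alone cannot tell
    return "other"


def summarize(flows: list, known_doh_hosts: set = KNOWN_DOH_HOSTS) -> dict:
    """Count flows per label; the DoH row vanishes into 'https' without the host list."""
    return dict(Counter(classify_flow(f, known_doh_hosts) for f in flows))


if __name__ == "__main__":
    print("with known DoH hosts   :", summarize(FLOWS))
    print("without known DoH hosts:", summarize(FLOWS, set()))
```

Running `summarize(FLOWS, set())` shows the second half of the article's argument: with no resolver list, the DoH flow is simply another `https` flow, so a port-based block of DoT has no equivalent for DoH short of blocking port 443. The SNI heuristic is also only as good as the list and the visibility of the SNI, which TLS Encrypted Client Hello can hide.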

Google Chrome, Firefox, and Edge currently support DoH, and DoT as well.
