DNS-over-HTTPS (DoH) – A New Standard of Web Encryption
By introducing DoH, Firefox and Chrome are giving users the ability to hide their web browsing from even their internet service provider (ISP).
What is DNS-over-HTTPS (DoH)?
First, a quick refresher on DNS and HTTPS. The Domain Name System (DNS) was created in 1983 to map numerical IP addresses (e.g. 8.8.8.8) to something more readable for humans (e.g. www.cookiepro.com). Hypertext Transfer Protocol Secure (HTTPS) is the protocol that carries data between a website and a web browser inside an encrypted connection, protecting the page content from being read or altered in transit.
DoH is a way of resolving human-readable domain names to their respective numerical IP addresses over the encrypted HTTPS protocol. Until now, all DNS requests were sent with zero encryption – that’s 36 years’ worth of requests that weren’t encrypted!
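To make the mechanism concrete, here is an added example (not from the original post) of what actually travels inside the HTTPS request: an ordinary DNS wire-format query is POSTed to the resolver as `application/dns-message`, and the answer comes back in the same format. The response bytes below are constructed for the example, and the resolver URL is assumed to be the 1.1.1.1 endpoint mentioned later in the post.

```python
import struct
import urllib.request

# Build an RFC 1035 wire-format query for an A record (type 1, class IN).
# This is the body of the DoH POST: DNS itself is unchanged, only the transport is encrypted.
def build_query(name: str, qid: int = 0) -> bytes:
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier name in the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def parse_answers(msg: bytes):
    """Return [(name, ipv4, ttl), ...] for the A records in a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):          # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4                      # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return answers

def resolve_doh(name: str, url: str = "https://1.1.1.1/dns-query"):
    """Live RFC 8484 lookup: POST the wire-format query over HTTPS (needs network)."""
    hdrs = {"Content-Type": "application/dns-message", "Accept": "application/dns-message"}
    req = urllib.request.Request(url, data=build_query(name), headers=hdrs, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_answers(resp.read())

# Constructed sample response: NOERROR, one A record, name given as a pointer to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([93, 184, 216, 34])
)
```

Note that DoH only encrypts the hop to the resolver: the operator of the URL you configure still sees every query in the clear, which is why the resolver’s logging policy matters as much as the encryption.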
Why does it matter?
The information sent through DNS consists mostly of the domain name, so it isn’t necessarily a large swath of personally identifiable information, but it could be used for malicious purposes, or by ISPs to harvest information about how their customers browse the web.
By introducing DoH, Firefox and Chrome are giving users the ability to hide their web browsing from even their internet service provider (ISP). This gives users more control on who has access to their browsing habits and provides an extra layer of anonymity and security.
In theory, DoH should make the web safer and improve user privacy by encrypting DNS query traffic so that third parties cannot intercept queries and redirect users to phishing websites.
The main critics of the move are ISPs, who say that without visibility into unencrypted DNS they will not be able to provide parental controls or comply with legal obligations to block copyrighted content. However, Firefox has said it will automatically disable DoH if it detects parental controls on the network.
How to enable it
Firefox
Last week, Mozilla announced that Firefox is rolling out DoH by default to its US users beginning at the end of September as a monitored experiment. If you want to enable it early, follow these steps:
Step 1: Go to the Firefox menu > choose Tools > Preferences.
Step 2: Go to the General section, scroll to the Network Settings panel, and press the Settings button.
Step 3: In the popup, scroll down and select “Enable DNS over HTTPS,” then configure your desired DoH resolver. You can use the built-in Cloudflare resolver (a company with which Mozilla has reached an agreement to log less data about Firefox users), or use one of your choice from this list.
Chrome
Right now, enabling DoH on Chrome requires command-line flags, following these instructions. However, Google has announced that it will ship DoH as a settings option in Chrome 78, due at the end of October. For now, here’s how to enable it on Windows:
Step 1: Right click Chrome on your task bar > Google Chrome > Properties
Step 2: Replace the text in the “target” box with the following code:
chrome.exe --enable-features="dns-over-https<DoHTrial" --force-fieldtrials="DoHTrial/Group1" --force-fieldtrial-params="DoHTrial.Group1:server/https%3A%2F%2F1.1.1.1%2Fdns-query/method/POST"
Step 3: Close Chrome and open it again. To confirm it is set up correctly, visit 1.1.1.1/help; there should be a “Yes” beside “Using DNS over HTTPS”.
While there are different opinions about DoH, it will be a popular topic of conversation in the cyber world for months to come.