Zivaro Blog

Using DNS over HTTPS (DOH) to Encrypt DNS Queries

For most of us humans, when we want to visit a particular website it’s easier to type a word than a string of random numbers. Thankfully, the Domain Name System (DNS) was invented back in the early 1980s to help us more easily navigate the internet. Servers that run DNS automatically translate website addresses from human language, such as Zivaro.com, to a numeric IPv4 address or a hexadecimal IPv6 address.

Every time you enter a website address or click a link on the Internet, your device sends a DNS query to a resolver, which may in turn query other servers. Because DNS data is public and DNS queries are sent in “clear-text”, such queries are easy to observe and are therefore vulnerable to electronic eavesdropping by companies, government organizations, and nosy neighbors. The information that can be revealed about individuals includes which websites they visit, when and how often, as well as some information about whom they contact by email or chat. Even if you use a Virtual Private Network (VPN) to connect to the Internet, some VPNs send DNS queries unencrypted to your Internet Service Provider (ISP).

Efforts like the DNS Privacy Project aim to raise awareness of these issues. Additionally, DNS PRIVate Exchange (DPRIVE) – a working group formed by the Internet Engineering Task Force (IETF) – has been seeking to define the problems and evaluate options to mitigate the security threats. One of its major efforts has been to develop a protocol that carries DNS queries over HTTPS, known as DNS over HTTPS (DOH). This protocol was standardized in October 2018.

DOH sends DNS queries inside an encrypted HTTPS connection made directly from the end-user’s device to the resolver’s web interface, so the queries are no longer visible in clear-text on the network path. It can be implemented either as a local proxy service running on the end-user’s computer or directly in the user’s web browser.
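To make the message format concrete, here is an added example (not code from the article or from Zivaro) of the client side of a DOH exchange as RFC 8484 defines it: the DNS query is built in ordinary wire format, then either base64url-encoded into a `dns=` GET parameter or POSTed as `application/dns-message`, and the resolver’s answer comes back in the same wire format inside the HTTPS response body. The resolver URL is a placeholder, and the response bytes are constructed inline so the example runs offline; the `send_query` function is the only part that needs a network.

```python
"""Client-side pieces of a DNS-over-HTTPS (DoH) exchange, RFC 8484 style.

Added example, not the article's code. Builds a wire-format DNS query,
encodes it for the GET ?dns= form, and parses a wire-format answer.
"""
import base64
import struct
import urllib.request

QTYPE_A = 1
QCLASS_IN = 1
CONTENT_TYPE = "application/dns-message"   # media type fixed by RFC 8484


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as DNS labels: \\x03www\\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, qid: int = 0) -> bytes:
    """12-byte header plus one question. RFC 8484 recommends ID 0 so that
    identical queries give identical messages and HTTP caches can work."""
    flags = 0x0100  # QR=0 (query), RD=1 (recursion desired)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(template: str, query: bytes) -> str:
    """GET form: base64url, '=' padding stripped, in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    sep = "&" if "?" in template else "?"
    return f"{template}{sep}dns={b64}"


def send_query(template: str, query: bytes, timeout: float = 5.0) -> bytes:
    """POST form over HTTPS. Needs network access; not exercised offline."""
    req = urllib.request.Request(
        template, data=query, method="POST",
        headers={"Content-Type": CONTENT_TYPE, "Accept": CONTENT_TYPE},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        if resp.headers.get("Content-Type", "").split(";")[0] != CONTENT_TYPE:
            raise ValueError("resolver returned an unexpected Content-Type")
        return resp.read()


def read_name(data: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:             # compression pointer (RFC 1035)
            if not jumped:
                end = off + 2                 # the pointer is 2 bytes long
            off = ((length & 0x3F) << 8) | data[off + 1]
            jumped, hops = True, hops + 1
            if hops > 16:                     # refuse self-referencing loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(data: bytes):
    """Return (rcode, [(name, type, ttl, rdata_text), ...]) from the answers."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qd):                        # skip the echoed question(s)
        _, off = read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        text = ".".join(str(b) for b in rdata) if rtype == QTYPE_A and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, text))
    return flags & 0x000F, answers


# Constructed sample response (not captured from any real resolver): ID 0,
# flags 0x8180 (QR, RD, RA), one question, one A record whose owner name is
# a compression pointer (0xC00C) back to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
    + bytes([192, 0, 2, 1])                    # 192.0.2.1 is documentation space
)

if __name__ == "__main__":
    q = build_query("www.example.com")
    # Placeholder resolver URL; substitute the URL template of a real DoH service.
    print(doh_get_url("https://doh.example.invalid/dns-query", q))
    print(parse_response(SAMPLE_RESPONSE))
```

The query for `www.example.com` encodes to the same `dns=` value that RFC 8484 uses in its own GET example, which is a handy check that the wire format is right. The privacy gain comes entirely from the TLS layer around the HTTP request: the DNS message itself is unchanged, which is why a browser or a local proxy can adopt DOH without the rest of the system noticing.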

As momentum builds for DOH solutions, there are many public DOH services and test servers available. There are also a number of alternatives to DOH that improve DNS privacy, such as DNS over HTTP using HTTP/2, DNS over the QUIC protocol, and the DNSCrypt protocol.

For a more in-depth look at DOH and other alternatives, I invite you to read my latest Network World article, “DNS over HTTPS seeks to make internet use more private.”

Feel free to comment with your experience or your questions about DNS privacy.

Scott Hogg is the Chief Technical Officer (CTO) of Zivaro, formerly GTRI.