DNS over HTTPS


DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping on and manipulation of DNS data through man-in-the-middle attacks: the HTTPS protocol encrypts the data between the DoH client and the DoH-based DNS resolver. By March 2018, Google and the Mozilla Foundation had started testing versions of DNS over HTTPS. In February 2020, Mozilla launched a version of Firefox that encrypts domain names by default for US-based users.
In addition to improving security, another goal of DNS over HTTPS is to improve performance: testing of ISP DNS resolvers has shown that many often have slow response times, a problem that is exacerbated by the need to potentially have to resolve many hostnames when loading a single web page.

Technical details

DoH is a proposed standard, published as RFC 8484 by the IETF. It uses HTTP/2 and HTTPS, and carries DNS messages in the same wire format used in existing UDP responses, as an HTTPS payload with the MIME type application/dns-message. If HTTP/2 is used, the server may also use HTTP/2 server push to send, in advance, values that it anticipates the client may find useful.
DoH is a work in progress. Even though the IETF has published RFC 8484 as a proposed standard and companies are experimenting with it, the IETF has yet to determine how it should best be implemented. The IETF is evaluating a number of approaches for how to best deploy DoH and is looking to set up a working group, , to do this work and develop a consensus. In addition, other industry working groups such as the , have been formed to "define and adopt DNS encryption technologies in a manner that ensures the continued high performance, resiliency, stability and security of the Internet’s critical namespace and name resolution services, as well as ensuring the continued unimpaired functionality of security protections, parental controls, and other services that depend upon the DNS".

Deployment scenarios

DoH is used for recursive DNS resolution. The client-side resolver must have access to a DoH server hosting a query endpoint.
DoH lacks widespread support in operating systems, although Insider versions of Windows 10 support it. Thus, a user wishing to use it usually needs to install additional software. Three usage scenarios are common:

Operating systems

Apple

and macOS 11 will support both DNS over HTTPS and DNS over TLS when they are released in the fall of 2020.

Windows

In November 2019, Microsoft announced plans to implement support for encrypted DNS protocols in Microsoft Windows, beginning with DoH. In May 2020, Microsoft released Windows 10 Insider Preview Build 19628 that included initial support for DoH along with instructions on how to enable it.

Web browsers

Google Chrome

DNS over HTTPS is available in Google Chrome 84, configurable via the settings page. When enabled, and the operating system is configured with a supported DNS server, Chrome will upgrade DNS queries to be encrypted. It is also possible to manually specify a preset or custom DoH server to use within the user interface.

Microsoft Edge

Microsoft Edge has support for DoH, configurable via the edge://flags URL. If the operating system is configured with a supported DNS server, Edge will upgrade DNS queries to be encrypted.

Mozilla Firefox

In 2018, Mozilla partnered with Cloudflare to deliver DoH for Firefox users who enable it. Firefox 73 added another resolver to the options, NextDNS. On February 25, 2020, Firefox started enabling DNS over HTTPS for all US-based users, relying on Cloudflare's resolver by default. On June 3, 2020, Firefox 77.0.1 disabled NextDNS by default because the high load on the NextDNS servers caused by Firefox users was "effectively DDoS'ing NextDNS". In June 2020, Mozilla announced plans to add Comcast to the list of trusted DoH resolvers.

Opera

Opera supports DoH, configurable via the opera://flags URL. By default, DNS queries are sent to Cloudflare servers.

Public DNS servers

DNS over HTTPS server implementations are already available free of charge from some public DNS providers. See public recursive name server for an overview.

Criticisms and implementation considerations

DoH can impede analysis and monitoring of DNS traffic for cybersecurity purposes; the 2019 DDoS worm Godlua used DoH to mask connections to its command-and-control server. DoH has also been used to bypass parental controls that operate at the DNS level; Circle, a parental control router which relies on DNS queries to check domains against a blocklist, blocks DoH by default for this reason.
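The monitoring gap described above can be partly closed without decrypting traffic. As an added example (not from the article), this Python correlates internal resolver logs with outbound connection logs and flags hosts that reach addresses they never looked up through the internal resolver, a pattern that fits both DoH use and hard-coded command-and-control addresses; the log formats and all addresses are constructed.

```python
# Added example, not from the article: a detection that still works once DNS is hidden inside
# HTTPS. A host whose TLS connections go to addresses it never resolved through the internal
# resolver is probably using an external (e.g. DoH) resolver or has addresses baked in.
# Both logs below are constructed samples in a simplified format.
from collections import defaultdict

DNS_LOG = """\
09:00:01 10.0.0.5 intranet.example A 10.0.8.20
09:00:02 10.0.0.5 www.example.com A 192.0.2.10
09:00:05 10.0.0.7 www.example.com A 192.0.2.10
"""  # internal resolver: <time> <client> <name> <type> <answer>

CONN_LOG = """\
09:00:03 10.0.0.5 192.0.2.10:443
09:00:04 10.0.0.5 198.51.100.1:443
09:00:06 10.0.0.7 192.0.2.10:443
09:00:07 10.0.0.7 203.0.113.9:443
09:00:08 10.0.0.7 203.0.113.9:443
"""  # firewall, outbound connections: <time> <client> <dst-ip>:<dst-port>

def resolved_by_client(dns_log: str) -> dict[str, set[str]]:
    """Every address the internal resolver handed each client."""
    seen = defaultdict(set)
    for line in dns_log.splitlines():
        _, client, _, rtype, answer = line.split()
        if rtype in ("A", "AAAA"):
            seen[client].add(answer)
    return seen

def unresolved_tls(dns_log: str, conn_log: str, min_hits: int = 1) -> dict[str, list[str]]:
    """Per client, the port-443 destinations with no matching internal lookup.
    min_hits suppresses one-off noise such as stale cache entries or CDN rotation;
    the order of lookup versus connection is deliberately ignored to keep it simple."""
    seen = resolved_by_client(dns_log)
    hits = defaultdict(lambda: defaultdict(int))
    for line in conn_log.splitlines():
        _, client, dst = line.split()
        ip, port = dst.rsplit(":", 1)
        if port == "443" and ip not in seen.get(client, set()):
            hits[client][ip] += 1
    flagged = {}
    for client, counts in hits.items():
        ips = sorted(ip for ip, n in counts.items() if n >= min_hits)
        if ips:
            flagged[client] = ips
    return flagged
```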
The Internet Service Providers Association —a trade association representing UK ISPs—and the Internet Watch Foundation have criticized Mozilla, developer of the Firefox web browser, for supporting DoH, as they believe that it will undermine web blocking programs in the country, including ISP default filtering of adult content, and mandatory court-ordered filtering of copyright violations. The ISPA nominated Mozilla for its "Internet Villain" award for 2019, "for their proposed approach to introduce DNS-over-HTTPS in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK." Mozilla responded to the allegations by the ISPA, arguing that it would not prevent filtering, and that they were "surprised and disappointed that an industry association for ISPs decided to misrepresent an improvement to decades-old internet infrastructure". In response to the criticism, the ISPA apologized and withdrew the nomination. Mozilla subsequently stated that DoH will not be used by default in the UK market until further discussion with relevant stakeholders, but stated that it "would offer real security benefits to UK citizens".
Encryption by itself does not protect privacy; it only conceals the content of the data from parties that cannot decrypt it.
Many issues with how to properly deploy DoH are still being resolved by the internet community including but not limited to:
DoH clients do not directly query any authoritative name servers. Instead, the client relies on the DoH server using traditional queries to finally reach the authoritative servers. Thus DoH does not qualify as an end-to-end encrypted protocol; it is encrypted only hop-to-hop, and the hops beyond the DoH server are encrypted only if DNS over TLS is used consistently.