DNS Over HTTPS is a relatively new, still quite experimental protocol. Its aim is to try and resolve a core problem with DNS. Let's talk about it and how you can use it to increase your privacy and security on the web.
What exactly is DoH?
DoH is a protocol for performing encrypted DNS queries over HTTPS. It tackles many problems with DNS, including that by default DNS queries are sent unencrypted, in plaintext. This means that by default anyone listening, like your ISP, can look at all your DNS queries, and this really diminishes our efforts of a fully encrypted web. This can be seen with the below diagram:
DoH secures the communication between the user and the DNS server, which can be visualized in the diagram below:
As you can tell, this brings a number of benefits for the user, which we will go over in the next section.
What benefits do I get from using DoH?
With DoH, queries are sent over HTTPS, a secure protocol commonly used to make secure requests to websites. Using this protocol means that no one can see what website you are requesting the IP address for as the request is encrypted, which greatly improves user security. Like HTTPS, it prevents tampering (you can see how this works in this blog post), which means that no one can manipulate what site you are seeing. There is another effort to prevent DNS tampering called Domain Name System Security Extensions (DNSSEC), however, this has seen small adoption. DoH means that all sites receive DNSSEC like tamper protection. This helps to stop hackers from serving malicious DNS records to their pages. So as you can see, this is clearly beneficial to enable. So let's talk about how to do that.
How do I enable DoH?
We are going to go over two methods of using DoH on your device. If you use firefox, then you're in luck, since it has a DoH resolver built right in.
Enabling DoH in firefox
First, we need to navigate to the preferences. This can be found by going into the menu, then clicking on preferences, or by typing about:preferences in the URL bar:
Once we are in the preferences menu, you need to scroll all the way to the bottom of the general menu, until you find this option:
Click on settings, then scroll down again. You should now see the option to enable DoH:
Click enable, and leave it to use the default resolver. If you wish, you can choose a custom resolver, but we are not going to go over that today.
Please be aware this does not enable DoH system-wide, but rather just within the browser. So if you're not an avid firefox user or you want to enable it system-wide, than follow these instructions below:
Enabling DoH system-wide
There are several software solutions, and we aren't going to go into depth with each one. Instead, we are going to touch on one: DNSProxy
This method takes a bit more effort. First, you need to download the project or clone the project and compile it yourself. From there, you can run the following command:
./dnsproxy -u https://cloudflare-dns.com/dns-query -b 220.127.116.11:53 --all-servers
This will start a DNS Proxy on 127.0.0.1:53, which you can then configure as your DNS server for your device, like so:
This should route all your DNS queries through the DNS proxy, and therefore to the DoH resolver.
And that's it! Today, we have gone over what DNS Over HTTPS exactly is, and how we can use it to secure our DNS queries. As always, I hope you found this helpful. If you have any questions about anything mentioned today, feel free to contact me via the methods listed on my main website. See you next time!
Please note: this was edited on the 14th of August, to correct an error in enabling DNS-Over-HTTPS system wide (Thanks to Mauricio for pointing this out)