What’s DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) and why it’s controversial

The Domain Name System (DNS) is part of the backbone of the modern internet, even though it is mostly invisible to the ordinary user. Every time you visit a website, send an email or even use an app, you are using DNS without knowing it.

How it works is not a mystery; regular visitors to this site probably already know. In summary, DNS translates human-readable website names, or domain names, into the numeric IP addresses that computers actually use. Every time you visit dignited.com, your operating system translates, or more accurately resolves, the domain name dignited.com to an equivalent IP address, 139.162.236.201. That is the address of the server hosting the website's files and articles. The translation is done by a series of DNS servers: a resolver, usually run by your internet provider, which in turn asks the root, top-level-domain and authoritative name servers on your behalf and remembers the answer for a while.


But how does your computer's operating system (OS) know whom to ask for the records of millions of websites? This is where your Internet Service Provider (ISP) comes in.

Your internet provider supplies you with an internet device, such as a router or MiFi, that is preconfigured with a list of DNS servers to resolve your queries, and your computer picks those servers up automatically (through DHCP) when it joins the network. These DNS servers are managed by your internet provider or, in some cases, by other third parties. What about your smartphone? It works the same way: the phone picks up DNS servers from the mobile network at the moment it connects.

Related post: How to change the DNS Server on your Phone

So this is how your internet provider knows which websites you browse: every lookup goes through its resolver. It can use this knowledge for good, for instance speeding up commonly visited websites through caching. The resolver remembers the answer for a popular name such as youtube.com or facebook.com so that it does not have to be looked up upstream every time, and many providers also host local cache servers for the big content networks so that the content itself is served from within their own systems.

They can also censor content, such as porn sites, extremist sites or anything the government deems a national security matter, on a directive from the government. The mechanism is simple: the provider's resolver refuses to answer for the blocked name, or answers with a different address.

HTTPS and SSL

Now let's talk about DNS-over-HTTPS (DoH) and its cousin DNS-over-TLS (DoT). First, we have to talk about HTTPS. You probably know about HTTPS already. It stands for Hyper Text Transfer Protocol Secure and is the internet standard for fetching content from remote servers securely.

When you fill in your username and password while logging in to Facebook, for instance, your web browser (say Firefox) uses HTTPS to turn your details into gibberish, a process called encryption, so that bad guys snooping on the network don't get your login details. When John Doe logs in with username john and password 1234password (not a secure password), HTTPS turns these into something like J8L+s3tc0TwxqiTbEmBCT/Zn+ALef2SPHwqncaJMCBktUOIz7uANIE+, which looks like your cat danced on your keyboard. This doesn't just happen to login details; it happens to literally any content delivered over HTTPS, including articles, videos and images. So neither your internet provider nor a snooping government can tell what you are reading on a site. What they can still see is that you connected to it: the server's address, and normally its hostname, are visible in the connection setup. This is why the Chinese government blocked Wikipedia outright when it switched to HTTPS: the censors could no longer block individual articles, only the whole site.

HTTPS uses another standard, Transport Layer Security (TLS), to do this encryption; its now-deprecated predecessor was Secure Sockets Layer (SSL), which is why you still see the two names used interchangeably.

DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT)

DoH and DoT use the same TLS encryption as HTTPS to hide your DNS queries from your internet provider. DoT sends DNS queries over a TLS connection on a dedicated port (853); DoH wraps them inside ordinary HTTPS requests (port 443), so the lookups look like any other web traffic. Either way, your computer encrypts the domain name queries so that your internet provider can't tell which websites you are trying to visit. But it only works with a resolver that speaks DoH or DoT, which for most people means manually specifying a public DNS server such as Cloudflare's 1.1.1.1 or Google's 8.8.8.8, or any of these public DNS servers, instead of your internet provider's. Note that this moves trust rather than removing it: whoever runs that resolver now sees every query your provider no longer does.

Browser and operating system vendors have been adding support since as early as mid last year: Firefox with DoH, and Android P with DoT.

Related post: DNS over HTTPS (DOH) is coming to Firefox and Android P

How does it work? Let's say you are visiting facebook.com with 1.1.1.1 configured as your DNS server.

  1. You enter facebook.com in the browser address bar.
  2. The browser asks the operating system which DNS server to use.
  3. The operating system replies with Cloudflare's 1.1.1.1.
  4. The browser opens an encrypted TLS connection to 1.1.1.1 (on port 443 for DoH, 853 for DoT) and sends the query for facebook.com inside it.
  5. Your internet provider carries the connection to 1.1.1.1 but only sees an encrypted stream of bytes, something like 2SPHwqncaJMCBktUOIz7uANIE+7y; it cannot tell that you asked for facebook.com.
  6. Cloudflare's 1.1.1.1 answers, inside the same encrypted connection, with the IP address of facebook.com, 102.132.96.35.
  7. The browser now connects to the facebook.com server at 102.132.96.35 and you start browsing the site and its content.
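The exchange in those steps, as an added example that is not part of the original article: a minimal DNS-over-HTTPS client (RFC 8484) written with only the Python standard library. It encodes the facebook.com query in DNS wire format, shows the two ways DoH carries it (a POST body, or base64url in a GET parameter; the www.example.com encoding it produces is the one shown in RFC 8484), and decodes the answer. The Cloudflare endpoint URL is assumed to be current, and SAMPLE_RESPONSE is constructed by hand so the decoding can be exercised offline; only resolve_over_doh() touches the network.

```python
# Added example: a minimal DNS-over-HTTPS (RFC 8484) client using only the
# Python standard library. The DNS wire format is per RFC 1035; wrapping the
# message in an HTTPS request is what makes it DoH. SAMPLE_RESPONSE below is
# constructed by hand for offline use, not captured from a real resolver.
import base64
import struct
import urllib.request

DOH_URL = "https://cloudflare-dns.com/dns-query"   # Cloudflare's public DoH endpoint (assumed current)


def build_query(name, qtype=1, txid=0):
    """Encode a one-question DNS query (default qtype 1 = A record) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1; QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)   # QCLASS 1 = IN


def _read_name(msg, off):
    """Decode a possibly compressed domain name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(msg):
    """Return the IPv4 addresses in the answer section; [] on an error RCODE or no A records."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                                   # RCODE != 0, e.g. NXDOMAIN
        return []
    off = 12
    for _ in range(qdcount):                             # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                                         # QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen                                     # skip CNAME/AAAA/... rdata
    return ips


def doh_get_query_string(query):
    """RFC 8484 GET form: the wire message, base64url without padding, in the 'dns' parameter."""
    return "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def resolve_over_doh(name, url=DOH_URL):
    """Live lookup (needs network): POST the query inside HTTPS. On the wire the
    ISP sees a TLS session to the resolver, not the name being looked up."""
    req = urllib.request.Request(
        url, data=build_query(name), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_a_records(resp.read())


# Constructed response to build_query("facebook.com"): same txid, QR/RD/RA set,
# the question echoed back, and one A record (TTL 60) using a compression
# pointer to the name at offset 12. The address is the one the article quotes.
_QUERY = build_query("facebook.com")
SAMPLE_RESPONSE = (
    _QUERY[:2]
    + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    + _QUERY[12:]
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([102, 132, 96, 35])
)

if __name__ == "__main__":
    print(doh_get_query_string(build_query("www.example.com")))
    print(parse_a_records(SAMPLE_RESPONSE))          # ['102.132.96.35']
    # print(resolve_over_doh("facebook.com"))        # uncomment for a live lookup
```

The part that hides the query from the provider is nothing more than the TLS session urllib opens to the resolver; the DNS message inside is byte-for-byte what would otherwise go out in cleartext on UDP port 53, which is why a DoH-capable resolver needs no change to the DNS data itself.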

Now note the caveat here: while your internet provider can no longer read your DNS queries, the connection that follows is still in plain sight. The provider sees the IP address you connect to, and in most TLS handshakes the server name as well (the Server Name Indication field is sent unencrypted). So your internet provider can still block facebook.com by its IP address or by the name it spots in the handshake; DoH only closes the DNS channel.

Related post: Speed up your internet with any of these public DNS Servers

Mozilla, which has committed to shipping DoH in forthcoming Firefox releases, was slammed last week by the UK trade association for internet service providers, which went as far as nominating it for this year's "Internet Villain" award over the plan. The ISPs argued that Mozilla's plans would "bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK".

So while DoH and DoT give users better privacy over their online activity, they also undercut the efforts, and in some countries the legal obligations, of internet providers to keep the internet safe. How, for instance, is an internet provider to block child pornography sites if it cannot tell what is going through its pipes? This is the controversy with DoH and DoT, and in fact with other privacy technologies such as proxies and VPNs. On the other hand, the same technologies protect internet users from the unscrupulous practices of some internet providers, who for instance sell browsing data to third parties for ad targeting without their customers' consent.

Privacy and online security are big topics right now, and there is probably no way of stopping privacy-focused technologies such as DoH and DoT from going mainstream.

Image: Pixabay