DNS over HTTPS (DoH) is a relatively new protocol that encrypts domain name system traffic by passing DNS queries through a Hypertext Transfer Protocol Secure encrypted session. DoH seeks to improve online privacy by hiding DNS queries from view.
DoH works similarly to DNS, but HTTPS sessions keep the requests and minimize the information exchanged during queries. Web browsers, like Mozilla's Firefox, Microsoft's Edge and Google's Chrome, all have the capabilities to use encrypted DoH with the goal of increasing data privacy and security for users.
How DoH works
In order to understand how DoH works, it is necessary to first understand how regular DNS works. Websites are hosted on web servers, and every web server -- or site on a server -- has an associated Internet Protocol (IP) address. For a browser to access a website, it must first determine the site's IP address, which is where DNS comes in. A DNS server's job is to convert a hostname, such as https://whatis.com, into an IP address.
When users enter a hostname into their browser, the request is sent to a recursive resolver, which then passes the request to a root name server -- if the resolver does not already know how to resolve the query. A root name server handles top-level domains, such as .com, .org and .edu. The root server then sends the address of the appropriate top-level DNS server back to the resolver. If, for example, the user was trying to access a .com site, then the root DNS would provide the address associated with the .com top-level domain server.
At this point, the resolver sends its request to the top-level domain server, and the top-level domain server responds with the IP address of the DNS server that handles the requested domain. The resolver then sends the request to this DNS server, which returns the IP address of the website that the user is trying to access. The browser is then able to issue an HTTP or HTTPS request to that IP address to access the website that the user requested. In some cases, caching enables this process to be shortcut, but this is the essence of how normal DNS works.
DoH works in essentially the same way, but there are two key differences. The first -- and most obvious -- difference is that the DNS requests are encapsulated within an HTTPS session, rather than the browser making an HTTP request as has been done in the past. Like HTTPS web traffic, these requests are sent over port 443. It is worth noting that, for DoH to work, both the browser and the DNS server must support DoH.
The other key difference between standard DNS and DoH is that DoH seeks to minimize the information that is transmitted during the various DNS queries. It does this by transmitting only the portion of the domain name that is necessary to complete the current step in the name resolution process rather than sending the full domain name that the user's browser is trying to resolve. For example, the DNS root does not need to know that the user's browser is trying to resolve https://whatis.com. It only needs to know that the browser is trying to resolve a .com address.
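The encapsulation described above has a concrete wire form: the DoH client builds an ordinary DNS query message, base64url-encodes it into the `dns` URL parameter (or POSTs it as `application/dns-message`), and gets back an ordinary DNS response inside the HTTPS body. The following added example (not code from the article or any browser) builds such a GET URL and parses a constructed response; the resolver URL is a placeholder and no network traffic is sent.

```python
import base64
import struct

# Added example (not from the article): how a DoH client encodes a DNS query in the
# RFC 8484 GET form and reads the answer. DOH_ENDPOINT is a placeholder; nothing is sent.
DOH_ENDPOINT = "https://doh.example/dns-query"

def build_query(name: str, qtype: int = 1) -> bytes:
    """Minimal DNS wire-format query; ID is 0 as RFC 8484 recommends for HTTP caching."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID, flags (RD=1), QD=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_url(name: str) -> str:
    """Query as the 'dns' URL parameter: base64url with the '=' padding removed."""
    token = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{DOH_ENDPOINT}?dns={token}"

def parse_a_answers(resp: bytes) -> list:
    """Return IPv4 addresses from the answer section of a DNS response message."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    pos = 12
    for _ in range(qd):  # skip the question section (name + QTYPE + QCLASS)
        while resp[pos] != 0:
            pos += resp[pos] + 1
        pos += 5
    addrs = []
    for _ in range(an):
        if resp[pos] & 0xC0 == 0xC0:  # owner name given as a compression pointer
            pos += 2
        else:  # uncompressed owner name
            while resp[pos] != 0:
                pos += resp[pos] + 1
            pos += 1
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return addrs

# Constructed response (not captured traffic): the question echoed back plus one
# A record, owner name as a pointer to offset 12, TTL 300, address 203.0.113.10.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + build_query("whatis.com")[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10])
)
```

The same 28-byte query that a stub resolver would send over port 53 in the clear is what travels inside the TLS session here, which is why on-path observers see only HTTPS to port 443.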
Benefits of DoH
There are several possible benefits to using DNS over HTTPS. The primary benefit is that encrypting DNS name resolution traffic helps to hide a user's online activities. When a user enters a URL into their browser, a DNS query is typically needed in order to resolve the domain portion of the URL into an IP address. While it may be tempting to think of this name resolution request as being sent directly to a DNS server, the reality is that, unless a DNS server exists on the local network, the name resolution request has to pass through the internet service provider's network and through any routers that exist between the ISP and the DNS server. The name resolution request is visible at any one of these hops. This means, for instance, that an ISP can see exactly which sites are being visited, simply by monitoring DNS name resolution requests. DoH hides the name resolution requests from the ISP and from anyone listening on intermediary networks.
DoH also helps to prevent DNS spoofing and man-in-the-middle (MitM) attacks. Because the session between the browser and the DNS server is encrypted, nobody on the path can alter the resolution results to point the user's browser toward a fraudulent website.
Criticism and controversy
DNS over HTTPS has drawn sharp criticism. Vocal opponents of DoH, such as Comcast, have shared concerns that DoH would concentrate most DNS data with Google, giving it control of internet traffic routing and access to large amounts of consumer and competitor data.
DoH can also be problematic in the enterprise. Enterprises sometimes monitor DNS requests to block access to malicious or inappropriate sites. DNS monitoring can also sometimes be used to detect malware that is attempting to "phone home." Because DoH encrypts name resolution requests, it creates a security monitoring blind spot.
DoH on web browsers
Despite the controversy surrounding DoH, the protocol is becoming widely supported by web browsers. Mozilla announced on Feb. 25, 2020, that its Firefox browser is now DoH-enabled. It is worth noting that Firefox passes all DoH traffic through Cloudflare by default.
Recently, Microsoft replaced its Edge browser with a completely redesigned version that is based on Google's Chromium. According to Microsoft, the Edge browser and the Windows core networking stack will eventually support DoH. While it is currently possible to use DoH with the Chromium-based Edge browser, doing so requires a hidden configuration option to be enabled.
Google Chrome also supports DoH, although DoH support is not enabled by default. Once enabled, Chrome attempts to use the same DNS servers that it had previously been configured to use. If those DNS servers support DoH, then name resolution requests will be encrypted. Otherwise, Chrome falls back to unencrypted DNS traffic.