Encrypting DNS traffic on Linux with DoT

Curious Looks

DNS over HTTPS (DoH) is an established, practical method of Domain Name System (DNS) encryption [1]. The standard, which dates back to 2018, encrypts DNS traffic within the HTTPS protocol, which means DNS traffic uses the same network port (tcp/443) as HTTPS. As a result, administrators initially have no way of distinguishing between DNS and HTTPS traffic. The standard is now supported by most web browsers, as well as Windows 11, and a number of public DNS servers also speak this protocol [2].

DNS over TLS (DoT) was standardized two years earlier in RFC 7858 [3]. As the name suggests, the DNS traffic is encrypted directly above the User Datagram Protocol (UDP), without needing another protocol in the application layer. This makes the standard easier for DNS providers to support, because they don't have to implement the fairly complex HTTP protocol on the DNS server. However, as with HTTPS, a public key infrastructure (PKI) is required: any DNS server supporting the standard must present an X.509 certificate as soon as a client opens a DoT connection to it.

DoT uses a dedicated network port (tcp/853) so that, unlike DoH, it is possible for administrators to identify DNS traffic on the network and filter it, if necessary.

Querying a Recursive DNS Server

The dig DNS utility makes it easy to formulate a manual query to a recursive DNS server. The server then takes care of providing a response by forwarding the query, starting with the DNS root servers, until it reaches the DNS server ultimately responsible for the domain in question. To safeguard the request with TLS, you can use the +tls-ca option when calling dig. In the example here, I used the public DNS server (1.1.1.1) operated by

...
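As an added illustration (not code from the article), the following Python script does by hand what dig does when it opens a DoT session: it builds the query in DNS wire format, prefixes it with the two-byte length that DNS over TCP uses, and sends it over a TLS connection to tcp/853 whose certificate is validated against the system CA store, which is what the +tls-ca option asks dig to do. The server 1.1.1.1 is the one named in the text; the transaction ID, the sample response bytes, and the assumption that the server's certificate lists its IP address as a subject alternative name are mine.

```python
import socket
import ssl
import struct

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 query: 12-byte header (RD=1, QDCOUNT=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def frame(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length precedes each message."""
    return struct.pack("!H", len(msg)) + msg

def skip_name(resp: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) name and return the offset after it."""
    while resp[pos] != 0 and resp[pos] & 0xC0 != 0xC0:
        pos += resp[pos] + 1  # ordinary label: length byte plus the label itself
    return pos + (2 if resp[pos] & 0xC0 == 0xC0 else 1)  # pointer is 2 bytes, root label 1

def parse_a_records(resp: bytes) -> list:
    """Return the IPv4 addresses from the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(resp, pos) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def dot_query(name: str, server: str = "1.1.1.1") -> list:
    """Query over TLS on tcp/853; the certificate is validated as dig +tls-ca does."""
    ctx = ssl.create_default_context()  # checks the X.509 chain and that a SAN matches
    with socket.create_connection((server, 853), timeout=5) as raw:
        # Assumption: the server's certificate carries its IP address as a SAN.
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame(build_query(name)))
            (length,) = struct.unpack("!H", tls.recv(2))
            resp = b""
            while len(resp) < length:
                resp += tls.recv(length - len(resp))
    return parse_a_records(resp)

SAMPLE_RESPONSE = (  # constructed sample (not captured traffic): answer to an A query
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x5d\xb8\xd8\x22")
```

Calling parse_a_records(SAMPLE_RESPONSE) exercises the parser offline; dot_query("example.com") performs the live exchange and raises ssl.SSLCertVerificationError if the resolver's certificate does not validate.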