DNS name resolution with HTTPS

Confidential Game

DoH in Everyday Operations

The popular DNS servers already offer DoH interfaces. If you forward the requests from a proxy web server, you can hide them in your normal HTTPS traffic. Moreover, the classic HTTP Authenticate methods for authenticating clients before they use the DNS server do not work. To implement a modicum of protection for your DoH server, you can adapt the URL for the request. In fact, this allows your HTTP proxy to then address different back-end servers based on the URL and return filtered responses for some users.

Conclusions

The entire Internet communication is built on the DNS system, yet the tried-and-tested service by no means receives the attention it deserves. DoT and DoH change the outlook. This article provides insight into how DNS over HTTPS works. In this case, too, innovation has two sides; you will need to assess the advantages and disadvantages of DoH on individual merit. Common software tools such as web browsers already support it.

Therefore, it is up to you to decide whether to continue using your provider's DNS service, whether encrypted or unencrypted, or whether to switch to a provider with a clear focus on data protection, possibly even including malware protection. As an administrator, you will definitely want to keep an eye open for potentially hidden DoH traffic on your network.

Infos

Censorship-free DNS server by Digitalcourage: https://digitalcourage.de/en
DNS data protection: https://www.cloudflare.com/learning/dns/dns-over-tls/
Cloudflare DNS: https://www.cloudflare.com/learning/dns/what-is-1.1.1.1/
Google DNS: https://developers.google.com/speed/public-dns/
DNS service Quad9: https://www.quad9.net

The Author

Dr. Matthias Wübbeling is an IT security enthusiast, scientist, author, consultant, and speaker. As a Lecturer at the University of Bonn in Germany and Researcher at Fraunhofer FKIE, he works on projects in network security, IT security awareness, and protection against account takeover and identity theft. He is the CEO of the university spin-off Identeco, which keeps a leaked identity database to protect employee and customer accounts against identity fraud. As a practitioner, he supports the German Informatics Society (GI), administrating computer systems and service back ends. He has published more than 100 articles on IT security and administration.

« Previous 1 2