The Serpent

// Cursing the Internet since 1998

DNS over HTTPS or DNS over TLS?

Posted September 23, 2019 Infosec Networking
As we roll on towards the year 2020, into a new decade of opportunity, excitement and hopefully reward, it seems like a good time to review your security and privacy practices within your digital life. After all, practicing good security is a process, requiring constant improvement.

One sticking point of modern internet access is the DNS protocol. For years it’s remained largely in plaintext, acting as an ever-growing phone book of hostnames. It’s a weak link when it comes to privacy, because it contains the clear-text hostnames of all the websites you’re visiting. Anyone on the wire (government, ISP, a neighbour connected to your Wi-Fi, etc.) can potentially snoop on your DNS traffic.

The start of 2016 saw changes coming. DNS needed encryption, but the operating systems were slow to respond. In the usual chicken-and-egg scenario, the likes of Apple and Microsoft didn’t want to invest in a protocol that wasn’t complete. Fortunately, those with commercial interests in preventing MITM (Man in the Middle) attacks stepped in to change all that.

Today we have a few providers of encrypted DNS, but there are two standards making waves on the Internet, and they can be a little confusing. As ever, Wikipedia summarises the current state of public DNS resolvers quite nicely.

The two almost conflicting ways to deliver encrypted DNS are DNS over HTTPS (DoH) and DNS over TLS (DoT). They aren’t exactly in competition, but it’s worth looking at what they each have to offer.

DNS over TLS (DoT)

I’ll start with DoT, not only because it came first, but because sharp-eyed readers will note that DNS over HTTPS already encompasses TLS, so why add an additional layer? This method is the most streamlined in my opinion. A simple protocol, wrapped in strong encryption: what’s not to like?

DoT is detailed in RFC 7858, and adoption has been slow but steady. Today the main providers such as Google, Cloudflare and Quad9 all have DNS resolvers online which can serve requests via this protocol. DoT also runs on a dedicated port (TCP/853), away from the standard UDP/53, so it can blend in to look like regular TLS traffic while still being recognised as DNS. For you security folk out there, this highlights the importance of checking destination categories in order to prevent exfiltration attacks.

The Good:

  • It’s DNS wrapped in TLS, that’s as simple as it gets.
  • It utilises a dedicated TCP port, so DNS traffic can be identified, but not necessarily intercepted
  • DoT can take advantage of TLS session reuse, reducing the amount of DNS connections required

The Bad:

  • Content filtering solutions need to support DNS over TLS in order to act upon policy
  • Support has been slow, with only Android adopting it natively within the OS (as of version 9 “Pie”)

DNS over HTTPS (DoH)

The existence of this one is a little harder to explain. Defined later, in 2018, via RFC 8484, DoH requires an additional step. First the DNS message is wrapped into an HTTP/2 stream, which is then encrypted with TLS. The benefit is that these HTTPS resolvers all run on port 443, and therefore blend in with all normal HTTPS traffic. It makes it impossibly hard to filter DNS. Great if you’re under the control of an oppressive government; not so great if you’re monitoring malware C2C traffic within your organisation.
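
To make the two wrappings concrete, here is an added example (not code from the original post) that builds one DNS query and shows what each transport carries inside TLS: the two-byte length prefix RFC 7858 requires for DoT, and the RFC 8484 GET and POST encodings for DoH. The /dns-query path is an assumption, since each resolver publishes its own URI template; the message ID of 0 follows the RFC 8484 recommendation.

```python
import base64
import struct

DOH_CONTENT_TYPE = "application/dns-message"  # media type from RFC 8484


def build_query(name: str, qtype: int = 1, msg_id: int = 0) -> bytes:
    """Encode a single-question DNS query (RFC 1035 wire format, class IN)."""
    # Header: ID, flags with RD=1, QDCOUNT=1, then three zero counts.
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"invalid label: {label!r}")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def dot_frame(msg: bytes) -> bytes:
    """DoT payload inside TLS on TCP/853: 2-byte length prefix + message."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_path(msg: bytes, path: str = "/dns-query") -> str:
    """DoH GET: message is base64url-encoded, padding stripped, in ?dns=."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{path}?dns={b64}"  # path is an assumed URI template


def doh_post_headers(msg: bytes) -> dict:
    """DoH POST: the raw message is the body; these headers describe it."""
    return {"content-type": DOH_CONTENT_TYPE, "accept": DOH_CONTENT_TYPE,
            "content-length": str(len(msg))}


def dns_from_doh_path(target: str) -> bytes:
    """Recover the DNS message from a DoH GET target, as an inspecting proxy would."""
    b64 = target.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


if __name__ == "__main__":
    query = build_query("example.com")  # same name as the kdig example
    print(len(query), dot_frame(query)[:2].hex(), doh_get_path(query))
```

The DNS bytes are identical in both cases; only the framing around them differs, which is why DoT stays recognisable on its own port while DoH looks like any other HTTPS request until the TLS layer is opened.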

The Good:

  • From a privacy perspective, it’s hard to distinguish DoH from regular HTTPS, making it hard for third parties to manage DNS
  • Uses port 443 which is generally open within most organisations
  • HTTP/2 provides a push mechanism which allows DNS servers to push additional responses which may be of use to the client (i.e. a type of DNS pre-fetching)

The Bad:

  • Uses port 443 (yes we know it’s also good) which means it can potentially be used for data exfiltration if not inspected
  • Defines a new content type: “application/dns-message”, which can be inspected and blocked (requires interception of DoH)
  • The overhead of DNS + HTTP/2 + TLS makes it a somewhat bulky means of performing DNS
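
The visibility difference between the two protocols, from the monitoring side, as an added example that is not part of the original post. It classifies flow and proxy records: DoT is recognisable by port alone, while DoH is confirmed only when an intercepting proxy logs the media type, and otherwise only suspected from the destination. The record field names, the sample records and the short resolver list are constructed for illustration.

```python
DOH_CONTENT_TYPE = "application/dns-message"
# Illustrative hostnames only; production would use a maintained category feed.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}


def classify(rec: dict) -> str:
    """Label one flow/proxy record by how its DNS transport can be recognised."""
    proto, port = rec["proto"], rec["dport"]
    if port == 53:
        return "dns-plaintext"
    if proto == "tcp" and port == 853:
        return "dot"  # dedicated port: visible without decryption
    if proto == "tcp" and port == 443:
        # The media type is only logged when the proxy intercepts TLS.
        ctype = (rec.get("content_type") or "").split(";")[0].strip().lower()
        if ctype == DOH_CONTENT_TYPE:
            return "doh-confirmed"
        if (rec.get("sni") or "").lower().rstrip(".") in KNOWN_DOH_HOSTS:
            return "doh-suspected"  # destination match only
    return "other"


def unsanctioned(records: list, allowed_dst: set) -> list:
    """Return (src, dst, verdict) for encrypted DNS to resolvers outside policy."""
    hits = []
    for rec in records:
        verdict = classify(rec)
        encrypted = verdict in {"dot", "doh-confirmed", "doh-suspected"}
        if encrypted and rec["dst"] not in allowed_dst:
            hits.append((rec["src"], rec["dst"], verdict))
    return hits


SAMPLE = [  # constructed records, not real traffic
    {"src": "10.0.0.5", "dst": "192.0.2.53", "proto": "udp", "dport": 53},
    {"src": "10.0.0.6", "dst": "9.9.9.9", "proto": "tcp", "dport": 853},
    {"src": "10.0.0.7", "dst": "198.51.100.10", "proto": "tcp", "dport": 443,
     "sni": "dns.google"},  # not intercepted: SNI is all we see
    {"src": "10.0.0.8", "dst": "198.51.100.20", "proto": "tcp", "dport": 443,
     "sni": "resolver.example", "content_type": "application/dns-message"},
    {"src": "10.0.0.9", "dst": "198.51.100.30", "proto": "tcp", "dport": 443,
     "sni": "www.example.com", "content_type": "text/html; charset=utf-8"},
]

if __name__ == "__main__":
    for hit in unsanctioned(SAMPLE, allowed_dst={"9.9.9.9"}):
        print(hit)
```

The fourth record is the case the content-type bullet describes: a resolver on no list, caught only because the proxy decrypted the session.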

As you can see, there’s good and bad to both methods. I’ve generally leaned more towards DoT in my day to day life (again, thanks Android!) but with support for both protocols from all the major providers of DNS, it’s clear both will be around for a while to come yet. You can easily play with DoH using Google’s human-friendly front end to obtain JSON results (think of the awesome things you could code to make use of this service!): https://dns.google.

Get your hands on some DoT

It’s easy to get started with DoT if you have a Linux box nearby. Grab the latest package containing knot-dnsutils and then execute the following:

kdig -d @9.9.9.9 +tls-ca example.com

However, until we get more adoption from our native OS vendors, using DoT in your personal life is still somewhat tricky (with the exception of Android). Projects like DNSCrypt and Pi-hole are working to support it in the near future.