LLMpedia: The first transparent, open encyclopedia generated by LLMs

DNS over HTTPS

Generated by DeepSeek V3.2
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.

DNS over HTTPS is a protocol for performing remote Domain Name System resolution using the HTTPS protocol. This method aims to increase user privacy and security by preventing eavesdropping and manipulation of DNS data through man-in-the-middle attacks. It was standardized in RFC 8484 by the Internet Engineering Task Force and is a key component in the broader movement toward encrypting internet traffic. Major technology companies, including Google and Mozilla, have been instrumental in its development and deployment.

Overview

The traditional Domain Name System operates primarily over UDP or TCP in plaintext, making queries and responses visible to network observers. DNS over HTTPS encapsulates these queries within HTTPS sessions, leveraging the same Transport Layer Security encryption used by secure websites. This approach is part of a suite of encrypted DNS protocols, alongside DNS over TLS, championed by organizations like the Internet Society. The primary motivation is to protect against pervasive monitoring, a concern highlighted by revelations from Edward Snowden regarding surveillance programs like PRISM.

Technical details

A client implementing the protocol makes an HTTP request using the POST or GET method to a dedicated resolver over the standard HTTPS port. The DNS query is encoded in DNS wire format and transmitted within the HTTP message body (POST) or as a URL parameter (GET). The resolver, often operated by entities like Cloudflare or Google Public DNS, processes the query and returns the DNS response encapsulated in the same way. This process relies on the existing public key infrastructure and certificate authority system to authenticate the resolver, ensuring the connection is not intercepted by a malicious actor.
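As an added worked example (not part of the original article), the following Python builds the wire-format query and RFC 8484 GET target described above and parses a constructed answer; the `/dns-query` path is the RFC's own example, and the resolver hostname is an assumption left to the caller.

```python
import base64
import struct

# Added example, not from the article: encode an RFC 8484 DoH GET request for an
# A query and parse a constructed wire-format answer. Path /dns-query is the RFC's
# own example; the resolver hostname is left to the caller.
def build_query(name: str, qtype: int = 1) -> bytes:
    """DNS wire-format query (RFC 1035). ID 0 with RD set, as RFC 8484 suggests
    for GET so identical queries yield identical, HTTP-cacheable URLs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_path(query: bytes, path: str = "/dns-query") -> str:
    """GET target: base64url without padding in the `dns` parameter; the request
    carries Accept: application/dns-message."""
    return f"{path}?dns={base64.urlsafe_b64encode(query).rstrip(b'=').decode()}"

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a label sequence, stopping at a compression pointer or root."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # 2-byte pointer ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_a_records(resp: bytes) -> list[str]:
    """IPv4 addresses from the answer section; raises on a non-zero RCODE."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        off = _skip_name(resp, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return addrs

# Constructed response: question echoed, one A record (TEST-NET-1 address), 300 s TTL.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

The path produced for `example.com` matches the encoding shown in RFC 8484, and the parser rejects a response whose RCODE signals an error instead of returning an empty list.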

Privacy and security implications

By encrypting DNS traffic, the protocol makes it significantly harder for Internet service providers, Wi-Fi hotspot operators, or government agencies to log or filter which websites a user visits. This enhances protection against DNS hijacking and certain forms of censorship, such as those practiced by the Great Firewall in China. However, it also centralizes query data with the chosen HTTPS resolver, making operators like Cloudflare or Quad9 new custodians of that data. This shift has sparked debate about the balance between user privacy and the operational needs of network administrators for security monitoring.

Adoption and implementation

Major web browsers were the early adopters, with Mozilla enabling it by default in Firefox and Google doing the same in Google Chrome. Operating system support followed, with implementations in Microsoft Windows, Apple's macOS, and Google's Android. Public resolvers from Cloudflare, Google Public DNS, and the Quad9 consortium offer the service globally. The protocol's rollout has sometimes faced resistance from Internet service providers such as Comcast and from enterprise networks, leading to configurations that allow disabling the feature via mechanisms like canary domain testing.

Criticism and concerns

Critics, including some members of the Internet Engineering Task Force and network operators, argue that the protocol can complicate network management, parental controls, and malware detection by bypassing local DNS filters. There are concerns about consolidating vast amounts of query data with a few large technology companies, potentially creating attractive targets for agencies like the National Security Agency. Furthermore, some nations may view widespread encryption as an obstacle to law enforcement, echoing tensions seen in debates around the FBI–Apple encryption dispute.