Security: DNS over HTTPS

Posted in Security on 25 February 2020

Whenever you visit a website, even if you are using a site with SSL, the DNS query that converts the web address into an IP address will be sent unencrypted.

DNS over HTTPS (DoH) has emerged as a contentious topic in the realm of internet privacy and security. This protocol, which encrypts DNS queries within HTTPS connections, offers several advantages and disadvantages that merit careful consideration.

Enable DNS over HTTPS

The process works by using third parties to query the URLs. Companies such as Cloudflare and NextDNS are part of the set-up in Firefox and process the DoH queries. From the end of February 2020 Firefox will enable DoH by default for users in the United States.

In the UK, GCHQ has issued a warning about the plans for DoH by default for new encrypted browsers, saying it could increase the risk of cyber-attacks and impede police investigations.

DoH, when enabled, ensures that your internet service providers cannot collect and sell personal information related to your browsing behavior. However, only certain parts of the DNS lookup process are encrypted, and ISPs will still be able to see which IP addresses their users are connecting to.

Why you should switch to DNS over HTTPS

Enhanced Privacy: One of the primary benefits of DNS over HTTPS is its ability to enhance user privacy. By encrypting DNS queries, DoH prevents third parties, such as Internet Service Providers (ISPs) and malicious actors, from monitoring or intercepting users’ browsing habits and DNS requests. This helps mitigate the risk of surveillance and data collection by unauthorized entities.

Improved Security: DoH strengthens the security of DNS communications by adding an additional layer of encryption. Traditional DNS queries are sent in plaintext, making them susceptible to eavesdropping and spoofing attacks. With DoH, DNS traffic is encrypted using the same secure HTTPS protocol used for web browsing, reducing the risk of DNS-based attacks and tampering.

Bypassing DNS Manipulation: In regions where DNS manipulation or censorship is prevalent, DoH can help users circumvent restrictions imposed by ISPs or government entities. By encrypting DNS queries, users can access blocked websites and services more reliably, safeguarding their freedom of expression and access to information.

DNS Integrity: DoH can enhance DNS integrity by mitigating the risk of DNS spoofing and cache poisoning attacks. By encrypting DNS queries and responses, DoH helps ensure that users receive accurate and untampered DNS information, reducing the likelihood of malicious redirections or phishing attempts.

Cross-Platform Compatibility: DoH is supported by major web browsers and operating systems, making it accessible to a wide range of users without the need for additional software or configuration. This seamless integration enables users to benefit from enhanced privacy and security without significant effort or technical expertise.

Things to be aware of

Centralisation of DNS Resolution: One of the primary concerns surrounding DoH is the potential centralisation of DNS resolution. By default, DoH relies on a small number of DNS resolvers operated by major technology companies, leading to a concentration of DNS traffic and control in the hands of a few entities. This centralisation raises questions about data privacy, accountability, and potential abuse of power.

Network Management Challenges: DoH can pose challenges for network administrators and ISPs tasked with managing network traffic and enforcing security policies. Since DoH encrypts DNS queries, it becomes more difficult for network operators to inspect and filter DNS traffic for security threats or policy compliance. This loss of visibility and control can hinder network management efforts and increase the risk of security incidents.

DNS Caching and Performance: While DoH offers enhanced privacy and security, it may impact DNS caching and resolution performance compared to traditional DNS protocols. Encrypted DNS queries and responses may incur additional latency and overhead, particularly in environments with high DNS query volumes or limited network bandwidth. This could result in slower DNS resolution times and degraded user experience, especially in resource-constrained environments.

Potential for Abuse: While DoH helps protect users’ privacy and security, it may also be used for malicious purposes, such as evading network security controls, bypassing content filters, or facilitating illicit activities. The anonymity and encryption provided by DoH can make it challenging for security professionals to detect and mitigate DNS-based threats effectively, potentially exacerbating cybersecurity risks.

Compatibility Issues: Despite increasing adoption, DoH may encounter compatibility issues with legacy systems, network infrastructure, and security appliances that rely on traditional DNS protocols for traffic analysis and filtering. Organisations and individuals migrating to DoH must carefully assess compatibility requirements and potential interoperability challenges to ensure a smooth transition without disrupting critical services or compromising security posture.


DNS over HTTPS offers compelling benefits in terms of privacy, security, and accessibility, but it also presents significant challenges and considerations that warrant careful evaluation.

By weighing the pros and cons of DoH and adopting appropriate safeguards, users and organisations can leverage this technology to enhance their online experiences while mitigating potential risks and vulnerabilities.

Enabling DNS over HTTPS

Unless you live in the United States and are using Firefox DoH will not be turned on by default, however, it is currently available as an option in most popular browsers.

Mozilla Firefox

  • Go to Settings (about:preferences) scroll down to Networking
  • Check the Enable DNS over HTTPS option
  • Select either of the DNS servers, or enter your own.

Microsoft Edge *

Opera

Brave *

Vivaldi *

Google Chrome *

* DNS Servers

Edge, Brave, Vivaldi and Google Chrome require an additional step before DoH is enabled.

Currently, even with DoH enabled these browsers will only send encrypted HTTP requests if the DNS server is able to process them. If not it will continue to send requests unencrypted.

Related Security Posts

March 2024

PHP Security in 2024: navigating the evolving landscape

As PHP continues to evolve, so do the threats that target its vulnerabilities. Ensuring robust PHP security practices is paramount to safeguarding sensitive data and... Continue reading

July 2023

How to secure WordPress in 2023?

Securing a WordPress website involves a combination of practices, including using secure hosting configurations, regularly updating WordPress and its plugins/themes, and implementing strong security measures.... Continue reading

February 2022

ProtonMail secure email

ProtonMail is an encrypted email service that takes a radically different approach to email security. In 2014 the Swiss company **[ProtonMail](https://protonmail.com/)** became the first email... Continue reading

More Security Posts