DoH, or DNS Queries over HTTPS, is a protocol that changes how DNS resolution is transported. Rather than carrying DNS over UDP (the default), over TCP, or over TLS (DoT), DoH carries the DNS exchange inside HTTP, itself protected by a TLS session. It is specified as a Proposed Standard in RFC 8484 from the IETF. The protocol has been pushed mostly by browser vendors dissatisfied with the protection DNS offered at the transport layer; wanting something in place quickly, they defined this new transport.
The main interest of this approach is to use a recursive resolver other than the one provided by the ISP or by the enterprise the client sits in. Because HTTPS is almost always allowed through perimeter security devices, and because its content is not inspected in most cases, it can carry DNS traffic as well. Unfortunately, this removes the ability to filter that traffic under government regulation or enterprise security policy. In practice, DNS carried inside HTTPS sessions is very hard to tell apart from ordinary web traffic: a dedicated DoH resolver can still be blocked by destination name or address, but when the web server hosting the DoH endpoint also serves regular web content, the destination, port and TLS handshake are identical, and only the decrypted HTTP request would reveal the DNS message.
Used mainly by browsers (and by malware), this approach no longer relies on the system's standard resolver libraries, and it forgoes the DNS caching provided by the local network's internal resolvers. Its use raises many security and privacy questions, since a DoH provider can see and analyse every name resolved by every user, which is a very valuable data set.
DoH in a nutshell:
- DoH secures only the DNS transaction between the client and its first (trusted) recursive resolver; resolution beyond that resolver is unchanged
- DoH runs over HTTP at the application level, secured by TLS
- Each application can use a different DoH provider, bypassing system configuration
- DoH can leverage existing HTTP technologies such as caching and proxying
- A DoH service can be offered by an external provider; it is no longer a network service offered locally, close to the client
- DoH passes through most deployed security systems (e.g. firewalls), since it looks like ordinary HTTPS
- DoH can bypass rules enforced by an enterprise, a service provider or a government
- DoH moves data about application usage to a provider that will make good use of the information
- DoH does not handle local traffic or internal domain names; for those, the application needs to implement a “normal” DNS fallback
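The firewall and bypass points above hold only as long as the HTTP layer is not inspected. As an added example (not from the page or from any proxy product), here is the check a proxy that does terminate TLS could run over its logs: the `application/dns-message` media type and a `dns=` parameter that decodes to a DNS query are the two markers RFC 8484 gives DoH on the wire. The CSV log layout (`ts,client,method,host,path,content_type`), the hosts and every log line are constructed for the example.

```python
"""Flagging DoH in proxy logs: an added example, not from the page. Assumes a
TLS-terminating proxy logging ts,client,method,host,path,content_type as CSV;
every log line below is constructed."""
import base64
import struct
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = """\
2024-01-01T10:00:00Z,10.0.0.5,GET,www.example.test,/index.html,text/html
2024-01-01T10:00:01Z,10.0.0.5,GET,www.example.test,/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUEdGVzdAAAAQAB,application/dns-message
2024-01-01T10:00:02Z,10.0.0.7,POST,cdn.example.test,/api/sync,application/dns-message
2024-01-01T10:00:03Z,10.0.0.9,GET,www.example.test,/search?dns=hello,text/html
"""

DOH_MEDIA_TYPE = "application/dns-message"


def looks_like_dns_query(param: str) -> bool:
    """True if a base64url 'dns' value decodes to a plausible DNS query:
    a 12-byte header with QR clear, exactly one question and no answers."""
    try:
        raw = base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))
    except ValueError:  # binascii.Error is a ValueError
        return False
    if len(raw) < 12 + 5:  # header plus the shortest possible question
        return False
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", raw[:12])
    return not flags & 0x8000 and qd == 1 and an == 0


def classify(line: str) -> list[str]:
    """Reasons a single log line looks like a DoH exchange (empty if none)."""
    _, _, method, _, path, ctype = line.split(",", 5)
    reasons = []
    if ctype.strip() == DOH_MEDIA_TYPE:
        reasons.append("dns-message media type")
    if method == "GET":
        qs = parse_qs(urlsplit(path).query)
        if "dns" in qs and looks_like_dns_query(qs["dns"][0]):
            reasons.append("dns= parameter decodes to a DNS query")
    return reasons


def find_doh(log: str) -> list[tuple[str, str, list[str]]]:
    """(client, host, reasons) for each line that carries DoH markers."""
    hits = []
    for line in log.splitlines():
        reasons = classify(line)
        if reasons:
            fields = line.split(",", 5)
            hits.append((fields[1], fields[3], reasons))
    return hits


if __name__ == "__main__":
    for client, host, why in find_doh(SAMPLE_LOG):
        print(f"{client} -> {host}: {'; '.join(why)}")
```

Without TLS termination none of these fields are visible; only the destination name, address and TLS SNI are, which is why a dedicated resolver can be blocked by list while a DoH endpoint co-hosted on a regular web server cannot be told apart from that server's other traffic.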