Starting at the end of February, Mozilla is rolling out DNS over HTTPS (DoH) as the default setting in the Firefox browser, initially for users in the United States. Google is also a big part of this movement. It sounds like a great way to fix a very old system like the DNS, but does it really work well?
Typical DNS query
You are probably familiar with DNS and how it works. When you type a domain name, your computer sends a query to a recursive resolver (usually the one assigned by your ISP or your local network), which asks the authoritative servers for that domain on your behalf and sends the answer back. Traditional DNS carries these queries in clear text, normally over UDP port 53 (TCP is used for large responses and zone transfers), so anyone on the path can read and even modify them. DNS over HTTPS, as the name suggests, carries the same query over HTTPS instead.
DNS over HTTPS (DoH)
DoH secures the query by wrapping it in encryption. The DNS message is sent inside an HTTPS request (RFC 8484 defines a GET form, with the query in a dns= parameter, and a POST form with the application/dns-message content type), so only the DoH resolver you have configured can read it. Your query is no longer plain text on the wire; to an observer it looks like any other HTTPS traffic.
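To make the framing concrete, here is an added example (not code from the original article) that builds a DNS query in wire format, frames it the two ways RFC 8484 allows, and parses a constructed wire-format answer. The resolver URL and the answer bytes are assumptions made up for the example; nothing is sent over the network, which is why the TLS layer itself does not appear.

```python
import base64
import struct

# Added example, not code from the original article. Builds a DNS query in
# wire format, frames it as RFC 8484 does (GET with a base64url "dns="
# parameter, or POST with Content-Type application/dns-message), and parses
# a constructed wire-format answer. Nothing is sent over the network.


def build_query(name, qtype=1, txn_id=0):
    """Wire-format DNS query (RFC 1035). qtype 1 = A record.

    RFC 8484 recommends transaction ID 0 so that identical questions produce
    identical bytes and HTTP caches can serve them.
    """
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # flags RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def doh_get_url(resolver_url, query):
    """RFC 8484 GET form: base64url without '=' padding in the dns= parameter."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return resolver_url + "?dns=" + token


def doh_post_request(resolver_url, query):
    """RFC 8484 POST form: the raw DNS message is the request body."""
    return {
        "method": "POST",
        "url": resolver_url,
        "headers": {"Content-Type": "application/dns-message",
                    "Accept": "application/dns-message"},
        "body": query,
    }


def _read_name(msg, offset):
    """Read a possibly compressed name; return (name, offset after the name)."""
    labels = []
    end = offset
    jumped = False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(msg):
    """Parse header, question and answer sections of a wire-format response."""
    txn_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    questions = []
    for _ in range(qd):
        name, offset = _read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txn_id, "rcode": flags & 0xF, "questions": questions, "answers": answers}


# Constructed answer (assumption): example.com A 93.184.216.34, TTL 300, with the
# answer's owner name compressed as a pointer back to the question (0xC00C).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)          # QR=1, RD=1, RA=1
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url("https://dnsserver.example.net/dns-query", q))
    print(parse_response(SAMPLE_RESPONSE))
```

The GET form is what makes DoH cacheable by ordinary HTTP infrastructure; the POST form is what most browsers use, because the request body is never written into proxy or server access logs the way a URL is.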
Among the companies that offer this kind of DNS resolving are Google, Cloudflare, LibreDNS, AdGuard and others.
Popular browsers that currently support it are Google Chrome and Mozilla Firefox.
The benefit is that your DNS queries are hidden from your Internet Service Provider, who can no longer log which names you look up and when, or sell that information to others. Keep in mind that the ISP still sees the IP addresses you connect to, and the server name in the TLS handshake (SNI) is still sent in clear text, so DoH hides the lookup, not the connection that follows it.
The problems with DNS over HTTPS are not few, and they are important.
Your DNS queries end up in the hands of the few big companies that run DoH resolvers. In the case of Mozilla, partners must follow its Trusted Recursive Resolver policy, but Mozilla has no way to directly control what they do. Currently, Cloudflare is the default choice.
Another problem is that RFC 8484 covers only the hop between your browser and the DoH resolver. The resolver still has to ask the authoritative name servers, and those queries travel as ordinary, unencrypted DNS, so the name you look up is still visible on that part of the path.
It will make the life of network administrators harder. A browser that talks directly to a public DoH resolver bypasses the local DNS server and any filtering done there, so previously blocked sites become reachable again. That means employees could get malware or enter shady sites without any filter in between. Firefox does check a canary domain, use-application-dns.net, before enabling DoH by default: if the local resolver answers NXDOMAIN for it, the automatic rollout is skipped on that network (a user who turned DoH on explicitly is not affected). Administrators can also turn it off outright through the DNSOverHTTPS enterprise policy, or block the known resolver endpoints at the firewall.
DoH tends to be a little slower than traditional DNS because of the TLS handshake, although the difference is not significant once the connection is reused. More important for defenders is that it hides DNS queries (not all traffic) and hides them for everyone: malware can use a DoH resolver for its lookups, so the DNS-based monitoring many organisations rely on sees nothing, and criminals' lookups blend in with everyone else's.
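One way to get some of that visibility back is to look for DoH in the HTTPS connection logs themselves. The following is an added example, not code from the original article or from any product it mentions: it classifies constructed log lines (the "key=value" format is an assumption made up here) and flags the ones that look like DoH. It assumes a proxy that terminates TLS, so the HTTP path and Content-Type are visible; without interception only the destination host (from SNI or a reverse lookup) is available, and only the first rule can fire.

```python
import re

# Added example, not from the original article. Classifies connection-log
# lines (constructed below, in a made-up key=value format) and reports the
# ones that look like DNS over HTTPS. Path and Content-Type are only visible
# when the proxy terminates TLS; otherwise only the host-list rule applies.

# Public resolvers named in the article, plus Quad9, with the hostname each
# uses for DoH. A resolver run by the attacker will never be on this list.
KNOWN_DOH_HOSTS = {
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+) ctype=(?P<ctype>\S+)$"
)

# Constructed sample log (assumption): one ordinary request, one RFC 8484
# POST to a well-known resolver, one RFC 8484 GET to an unknown IP (the case
# a host list alone would miss), and one call to a known resolver's API.
SAMPLE_LOG = """\
2020-03-01T10:00:01Z src=10.0.0.5 dst=www.example.com:443 method=GET path=/ ctype=-
2020-03-01T10:00:02Z src=10.0.0.5 dst=mozilla.cloudflare-dns.com:443 method=POST path=/dns-query ctype=application/dns-message
2020-03-01T10:00:03Z src=10.0.0.7 dst=203.0.113.10:443 method=GET path=/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB ctype=-
2020-03-01T10:00:04Z src=10.0.0.9 dst=dns.google:443 method=GET path=/resolve?name=example.com&type=A ctype=-
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def doh_indicators(entry):
    """List the reasons a parsed log entry looks like DoH (empty if none)."""
    reasons = []
    if entry["dst"] in KNOWN_DOH_HOSTS:
        reasons.append("known-doh-resolver")
    if entry["method"] == "POST" and entry["ctype"] == "application/dns-message":
        reasons.append("rfc8484-post")
    if (entry["method"] == "GET" and entry["path"].startswith("/dns-query")
            and "dns=" in entry["path"]):
        reasons.append("rfc8484-get")
    return reasons


def find_doh(log_text):
    """Return (src, dst, reasons) for every line that looks like DoH."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = doh_indicators(entry)
        if reasons:
            hits.append((entry["src"], entry["dst"], reasons))
    return hits


if __name__ == "__main__":
    for src, dst, reasons in find_doh(SAMPLE_LOG):
        print(src, "->", dst, ",".join(reasons))
```

The third sample line is the one that matters: a client talking to a resolver nobody has catalogued is caught only because the proxy can see the RFC 8484 request shape, which is exactly the visibility a pure host blocklist does not give you.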
Who is against it?
There are many organizations that don't support it, for various reasons. Let's look at three of them and their reasoning:
- Cisco is against the new standard. The company states that it prevents Cisco Umbrella, its DNS-layer security product, from working properly, and Cisco's team is convinced that their product is better for enterprises.
- Comcast also disagrees. Its team believes it will create a national security risk.
- The Internet Watch Foundation claims that the lack of filtering can expose many people to disturbing content that they would otherwise not see.
What should you do?
There is no easy answer; you have to decide for yourself.
On the one hand, if you don't want to use it, you can opt out in your browser's settings.
For Mozilla Firefox: open the Menu, then Options, go to General, and under Network Settings click Settings. Uncheck "Enable DNS over HTTPS". Under the hood this sets the network.trr.mode preference in about:config to 5 (off by the user's choice); 2 means DoH first with fallback to normal DNS, and 3 means DoH only.
For Google Chrome: type chrome://flags/#dns-over-https in the address bar and disable the flag. Newer versions also expose it as "Use secure DNS" under Settings > Privacy and security > Security.
For other browsers, look in the options for the network settings.
On the other hand, if you think it is a good step forward, check whether your browser already uses it by default, or enable it in the same place.