BSDHowTo.ch

Why not use DNS over HTTPS (DoH)?

Last update: 2018-10-01

tl;dr

DoH is not about protecting your DNS queries from peepers. That is a big lie. It is about making sure only one peeper can see all of your queries.

What is DNS over HTTPS (DoH)?

DNS over HTTPS is described in an RFC draft as a way to perform DNS by wrapping it in HTTP and additionally encrypting the data using TLS. Advocates of DoH stress that the transport encryption protects your DNS queries from peepers like your ISP or your network admin at work. Critics object that all DNS queries are directed to a single DNS provider, who becomes the one known peeper.

The basic idea

The basic idea behind new developments like DoH is to protect your DNS queries from peepers by implementing transport encryption, the same type of transport encryption that protects many other application protocols like HTTP and SMTP. This is a very good idea because DNS queries in clear text contain very interesting metadata about the sites you communicate with over the Internet. This can be useful information for any kind of bad guy, be it the NSA or the cybercriminal.

DoH encrypts, so it must be a good thing

The public didn’t care about this RFC draft until Mozilla announced that they would implement this new protocol in Firefox for broad field testing in collaboration with Cloudflare. The first reactions to this were: “DNS gets encryption? This must be a good thing.” But slowly people started to realize what the collaboration between Mozilla and Cloudflare really means: Cloudflare gets all your DNS queries.

But Cloudflare has a data protection policy

So what? Cloudflare is a commercial company. And commercial companies, by definition, must earn money. How does a modern company in the IT business earn money? By selling data.

Is there an alternative way?

Yes, there is. It is called DNS over TLS and is specified as a proposed standard in RFC 7858. This provides transport encryption to DNS without abusing HTTP as a transport protocol.
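To make the difference between the two transports concrete, here is an added example (written for this page, not code from BSDHowTo.ch or from any RFC author) that builds one DNS question in RFC 1035 wire format and then frames it the way DoT and DoH each carry it. The DoH encodings follow the specification the post refers to (since published as RFC 8484: a GET with a base64url `dns` parameter, or a POST with an `application/dns-message` body); the DoT framing follows RFC 7858. The resolver address `192.0.2.53`, the host name `resolver.example` and the `observer_view` helper are constructed for illustration, and nothing is sent on the network.

```python
"""Constructed example: one DNS question framed for plain DNS, DoT and DoH.

Everything is built in memory so the framing of each transport can be
inspected directly; no sockets are opened.
"""
import base64
import struct

DNS_TYPE_A = 1
DNS_CLASS_IN = 1


def build_query(qname: str, qtype: int = DNS_TYPE_A, txid: int = 0) -> bytes:
    """Minimal RFC 1035 wire-format query: 12-byte header plus one question.

    txid defaults to 0 because the DoH spec recommends a zero ID so that
    identical questions yield identical, cacheable HTTP requests.
    """
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, DNS_CLASS_IN)
    return header + question


def parse_qname(msg: bytes) -> str:
    """Read the question name back out of a wire-format message.

    This is what any passive observer of clear-text port-53 traffic can do;
    it is the metadata the post is worried about.
    """
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def dot_frame(msg: bytes) -> bytes:
    """DNS over TLS (RFC 7858): ordinary TCP framing (2-byte length prefix,
    RFC 1035 section 4.2.2) carried inside a TLS session to port 853.
    The DNS message itself is untouched; only the transport changes."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_path(msg: bytes, path: str = "/dns-query") -> str:
    """DoH GET form: base64url-encoded message with '=' padding removed,
    passed in the `dns` query parameter."""
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{path}?dns={encoded}"


def doh_post_request(msg: bytes, host: str, path: str = "/dns-query") -> bytes:
    """DoH POST form: the raw message is the HTTP body, typed
    application/dns-message. Rendered as HTTP/1.1 text for readability;
    deployments normally use HTTP/2 framing under TLS."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Accept: application/dns-message\r\n"
        "Content-Type: application/dns-message\r\n"
        f"Content-Length: {len(msg)}\r\n"
        "\r\n"
    )
    return head.encode("ascii") + msg


def observer_view(transport: str, msg: bytes, resolver: str) -> dict:
    """Constructed helper: what two parties learn from one query.

    `on_path` is a passive peeper between client and resolver (ISP, office
    network); `resolver_sees` is what the operator answering the query gets.
    The encrypted transports hide the name from the first party and change
    nothing for the second, which is the post's point.
    """
    qname = parse_qname(msg)
    if transport == "udp53":
        on_path = {"resolver": resolver, "qname": qname}
    elif transport in ("dot", "doh"):
        port = 853 if transport == "dot" else 443
        # Only the TLS endpoint and the rough message size leak to the path.
        on_path = {"resolver": f"{resolver}:{port}", "approx_bytes": len(msg)}
    else:
        raise ValueError(f"unknown transport {transport!r}")
    return {"on_path": on_path, "resolver_sees": qname}


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("wire:", q.hex())
    print("DoT :", dot_frame(q).hex())
    print("DoH :", doh_get_path(q))
    print(doh_post_request(q, "resolver.example").decode("ascii", "replace"))
    for transport in ("udp53", "dot", "doh"):
        print(transport, observer_view(transport, q, "192.0.2.53"))
```

The GET path produced for `www.example.com` is the same string the DoH specification uses in its own example, which is a convenient check that the encoding is right. Note that the DoT frame is byte-for-byte the message a stub resolver would already send over TCP port 53, just tunnelled in TLS, whereas the DoH forms need an HTTP client and server on both ends.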