DNS over TLS vs. DNS over HTTPS | Securing DNS
DNS queries are sent in plain text, which means anyone can read them. DNS over HTTPS and DNS over TLS encrypt DNS queries and responses to keep users' browsing safe and private. However, both approaches have their pros and cons.

Why Does DNS Need Additional Security Layers?
DNS is the phone book of the Internet; DNS resolvers translate human-readable domain names into machine-readable IP addresses. By default, DNS queries and responses are sent in plain text (via UDP), which means they can be read by networks, ISPs, or anyone able to monitor transmissions. Even if a website uses HTTPS, the DNS query required to navigate to that website is exposed.
This lack of privacy has a significant impact on security, and in some cases, on human rights; if DNS queries are not private, it becomes easy for governments to censor the Internet and for attackers to track users' online behavior.
Think of a regular unencrypted DNS query like a postcard sent through the mail: anyone who handles the mail might happen to glance at the text written on the back, so it is not wise to send a postcard containing sensitive or private information.
DNS over TLS and DNS over HTTPS are two standards developed to encrypt plain text DNS traffic in order to prevent malicious parties, advertisers, ISPs, and others from being able to interpret the data. Continuing the analogy, these standards aim to put an envelope around all the postcards going through the mail, so that anyone can send a postcard without worrying that someone is snooping on what they intend to do.
What Is DNS over TLS?
DNS over TLS, or DoT, is a standard for encrypting DNS queries to keep them secure and private. DoT uses the same security protocol, TLS, that HTTPS websites use to encrypt and authenticate communications. (TLS is also known as "SSL.") DoT adds TLS encryption on top of the User Datagram Protocol (UDP), which is used for DNS queries. Additionally, it ensures that DNS requests and responses are not tampered with or forged via on-path attacks.
What Is DNS over HTTPS?
DNS over HTTPS, or DoH, is an alternative to DoT. With DoH, DNS queries and responses are encrypted, but they are sent via the HTTP or HTTP/2 protocols instead of directly over UDP. Like DoT, DoH ensures that attackers cannot forge or alter DNS traffic. DoH traffic looks like other HTTPS traffic – for example, normal user-driven interactions with websites and web applications – from a network administrator's perspective.
In February 2020, Mozilla Firefox began enabling DoH by default for US users. DNS queries from the Firefox browser are encrypted by DoH and go to NextDNS. Many other browsers also support DoH, although it is not enabled by default.
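As an added example that is not part of the original article, the Python below sends one and the same DNS wire-format message two ways: over DoT, where the client opens a TCP connection to port 853, wraps it in TLS and prefixes each message with its two-byte length (RFC 7858), and over DoH, where the identical bytes travel as the body of an HTTPS POST with the application/dns-message media type (RFC 8484). The resolver address 1.1.1.1 is the one the article names; the DoH URL is an assumed public endpoint, so substitute your own resolver's. parse_response also reports the AD flag, which a validating resolver sets when DNSSEC signatures checked out, independent of which transport carried the reply. The two live lookups need network access; sample_response is a constructed reply so the parser can be exercised offline.

```python
"""Added example (not from the original article): one DNS wire-format query sent
over DoT (TLS on TCP port 853, RFC 7858) and over DoH (HTTPS POST carrying the
same bytes, RFC 8484). The DoH URL is an assumed public endpoint."""
import socket
import ssl
import struct
import urllib.request

DOT_PORT = 853   # dedicated DoT port: visible to anyone watching the network
DOH_URL = "https://cloudflare-dns.com/dns-query"  # assumption: substitute your resolver's


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 query: header with RD set, one question (qtype 1 = A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return it and the offset just past it."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg: bytes) -> dict:
    """Header fields plus any A-record answers. The AD flag is set by a validating
    resolver when DNSSEC signatures verified; it says nothing about the transport."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    result = {"txid": txid, "rcode": flags & 0xF, "ad": bool(flags & 0x0020), "addresses": []}
    offset = 12
    for _ in range(qd):                               # skip the echoed question
        _, offset = _read_name(msg, offset)
        offset += 4
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            result["addresses"].append(".".join(str(b) for b in msg[offset:offset + 4]))
        offset += rdlen
    return result


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf


def query_over_dot(name: str, resolver: str = "1.1.1.1") -> dict:
    """DoT: TCP to port 853, TLS on top, each message prefixed by its 2-byte length."""
    ctx = ssl.create_default_context()              # verifies the resolver's certificate
    query = build_query(name)
    with socket.create_connection((resolver, DOT_PORT), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=resolver) as tls:
        tls.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(tls, 2))
        return parse_response(_recv_exact(tls, length))


def query_over_doh(name: str, url: str = DOH_URL) -> dict:
    """DoH: the identical bytes become the body of an HTTPS POST on port 443."""
    req = urllib.request.Request(url, data=build_query(name), method="POST",
                                 headers={"Content-Type": "application/dns-message",
                                          "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_response(resp.read())


def sample_response() -> bytes:
    """Constructed reply (not captured) to build_query("example.com"): flags QR|RD|RA|AD,
    one A record whose owner name is a compression pointer back to the question."""
    header = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + build_query("example.com")[12:] + answer


if __name__ == "__main__":
    print(parse_response(sample_response()))        # offline demonstration
    # Live lookups (need network); same parsed answer, two different transports:
    # print(query_over_dot("example.com")); print(query_over_doh("example.com"))
```

Note that the only thing that changes between the two transports is the framing: DoT needs the length prefix because TLS over TCP is a byte stream, while DoH lets HTTP delimit the message. Everything the resolver sees inside (the question, the flags, the answer) is byte-for-byte the same, which is why the privacy and monitoring differences the article goes on to describe come entirely from the port and the surrounding protocol, not from the DNS payload.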
Wait, Doesn't HTTPS Also Use TLS Encryption? How Are DNS over TLS and DNS over HTTPS Different?
Each standard was developed separately and has its own RFC* documentation, but the most significant difference between DoT and DoH is the port they use. DoT uses only port 853, while DoH uses port 443, which is the port all other HTTPS traffic uses as well.
Because DoT has a dedicated port, anyone with network visibility can see DoT traffic coming and going, even though the requests and responses themselves are encrypted. In contrast, with DoH, DNS queries and responses are disguised within other HTTPS traffic, since they come and go from the same port.
* RFC stands for “Request for Comments,” and an RFC is a collective effort by developers, networking experts, and thought leaders to standardize an Internet technology or protocol.
What Is a Port?
In networking, a port is a virtual location on a device that is open for connections from other devices. Every networked computer has a standard number of ports, and each port is reserved for certain types of communications.
Think of ports like shipping berths in a harbor: each shipping berth is numbered, and different types of vessels are supposed to head to specific shipping berths to unload cargo or passengers. Networks work the same way: certain types of communications are supposed to go to certain network ports. The difference is that network ports are virtual; they are places for digital rather than physical connections.
Which Is Better, DoT or DoH?
This is open to debate. From a network security standpoint, DoT is arguably better. It gives network administrators the ability to monitor and block DNS queries, which is important for identifying and stopping malicious traffic. DoH queries, by contrast, are hidden within regular HTTPS traffic, meaning they cannot be easily blocked without also blocking all other HTTPS traffic.
However, from a privacy perspective, DoH is arguably better. With DoH, DNS queries are concealed within the larger flow of HTTPS traffic. This gives network administrators less visibility but provides users with more privacy.
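To make the trade-off above concrete, here is an added example (not from the original article) that runs a triage pass over a few constructed flow records, the kind a firewall or flow sensor would export. A DoT connection is labelled from its destination port alone, while a connection on port 443 can only be tied to DoH when something extra, here the TLS SNI matched against a list of resolver hostnames, gives it away; without that, DoH and ordinary web traffic look the same, so a policy that wants to block it has nothing narrower than "all HTTPS" to act on. The hostnames in KNOWN_DOH_HOSTS and every line of SAMPLE_FLOWS are assumptions made for this example, not captured data.

```python
"""Added example (not from the original article): a triage pass over constructed
flow records that shows why a network team can spot and block DoT by port alone
but cannot single out DoH without extra context. Hostnames in KNOWN_DOH_HOSTS and
every flow line are assumptions made for this example, not captured data."""
from collections import Counter
from dataclasses import dataclass

# Assumed inventory of hostnames used by public DoH resolvers (an example list a
# defender might maintain, not an authoritative one).
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google"}

# Constructed flow log: src dst proto dport sni ("-" when the sensor saw no SNI)
SAMPLE_FLOWS = """\
10.0.0.5 192.0.2.53 udp 53 -
10.0.0.5 1.1.1.1 tcp 853 -
10.0.0.7 198.51.100.10 tcp 443 cloudflare-dns.com
10.0.0.7 198.51.100.20 tcp 443 www.example.com
10.0.0.9 198.51.100.30 tcp 443 -
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    sni: str  # TLS Server Name Indication, empty if the sensor did not see one


def parse_flows(text: str) -> list[Flow]:
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, sni = line.split()
        flows.append(Flow(src, dst, proto, int(dport), "" if sni == "-" else sni))
    return flows


def classify(flow: Flow) -> str:
    """Label a flow by what the port (and SNI, when present) reveal about it."""
    if flow.dport == 53:
        return "plain-dns"      # query names readable by anyone on the path
    if flow.proto == "tcp" and flow.dport == 853:
        return "dot"            # contents encrypted, but the dedicated port gives it away
    if flow.proto == "tcp" and flow.dport == 443:
        if flow.sni in KNOWN_DOH_HOSTS:
            return "doh-known"  # identifiable only because the SNI matches the list
        return "https"          # ordinary web traffic or DoH to an unlisted resolver
    return "other"


def policy_action(flow: Flow) -> str:
    """What a 'block encrypted DNS we cannot inspect' rule can actually do per flow."""
    label = classify(flow)
    if label == "dot":
        return "block: a port 853 rule catches it without touching web traffic"
    if label == "doh-known":
        return "block: resolver-list match, the list must be kept current"
    if label == "https":
        return "allow: blocking would also block all other HTTPS"
    return "allow"


def summarize(text: str) -> dict[str, int]:
    """Count flows per label, e.g. for a daily report on encrypted-DNS visibility."""
    return dict(Counter(classify(f) for f in parse_flows(text)))


if __name__ == "__main__":
    for f in parse_flows(SAMPLE_FLOWS):
        print(f"{f.dst}:{f.dport:<4} {classify(f):<10} {policy_action(f)}")
    print(summarize(SAMPLE_FLOWS))
```

The last two sample flows are the instructive ones: one is a browser visiting a website and the other may be DoH to a resolver not on the list, and nothing in the flow record separates them. That is the visibility loss the article attributes to DoH, and also why the resolver list in this kind of rule needs ongoing maintenance rather than a one-time setup.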
What Is the Difference Between DNS over TLS/HTTPS and DNSSEC?
DNSSEC is a suite of security extensions for verifying the identity of DNS root servers and authoritative name servers in communications with DNS resolvers. It is designed to prevent DNS cache poisoning, among other attacks. It does not encrypt communications. On the other hand, DNS over TLS or HTTPS encrypts DNS queries. 1.1.1.1 also supports DNSSEC.