Give us a call: (800) 252-6164

What Is DNS Over HTTPS & How Do I Use It In 2024?

March 31, 2023 | By David Selden-Treiman | Filed in: DNS.

The TL-DR

DNS Over HTTPS (DoH) is a protocol that encrypts DNS queries by sending them within HTTPS traffic, enhancing privacy and security while browsing the internet.

Introduction

In today’s internet-connected world, we rely heavily on the Domain Name System (DNS) to help us access websites and services. DNS acts as the internet’s phone book, translating human-readable domain names like “example.com” into IP addresses that computers can understand. This process is essential because it makes browsing the web a lot easier for users, who would otherwise have to memorize complex IP addresses for each website they want to visit.

However, traditional DNS comes with its own set of vulnerabilities, such as privacy concerns and security risks. These issues arise because DNS requests are typically sent in plaintext, which leaves them exposed to potential eavesdropping, DNS spoofing, and man-in-the-middle attacks.

To address these challenges, DNS Over HTTPS (DoH) was introduced as a more secure and privacy-focused alternative to the traditional DNS protocol. DoH works by encapsulating DNS requests within HTTPS traffic, thereby providing encryption and protecting the data from prying eyes. This added layer of security helps keep your browsing activity private and makes it much more difficult for bad actors to tamper with DNS records or intercept your internet traffic.

How Does DNS Over HTTPS Work?

HTTPS

DNS Over HTTPS (DoH) builds upon the foundation of HTTPS, which is the secure version of the widely used Hypertext Transfer Protocol (HTTP). HTTPS ensures that data exchanged between a client and a server is encrypted, making it much more difficult for unauthorized parties to access or manipulate the information. DoH takes this concept and applies it to DNS queries, resulting in a more secure way of handling DNS requests.

DNS Over HTTPS Mechanism

The mechanism of DoH is quite straightforward. When you enter a website URL in your browser, instead of sending a traditional DNS query, the DoH client sends the query as an HTTPS request. This request is then encrypted and sent to the DoH server, which processes the DNS query and returns the corresponding IP address as an HTTPS response. This entire process is encrypted, ensuring that your DNS queries remain private and secure.

Benefits Over Traditional DNS

Using DoH offers several advantages over traditional DNS. The encrypted communication provides increased privacy, as your browsing activity is no longer visible to potential eavesdroppers or intermediaries, such as Internet Service Providers (ISPs). Additionally, DoH can help bypass DNS-based content filtering or censorship, as the encrypted DNS queries are harder to monitor or block.

Implementing DNS Over HTTPS

Browser Implementation

Implementing DNS Over HTTPS (DoH) has become increasingly accessible, thanks to growing support from various browsers, operating systems, and public DoH providers. Many popular browsers, such as Firefox, Chrome, and Edge, have integrated DoH capabilities, allowing users to easily enable the feature and choose their preferred DoH provider. Operating systems like Windows, macOS, and Linux have also started to support DoH, making it possible to apply this secure protocol system-wide, rather than just on a per-browser basis.

Public DNS Over HTTPS Servers

When it comes to DoH servers, you can choose from a variety of public DoH providers, such as Google, Cloudflare, and Quad9. These providers offer reliable and secure DoH services that can be used without much configuration. Alternatively, if you prefer to have more control over your DNS infrastructure, you can set up your own DoH server using open-source solutions like dns-over-https, dnsdist, or Nginx.

Configuring DNS Over HTTPS

Configuring DoH is generally a straightforward process. For browsers, you’ll typically find the option to enable DoH within the settings menu, where you can also choose your preferred DoH provider. To set up DoH on an operating system level, you’ll need to follow specific instructions for your OS, which may involve editing configuration files or using third-party tools. When selecting a DoH provider, it’s essential to consider factors such as privacy policies, server locations, and performance to ensure you’re making the best choice for your needs.

Setting Up Nginx for DNS Over HTTPS

Setting up Nginx as a DNS Over HTTPS (DoH) gateway can be a great way to gain more control over your DNS infrastructure while ensuring the privacy and security of your DNS queries. Here’s a step-by-step guide on how to configure Nginx as a DoH gateway:

Install Nginx

First, ensure you have Nginx installed on your server. If you don’t already have it installed, you can follow the official Nginx installation instructions for your operating system.

Obtain an SSL/TLS Certificate

To use DoH, you’ll need a valid SSL/TLS certificate for your domain. You can either purchase one from a Certificate Authority (CA) or obtain a free certificate from Let’s Encrypt. If you choose Let’s Encrypt, you can use the Certbot tool to automate the process of obtaining and renewing your certificates.

Install and configure dnsproxy: Nginx doesn’t support DoH natively, so you’ll need to use a DNS proxy like dnsproxy to handle DoH requests. Install dnsproxy on your server and configure it to listen for incoming DNS-over-HTTPS requests on a specific port (e.g., 8053). Make sure to set the upstream DNS resolver to a trusted DNS server, such as Google Public DNS (8.8.8.8) or Cloudflare DNS (1.1.1.1).

Configure Nginx

Now, you’ll need to configure Nginx as a reverse proxy to forward DoH requests to dnsproxy. Create a new Nginx server block or modify an existing one to include the following settings:

server {
    listen 443 ssl http2;
    server_name doh.example.com;  # Replace with your domain name

    ssl_certificate /path/to/fullchain.pem;  # Replace with the path to your SSL/TLS certificate
    ssl_certificate_key /path/to/privkey.pem;  # Replace with the path to your private key

    location /dns-query {
        proxy_pass http://127.0.0.1:8053;  # Replace with the IP address and port where dnsproxy is listening
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Make sure to replace the placeholders (domain name, certificate paths, and proxy_pass address) with the appropriate values for your setup.

Restart Nginx

Save the configuration and restart Nginx to apply the changes. You can typically do this by running the following command:

sudo systemctl restart nginx

Test your DoH gateway

Once everything is set up, you can test your new DoH gateway using a DoH client like curl:

curl -H 'Content-Type: application/dns-message' --data-binary @query.bin https://doh.example.com/dns-query > response.bin

Replace “doh.example.com” with your domain name and ensure that you receive a valid DNS response.

By following these steps, you’ll have a functional Nginx-based DoH gateway that can handle encrypted DNS queries, providing you with greater privacy and security while browsing the web.

Potential Drawbacks of HTTPS

While DNS Over HTTPS (DoH) offers enhanced security and privacy for your browsing experience, it’s essential to be aware of some potential drawbacks and concerns you might encounter.

Centralization

One concern is the centralization of DoH services. With a limited number of public DoH providers, there’s a risk of concentrating too much control in the hands of a few organizations. This could potentially impact privacy and net neutrality in the long run. As you choose a DoH provider, it’s crucial to evaluate their privacy policies and track records to ensure you’re making an informed decision.

Bypassing Local DNS Policies

Another potential issue is that DoH can inadvertently bypass local DNS policies. For example, in corporate or educational networks, administrators might have implemented specific DNS-based restrictions or filtering to maintain security and compliance. Similarly, parents might use DNS-based parental controls to protect their children from inappropriate content. By using DoH, you could bypass these measures, which might lead to conflicts or unintended consequences. It’s essential to consider the context in which you’re using DoH and make sure you’re not violating any rules or policies.

Performance

Lastly, performance could be a concern when using DoH. The encryption and decryption process can introduce some additional latency to your DNS queries, potentially impacting browsing speed. Moreover, the server load and capacity of your chosen DoH provider can also influence performance. To minimize these issues, you may want to test different DoH providers and select one that offers the best balance between privacy, security, and performance for your specific needs.

Alternatives to DNS Over HTTPS

As you explore secure DNS solutions, it’s important to know that there are alternatives to DNS Over HTTPS (DoH) that provide similar security and privacy benefits. These alternatives can be helpful if you’re looking for a different approach to protect your DNS queries.

DNS Over TLS

One such alternative is DNS Over TLS (DoT). Like DoH, DoT encrypts DNS traffic between the client and the server. However, instead of using HTTPS as the transport mechanism, it relies on the Transport Layer Security (TLS) protocol. The main differences between DoH and DoT are related to their implementation and transport methods. While DoH hides DNS traffic within regular HTTPS traffic, making it harder to detect, DoT uses a dedicated port (port 853), which makes it more straightforward for network administrators to manage and filter if needed.

DNSCrypt

Another option is DNSCrypt, which also focuses on encrypting DNS traffic between the client and the server. While it predates both DoH and DoT, it’s not as widely adopted. DNSCrypt uses its own protocol and a unique set of encryption methods, but like DoH and DoT, it aims to enhance the privacy and security of DNS queries.

DNS Over QUIC

More recently, DNS Over QUIC (DoQ) has emerged as a protocol that combines DNS with QUIC. QUIC is designed to improve upon the performance of traditional transport protocols like TCP and TLS, especially in situations with high latency or packet loss. By combining DNS with QUIC, DoQ aims to provide the security and privacy benefits of DoH and DoT while potentially offering improved performance and connection reliability.

Conclusion

In conclusion, securing your DNS traffic is an essential aspect of maintaining your online privacy and security. DNS Over HTTPS (DoH) is a valuable solution that can protect your DNS queries by encapsulating them within encrypted HTTPS traffic. However, as you evaluate your options, remember that there are alternatives to DoH, such as DNS Over TLS (DoT), DNSCrypt, and the more recent DNS Over QUIC (DoQ), each offering its own set of benefits and trade-offs.

As you explore these secure DNS options, it’s crucial to consider factors like privacy, security, performance, and compatibility with your existing infrastructure. Understanding the potential drawbacks and concerns associated with each solution will help you make informed decisions and choose the best approach for your specific needs. By taking the time to research and implement a secure DNS solution, you can significantly enhance your online security and privacy, making your browsing experience more enjoyable and worry-free.

David Selden-Treiman, Director of Operations at Potent Pages.

David Selden-Treiman is Director of Operations and a project manager at Potent Pages. He specializes in custom web crawler development, website optimization, server management, web application development, and custom programming. Working at Potent Pages since 2012 and programming since 2003, David has extensive expertise solving problems using programming for dozens of clients. He also has extensive experience managing and optimizing servers, managing dozens of servers for both Potent Pages and other clients.


Tags:

Comments are closed here.

What Is The Best Web Hosting Provider?

Finding the best web hosting provider for your needs is an important step in optimizing your website. There's a lot to consider. Here are our basic recommendations:

Simple Websites

For simple websites, you have a lot of options. Most web hosts will do acceptably for a simple small-business website or blog.

That said, we recommend avoiding website builders so that you maintain control of your website.

VPS Hosting

If you just need a simple VPS, most providers will work well. Different providers have different downtimes, but the big differentiators are cost.

Providers like AWS and Google Cloud tend to be much more expensive than more specialized providers.

We recommend Digital Ocean and Hetzner if you're looking for a good VPS provider at a good price (it's what we use.)

High Performance Hosting

If you're looking for high performance web hosting, you're going to need something more specialized.

You can't just expect a simple cPanel host to give you what you'll need. You need a custom configuration.

Generally, you'll need either a managed host, or you'll need to get your servers configured with custom configurations.

If you're looking for a high performance hosting provider, we offer hosting designed for high-availability and high-traffic.

WordPress Hosting

What WordPress Hosting Should You Get?

There are many considerations when getting a WordPress hosting provider. Focus on the performance needs of your website.

WordPress Hosting Setup

When setting up your WordPress hosting, or switching hosts, there are a number of steps to complete. These include:

WordPress & Security

There are a number of WordPress security threats to contend with. We recommend using a plugin like WordFence to help secure your site.

WordPress Backups

Make sure to also back-up your site. It's absolutely essential, and ideally use an off-site backup provider that's different from your hosting provider.

WordPress Speed Improvements

There are a number of ways to improve the speed of your WordPress site on its hosting.

There are a number of plugins that can help improve your site's speed.

DNS

DNS Records

There are many different types of records, each with their own purpose. These include: SOA, A, TXT, CNAME, PTR (reverse DNS), and more. On some servers, you can also set up wildcard records.

The records you need will depend on what you're doing; WordPress sites require different records than mail servers, for example.

Propagation

The process of your records transmitting to DNS servers around the world is called propagation. It normally takes 48 hours, but you can speed it up a bit with some planning.

Testing

To test your DNS records, there are 2 main tools: dig and nslookup. Each is very helpful in its own specialty.

Reliability & Security

There are a number of ways to improve your DNS reliability and security.

  • Split Horizon allows you to separate networks, either for intranets or for separating by geographic region.
  • GeoDNS allows you to give different records to different locations based on the requesting IP address. This allows you to create your own CDN, speeding up your site.
  • DNS over QUIC speeds up your DNS requests and gives you better DNS security by encrypting your DNS connection.
  • DNSSEC allows you to sign and encrypt your DNS connection, ensuring that nobody is changing your records.
  • DNS over HTTPS allows your visitors to request your DNS records over an encrypted connection.

Internationalized Domains

Internationalized domain names allow character encodings other than Latin characters. They have their own methods for backward compatibility.

Scroll To Top