DoT & DoH

DNS Privacy Features you should be using; Now!

By Keith Thuerk | New to Crypto's? | 25 Jan 2023

DNS is the core network service, and overlooking security improvements in the protocol could expose your privacy to unintended parties. Recall that DNS is insecure because, by default, DNS queries are not encrypted. Two controversial techniques are now available to encrypt more of that Internet traffic.

DNS over TLS (Transport Layer Security), or “DoT”, is an IETF standard that provides full-stream encryption between a DNS client and a DNS server. Clients and servers use TCP port 853 to establish a TLS session that secures the DNS traffic.

DNS over HTTPS (DoH) is a second IETF security protocol that addresses the security of DNS client to DNS server communication. Both DNS over TLS and DNS over HTTPS encrypt the traffic between the DNS client and the DNS server, providing data privacy and integrity. However, DoH uses the same TCP port as other HTTPS traffic, port 443. DoH still lacks a fully defined discovery mechanism, which is being worked on for the next release(s).
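To make the transport difference concrete, here is an added example (not code from the original article) that builds one DNS query in wire format, frames it for DoT with the two-octet length prefix that RFC 7858 inherits from DNS over TCP, and encodes the same message into an RFC 8484 DoH GET URL. The "/dns-query" path under 1.1.1.1 is an assumption, since the article lists only the resolver address; the live DoT helper needs network access and a resolver name its certificate can be checked against.

```python
import base64
import socket
import ssl
import struct

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 wire-format query: 12-byte header plus one question (QTYPE A, QCLASS IN by default)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD (recursion desired)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def frame_for_dot(msg: bytes) -> bytes:
    """DoT (RFC 7858) keeps DNS-over-TCP framing: a two-octet big-endian length before each message."""
    return struct.pack(">H", len(msg)) + msg

def unframe_dot(buf: bytes) -> bytes:
    """Strip the DoT length prefix, refusing a buffer that does not hold the whole message."""
    (length,) = struct.unpack(">H", buf[:2])
    if len(buf) < 2 + length:
        raise ValueError("truncated DoT message")
    return buf[2:2 + length]

def doh_get_url(msg: bytes, endpoint: str) -> str:
    """DoH GET (RFC 8484): the wire-format message rides in ?dns= as base64url without '=' padding."""
    enc = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={enc}"

def response_summary(msg: bytes) -> tuple:
    """Return (txid, rcode, answer_count) from a wire-format response header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    return txid, flags & 0x000F, an

def query_over_dot(name: str, resolver_ip: str, server_name: str) -> tuple:
    """Send one A query over TLS to port 853 and summarise the reply (needs network access)."""
    ctx = ssl.create_default_context()  # verifies the resolver certificate against server_name
    with socket.create_connection((resolver_ip, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame_for_dot(build_query(name)))
            f = tls.makefile("rb")
            (length,) = struct.unpack(">H", f.read(2))
            return response_summary(f.read(length))

if __name__ == "__main__":
    q = build_query("example.com")
    print("DoT frame (hex):", frame_for_dot(q).hex())
    # Endpoint path below is an assumed value; the article lists only the resolver IP 1.1.1.1.
    print("DoH GET URL    :", doh_get_url(q, "https://1.1.1.1/dns-query"))
```

The same 29-byte message is what a port-853 DoT session and a port-443 DoH request carry; only the framing around it differs.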

Sounds great, right? Well, it depends on who owns the device and what they are attempting to control and track!


Put another way: when used outside of an enterprise environment, yes, these enhancements help secure an individual's internet usage. On the other hand, they will hinder enterprises in their ability to control and audit defenses against malware!

Browsers - What is supported and as of when?

  • Apple Safari - support for DoT, and DoH since '20
  • Brave - no support for DoT, does for DoH since '22
  • Chrome - no support for DoT, does for DoH since '20
  • Firefox (FF) - support for DoT, and DoH since '20
  • Microsoft Edge (based upon Chrome) - no support for DoT, does for DoH since '20
  • Opera - support for DoT, and DoH since '20

OS Level

  • Apple was the first to allow DoT and DoH modifications, wreaking havoc on enterprise networks in '21. Apple went all in on encrypting everything DNS related.
  • Microsoft followed in '22 with OS modifications in Windows.
  • Linux - a couple of different ways to enable it: 'stubby' for Ubuntu, systemd-resolved for Debian and RHEL.

Top DoT resolvers (no charge)

  • 1.1.1.1 - Cloudflare
  • 8.8.8.8 - Google
  • 9.9.9.9 - Quad9

Top DoH resolvers (no charge)

  • 1.1.1.1 - Cloudflare
  • 8.8.8.8 - Google
  • 9.9.9.9 - Quad9

Test your browser

https://1.1.1.1/help (site run and sponsored by Cloudflare)

If you have an enterprise computing asset (laptop/tablet), it might already have these settings turned on so that the enterprise can control and monitor when and where you visit with its asset. I would not attempt to change pre-defined enterprise settings, as that might be a resume-generating event. As an individual user you would be sending unencrypted queries to a centralized resolver. Do you really want to do this? (Think DeFi.) Spread the love: rotate which DoT/DoH resolver you utilize.

Summary - for individuals, enabling DoT and/or DoH goes a long way toward protecting internet privacy. For enterprises, you need to set up your own internal encrypted DoT and DoH resolvers so that a huge layer of defense is not lost, as malware has already been found using these new DNS encryption techniques! This means that if you are using a corporate asset and attempt to apply your own DoT/DoH-enabled settings, they might get overwritten by the enterprise security overlords. No worries, set it up on your personal assets to stay protected.
