DNS Privacy Features You Should Be Using Now!
DNS is the core network service, and overlooking security improvements in the protocol could expose your privacy to unintended parties. Two controversial techniques are now available to encrypt more of your Internet traffic; recall that DNS is insecure because, by default, DNS queries are not encrypted.
DNS over TLS (Transport Layer Security), or "DoT", is an IETF standard that provides full-stream encryption between a DNS client and a DNS server. Clients and servers use TCP port 853 to establish a TLS session that secures the DNS traffic.
DNS over HTTPS (DoH) is a second IETF security protocol that addresses the security of DNS client to DNS server communication. Both DNS over TLS and DNS over HTTPS provide encryption between the DNS client and the DNS server, enabling data privacy and integrity. However, DoH uses the same TCP port as all other HTTPS traffic, port 443. DoH still lacks a fully defined discovery mechanism, which is being worked on for the next release(s).
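To make the DoH description concrete, here is an added example (not code from the original post) of what actually travels inside the HTTPS connection. RFC 8484 wraps an ordinary DNS wire-format message (RFC 1035) in HTTPS: the GET form puts the base64url-encoded query in a `?dns=` parameter, the POST form sends the raw message with `Content-Type: application/dns-message`. The resolver URL is an assumption (the post's Cloudflare address plus the `/dns-query` path used in the RFC's examples), and the response that gets parsed is a constructed sample, so nothing below needs the network except `doh_post()`, which is never called.

```python
"""Added example: build a DoH request and parse a DoH response.
Messages are plain DNS wire format (RFC 1035) carried over HTTPS (RFC 8484)."""
import base64
import struct
import urllib.request

# Assumed endpoint: the post's Cloudflare address plus the RFC 8484 example path.
DOH_URL = "https://1.1.1.1/dns-query"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a DNS query for `name` (qtype 1 = A). RFC 8484 recommends
    txid 0 so identical queries yield identical, cacheable GET URLs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """GET form: base64url with the '=' padding removed (RFC 8484 section 4.1)."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def doh_post(resolver_url: str, query: bytes, timeout: float = 5.0) -> bytes:
    """POST form. Needs network access; not exercised by the sample below."""
    req = urllib.request.Request(
        resolver_url, data=query, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a domain name, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appeared at `off`)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier name
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = off + 1
            return ".".join(labels), end
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_answers(msg: bytes) -> list[tuple[str, int, int, object]]:
    """Return (name, type, ttl, rdata) for each answer record; A records
    are rendered as dotted quads, everything else is left as raw bytes."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):  # skip the question section
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return answers


# Constructed sample response: one A record for example.test, with the
# answer name compressed as a pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    + b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    q = build_query("example.test")
    print(doh_get_url(DOH_URL, q))
    print(parse_answers(SAMPLE_RESPONSE))
```

Two things the code makes visible that the prose does not: the query bytes are identical to what a plaintext UDP lookup would send (only the transport changes, which is why a DoH resolver and a classic resolver answer the same way), and on the wire the whole thing is just an HTTPS request to port 443, indistinguishable by port from any other web traffic.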
Sounds great, right? Well, it depends on who owns the device and what they are attempting to control and track!
Put another way: when used outside of an enterprise environment, yes, these enhancements help secure individuals' Internet usage. On the other hand, they will hinder enterprises in their ability to control and audit their defenses against malware!
Browsers - What is supported and as of when?
- Apple Safari - support for DoT and DoH since '20
- Brave - no support for DoT; does for DoH since '22
- Chrome - no support for DoT; does for DoH since '20
- Firefox (FF) - support for DoT and DoH since '20
- Microsoft Edge (based upon Chrome) - no support for DoT; does for DoH since '20
- Opera - support for DoT and DoH since '20
OS Level
- Apple was the first to allow DoT and DoH modifications, wreaking havoc on enterprise networks in '21. Apple went all in on encrypting everything DNS related.
- Microsoft followed in '22 with OS modifications in Windows
- Linux - a couple of different ways to enable it: 'stubby' for Ubuntu, systemd-resolved for Debian and RHEL
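For the systemd-resolved route, the setting that matters is not just "on or off". Here is an added example (not from the original post) that audits a resolved.conf-style configuration for DoT. In the `[Resolve]` section, `DNS=` lists the upstream servers, each optionally followed by `#` and the hostname the TLS certificate is validated against, and `DNSOverTLS=` takes `yes`, `opportunistic` or `no`. `opportunistic` falls back to cleartext port 53 when TLS cannot be negotiated, so only `yes` guarantees encryption; repeated `DNS=` lines accumulate and an empty `DNS=` resets the list. The sample configs are constructed, and the `#` hostnames are the operators' published resolver names, assumed here rather than taken from the post.

```python
"""Added example: audit systemd-resolved [Resolve] settings for DNS over TLS."""


def parse_resolve_section(text: str) -> tuple[list[str], str]:
    """Return (servers, DNSOverTLS mode) from resolved.conf-style text.
    When DNSOverTLS= is absent, systemd-resolved's default is 'no'."""
    section, servers, mode = None, [], "no"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or comment (e.g. the shipped '#DNS=' lines)
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Resolve" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "DNS":
            if value == "":
                servers = []  # an empty assignment resets the accumulated list
            else:
                servers.extend(value.split())
        elif key == "DNSOverTLS":
            mode = value.lower()
    return servers, mode


def audit(text: str) -> dict:
    """Classify the config and list the reasons it may still leak queries."""
    servers, mode = parse_resolve_section(text)
    findings = []
    if mode == "no":
        findings.append("DNSOverTLS=no: queries leave in cleartext on port 53")
    elif mode == "opportunistic":
        findings.append("DNSOverTLS=opportunistic: downgrades to cleartext if TLS fails")
    elif mode != "yes":
        findings.append(f"DNSOverTLS={mode!r} is not a recognised value")
    if not servers:
        findings.append("no DNS= upstreams in [Resolve]; only per-link (e.g. DHCP) resolvers apply")
    for server in servers:
        address, _, tls_name = server.partition("#")
        if not tls_name:
            findings.append(f"{address}: no '#hostname', so the certificate is not matched by name")
    return {
        "servers": servers,
        "mode": mode,
        "encrypted_only": mode == "yes" and bool(servers),
        "findings": findings,
    }


# Constructed sample: looks encrypted, but can silently drop to plaintext.
WEAK_CONF = """\
[Resolve]
DNS=1.1.1.1 8.8.8.8
DNSOverTLS=opportunistic
"""

# Constructed sample: strict DoT with certificate names for the post's resolvers.
STRICT_CONF = """\
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com
DNS=9.9.9.9#dns.quad9.net
DNSOverTLS=yes
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("strict", STRICT_CONF)):
        print(label, audit(conf))
```

To use it on a real box, feed it `/etc/systemd/resolved.conf` (and any drop-ins under `/etc/systemd/resolved.conf.d/`). After changing the file, restart `systemd-resolved` and confirm with `resolvectl status`, which reports the DNSOverTLS setting in effect; the point of the audit is that `opportunistic` reads as "encrypted" to a casual glance while still allowing a downgrade.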
Top DoT resolvers (no charge)
- 1.1.1.1 - Cloudflare
- 8.8.8.8 - Google
- 9.9.9.9 - Quad9
Top DoH resolvers (no charge)
- 1.1.1.1 - Cloudflare
- 8.8.8.8 - Google
- 9.9.9.9 - Quad9
Test your browser
https://1.1.1.1/help (site run and sponsored by Cloudflare)
If you are using an enterprise computing asset (laptop/tablet), your employer might already have these settings turned on so that they can control and monitor when and where you go with their asset. I would not attempt to change pre-defined enterprise settings, as that might be a resume generating event. As an individual user, you would be sending unencrypted queries to a centralized resolver. Do you really want to do that? (Think DeFi.) Spread the love: rotate which DoT/DoH resolver you use.
Summary - for individuals, enabling DoT and/or DoH goes a long way toward protecting Internet privacy. For enterprises, you need to set up your own internal encrypted DoT and DoH resolvers so that a huge layer of defense is not lost, because malware has already been found using these new DNS encryption techniques! This means that if you are using a corporate asset and attempt to apply your own DoT/DoH settings, they might get overwritten by the enterprise security overlords. No worries: set it up on your personal assets to stay protected.
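The enterprise half of that summary comes down to visibility: which clients are resolving names somewhere other than the internal resolver? Here is an added example (not from the original post) of a first-pass triage over connection logs. DoT is easy to spot because it sits on TCP 853; DoH to the public resolvers the post lists can be picked out by destination address on TCP 443, but DoH to any other HTTPS host looks like ordinary web traffic, which is exactly why the post says to run your own DoT/DoH resolvers and point clients at them. The log format, the client addresses and the internal resolver address (10.0.0.53) are all constructed.

```python
"""Added example: triage connection logs for DNS traffic bypassing the internal resolver."""
from collections import Counter

PUBLIC_RESOLVERS = {"1.1.1.1", "8.8.8.8", "9.9.9.9"}  # the resolvers listed in the post
INTERNAL_RESOLVERS = {"10.0.0.53"}                      # assumed enterprise DoT/DoH resolver
BYPASS_LABELS = {"dot-external", "doh-external-likely", "plain-dns-external"}


def classify_flow(dst: str, dport: int, proto: str) -> str:
    """Label one flow by destination and port. Only the internal resolver is
    'good'; everything else that looks like DNS is a bypass to follow up on."""
    if dst in INTERNAL_RESOLVERS:
        return "internal-resolver"
    if proto == "tcp" and dport == 853:
        return "dot-external"  # DoT has its own port, so it is unambiguous
    if proto == "tcp" and dport == 443 and dst in PUBLIC_RESOLVERS:
        # Only 'likely': 443 to 1.1.1.1 is also the resolver's web site,
        # e.g. the https://1.1.1.1/help test page the post links to.
        return "doh-external-likely"
    if dport == 53:
        return "plain-dns-external"
    return "other"  # includes DoH to a host we have no address list for


def triage(lines: list[str]) -> tuple[dict, list[tuple[str, str, int, str]]]:
    """Count flows per label and return the (src, dst, port, label) bypasses."""
    counts: Counter = Counter()
    bypassing = []
    for line in lines:
        _ts, src, dst, dport, proto = line.split()
        label = classify_flow(dst, int(dport), proto)
        counts[label] += 1
        if label in BYPASS_LABELS:
            bypassing.append((src, dst, int(dport), label))
    return dict(counts), bypassing


# Constructed sample log: "timestamp src dst dport proto".
FLOW_LOG = """\
2024-01-01T09:00:01 10.0.5.21 10.0.0.53 853 tcp
2024-01-01T09:00:02 10.0.5.21 10.0.0.53 53 udp
2024-01-01T09:00:05 10.0.5.22 1.1.1.1 853 tcp
2024-01-01T09:00:07 10.0.5.23 8.8.8.8 443 tcp
2024-01-01T09:00:09 10.0.5.23 203.0.113.7 443 tcp
2024-01-01T09:00:11 10.0.5.24 9.9.9.9 53 udp
""".splitlines()

if __name__ == "__main__":
    counts, bypassing = triage(FLOW_LOG)
    print(counts)
    for entry in bypassing:
        print("bypass:", entry)
```

The line to 203.0.113.7 is the caveat in code form: it is classified as "other" even though it could be DoH to a resolver not on the list, so address lists only catch the well-known endpoints. An internal resolver that clients are configured (or forced by policy) to use, plus a rule that flags anything else on 853 or 53, gives the enterprise back the visibility the post describes while still keeping queries encrypted on the wire.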