DNS over HTTPS
What follows assumes you already understand DNS itself. Cloudflare has a good introduction: https://www.cloudflare.com/learning/dns/what-is-dns/
What is DNS over HTTPS (DoH)?
DNS over HTTPS, now commonly referred to as DoH, is a newer protocol that sends DNS queries and responses over HTTPS, so the DNS traffic is encrypted in transit.
What is the difference between DoH and DoT?
The difference between DoH and DoT (DNS over TLS) is, first, that DoH is TCP and DoT is UDP. DoT just uses TLS to encrypt the UDP DNS packet, whereas DoH carries the DNS request and response inside a full TCP session, just like HTTPS. DoT also uses port 853, whereas DoH uses port 443 like all other HTTPS traffic.
Do all DNS servers support DoH natively?
No. DNS servers must be explicitly configured to support DoH, and currently only a limited number of servers do. The best-known servers that support DoH are Cloudflare's. https://www.cloudflare.com/learning/dns/dns-over-tls/
Can a firewall block DoH?
Currently no signature exists that can block DoH traffic specifically, because it looks just like all other HTTPS traffic. What one can do is block the known list of DNS servers that support DoH, which is currently a short one. Here are links to some of the known servers: https://github.com/bambenek/block-doh and https://dnscrypt.info/public-servers/
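The blocklist approach above works because, even though the HTTPS session itself is opaque, a client still has to resolve the resolver's hostname and connect to a known IP. Here is an added example (not from the original page or the linked lists) that scans DNS query logs and connection logs for those two tells and emits matching egress rules. The hostnames, IPs and log lines are constructed for the example; a real deployment would load the published lists linked above instead.

```python
import re

# Constructed blocklist for the example. In practice, load the published lists
# (github.com/bambenek/block-doh, dnscrypt.info/public-servers) instead.
DOH_HOSTNAMES = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
DOH_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}
DOT_PORT = 853    # port assigned to DNS over TLS
HTTPS_PORT = 443  # DoH hides among ordinary HTTPS

# Constructed sample log lines (not from any real system).
DNS_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 query A example.com",
    "2024-01-01T10:00:01Z 10.0.0.5 query A cloudflare-dns.com",
    "2024-01-01T10:00:02Z 10.0.0.7 query AAAA mozilla.cloudflare-dns.com",
    "2024-01-01T10:00:03Z 10.0.0.7 query A notcloudflare-dns.com",
]
CONN_LOG = [
    "2024-01-01T10:00:04Z 10.0.0.5 -> 1.1.1.1:443 tcp",
    "2024-01-01T10:00:05Z 10.0.0.5 -> 203.0.113.34:443 tcp",
    "2024-01-01T10:00:06Z 10.0.0.9 -> 198.51.100.9:853 tcp",
]

DNS_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")
CONN_RE = re.compile(r"^(\S+) (\S+) -> ([\d.]+):(\d+) (\w+)$")


def is_doh_hostname(name: str) -> bool:
    """Exact or subdomain match against the list (so mozilla.cloudflare-dns.com hits,
    but a look-alike such as notcloudflare-dns.com does not)."""
    name = name.rstrip(".").lower()
    return any(name == h or name.endswith("." + h) for h in DOH_HOSTNAMES)


def scan_dns_log(lines):
    """Flag clients resolving the name of a known DoH resolver (the bootstrap step)."""
    findings = []
    for line in lines:
        m = DNS_RE.match(line)
        if m and is_doh_hostname(m.group(4)):
            findings.append({"ts": m.group(1), "client": m.group(2),
                             "reason": "lookup of DoH resolver " + m.group(4)})
    return findings


def scan_conn_log(lines):
    """Flag HTTPS to listed resolver IPs, and any traffic to the DoT port."""
    findings = []
    for line in lines:
        m = CONN_RE.match(line)
        if not m:
            continue
        ts, client, dst, port, _proto = m.groups()
        port = int(port)
        if port == HTTPS_PORT and dst in DOH_IPS:
            findings.append({"ts": ts, "client": client,
                             "reason": f"HTTPS to known DoH resolver {dst}"})
        elif port == DOT_PORT:
            findings.append({"ts": ts, "client": client,
                             "reason": f"connection to DoT port on {dst}"})
    return findings


def egress_block_rules():
    """iptables-style rules: listed IPs on 443, plus everything on 853.
    Returned as strings for review; nothing is applied here."""
    rules = [f"iptables -A OUTPUT -d {ip} -p tcp --dport {HTTPS_PORT} -j REJECT"
             for ip in sorted(DOH_IPS)]
    rules.append(f"iptables -A OUTPUT -p tcp --dport {DOT_PORT} -j REJECT")
    return rules


if __name__ == "__main__":
    for finding in scan_dns_log(DNS_LOG) + scan_conn_log(CONN_LOG):
        print(finding)
    print("\n".join(egress_block_rules()))
```

The caveat is the one the text already gives: the list is only as good as its freshness. A resolver that is not on it, or one reached by IP without a prior name lookup, produces nothing here, so treat this as coverage for known public resolvers rather than a general DoH detector.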
What is the purpose of DoH?
DoH provides an additional layer of security for DNS lookups. With the current DNS protocol, any ISP or router on the path of the lookup request can see exactly which websites an IP is visiting, which allows that data to be collected and resold.
What web browsers support DoH?
Currently Firefox and Chromium support DoH. Chromium is the core base for such browsers as Chrome, Edge (Chromium) and Opera.
Here are links to their how-tos for enabling DoH:
Firefox – https://support.mozilla.org/en-US/kb/firefox-dns-over-https
Chrome – https://www.howtogeek.com/660088/how-to-enable-dns-over-https-in-google-chrome/
Opera – https://blogs.opera.com/desktop/2019/09/opera-65-0-3430-0-developer-update/
Here is an article that contains several browsers: https://www.zdnet.com/article/dns-over-https-will-eventually-roll-out-in-all-major-browsers-despite-isp-opposition/