What is DNS over HTTPS (DoH) in browsers?


DNS over HTTPS (DoH) is a protocol that appeared in 2018 and that the main web browsers now offer. Its purpose is to protect DNS queries with a layer of encryption (HTTPS).

What is Mozilla announcing?

On February 25, 2020, Mozilla began rolling out a plan to turn on the “DNS over HTTPS” setting by default, first in the US and later elsewhere in the world. The setting, which lives in the web browser, has been activated gradually to make sure the deployment goes smoothly. In doing so, Mozilla brought a long-standing project to fruition.

Two years earlier, Mozilla had unveiled its intentions and explained the concern with DNS: it has not really benefited from the efforts to make the web more secure and private, unlike other parts of the web, such as the connections between sites and Internet users, which are now largely encrypted. Yet DNS is both a critical and an old element of the Internet’s architecture.

So it was time to upgrade it. A protocol had been in development since 2018: DNS over HTTPS (DoH). The general idea? Carry DNS queries and their responses in encrypted form by encapsulating them in the HTTPS protocol. A secure channel is thereby used, protecting the privacy of Internet users and making it harder for third parties to censor what they look up.

What is the Domain Name System (DNS)?

The Domain Name System (DNS) maps domain names to IP addresses. It is easier to handle a string of characters like www.numerama.com than the IP address of the site’s server. Thanks to this mechanism, web addresses are far more understandable and usable by everyone.

The principle of DNS, in pictures. It helps to find the right website. // Source: Claire Braikeh for Numerama

DNS is essential because it is impractical to memorize IP (Internet Protocol) addresses. These numbers work like license plates that tell servers apart. The Internet is a computer network interconnecting millions of networks and servers, so each of them must have a unique number.

What is HTTPS?

HTTPS is an acronym (HyperText Transfer Protocol Secure) that tells the Internet user that the connection between the web browser and the site being visited is encrypted and that the server has been authenticated (this says nothing about whether the site itself is trustworthy, so the user must remain cautious). This security is symbolized, in addition to the “s”, by a closed padlock, which may or may not be green. Otherwise, it is just plain HTTP, and the padlock is shown open or struck through to warn of the risk.

HTTPS is essential when visiting sites that handle sensitive or compromising information: banking, social networks, e-mail, taxes or purchases on e-commerce sites. HTTPS was not widespread in the early 2010s, but Edward Snowden’s revelations gave it a big boost.

The symbol of a secure connection, a closed padlock. // Source: Sean MacEntee

DoH: DNS plus HTTPS

The idea of the DNS over HTTPS (DoH) setting is to apply cryptography to the domain name system, so that a third party on the network cannot read the DNS queries sent by the Internet user or the responses returned to them. This makes monitoring harder, because an observer on the network path can no longer tell from DNS traffic alone who is looking up which website (although the destination IP address and the server name sent in the TLS handshake can still reveal the site to the same observer).

This is how Mozilla explains it: “This hides your browsing history from attackers on the network and prevents data collection by third parties on the network that connects your computer to the websites you visit.” In short, DoH complements HTTPS: the former hides which website you are looking up, the latter protects the data you exchange with it.
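To make the encapsulation concrete, here is an added example (it is not from the article, from Mozilla or from any resolver operator) that builds a DNS query in the standard wire format, encodes it the way a DoH client does for an HTTP GET (RFC 8484: base64url without padding, in the `dns=` query parameter), and parses a constructed response. The resolver URL is Cloudflare’s public DoH endpoint and is used only to form the request string; nothing is sent over the network, and the sample response is constructed by hand. For comparison with the DoT method mentioned at the end of this article, `dot_frame` shows the only framing difference between the two: the same message, prefixed with a two-byte length, carried over TLS on port 853 instead of inside HTTPS on port 443.

```python
import base64
import struct

# DoH (RFC 8484) does not define a new DNS format: the ordinary RFC 1035 binary
# message is carried inside an HTTPS request and response (media type
# application/dns-message). Nothing in this example touches the network.

# Cloudflare's public DoH endpoint, used here only to form the example URL.
RESOLVER_URL = "https://cloudflare-dns.com/dns-query"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal DNS query: header with RD=1 and one question (class IN).

    RFC 8484 recommends transaction ID 0 so identical GET requests are cacheable.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 octets")
        question += bytes([len(raw)]) + raw
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """Encode the message for a DoH GET: base64url with the '=' padding removed."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def dot_frame(query: bytes) -> bytes:
    """DNS over TLS (RFC 7858) carries the same message over TLS on port 853,
    with the two-octet length prefix that DNS already uses over TCP."""
    return struct.pack("!H", len(query)) + query


def read_name(msg: bytes, offset: int) -> tuple:
    """Decode a domain name at offset, following RFC 1035 compression pointers.

    Returns (name, offset just past the name as it appears in the record).
    """
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # pointer: 14-bit offset into the message
            if not jumped:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg: bytes) -> dict:
    """Parse the header, skip the question section, return A/AAAA answers as text."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    offset = 12
    for _ in range(qd):
        _, offset = read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        owner, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:       # A record
            data = ".".join(str(b) for b in rdata)
        elif rtype == 28 and rdlen == 16:   # AAAA record
            data = ":".join(rdata[i:i + 2].hex() for i in range(0, 16, 2))
        else:
            data = rdata.hex()
        answers.append({"name": owner, "type": rtype, "ttl": ttl, "data": data})
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers}


QUERY = build_query("www.example.com")

# Constructed sample response (not a real capture): QR/RD/RA flags set, the
# question echoed back, then one A record whose owner name is a compression
# pointer to offset 12, TTL 300, pointing at 192.0.2.10 (RFC 5737 test range).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + QUERY[12:]
    + b"\xc0\x0c"
    + struct.pack("!HHIH", 1, 1, 300, 4)
    + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    print("GET", doh_get_url(RESOLVER_URL, QUERY))
    print("Accept: application/dns-message")
    print("DoT framing prefix:", dot_frame(QUERY)[:2].hex())
    print(parse_response(SAMPLE_RESPONSE))
```

The encoded query for www.example.com produced here is the same string used as the GET example in RFC 8484, which is a handy way to confirm the encoding. To a middlebox, the resulting request is indistinguishable from any other HTTPS GET to that host, which is exactly why DoH is harder to filter than the DoT framing shown by `dot_frame`, whose dedicated port gives it away.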

What is the interest of the DNS over HTTPS (DoH) protocol?

As Stéphane Bortzmeyer, R&D engineer at AFNIC, the organization that manages the top-level domain assigned to France (“.fr”), explains, DNS turns out to be “the only important protocol that is not protected by cryptography, which, in a post-Snowden world, where the reality of mass surveillance has been proven by the American whistleblower, is no longer acceptable.”

New America adds that DNS “dates back to the early days of the net, before engineers made privacy and security fundamental points to include in its development. Early designers saw the net as primarily an educational tool and did not anticipate the cybersecurity and privacy challenges we face nearly 40 years later.”

What are the advantages and disadvantages of DoH?

DNS over HTTPS has one obvious advantage: it complicates monitoring, since the queries and responses between your computer and the resolver are no longer sent in the clear. Internet users thus gain privacy. DoH also makes it harder to censor websites, because blocking based on DNS becomes more complicated to implement: the traffic looks like ordinary HTTPS on port 443, and the resolver is chosen by the user rather than imposed by the network.

There are also drawbacks. One significant criticism concerns so-called lying resolvers: adding cryptography is useless if the resolver itself does not return the correct answer. Encryption protects the query on its way to the resolver; it does not vouch for what the resolver answers, so you need to use a trustworthy DNS resolver. Others feel that sending everything over HTTPS is not ideal, because the Internet was not designed to work that way.

Secure access to sites through connection encryption has become very common on the web. But we must also ensure the confidentiality of the sites we visit. // Source: Let’s Encrypt

Where to activate it in Firefox?

Go to the “Tools” menu, then “Settings”. Type “DNS” in the search field and, under “Network Settings”, click the “Settings” button. In the new window, tick “Enable DNS over HTTPS” at the very bottom and choose the provider (resolver) that suits you.

You can leave Cloudflare, which is the service used by default. Click OK and you are done. Mozilla considers Cloudflare to be a trusted resolver, as is NextDNS, the other provider on offer. Others could be added later. It is also possible to use a custom resolver; in that case you enter its DoH address yourself.

To check whether the option is in effect, you can visit 1.1.1.1/help, a diagnostic page operated by Cloudflare. If DoH is active, the corresponding line shows “Yes”. Note that this page reports on Cloudflare’s own service, so it is only meaningful if Cloudflare is the resolver you selected. Frequently asked questions are available on the Mozilla site.

The option is to be activated in Firefox settings. // Source: Screenshot

Cloudflare by default, a good choice?

Cloudflare is today one of the heavyweights of the Internet: millions of websites use its services, whether to protect themselves against attacks (DDoS), to withstand traffic peaks, to distribute content (via its CDN), or to resolve domain names. Mozilla addresses the question of this choice directly, as it is not unanimously welcomed.

In September, Stéphane Bortzmeyer judged that it was “not a good idea to send all DNS traffic to Cloudflare (because by default it is used and not everyone will change this setting).” But he also noted that “just because you don’t like Cloudflare doesn’t mean you should maintain the status quo and continue to send your DNS queries to the resolver provided by the access network.”

It is better to have an imperfect DoH than no DoH at all, until more trusted resolvers are available. This is also the view of Tavis Ormandy, a computer security specialist at Google: “Cloudflare is problematic. But, there’s no reason to think they’re not law-abiding, and Mozilla has negotiated a contract. In addition, there are plans to add other resolvers.”

In its FAQ, Mozilla states that no money changes hands for routing DNS queries through Cloudflare. In addition, monetization of the data is explicitly prohibited. Cloudflare, Mozilla adds, “has also been able to meet the strict requirements of the policy we put in place, which are written into a legally binding contract and made public.”

What about Chrome, Edge, Safari and others?

Firefox is not the only browser to adopt DNS over HTTPS. The setting can also be activated in competing browsers: Google Chrome and the programs based on Chromium, namely Microsoft Edge, Opera, Vivaldi and Brave, as Make Tech Easier points out. For each of them, that site offers a brief guide to enabling it right away.

As for Internet Explorer, DNS over HTTPS is out of the question: IE is no longer a browser Microsoft wants to invest in (except possibly to fix a critical vulnerability), and the company now focuses on Edge. For its part, Apple has not yet provided DNS over HTTPS in Safari, whether on desktop or on mobile.

With iOS 14 and macOS 11, Apple plans to support encrypted DNS. Alongside DoH, another method is supported: DoT (DNS over TLS). DoT is also found in Android, Windows and Linux. DoT rests on the same principle and serves the same purposes as DoH. The notable difference is that DoT uses a dedicated port (853), which makes it easy for a network to identify and block, whereas DoH blends in with ordinary HTTPS traffic on port 443.
