DNS over HTTPS

from Wikipedia, the free encyclopedia

DNS over HTTPS (DoH) is a protocol for performing DNS resolution over the HTTPS protocol. Its goal is to increase the privacy and security of users by preventing eavesdropping on and tampering with DNS data through man-in-the-middle attacks. Beyond security, further goals of DNS over HTTPS are to improve performance and to prevent DNS-based censorship measures. DNS over HTTPS was standardized as RFC 8484 on October 19, 2018.

Since March 2018, Google and Mozilla have been testing versions of DNS over HTTPS.

Differences from other protocols

By default, DNS queries are transmitted unencrypted over UDP. There are currently three options for encrypting them: DNS over HTTPS, DNS over TLS (DoT) and DNSCrypt. DNS over TLS sends ordinary DNS requests through a TLS tunnel, whereas DNS over HTTPS establishes an HTTPS connection for this purpose. With the latter, if the DNS provider also serves a website on port 443, an observer cannot tell whether a given packet is a DNS request. DNS over TLS, however, is much faster. The third variant, DNSCrypt, also offers encryption and authentication of DNS queries, but is based on its own protocol, which has not yet been submitted to the Internet Engineering Task Force (IETF) as a Request for Comments (RFC) for standardization. A further option in the future is the DNS over QUIC protocol, which is currently being standardized.
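As an added example (not part of the article), the following Python shows the visibility difference described above from a network defender's side: plaintext DNS and DNS over TLS are recognizable by their ports, whereas DNS over HTTPS on port 443 can only be attributed by matching the destination address or TLS server name against a list of known resolver endpoints. The flow-log format and the sample records are constructed; the resolver addresses and hostnames are those listed in the article's table of public DNS servers, and the DNS over QUIC port (UDP 853) is taken from RFC 9250, which postdates the article.

```python
"""Classify constructed flow records by which DNS transport they can be attributed to.

Added example, not from the article. Flow-log format and records are constructed;
resolver addresses/hostnames are those in the article's table of public DoH servers.
"""
import ipaddress

# Resolver addresses from the article's table (assumption: the list is complete and current).
KNOWN_DOH_ADDRESSES = {ipaddress.ip_address(a) for a in [
    "185.228.168.168", "185.228.168.169", "2a0d:2a00:1::", "2a0d:2a00:2::",   # Clean Browsing
    "1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001",     # Cloudflare
    "185.95.218.42", "185.95.218.43", "2a05:fc84::42", "2a05:fc84::43",       # Digitale Gesellschaft
    "8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "2001:4860:4860::8844",     # Google Public DNS
    "9.9.9.9", "149.112.112.112", "2620:fe::fe", "2620:fe::9",                # Quad9
]}
# DoH hostnames from the same table, matched against the TLS SNI if the flow log records it.
KNOWN_DOH_HOSTNAMES = {
    "doh.cleanbrowsing.org", "cloudflare-dns.com", "dns.digitale-gesellschaft.ch",
    "dns.google.com", "dns.quad9.net",
}


def classify_flow(proto: str, dst_ip: str, dst_port: int, sni):
    """Label one flow. Only port 443 needs endpoint knowledge; the other transports expose themselves."""
    if dst_port == 53:
        return "plaintext DNS"
    if proto == "tcp" and dst_port == 853:
        return "DNS over TLS"            # dedicated port, visible without decryption
    if proto == "udp" and dst_port == 853:
        return "DNS over QUIC"           # RFC 9250 port, beyond the article's date
    if dst_port == 443:
        if (sni and sni in KNOWN_DOH_HOSTNAMES) or ipaddress.ip_address(dst_ip) in KNOWN_DOH_ADDRESSES:
            return "HTTPS to known DoH resolver"
        return "HTTPS (DoH indistinguishable from web traffic)"
    return "other"


def parse_flow_line(line: str):
    """Constructed log format: '<proto> <dst_ip> <dst_port> <sni-or-dash>'."""
    proto, dst_ip, port, sni = line.split()
    return proto, dst_ip, int(port), None if sni == "-" else sni


def classify_log(lines):
    """Return [(line, label)] for every flow line."""
    return [(line, classify_flow(*parse_flow_line(line))) for line in lines]


# Constructed sample flows (TEST-NET addresses for the non-resolver hosts).
SAMPLE_FLOWS = [
    "udp 192.0.2.53 53 -",
    "tcp 9.9.9.9 853 dns.quad9.net",
    "tcp 1.1.1.1 443 cloudflare-dns.com",
    "tcp 2606:4700:4700::1001 443 -",
    "tcp 198.51.100.7 443 www.example.com",
]

if __name__ == "__main__":
    for line, label in classify_log(SAMPLE_FLOWS):
        print(f"{label:45s} <- {line}")
```

The fourth sample flow has no SNI and is still attributed, because its IPv6 destination is normalized by `ipaddress` and matched against the table; the last flow is ordinary HTTPS and cannot be told apart from DoH to an unlisted resolver, which is exactly the property the paragraph describes.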

Implementations

The Mozilla Firefox browser has included an option to activate DoH as an experimental feature since version 60. Mozilla, in cooperation with Cloudflare, provides a DoH server that must meet strict privacy requirements.

Chrome has also offered an experimental setting for using DoH since version 78.

Unlike DNS over TLS, DoH has no native implementation in Android.

Public DNS servers

DoH servers are already offered by several public DNS providers, including:

| Provider | Server IP addresses | Hostname (DoH address) | Implementation | Content blocking |
|---|---|---|---|---|
| Clean Browsing | IPv4: 185.228.168.168, 185.228.168.169; IPv6: 2a0d:2a00:1::, 2a0d:2a00:2:: | Several, with different filter levels: doh.cleanbrowsing.org/doh/security-filter/, doh.cleanbrowsing.org/doh/family-filter/, doh.cleanbrowsing.org/doh/adult-filter/ | - | Adult content and other categories, selected via IP address / DoH address |
| Cloudflare | IPv4: 1.1.1.1, 1.0.0.1; IPv6: 2606:4700:4700::1111, 2606:4700:4700::1001 | cloudflare-dns.com/dns-query | IETF draft | No |
| Digitale Gesellschaft Schweiz | IPv4: 185.95.218.42, 185.95.218.43; IPv6: 2a05:fc84::42, 2a05:fc84::43 | dns.digitale-gesellschaft.ch/dns-query | RFC 8484 | No |
| Google Public DNS | IPv4: 8.8.8.8, 8.8.4.4; IPv6: 2001:4860:4860::8888, 2001:4860:4860::8844 | dns.google.com/resolve | Google experimental | No |
| Quad9 | IPv4: 9.9.9.9, 149.112.112.112; IPv6: 2620:fe::fe, 2620:fe::9 | dns.quad9.net/dns-query | - | Only malicious domains (phishing, malware, etc.) are blocked |
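As an added example (not part of the article or of any resolver's own code), the following Python builds an RFC 8484 query in the two forms the standard defines, GET with the wire-format message base64url-encoded in the `dns` parameter and POST with the raw message as the body, and parses a wire-format response into A records. The endpoint hostname is one of the RFC 8484 servers in the table above; no network request is made, the response bytes are constructed inline, and the compression-pointer hop limit is this example's own defensive choice rather than something the RFCs mandate.

```python
"""Encode and decode DNS over HTTPS messages as specified by RFC 8484.

Added example, not from the article. It does not contact any server: the query is
built locally and the "response" is constructed inline to exercise the parser.
"""
import base64
import struct

MEDIA_TYPE = "application/dns-message"   # RFC 8484 section 6
MAX_POINTER_HOPS = 16                     # defensive limit, this example's own choice


def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query (RFC 1035). ID is 0, as RFC 8484 recommends for cacheable GETs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # ID=0, flags: RD, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)      # QTYPE, QCLASS=IN


def doh_get_url(endpoint: str, query: bytes) -> str:
    """GET form: message base64url-encoded in the 'dns' parameter, '=' padding removed."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{endpoint}?dns={encoded}"


def decode_dns_param(value: str) -> bytes:
    """Server side of the GET form: restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def doh_post_request(endpoint: str, query: bytes) -> dict:
    """POST form: the raw message is the body; both directions announce the media type."""
    return {
        "method": "POST",
        "url": f"https://{endpoint}",
        "headers": {"Content-Type": MEDIA_TYPE, "Accept": MEDIA_TYPE},
        "body": query,
    }


def _read_name(msg: bytes, offset: int):
    """Read a possibly compressed name; return (name, offset just after it in the current sequence)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # compression pointer (RFC 1035 section 4.1.4)
            hops += 1
            if hops > MAX_POINTER_HOPS:            # a crafted message could otherwise loop forever
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_a_records(msg: bytes):
    """Return (rcode, [(owner, ttl, ipv4)]) for the A records in a wire-format response."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                      # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4                               # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        owner, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:
            records.append((owner, ttl, ".".join(str(b) for b in rdata)))
    return flags & 0x0F, records


# Constructed response to build_query("example.com"): one A record with a TEST-NET-1 address.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)           # QR, RD, RA; one question, one answer
    + build_query("example.com")[12:]                        # echoed question section
    + b"\xc0\x0c"                                            # owner name: pointer to the question name
    + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

# Constructed malformed response: the answer's owner name pointer refers to itself.
LOOP_RESPONSE = struct.pack("!HHHHHH", 0, 0x8180, 0, 1, 0, 0) + b"\xc0\x0c"

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("dns.digitale-gesellschaft.ch/dns-query", q))
    print(parse_a_records(SAMPLE_RESPONSE))
```

The GET form is what makes DoH cache-friendly at the HTTP layer (a fixed message ID of 0 and padding-free base64url keep the URL identical for identical questions), which is why RFC 8484 recommends it; the POST form avoids URL length limits for large messages. The parser's hop limit matters because a resolver client that accepts compression pointers blindly can be stalled by a single crafted answer.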
