One of the most common vulnerabilities of the DNS protocol attackers exploit is the plain text format in which communication between DNS clients and servers is performed. This allows attackers to eavesdrop on a network and know details about a DNS query, then manipulate it for malicious purposes.
This is the problem that DNS encryption aims to solve. With DNS encryption in place, communication between DNS clients and servers is encrypted from end to end thus preventing attackers from making sense of the information being transferred.
In this guide, you will learn about the two most common DNS encryption methods, their strengths, drawbacks, and level of adoption by the top operating systems and platforms.
DNS over TLS (DoT)
DNS-over-TLS (DoT), released in 2016, is the first DNS encryption solution to be established.
DoT channels the original client requests through a secure TLS channel on port 853 instead of the common port 53 used for unencrypted DNS communication. This prevents attackers from seeing or manipulating information about the DNS request.
Once an authenticated handshake is made and a secure channel is established with the DNS resolver, the DNS client and resolver can start exchanging messages over a secure channel. The secure connection created is mostly persisted for other DNS requests that the client will need to make during that session.
DNS over HTTPS (DoH)
The newer alternative to encrypting DNS traffic is DNS-over-HTTPS (DoH). DoH was introduced in 2018, and even though it uses TLS to encrypt messages between the client and the DNS resolver, it uses a different strategy.
Instead of opening a new port for secure communication, it uses the same port 443 used for HTTPS requests to send a DNS query to a DNS server that supports DoH. The DNS query is sent encrypted just like a regular HTTPS request and the response is also encrypted. The client decodes the response which contains the DNS information required to reach the site.
Some devices avoid DNS encryption by blocking the secure DNS port used by DoT, this is mostly done for ill-intented purposes. Because DoH does not require a special port for encrypted DNS communication, it cannot be bypassed.
Differences between DoT and DoH
|
DoT |
DoH |
|
|
Port |
Opens a new port (853) for creating a secure connection for encrypted communication |
Reuses the HTTPS port 443 for encrypted communication |
|
OSI Layer of operation |
Encrypted communication takes place at the Transport Layer (layer 4) of the OSI model |
Encrypted communication takes place at the Application Layer (layer 7) of the OSI model |
|
Operating System / Application Coverage |
It is either supported natively or can be configured for various operating systems (macOS, Windows, and Linux). Once in place, it encrypts DNS communication for any application that uses DNS on the operating system. |
Needs to be configured for each application/client that needs to use it (e.g. browsers like Firefox, Google Chrome, Opera, etc) |
|
Packet Size |
Because it operates at a lower level, its packet sizes are light |
Packet sizes are larger than DoT because it operates at the Application layer (two layers above DoT) |
|
Latency |
Minimal latency in DNS requests |
Higher latency compared to DoT |
Comments
0 comments
Article is closed for comments.