This article explains the differences between DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH), including how DNSFilter security settings work with these encryption solutions.
One of the most commonly exploited weaknesses of the DNS protocol is that communication between DNS clients and servers is carried out in plain text. This allows an attacker who can eavesdrop on the network to read the details of a DNS query and then manipulate it for malicious purposes.
This is the problem that DNS encryption (DoT and DoH) aims to solve. With DNS encryption in place, communication between DNS clients and servers is encrypted from end to end, preventing attackers from making sense of the information being transferred.
DNS over TLS (DoT)
DNS-over-TLS, released in 2016, is the first DNS encryption solution to be established.
DoT carries the client's DNS requests through a TLS channel on port 853 instead of port 53, the port used for unencrypted DNS communication. This prevents attackers from seeing or manipulating information about the DNS request.
Once the TLS handshake with the DNS resolver has completed and the resolver has been authenticated, the DNS client and resolver exchange DNS messages over that secure channel. This connection happens in 5-10 seconds. The secure connection is usually kept open and reused for the other DNS requests the client needs to make during that session.
DNS over HTTPS (DoH)
The newer alternative to encrypting DNS traffic is DNS-over-HTTPS. DoH was introduced in 2018, and even though it uses TLS to encrypt messages between the client and the DNS resolver, it uses a different strategy.
Instead of opening a new port for secure communication, it uses the same port 443 used for HTTPS requests to send a DNS query to a DNS server that supports DoH. The DNS query is sent encrypted just like a regular HTTPS request, and the response is encrypted as well. The client decrypts the response, which contains the DNS information required to reach the site.
Some devices avoid DNS encryption by blocking the secure DNS port used by DoT; this is mostly done for ill-intended purposes. Because DoH does not require a special port for encrypted DNS communication, it cannot be bypassed this way.
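To make the two transports described in the DoT and DoH sections concrete, the following Python example (added here, not part of the original article or of any DNSFilter software) builds one DNS query in wire format and shows how the same message is carried by each: DoT prefixes it with a two-byte length inside TLS on port 853 (RFC 7858, the same framing as DNS over TCP), while DoH wraps it in an ordinary HTTPS request on port 443 (RFC 8484, base64url in the `dns=` parameter). The hostname `doh.example` and path `/dns-query` are assumed placeholders.

```python
import base64
import struct

DOT_PORT = 853   # DoT: dedicated port, TLS directly around DNS messages
DOH_PORT = 443   # DoH: shared HTTPS port, DNS message inside an HTTP exchange


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a minimal DNS query (RFC 1035 wire format). txid 0 is what
    RFC 8484 recommends for DoH so that identical queries are cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def frame_for_dot(msg: bytes) -> bytes:
    """DoT (RFC 7858): same two-byte big-endian length prefix as DNS over TCP,
    then the raw message; the whole stream is sent inside TLS on port 853."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_dot(stream: bytes) -> bytes:
    """Read one length-prefixed DNS message back out of a DoT/TCP stream."""
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length]


def request_for_doh(msg: bytes, host: str = "doh.example", path: str = "/dns-query") -> str:
    """DoH (RFC 8484) GET form: the message is base64url-encoded without
    padding in the dns= query parameter of a normal HTTPS request on 443."""
    param = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return (f"GET {path}?dns={param} HTTP/1.1\r\n"
            f"Host: {host}\r\nAccept: application/dns-message\r\n\r\n")


def decode_doh_param(param: str) -> bytes:
    """Recover the wire-format message from a dns= parameter (re-add padding)."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


if __name__ == "__main__":
    q = build_query("example.com")           # constructed sample query
    print(f"DoT on port {DOT_PORT}:", frame_for_dot(q).hex())
    print(f"DoH on port {DOH_PORT}:\n{request_for_doh(q)}")
```

Note that the bytes of the DNS message itself are identical in both cases; only the surrounding transport (and therefore the port a firewall sees) differs, which is why DoT can be blocked by port while DoH cannot.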
Differences between DoT and DoH
| | DNS-over-TLS | DNS-over-HTTPS |
|---|---|---|
| Port | Opens a new port (853) for creating a secure connection for encrypted communication | Reuses the HTTPS port 443 for encrypted communication |
| OSI layer of operation | Encrypted communication takes place at the Transport Layer (layer 4) of the OSI model | Encrypted communication takes place at the Application Layer (layer 7) of the OSI model |
| Operating system / application coverage | Either supported natively or configurable on various operating systems (macOS, Windows, and Linux). Once in place, it encrypts DNS communication for any application that uses DNS on the operating system | Needs to be configured for each application/client that uses it (e.g. browsers such as Firefox, Google Chrome and Opera) |
| Packet size | Because it operates at a lower level, its packets are light | Packets are larger than with DoT because it operates at the Application layer (two layers above DoT) |
| Latency | Minimal latency in DNS requests | Higher latency compared to DoT |
How to manage DoT and DoH with DNSFilter
DNS-over-TLS
DNSFilter recommends enabling DNS-over-TLS because it is fully supported using Roaming Clients or DNS Relay. DoT is also more comprehensive than DoH because it encrypts all DNS traffic on your machine (rather than only web browser traffic).
DNS-over-HTTPS
Prevent browsers from circumventing DNSFilter policies by restricting DNS resolution to DNSFilter only. This is best done at the firewall level by blocking DoH addresses. DNSFilter helps to maintain a community list of DoH servers so that system administrators can restrict access.