All about DoH; Does DNS encryption guarantee privacy?


DNS over HTTPS is a protocol that has been making a lot of noise in recent months. Many companies providing this service claim that using it will preserve privacy and improve security. Some believe this claim is nothing more than a lie, and that better solutions already exist.

Each website has a unique IP address. But since numerical IP addresses are difficult to remember, we usually use names instead, such as Digiato.com. DNS, or “Domain Name System”, is the protocol for finding the IP address of a site, and DNS servers play the role of the internet’s phone book by converting names to addresses. In brief, DNS works as follows: the user enters the name of the desired site in the browser, the DNS server converts that name into an IP address for the user’s operating system and, finally, the browser, and the browser then contacts the site’s host at that address and retrieves its content.

Image: DNS over HTTPS

Some experts believe that DoH is not a very good feature and that we should look for better ways to encrypt DNS traffic. Among these is DNS over TLS, which encrypts the DNS traffic itself instead of hiding it inside HTTPS.

What is DNS over HTTPS?

“DNS-over-HTTPS”, or “DoH” for short, is a fairly recent innovation: it was introduced as an Internet standard in October 2018. Right now, Android supports this feature, and this year the standard will also come to browsers, including Firefox and Chrome.

Until now, DNS questions and answers were exchanged as unencrypted plain text between a system and a DNS server; DNS over HTTPS changes this by encrypting the DNS queries. Of course, one requirement of such a method is DNS servers with DoH capability (called DoH resolvers).
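To make the difference concrete, here is an added example (not code from the article) that builds a classic DNS query in RFC 1035 wire format, shows how a passive observer reads the queried name straight out of the bytes, and then wraps the identical message in the two DoH request forms defined by RFC 8484. The resolver URL `https://doh.example/dns-query` and the fixed transaction ID are constructed for the demo.

```python
import base64
import struct

# Fixed transaction ID so the demo is deterministic; real stub resolvers
# randomise this 16-bit field. Constructed value, not from the article.
EXAMPLE_TXID = 0x1234


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a minimal classic (port 53) DNS query in RFC 1035 wire format.

    Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0.
    Question: length-prefixed labels ending in a zero byte, QTYPE, QCLASS=IN.
    """
    header = struct.pack("!HHHHHH", EXAMPLE_TXID, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def extract_qname(packet: bytes) -> str:
    """What a passive observer of plain DNS sees: the queried name is readable
    straight out of the bytes on the wire, no decryption required."""
    pos = 12                      # skip the fixed 12-byte header
    labels = []
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def doh_get_url(resolver_url: str, packet: bytes) -> str:
    """DoH GET form (RFC 8484): the *same* wire-format message, base64url
    encoded without '=' padding, carried in the 'dns' query parameter.
    Only the TLS layer of the HTTPS connection hides it from the network."""
    encoded = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def doh_post_request(packet: bytes) -> tuple:
    """DoH POST form: the wire message is the HTTP body, typed as
    application/dns-message. Returns (headers, body)."""
    headers = {
        "Content-Type": "application/dns-message",
        "Accept": "application/dns-message",
    }
    return headers, packet


def decode_doh_param(url: str) -> bytes:
    """Recover the DNS wire message from a DoH GET URL (restores padding),
    i.e. what the DoH resolver itself still sees in full."""
    encoded = url.split("dns=", 1)[1]
    padding = "=" * (-len(encoded) % 4)
    return base64.urlsafe_b64decode(encoded + padding)


if __name__ == "__main__":
    pkt = build_query("digiato.com")
    print("plain DNS bytes :", pkt.hex())
    print("observer reads  :", extract_qname(pkt))
    url = doh_get_url("https://doh.example/dns-query", pkt)   # hypothetical resolver URL
    print("DoH GET         :", url)
    print("resolver decodes:", extract_qname(decode_doh_param(url)))
```

The point the last line makes is the one the rest of the article turns on: DoH changes nothing about the message, only who can read it. The network between client and resolver now sees TLS, but the DoH resolver still receives every query name in the clear.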

Image: DNS over HTTPS

Most companies that offer DoH-compliant products tout this feature as a way to prevent ISPs from monitoring user traffic, as well as a way to bypass restrictions. But to what extent is this true?

In fact, in the eyes of many experts this claim is nothing more than a lie. Contrary to what many companies advertise, DNS over HTTPS cannot magically improve privacy. Some experts believe that irresponsible companies do not protect users by promoting this half-baked protocol. Critics point to the following flaws in DoH:

  • It does not prevent ISPs from tracking users.
  • It creates chaos for organizations.
  • It helps criminals.
  • It weakens cyber security.
  • It possibly puts users at risk.
  • It concentrates DNS traffic on a small number of DoH-capable DNS servers.

Below, we deal with each of these problems separately.

Inability of DoH to prevent users from being tracked

DoH proponents put a lot of emphasis on ISPs being unable to trace users’ DNS requests and, consequently, their web traffic. It is true that ISPs cannot see users’ DNS requests. But the problem is that DNS is not the only protocol used in Internet browsing. So if the ISP wants to track you, it can take advantage of the almost unlimited other data you produce. Some experts even believe that people who advocate DNS over HTTPS are either lying or don’t understand how web traffic works.

Image: DNS over HTTPS

Furthermore, if you visit a website over plain HTTP, DoH is of no use, and the ISP can easily find out the address of the website you are visiting simply by reading the plain text. And since the HTTPS protocol is not perfect and parts of the communication under it are still not encrypted, ISPs can still learn which website you are visiting. For this reason, experts believe that ISPs do not need to worry about DNS over HTTPS, because they can simply inspect the unencrypted part of HTTPS.

ISPs are also able to see all the traffic each person exchanges, and when a user accesses a website they simply know the IP address associated with it. Researchers recently published a report claiming 95% accuracy in identifying visited websites based on the IP address alone. In other words, users’ final destinations are known through IP addresses, even if the exchanged traffic is encrypted.
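The “unencrypted part of HTTPS” the two paragraphs above refer to is easy to show. This added example (not code from the article) constructs a minimal TLS ClientHello carrying a Server Name Indication extension, then parses the server name back out of it the way any on-path monitor does; it also pulls the `Host` header out of a plain HTTP request. The hostnames in the sample inputs are constructed.

```python
import os
import struct
from typing import Optional

SNI_EXTENSION_TYPE = 0x0000


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record with an SNI
    extension (constructed sample traffic for the demo, not a real capture)."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                       # client_version: TLS 1.2
        + os.urandom(32)                  # client random
        + b"\x00"                         # session_id length 0
        + b"\x00\x02\xc0\x2f"             # cipher_suites: one suite
        + b"\x01\x00"                     # compression_methods: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the server name readable from a ClientHello record, or None if the
    record is not a ClientHello or carries no SNI. Assumes the ClientHello fits in
    one record, which is the common case for a plain client."""
    if len(record) < 5 or record[0] != 0x16:
        return None                       # not a TLS handshake record
    hs = record[5:]
    if not hs or hs[0] != 0x01:
        return None                       # not a ClientHello
    pos = 4                               # skip handshake type + 3-byte length
    pos += 2 + 32                         # version + random
    pos += 1 + hs[pos]                    # session_id
    suites_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + suites_len
    pos += 1 + hs[pos]                    # compression methods
    if pos + 2 > len(hs):
        return None                       # no extensions block at all
    ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if ext_type == SNI_EXTENSION_TYPE:
            # server_name_list: 2-byte list length, then (name_type, name_len, name)
            entry = hs[pos + 2:pos + ext_len]
            name_len = struct.unpack("!H", entry[1:3])[0]
            return entry[3:3 + name_len].decode("ascii")
        pos += ext_len
    return None


def extract_http_host(request: bytes) -> Optional[str]:
    """Plain HTTP: the Host header is readable by anyone on the path."""
    for line in request.split(b"\r\n")[1:]:
        if line == b"":
            break                         # end of headers
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii")
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print("SNI seen on the wire :", extract_sni(hello))
    plain = b"GET / HTTP/1.1\r\nHost: digiato.com\r\nUser-Agent: demo\r\n\r\n"
    print("Host seen on the wire:", extract_http_host(plain))
```

So even with every DNS query wrapped in DoH, the very next packet the browser sends to the site names that site again in the clear, alongside a destination IP that the article notes identifies most sites on its own. Newer deployments that encrypt the ClientHello change this picture, but the article predates them.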

Negative influence of DoH on organizational policies

In many companies, local DNS servers are used to filter or monitor local traffic, preventing users from accessing non-work-related websites or domains hosting malware. But DNS over HTTPS can be used as a tool to bypass such organizational restrictions: all DNS-related policies applied by the organization are overridden, and employees can use DoH to get around them.

Image: DNS over HTTPS

Since today’s DNS servers do not generally support DoH queries, applications that do support DoH use a predefined list of DoH servers, so DoH settings live inside each application, separate from the operating system’s usual DNS settings. Network administrators in companies sometimes monitor the DNS settings of operating systems to prevent attacks based on DNS hijacking. But with hundreds of applications that each have their own DoH settings, such monitoring becomes a nightmare for them, making it virtually impossible to detect DNS hijacking.

Undermining cyber security through DoH

Experts believe that DNS over HTTPS renders many current cyber security solutions ineffective, because it becomes impossible or very difficult to identify what users do in a browser that uses DoH. As a result, detecting a user’s access to infected domains and blocking that traffic becomes much harder. The SANS Institute (one of the largest organizations active in cybersecurity education) recently described a method of using encrypted DNS anonymously that allows hackers to bypass controls in organizations.

Organizations are advised not to rely solely on DNS-related data for their security solutions. In addition, the implementation of new solutions should not be delayed too long, because malware developers are also aware of DNS over HTTPS and can use it to bypass firewalls that rely on traffic monitoring. However, according to the SANS Institute, the problem is that the security updates companies need to deal with this issue require time and money, which is why there is currently little appetite for improving these systems.
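The advice in the last two sections, not to rely on resolver logs alone, translates into a simple correlation an organization can run today. This added example (not the article’s or SANS’s code) takes constructed resolver and flow logs and flags three things: DoT connections, which use their own port (853) and so remain visible as encrypted DNS; HTTPS connections whose SNI matches a list of DoH endpoints; and HTTPS connections to an IP the corporate resolver never handed out, which means the name was resolved somewhere else. The hostname `doh.resolver.example`, all IP addresses and the timestamps are constructed.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample logs (not from the article): answers handed out by the
# corporate resolver, and outbound flows seen at the gateway/proxy.
Resolution = namedtuple("Resolution", "ts client qname answer_ip")
Flow = namedtuple("Flow", "ts client dst_ip dst_port sni")

RESOLVER_LOG = [
    Resolution(datetime(2024, 1, 1, 9, 0, 0), "10.0.0.5", "intranet.corp.example", "10.1.1.20"),
    Resolution(datetime(2024, 1, 1, 9, 0, 5), "10.0.0.5", "www.example.com", "93.184.216.34"),
]

FLOW_LOG = [
    # normal: HTTPS to an IP the corporate resolver handed out seconds earlier
    Flow(datetime(2024, 1, 1, 9, 0, 6), "10.0.0.5", "93.184.216.34", 443, "www.example.com"),
    # DoT uses its own port (853), so it stays recognisable as encrypted DNS
    Flow(datetime(2024, 1, 1, 9, 1, 0), "10.0.0.5", "198.51.100.7", 853, None),
    # DoH hides inside port 443; only the SNI (if any) or the destination gives it away
    Flow(datetime(2024, 1, 1, 9, 1, 2), "10.0.0.5", "203.0.113.9", 443, "doh.resolver.example"),
    # HTTPS to an IP the corporate resolver never returned: the name was resolved elsewhere
    Flow(datetime(2024, 1, 1, 9, 2, 0), "10.0.0.5", "192.0.2.44", 443, "blocked.example"),
]

# Hypothetical endpoint list; populate it from your own inventory of public DoH resolvers.
KNOWN_DOH_HOSTS = {"doh.resolver.example"}
LOOKBACK = timedelta(minutes=10)   # how long a resolver answer is considered fresh


def detect_encrypted_dns(resolver_log, flow_log, known_doh_hosts=KNOWN_DOH_HOSTS, lookback=LOOKBACK):
    """Return (client, dst_ip, reason) tuples for flows that bypass the corporate resolver."""
    findings = []
    for flow in flow_log:
        if flow.dst_port == 853:
            findings.append((flow.client, flow.dst_ip, "dot_port_853"))
        elif flow.sni and flow.sni.lower() in known_doh_hosts:
            findings.append((flow.client, flow.dst_ip, "known_doh_endpoint"))
        elif flow.dst_port == 443:
            # Did *our* resolver hand this destination IP to this client recently?
            resolved_internally = any(
                r.client == flow.client
                and r.answer_ip == flow.dst_ip
                and flow.ts - lookback <= r.ts <= flow.ts
                for r in resolver_log
            )
            if not resolved_internally:
                findings.append((flow.client, flow.dst_ip, "https_without_internal_dns"))
    return findings


if __name__ == "__main__":
    for client, dst, reason in detect_encrypted_dns(RESOLVER_LOG, FLOW_LOG):
        print(f"{client} -> {dst}: {reason}")
```

The third rule is the one that survives DoH, because it does not depend on seeing DNS at all, only on the fact that a legitimate client should have asked the corporate resolver before connecting. It also illustrates the cost the article mentions: answers cached longer than the lookback window, shared CDN addresses and applications with hard-coded IPs all produce false positives, so this is a triage signal, not a blocking rule, and it has to be paired with endpoint-side auditing of the per-application DoH settings the article describes.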

Image: DNS over HTTPS

Of course, according to researchers, there is a better solution: DNS over TLS (abbreviated DoT) and DNSSEC. DNSSEC adds a signature to DNS data so that the user can be sure that the source providing the information is authentic. This protocol can be combined with DNS over TLS. DNS over TLS is similar to DNS over HTTPS, except that instead of hiding DNS traffic inside HTTPS, it encrypts the DNS connection itself.

DoT also suffers from some of DoH’s disadvantages, but according to the researchers it is the better choice in comparison and has fewer problems. One of its most important features is that, unlike DoH, it can be deployed on current DNS infrastructure.

According to Technitium, which provides cyber security solutions, many prominent ISPs have implemented DoT and the major operating systems support it. This standard helps maintain privacy and security while avoiding the problem of being limited to a few DNS servers.

DoH helps criminals

One of the capabilities of DNS over HTTPS is to bypass censorship and other restrictions, especially with ISPs that block access to websites based on DNS. But DoH can also be used to access terrorist or subversive content, websites stealing copyrighted content, or content blocked for children. The US and UK governments criticized Mozilla and Google for supporting DoH because of these criminal uses.

Image: DNS over HTTPS

Because of these concerns, Mozilla came under pressure from the UK and had to abandon enabling this feature by default in Firefox for British users. Google, on the other hand, justifies its support for DNS over HTTPS by saying that responsibility lies entirely with the companies providing the DoH service.

DoH puts some users at risk

As we said, DoH alone cannot prevent the disclosure of the user’s identity or of the information exchanged; it encrypts only part of the traffic and leaves most of it unencrypted. Yet in the eyes of the authorities of many countries it may be regarded as a tool for bypassing legal restrictions, endangering its users with the offence of using circumvention tools.

Meanwhile, many uninformed users mistakenly think that using DoH alone is enough to maintain their privacy and guarantee confidentiality. But experts say that using a VPN or Tor connection along with DoH protects users better than DoH alone.

Concentrating DNS traffic on a small number of DoH servers

According to APNIC, which manages the allocation of Internet addresses for the Asia-Pacific region, this is a negative impact that DoH has on all conventional DNS servers. Instead of the pointless solution of adding a new layer (through DoH), we can encrypt DNS traffic in other ways, so that there is no need to change the current infrastructure. In this way the problem of concentrating DNS traffic on a few servers is solved, and you can still use the same DNS servers as before, only over a more secure connection.

Image: DNS over HTTPS

DNS over HTTPS is also considered a negative for privacy because of its centralized operation: any third-party company that provides this service can record the history of all DNS queries, track the requested IP addresses, and perhaps eventually find ways to abuse this information.

Concluding remarks

The general idea of DNS over HTTPS is not what most people think. In fact, this protocol does not protect users from eavesdropping on their exchanged traffic. However, experts say that users who already use a VPN or Tor connection for privacy can add an extra layer of security by using DoH.

On the other hand, organizations should invest in new traffic filtering and monitoring systems, because the era of traditional DNS-based monitoring and blocking systems seems to be coming to an end. In addition, monitoring systems able to inspect TLS communications will also be required. Of course, all these new systems are expensive, which is why many companies still rely on traditional DNS-based systems.

Regarding the concerns about third-party DNS encryption providers, APNIC may be right when it says:

“DNS encryption is good, but it would be even better if it was implemented without the intervention of a third entity”.
