What is DNS over TLS/HTTPS? Should I use it?
Most communication on the Internet starts with the DNS query. Client (smartphone, computer) sends a request to DNS Resolver which provides him a machine-readable IP address based on the human-readable domain name. He transforms 1dot1dot1dot1.cloudflare-dns.com into 184.108.40.206. Now our device knows where to connect, where a destination server is.
Typically we use a DNS Resolver provided by our Internet provider, configured on WiFi network or cellular. By default, DNS requests and responses are sent as plaintext (via UDP) and can be read by anybody able to monitor transmissions.
What can we do to be safer?
DNS over TLS/HTTPS
To address security concerns big minds come with the idea of DNS over TLS/HTTPS. As a result of changing transmission protocol, we gain more security. Now our communication is sent in an „envelope”, so no one can see what’s inside.
DNS over TLS (DoT) is provided on 853 port. It uses the same protocol as HTTPS traffic – SSL. DoT adds an additional layer of TLS encryption over normal DNS queries served over UDP.
DNS over HTTPS (DoH) is provided on port 443. It’s a more secure alternative to DoT. DoH traffic looks like normal HTTPS traffic e.g. navigation on websites or apps.
There is only one insecure step, negotiating first TLS connection to DNS Resolver and reveling SNI (server name indication). The requested hostname is not encrypted and it can be seen by third parties. Of course, the response is secured.
Can it replace a VPN?
No, of course not! You shouldn’t use it with any VPN to provide maximum privacy. Your VPN shouldn’t request any outside DNS Resolver from security reasons.
The role of encrypting DNS traffic is preventing man in the middle attacks for DNS requests. This is changing DNS response and sanding You to a phishing site instead of the original site that You wanted.
It’s easy, right? Uhm…only for smartphone, but You will manage to do that in a few minutes for other devices.
There are two ways to configure secure DNS on a mobile phone. The first one it’s faster and more private (default is DoH, but You can choose DoT), but I don’t like it. Everything You need to do is install 220.127.116.11 App (get it for Android and iOS, if You are using Bada OS or Symbian I’m so sorry :D). It will solve your all problems by flicking up one switch on the main screen. But there are few downsides. You need to have an app running in the background and probably it won’t connect automatically after reboot.
The second method and preferred by me is only for Android 9 and above. Let’s do it, enter the settings:
- Go to Network/Connections -> Private DNS
- Chose „Private DNS provider hostname”
- Enter 1dot1dot1dot1.cloudflare-dns.com and Save
You can find more detailed instructions and information on the Cloudflare blog post.
Using encrypted DNS traffic with Windows is more complicated than configuring mobile phone. You need to run Windows 10 Build 19628 or higher, add the key to the registry and changed IPv4 and IPv6 configuration on your network adapters. Detailed instruction is in BleepingComputer entry.
Verify DNS Resolver configuration
Checking if everything gone right is a very fast operation. We need to enter https://18.104.22.168/help and wait after all pieces of information are loaded. Now we need to check 3 parameters:
- Connected to 22.214.171.124 -> Yes
- Using DNS over HTTPS (DoH)/Using DNS over TLS (DoT) -> Yes
- AS Name -> Cloudflare
If You’ve got two yeses and Cloudflare as above everything worked perfectly!
You saw that configuring DNS over TLS/HTTPS isn’t that hard. It can be very useful during the holiday season when we access the Internet in untrusted places like restaurants, hotels, or coffee shops. Reproducing the above steps on your phone (probably You will use this device the most) isn’t complicated. Share that entry with your friends and family to keep them safe.
Get safe and don’t get scammed!
*Heading image and inspiration source: https://www.cloudflare.com/learning/dns/dns-over-tls/