DNS over HTTPS
DNS-over-HTTPS was created as an internet standard (IETF RFC8484) and has been implemented in both Mozilla Firefox and Google Chrome. DoH encrypts DNS queries, which are disguised as regular HTTPS traffic and all of those queries (every web site you visit's URL) are sent to special DoH-capable DNS servers (called DoH resolvers), which resolve the DNS query inside a DoH request, and reply to the user.
Don't be fooled by all the use of the term encryption! At the resolver, the request has to be decrypted to be handled by the resolver. So "they" as in the company or organization that is now doing DNS for you at their remote site instead of locally by your own network or ISP, can see where you are going and they can keep track of those Internet addresses and associate them with you.
The companies and organizations that have DoH-capable products have been advertising DoH as a way to prevent ISPs from tracking users' web traffic and as a way to bypass censorship. However, they just are talking you into allowing them to track you instead of your ISP (which probably was not tracking you as it is illegal in many jurisdictions).
- DoH doesn't actually prevent ISPs user tracking - because DNS is only one very small part of the traffic between you and your ISP. They don't need your DNS queries to know what you are doing
- DoH creates havoc in the enterprise sector - many of the security measures involved on network security involve the use of the locally allocated DNS resolver.
- DoH weakens cyber-security and helps criminals - once you surrender control of DNS activity you become subject to invalid or manipulated DNS results.
- DoH centralizes DNS traffic at a few DoH resolvers - Having local DNS servers for customers and users helps keep things moving fast. Channeling all this DNS activity to centralized points creates bottlenecks and delays, potentially slowing down your Internet activity because your browser is still waiting for DNS resolution before it can move forward and load a web site or application.
There are three major secure transport protocols which have been, or are being, standardized for DNS. These are DoT, DoH, and DoQ:
- DoT (DNS over TLS): this encrypts the DNS traffic but doesn’t try to hide it.
- DoH (DNS over HTTPS): this hides the DNS traffic by making it look like any other HTTPS web traffic.
- DoQ (DNS over QUIC): like DoH, this hides the DNS traffic by making it look like any other HTTPS web traffic, but for a more modern variant of web traffic.
DNS-over-HTTPS relies on a Trusted Recursive Resolver (TRR). The centralized DNS on the far end of the encryption which has to decrypt and do the DNS resolution is known as the Trusted Recursive Resolver (TRR) and being considered Trusted is purely at the discretion of someone else besides you. Firefox, as an example, is currently using https://cloudflare-dns.com/dns-query as their TRR, so Mozilla wants you to believe you can trust Cloudflare with your privacy. There is no government department of oversight on what is considered a TRR so why should you trust their TRR over your own ISP DNS resolution system?
your privacy at risk: a benefit vs danger analysis
When you navigate to a website, your browser first needs to determine which server is responsible for delivering said website, a step known as DNS resolution. For most people, their system automatically uses their Internet Service Provider's DNS. Users can configure their system to use 3rd party DNS if they so desire, such as Google's 8.8.8.8 public DNS server. In a small office or larger corporate network, it is common that DNS resolution is handled by the firewall or a special purpose dedicated DNS server for the LAN. This is part of the network security layer and the network administrator likely prefers or enforces all DNS queries be handled locally.
Mozilla Firefox (the group responsible) and Google Chrome via The Chromium Project are now implementing something called DNS over HTTPS. They claim this is to provide an encrypted channel which they say further safeguard user security and privacy. That is what they say so they can sneak this alteration to the normal standard DNS model by the end user without objection.
The Benefit: It will be more difficult for people to sniff out your visited web sites because DNS queries won't pass through the local network smart switch or router in an unencrypted format. For employees of a company, they will be able to visit pornhub or something nasty and maybe not be as likely to get noticed by the LAN administrator.
The Danger: There is no benefit for the home Internet user of Chrome or Firefox. The danger is that all the sites you visit are being sent as a list and possibly collected by a 3rd party. If you are at home and you visit bitcoin mining web sites or read a lot of gun related articles, some 3rd party company can keep a list and turn that over to advertising or marketing firms, or worse yet, to an oppressive government authority depending on your country. Furthermore, although not a danger but an annoyance, this system can create delays as it takes longer to achieve DNS resolution on queries from your host.
The Danger outweighs the benefit!
Any competent office network administrator is going to block Trusted Recursive Resolver traffic so Chrome or Firefox will have to revert to the office DNS server.
Unless you spend your time surfing questionable web sites or looking at things that would embarrass you if it were to become public and you are doing all of this not at home, but on public WiFi where other users of the same WiFi could potentially be sniffing your data packets, this DNS over HTTPS is really just a big scam to data mine. Even still any hacker sniffing packets on public WiFi doesn't need to see your DNS queries to do harm. Mozilla Firefox the organization and Google for their part in adding this to Chromium should be called out on this and held legally accountable in civil court as they implement this data mining DNS scam by default and without user consent.
the true motivation
Why would Mozilla and Google try so hard to push a technology which does little to benefit the end user, and mostly harms network security managers? The real reason probably has everything to do with marketing and advertising.
- Bypassing DNS based blackholes circumvents advertisement blockers (Ad-Blockers) and data mining trackers.
- Centralizing DNS to their private company allows them to perform data mining on all users of Firefox, Chrome, or whatever application. Now they can easily see where you are going with far less effort because you are allowing it to happen.
Do they care about your privacy and should you believe the pitch that they are doing this all for your benefit? NO; (and that is a big fat NO). The so called benefit is controversial and unproven at best while the loss of privacy to one or a small select few major corporations handling the DNS queries is alarming to say the least. You're much better off keeping your DNS local. Don't let CloudFlare and Google be Big Brother DNS.