Domain Name System (DNS) is one of the backbones of the internet. DNS translates a domain name (e.g. blahblah.com) into its corresponding IP address (e.g. 10.2.93.54). Thanks to DNS, humans can access the internet via human-friendly names rather than having to remember & punch in numeric IPs. It is so much simpler to say "look it up on Google" than "look it up on 172.168...".
Working of DNS
Resolving a name involves a chain of DNS servers spread out over the internet. When a user enters a URL in the browser, the stub resolver on their system sends the domain name to the DNS server configured for the system (by the router/ network, the ISP, etc.). That recursive resolver then works its way down the hierarchy: it asks a Root DNS server, which refers it to the top-level domain server (.com, .in), which refers it to the Authoritative server for the second-level domain (google.com, yahoo.com, etc.), which finally answers for the sub-domain (www, mail, etc.) with the corresponding IP address. The answer is cached along the way, so later lookups are usually served without repeating the whole chain.
DNS requests are typically sent in plain text over UDP or TCP (port 53). Besides the name being looked up, each request carries the client's source IP address, so it identifies who is asking. Together with the recursive nature of the lookups via several intermediaries, this leaves DNS requests open to being observed & tracked. Nothing in a plain DNS response authenticates its sender either: the client only matches a 16-bit transaction ID & the question against what it sent. A malicious intermediary that sees the query can therefore spoof the response with a different IP address & direct the user to a scam site.
DNS over HTTPS (DoH)
A very recent development has been the introduction of DNS over HTTPS (DoH) in Firefox.
HTTPS (HTTP over TLS) is the standard protocol for encrypting web traffic between a client & a server, & it prevents any intermediary from eavesdropping on or tampering with that traffic. DoH carries the same DNS messages as before, only inside an HTTPS request to the resolver, so on the wire the lookups are indistinguishable from ordinary web traffic.
To further secure the DNS request, DoH in Firefox also brings in the concept of Trusted Recursive Resolvers (TRR): a resolver that Mozilla has vetted & that has agreed to its policy on logging & use of the lookup data. DoH encrypts the request only as far as the resolver; the TRR itself still sees every name the user looks up, which is why the trust placed in it matters. The default for Firefox is Cloudflare, though other TRRs are available for the user to choose from. Sadly, OpenDNS isn't on board with DoH or TRR; instead it has its own offering called DNSCrypt. Hope to see more convergence as adoption of these technologies improves in the future.
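To make the two points above concrete, the plaintext DNS query & the forged answer described earlier, & the same message carried over DoH, the following is an added example that is not code from the original post. It builds a wire-format DNS query (RFC 1035), shows what an on-path observer can read from it & how an intermediary that saw the query can answer it with an address of its own choosing, & then wraps the identical bytes into the GET & POST forms of DoH (RFC 8484). Standard library only, no network access; the hostnames, the DoH URL & the answer IP are constructed sample values.

```python
"""Added example (not code from the original post): a DNS query on the wire, what an
on-path observer or spoofer can do with it, and how the same message is carried over
DoH (RFC 8484). Standard library only; no network access. Hostnames, the DoH URL and
the answer IP below are constructed sample values."""
import base64
import ipaddress
import struct

QTYPE_A = 1


def encode_name(name):
    """Dotted hostname -> length-prefixed labels, null-terminated (RFC 1035 s.3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, off):
    """Read a (possibly compressed) name at offset; returns (name, offset after it)."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer (RFC 1035 s.4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def build_query(name, qtype=QTYPE_A, txid=0):
    """Wire-format query. Plain UDP/TCP clients randomise txid (a weak anti-spoofing
    check); DoH clients use 0 so identical queries are cacheable (RFC 8484 s.4.1)."""
    flags = 0x0100  # RD=1: ask the resolver to recurse
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_question(msg):
    """What anyone on the path between client and resolver can read off a plaintext query."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"txid": txid, "name": name, "qtype": qtype, "qclass": qclass,
            "ancount": an, "qend": off + 4}


def build_a_response(query, ip, ttl=300):
    """Answer a query with one A record. Nothing here proves the answer came from the
    real resolver: any intermediary that saw the query can send this instead."""
    q = parse_question(query)
    header = struct.pack("!HHHHHH", q["txid"], 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, ttl, 4)  # name = pointer to question
    return header + query[12:q["qend"]] + rr + ipaddress.IPv4Address(ip).packed


def parse_a_records(msg):
    """Return the IPv4 addresses in the answer section of a response."""
    q = parse_question(msg)
    off, ips = q["qend"], []
    for _ in range(q["ancount"]):
        _name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rclass == 1 and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return ips


def doh_get_url(query, trr_uri):
    """DoH GET form: the wire message, base64url-encoded without padding, in ?dns=."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return "%s%sdns=%s" % (trr_uri, "&" if "?" in trr_uri else "?", dns)


def doh_post_request(query):
    """DoH POST form: the wire message is the body, typed application/dns-message."""
    return {"method": "POST",
            "headers": {"Content-Type": "application/dns-message",
                        "Accept": "application/dns-message"},
            "body": query}


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("on the wire:", q.hex())
    print("observer sees:", parse_question(q)["name"])
    forged = build_a_response(q, "192.0.2.1")  # attacker-chosen answer
    print("spoofed answer resolves to:", parse_a_records(forged))
    print("same query over DoH:", doh_get_url(q, "https://dnsserver.example.net/dns-query"))
```

The GET URL produced for www.example.com matches the worked example in RFC 8484; the bytes inside are exactly the plaintext query, so DoH changes nothing about the DNS message itself, only the channel it travels over & therefore who can read or replace it.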
Setting up DoH in Firefox (ver. 65.0) requires going to Preferences > Network Settings & checking "Enable DNS over HTTPS", with the default Cloudflare TRR. Alternatively, the prefs "network.trr.mode" & "network.trr.uri" can be set via about:config. The mode decides what happens when the DoH resolver cannot be reached: mode 2 tries DoH first but falls back to the system's plaintext DNS, whereas mode 3 uses DoH only.
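The same about:config settings can be deployed as a user.js file in the profile directory, which is handy across several machines or profiles. The following is an added example, not instructions from the original post: it renders the network.trr.* prefs in user.js syntax & flags the two combinations that quietly keep plaintext DNS in play (mode 2's fallback, & mode 3 without a bootstrap address for the resolver's own hostname). The pref names are Firefox's real TRR prefs; the bootstrap IP used below is a placeholder, not Cloudflare's address.

```python
"""Added example (not from the original post): generate a Firefox user.js for the
network.trr.* prefs and warn about settings that still allow plaintext DNS.
The provider URL is Firefox's default Cloudflare endpoint; the bootstrap address
in the demo is a documentation-range placeholder, not a real resolver IP."""
import ipaddress
from urllib.parse import urlparse

# Values of network.trr.mode used here and what they mean.
TRR_MODES = {
    0: "off: native (plaintext) DNS only",
    2: "TRR first: DoH, but fall back to native DNS on any failure",
    3: "TRR only: DoH or nothing, no plaintext fallback",
    5: "off by user choice: native DNS only",
}


def trr_prefs(mode, uri, bootstrap=None):
    """Return (prefs, warnings). Raises ValueError on values Firefox would not accept."""
    if mode not in TRR_MODES:
        raise ValueError("unsupported network.trr.mode %r" % mode)
    parsed = urlparse(uri)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("network.trr.uri must be an https:// URL: %r" % uri)
    prefs = {"network.trr.mode": mode, "network.trr.uri": uri}
    warnings = []
    if mode in (2, 3) and bootstrap:
        ipaddress.ip_address(bootstrap)  # raises if it is not an IP literal
        prefs["network.trr.bootstrapAddress"] = bootstrap
    if mode == 2:
        warnings.append("mode 2 falls back to plaintext DNS whenever the DoH "
                        "resolver fails or is blocked")
    if mode == 3 and not bootstrap:
        warnings.append("mode 3 without network.trr.bootstrapAddress still resolves "
                        "%s with the native resolver at start-up" % parsed.hostname)
    return prefs, warnings


def render_user_js(prefs):
    """user.js syntax: one user_pref() per line; Firefox applies it at profile start-up."""
    lines = []
    for key, value in sorted(prefs.items()):
        if isinstance(value, bool):
            js = "true" if value else "false"
        elif isinstance(value, int):
            js = str(value)
        else:
            js = '"%s"' % str(value).replace('"', '\\"')
        lines.append('user_pref("%s", %s);' % (key, js))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    uri = "https://mozilla.cloudflare-dns.com/dns-query"
    for label, args in (("weak", (2, uri)), ("hardened", (3, uri, "192.0.2.53"))):
        prefs, warnings = trr_prefs(*args)
        print("#", label)
        print(render_user_js(prefs))
        for w in warnings:
            print("# WARNING:", w)
```

Copy the "hardened" output into user.js in the profile directory (Firefox shows the path under about:support), replacing the placeholder bootstrap IP with the real address of your TRR. Mode 3 is the setting that actually stops plaintext lookups from the browser; mode 2 is the more forgiving default on networks that block port 443 to the resolver.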
To confirm that the setup is correct, navigate to Cloudflare's "test my browser" page & validate. This should show green check marks against "Secure DNS" & "TLS 1.3". Some further setup may be needed if the other two checks fail.
For DNSSEC, a DNSSEC-validating DNS server needs to be configured; the check passes when the resolver in use validates signatures, since Firefox does not validate DNSSEC itself. Pick Cloudflare DNS, Google DNS or any other from the DNS servers list. For the Encrypted SNI indicator, enable the pref "network.security.esni.enabled". ESNI is still at an experimental stage, so there could be changes (or bugs) that get uncovered & resolved in the future.
Enabling at a Global Level
The DoH setting discussed here applies only to Firefox. DNS lookups made outside Firefox, by any other browser, application or the OS itself, cannot take advantage of it.
DoH at the global/ OS level can be set up via a local proxy that receives the system's plaintext DNS queries & forwards them to a DoH resolver. Since DoH rides on HTTPS, primarily a high-level protocol for the secure transfer of hypertext documents, it may be preferable to secure DNS directly over TLS.
To this end, DNS over TLS (DoT) is being developed.
Ubuntu ver. 18 & some other Linux flavours offer experimental DoT support. While DoT has some catching up to do vis-à-vis DoH, debates continue over the merits & demerits of the two options for securing DNS requests. Over time we can hope for the gaps & issues to be resolved, & far better privacy & security offered to the end user.
Update 1 (25-Feb-21)
Reference links regarding enabling DoH across devices.
Enabling In Android:
- https://android.stackexchange.com/questions/214574/how-do-i-enable-dns-over-https-on-firefox-for-android
(In addition to the various network.trr.* settings for OpenDNS Family Shield DoH, look up the IP of the domain name "doh.familyshield.opendns.com" & set that value in network.trr.uri)
- https://blog.cloudflare.com/enable-private-dns-with-1-1-1-1-on-android-9-pie/
DoH Providers:
- https://github.com/curl/curl/wiki/DNS-over-HTTPS (Cloudflare also offers a Family shield/ filter)
- https://support.opendns.com/hc/en-us/articles/360038086532-Using-DNS-over-HTTPS-DoH-with-OpenDNS
- https://support.mozilla.org/en-US/kb/dns-over-https-doh-faqs