Protecting Your Online Privacy with DNS Security Protocols !!


Hi everyone,

Following my previous post, Securing Internet Traffic: Introducing HTTPS, DNSSEC, and DNS Encryption Technologies, today I want to talk about two protocols that aim to improve the security and privacy of DNS queries: DNS over TLS (DoT) and DNS over HTTPS (DoH). Both encrypt DNS queries with TLS, the same protocol that HTTPS websites use. They differ in how the connection is made and which port it uses.

DoT (RFC 7858) carries ordinary DNS messages over a TLS session on TCP, on its own dedicated port, 853. Because the port is dedicated, DoT traffic is trivially identifiable from the port number alone, so firewalls or network operators who do not want to allow encrypted DNS can block it (and, equally, operators who want to account for it can see exactly where it is going).

DoH (RFC 8484) sends the same DNS messages as HTTPS requests, with HTTP/2 as the recommended minimum HTTP version, on port 443, the standard HTTPS port. DoH queries therefore blend in with other HTTPS requests and get past firewalls or network operators who simply block port 853. The flip side is that DoH traffic is still subject to web filtering or censorship by intermediaries that can inspect HTTPS, such as an enterprise proxy that terminates TLS; and even without interception, the resolver's hostname in the TLS handshake (SNI) and its IP address usually reveal which DoH resolver is being contacted.
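To make the difference concrete, here is an added example (not code from the original post) that builds one DNS query in wire format and then shows how each transport wraps it: the 2-byte length prefix DoT uses inside the TLS stream versus the base64url GET parameter and the POST media type DoH uses. It also parses a constructed response, which is identical for both transports because only the framing differs. The resolver hostname and path are placeholders, and the response bytes are constructed here rather than captured from a real resolver.

```python
"""Added example (not from the original post): the same DNS query as
DoT and DoH put it on the wire. Hostnames and paths are placeholders."""
import base64
import struct


def encode_name(name: str) -> bytes:
    """RFC 1035 name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Wire-format query: 12-byte header with RD set, plus one IN question.
    txid defaults to 0 because RFC 8484 section 4.1 recommends ID 0 for DoH
    so identical queries are HTTP-cacheable; DoT clients use a random ID."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def dot_frame(msg: bytes) -> bytes:
    """DoT (RFC 7858 section 3.3): inside the TLS stream every DNS message is
    preceded by its 2-byte big-endian length, exactly like plain DNS over TCP."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too large for a 16-bit length prefix")
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(msg: bytes, base_url: str = "https://dns.example/dns-query") -> str:
    """DoH GET (RFC 8484 section 4.1): the message, base64url-encoded with
    padding stripped, travels in the 'dns' query parameter. base_url is a placeholder."""
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={encoded}"


def doh_post_headers(msg: bytes) -> dict:
    """DoH POST: the raw message is the request body with this media type."""
    return {
        "content-type": "application/dns-message",
        "accept": "application/dns-message",
        "content-length": str(len(msg)),
    }


def _read_name(data: bytes, off: int):
    """Decode a name, following RFC 1035 section 4.1.4 compression pointers.
    Returns (name, offset just past the name as it appeared at `off`)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # pointer: two bytes, top two bits set
            hops += 1
            if hops > 16:  # malicious pointer loops must not hang the parser
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg: bytes):
    """Return (txid, flags, [IPv4 strings]) from a response. The same parser
    serves DoT and DoH, since only the outer framing differs."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(".".join(str(b) for b in rdata))
    return txid, flags, addrs


def constructed_response(query: bytes) -> bytes:
    """Constructed sample reply (not captured from a real resolver): echoes the
    question and answers with one A record, 192.0.2.1 (RFC 5737 test range),
    naming the owner via a compression pointer back to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("DoT frame :", dot_frame(q).hex())
    print("DoH GET   :", doh_get_url(q))
    print("DoH POST  :", doh_post_headers(q))
    print("Parsed    :", parse_a_records(constructed_response(q)))
```

The `dns=` value printed for www.example.com can be compared with the GET example in RFC 8484 section 4.1.1. Note what neither wrapper does: nothing here verifies the resolver's certificate or the answer itself; TLS handles the former, and only DNSSEC handles the latter.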

Both protocols have advantages and disadvantages depending on the use case and threat model. Factors to weigh when choosing between them include performance, compatibility, transparency to the network operator, trust in the resolver operator, and policy compliance. There is no one-size-fits-all solution for secure DNS.

Here are some more differences, benefits, and drawbacks of DNS over TLS (DoT) and DNS over HTTPS (DoH):

Differences:

  • Port and protocol: DoT uses port 853 with DNS messages directly inside TLS, while DoH uses port 443 and carries the same messages as HTTPS requests.
  • Resolver support: a DoT resolver only needs a TLS listener in front of its normal TCP DNS handling, while a DoH resolver also needs an HTTP server (typically HTTP/2) that maps requests on an endpoint such as /dns-query to DNS messages.
  • Privacy: DoH can blend in with other HTTPS traffic on port 443, while DoT's dedicated port 853 makes it trivially identifiable. DoH is not invisible either: the resolver's hostname in the TLS handshake (SNI) and its IP address still identify it as DNS traffic to anyone watching the path.
  • Performance: the two are usually close. DoT adds only a 2-byte length prefix per message, while DoH adds HTTP framing and headers, but HTTP/2 multiplexing and HTTP caching of responses can offset that overhead. Measure in your own environment rather than assume.
  • Deployment: DoH rides on existing HTTPS infrastructure (web servers, load balancers, CDNs, and a port 443 that is already open), while DoT needs port 853 permitted through firewalls and a dedicated TLS listener on the resolver.

Benefits:

  • Security: both DoT and DoH encrypt DNS traffic between the client and the resolver, which prevents eavesdropping and on-path tampering or spoofing of answers in transit. They do not validate the answers themselves: a compromised or dishonest resolver can still return forged records, which is what DNSSEC addresses. The client must also authenticate the resolver (certificate validation against its configured hostname, or pinning), or an attacker can simply impersonate it.
  • Privacy: both DoT and DoH stop third parties on the network path from reading DNS queries and responses. The resolver operator still sees every query, so the choice of resolver is itself a privacy decision.
  • Compatibility: both are supported by most modern devices and operating systems, including mobile devices and desktops (for example, Android's Private DNS setting uses DoT, and the major browsers ship DoH).

Drawbacks:

  • Configuration: DoT may need more network configuration than DoH, such as allowing outbound port 853 through firewalls, and clients usually need the resolver's hostname configured so the certificate can be verified.
  • Compatibility: some older devices or networks do not support DoT or DoH, which can force a fallback to unencrypted DNS; check whether your client falls back silently or fails closed.
  • Performance: depending on the implementation and network conditions, DoH may be slower than DoT because of HTTP framing overhead, although in practice the difference is often small.
  • Centralization: DoH in particular can concentrate DNS resolution with a few large providers, since browsers ship with a short list of default DoH resolvers and the HTTPS infrastructure they rely on is largely operated by a handful of companies.

Support and adoption:

  • DoH and DoT: both are offered by several public resolver providers, including Cloudflare, Google, and Quad9, and are implemented by the major DNS software, including BIND, Unbound, and Knot Resolver.
  • Browsers: popular web browsers such as Firefox and Chrome have added DoH support, typically with a resolver chosen from a built-in list unless the user or enterprise policy overrides it.

Overall, both DoT and DoH deliver real security and privacy gains, and which one to use depends on the specific needs of the environment. DoT is the natural fit for operating-system or router-level resolution on networks where port 853 can be permitted and the traffic accounted for; DoH is easier to deploy where only port 443 is reachable and is what the browsers ship by default. Neither replaces DNSSEC. Both are also still fairly young (RFC 7858 for DoT dates from 2016, RFC 8484 for DoH from 2018), and practice around resolver selection, enterprise policy, and fallback behaviour is still settling.

What do you think about DoT and DoH? Which protocol do you prefer and why? Let me know in the comments below!


More articles by Alejandro Cadarso
