What is the difference between DNS over TLS & DNS over HTTPS?
Priyanka Shyam
Network Geek with a robust skill set | CCDE (Written) | CCIE | CWNA | Cisco SCOR | Cisco SD-WAN Expert | Technical Writer | Multitasker | Considerate & Empathic Communicator
Since we discussed DNS over HTTPS in my article https://www.dhirubhai.net/pulse/google-announces-dns-over-https-doh-part-its-public-service-kumari/, let's talk about the difference between DNS over HTTPS and DNS over TLS.
DoT and DoH seem like interchangeable terms for the same thing. Both encrypt DNS requests, but there's one big difference: the port they use.
To answer this in a simple way, I will lay out my viewpoint step by step. First, let's look at DNS over TLS on its own before exploring the difference between DoH and DoT.
What is DNS over TLS?
Traditional DNS queries and responses are sent over UDP or TCP without encryption, which leaves them susceptible to eavesdropping and spoofing (including DNS-based Internet filtering). The responses of recursive resolvers to clients are the most vulnerable to undesired or malicious changes, while the communications between recursive resolvers and authoritative name servers are often accompanied by additional security measures.
(I recommend reading the basic DNS article to better understand recursive resolvers, which I have already written.)
In response to these problems, Google Public DNS, Cloudflare, Facebook, and others offer DNS resolution over TLS-encrypted TCP connections. Through DNS-over-TLS, clients and resolvers can communicate more securely and privately. It complements DNSSEC and prevents spoofing or modification of DNSSEC-verified results.
There are two types of privacy profiles available to client systems using DNS-over-TLS: strict privacy and opportunistic privacy. As part of the strict privacy profile, the user configures a DNS server name (the authentication domain name in RFC 8310) for DNS-over-TLS service, and the client must be able to establish a secure TLS connection to the DNS server over port 853. The client will not receive DNS service if a secure connection cannot be established.
In the opportunistic privacy profile, the DNS server IP address can be configured directly by the user or obtained through DHCP. The client resolver attempts to establish a secure connection on port 853. If it succeeds, the user's queries are protected from passive observers. Because the client does not verify the authenticity of the server, however, it is not protected against active attacks. If the client cannot establish a secure connection on port 853, it falls back to the standard DNS port 53 over UDP or TCP. Deploying opportunistic privacy incrementally provides a gradual path toward widespread adoption of the strict privacy profile.
The following steps are used by stub resolvers to establish a DNS-over-TLS connection when a strict privacy profile is used.
When the TLS connection is established, the stub resolver can communicate securely with Google Public DNS.
The stub resolver can now send DNS queries and receive responses.
Using an opportunistic privacy profile, the client first attempts to establish a secure TLS connection. This is done similarly to the above with one important difference - no certificate validation is performed by the client. As a result, it is impossible to trust the identity of the server. The stub resolver falls back on talking to the DNS server on port 53 if a TLS connection cannot be established.
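To make the two profiles concrete, here is a small stub resolver written as an added example for this article (it is not code from Google Public DNS or any other resolver named above). It sends a length-prefixed DNS query over TLS to port 853; with `strict=True` the server certificate is checked against the configured authentication domain name, while `strict=False` reproduces the opportunistic profile's encrypted-but-unauthenticated connection. The function names, the fixed transaction id and the caller-supplied fallback to port 53 are assumptions of the example.

```python
import socket, ssl, struct

def build_query(name: str, qtype: int = 1, txid: int = 0x2A2A) -> bytes:
    # Wire-format DNS message: header (RD=1, one question) + QNAME + QTYPE + QCLASS IN.
    # The transaction id is fixed here so the example is testable; use a random id in practice.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lbl.encode("ascii") for lbl in name.rstrip(".").split(".")]
    return header + b"".join(bytes([len(l)]) + l for l in labels) + b"\x00" + struct.pack("!HH", qtype, 1)

def _skip_name(msg: bytes, off: int) -> int:
    # Step over a (possibly compressed) name; a pointer label (top two bits set) ends it in 2 bytes.
    while msg[off] & 0xC0 != 0xC0 and msg[off] != 0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_a_records(msg: bytes, txid: int) -> list:
    # Accept only a response to our own query with RCODE 0, then collect the IPv4 answers.
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000 or flags & 0x000F:
        raise ValueError("bad response: id=%#x flags=%#x" % (rid, flags))
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QNAME, QTYPE, QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def tls_context(strict: bool) -> ssl.SSLContext:
    ctx = ssl.create_default_context()  # strict profile: verify the chain and the authentication domain name
    if not strict:
        ctx.check_hostname = False      # opportunistic profile: encrypted, but the server identity is unchecked
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def resolve_dot(name: str, server_ip: str, auth_domain: str, strict: bool = True) -> list:
    # DNS over TLS (RFC 7858): TCP port 853, each DNS message prefixed with its 2-byte length.
    query = build_query(name)
    with socket.create_connection((server_ip, 853), timeout=5) as raw, \
            tls_context(strict).wrap_socket(raw, server_hostname=auth_domain) as tls:
        tls.sendall(struct.pack("!H", len(query)) + query)
        with tls.makefile("rb") as f:
            rlen = struct.unpack("!H", f.read(2))[0]
            return parse_a_records(f.read(rlen), 0x2A2A)
```

With `strict=True` a certificate that does not match `auth_domain` makes `wrap_socket` raise and no query is sent, which is exactly the "no service without a secure connection" behaviour of the strict profile.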
What’s the difference between DNS over TLS & DNS over HTTPS?
Although both of these standards encrypt DNS requests, there are some important differences between DNS over TLS and DNS over HTTPS. The IETF defines DNS over HTTPS in RFC 8484, and DNS over TLS in RFC 7858 and RFC 8310.
DNS over TLS uses TCP as the basic connection protocol, with TLS adding encryption and authentication on top of it. A DNS over HTTPS connection uses HTTPS and HTTP/2.
This distinction determines the port used. DNS over TLS uses port 853. DNS over HTTPS uses port 443, the standard port for HTTPS traffic.
Having a dedicated port may seem like an advantage, but in certain situations it's actually the opposite. Unlike DNS over HTTPS requests, DNS over TLS requests use a distinct port that anyone at the network level can see and block.
With DoH, blocking DNS requests at the network level means blocking all HTTPS traffic instead of just shutting off DNS requests on a specific port, which can be confusing.
Engineering Manager @ Wells Fargo | DDI Technology
2 years
DNSCrypt is something that uses the best of both worlds. Sadly not many public recursive resolvers support DNS over TLS which is a very powerful tool to stop DNS eavesdropping.