DNS over HTTPS (Your Handy Guide)

Up until now, your DNS requests were not normally encrypted. They use the TCP protocol, so they’re in plaintext (AKA readable format). Any entity that handles the IP matchmaking process could retrieve those requests and analyze them. 

That pretty much is fancy talk for saying your ISP or a third party DNS server could see what you browse online.

For DNS over HTTPS to work, two things are needed:

1. An application that supports DoH (many browsers now offer that).
2. A DNS server that supports encrypted DNS traffic (called a DoH resolver). OpenDNS and Google Public DNS are good examples. So is any VPN DNS server that supports DoH.

It Keeps You Safe from MITM Attacks

A MITM (Man-in-the-Middle) attack is when a hacker positions themselves between you and the website or device you’re trying to communicate with. They then try to intercept any data that is shared between you and said site/device.

When it comes to DNS, many cybercriminals use DNS spoofing, DNS poisoning, and DNS hijacking as a way to steal sensitive financial and personal information. They abuse the unsecured nature of normal DNS traffic to redirect you to phishing websites.

Well, DNS over HTTPS protects you from those threats by encrypting all your DNS queries. That way, hackers will have a much more difficult time eavesdropping on them.

DoH Hides Your DNS Traffic from ISPs (To a Certain Extent)

Since DoH encrypts your DNS queries, your ISP can’t see what websites you browse anymore. Don’t forget – DNS queries are the connection requests you send to websites. It’s a nice way to make sure they don’t snoop on your private browsing or sell your data to advertisers.

Now, the article we linked at the start of this section does say that DoH doesn’t offer complete protection from ISP monitoring. 

And we tend to agree. After all, ISPs can tell what web pages you’re browsing even if you use HTTPS by just analyzing the destination, timing, and size of your data packets. Also, DoH won’t really help you if you browse HTTP websites since the requests are unencrypted and ISPs can see the URLs.

Plus, your ISP can monitor other stuff – like SNI fields and OSCP connections. What’s more, they can see the IP address you’re connecting to anyway.

But here’s the thing – despite all that, ISPs are still really worried about DNS over HTTPS. Some of them even went as far as calling Mozilla an “Internet villain” for supporting it. And others even tried to lobby against it with misleading documents.

So, DoH is definitely doing something right for user privacy if it’s got ISPs so riled up. 

And if you use DoH together with a VPN, you’ll have even better odds of hiding your browsing from your ISP.

It Helps You Bypass DNS Filtering at Work and School

Many businesses are worried that DNS over HTTPS will allow employees to bypass website blocklists. Basically, some companies use DNS filtering (local DNS servers and DNS-based software) to block access to certain websites – either non-work related platforms (like Twitter and Facebook) or malicious sites.

Well, DoH can actually overwrite centrally-imposed DNS settings. That means you can use it to get around unfair restrictions – like not being able to listen to your favorite songs on YouTube while you work, or watch an episode of a hit series on Netflix during your lunch break.

And employees aren’t the only people who get to enjoy this perk. If you’re a student and you have to deal with DNS filtering on the school/university network, DoH will help you bypass it too.

Isn’t DNS over TLS (DoT) a Better Option?

Some security experts claim that DoT is much better than DoH since it fully encrypts the DNS traffic instead of just “hiding” it in HTTPS traffic like DoH.

However, if you check out most articles on this topic, you’ll see many of those experts prefer DoT because it’s more convenient for enterprises to use it. Basically, it’s easier to implement since it works on existing network infrastructure, and it offers better DNS filtering.

But if you’re a regular Internet user, there’s not much incentive to use DoT instead of DoH. Here’s why:

• It needs constant patches to offer complete security. That’s not exactly something you can (or would want to) handle.
• DoT uses a dedicated port – 853. Even though it encrypts DNS traffic, anyone can spot DoT due to that port. DoH, on the other hand, uses port 443 (the HTTPS port), making it much harder to notice. Port 853 can actually be blocked since it only handles DoT. Nobody can block port 443, however, since that would mean blocking all HTTPS traffic.
• While DoT protects against MITM attacks, users need to empty the cache data from the server for it to be very effective. DoH offers much more straightforward security.

DoH vs. VPN – What’s the Best Way to Protect Your Privacy?

If you use DNS over HTTPS, there’s no reason to use a VPN, right? Pretty much all browsers support DoH, so you’re good to go.

Not so fast.

True, DoH can secure your DNS requests, but like we already mentioned, it can’t really encrypt all your Internet traffic. Not to mention it doesn’t hide your IP address, nor does it hide the IP addresses you connect to.

That’s where a VPN comes into play. It’s an online service that hides your IP address and encrypts all your Internet traffic end-to-end. What’s more, when you use a VPN to browse the web, your ISP will only be able to see the IP address of the VPN server you’re using. They won’t see the IP addresses of the sites you browse.

Also, consider this – DoH can help you get around DNS filtering at work or school, but what if they’ll just start using firewalls instead? They restrict your access based on your IP address, so DoH can’t help you there. But a VPN can since it replaces your IP address with a new one that doesn’t have any firewall restrictions linked to it.

All in all, it’s a good idea to use the two together if you really value your privacy and want to enjoy a truly unrestricted online experience. Just make sure you pick a VPN that supports DoH.

The Bottom Line

DNS over HTTPS (DoH) is a pretty new Internet protocol that helps you secure your DNS queries when you browse the web. Basically, it blends them into HTTPS traffic, offering them a layer of encryption they didn’t have before.While DoH is useful, it does have a few drawbacks. To get the best security, you should use it together with a VPN that supports DoH.