Tag Archives: DNS over HTTPS

Securing DNS

Most people don’t know what DNS is, but it is almost as old as the Internet and you use it hundreds of times a day, probably thousands of times a day.

Every time you check for new email on your phone or browse to a web site, you are using DNS.  The Internet uses numeric addresses called IP addresses to route requests, but you use names like ESPN.Com, Foxnews.com and Facebook.com.  DNS is what translates Facebook.com to (IPv4) or 2a03:2880:f003:c07:face:b00c::2 (IPv6).

Virtually all of your communications on the Internet these days are encrypted.  Except for DNS.  That means that anyone listening on your connection can see what web sites you are visiting and, if they are malicious, route you to an alternative, malicious site.  That is because DNS traffic is not encrypted.

Until now.

There was an experiment called DNSCrypt that encrypted your DNS traffic, but it required that you install and configure software.  It never gained any traction.

After that came (of course) two competing standards, one called DNS over TLS and the other called DNS over HTTPS.    It looks like DNS over HTTPS won.

It does require that you turn it on in your browser, but beyond that, nothing is required.  That will probably change in the future to be the default.

In England, the Internet Service Provider Association named Firefox and Google villains of the year for encrypting your DNS traffic and GCHQ (their version of NSA) wasn’t thrilled either.  Probably a great reason to do it all by itself.

Firefox is the first to do it.  In Firefox, it is a bit confusing, but here is a ZDNet article on how to do it.

1. Type about:preferences in the address bar.

2. Scroll down to Network Settings and click Settings.

3. Click Enable DNS over HTTPS.

4. Click OK.

You can change the default provider, but you don’t have to.

That’s pretty simple.  That is all it takes.
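Firefox records the result of those clicks as prefs in the profile's prefs.js (network.trr.mode and, if you picked a custom provider, network.trr.uri). The following is an added example, not code from the post or from Mozilla, that parses a constructed prefs.js excerpt and reports whether DoH is actually on; the provider URL is a placeholder.

```python
import re

# Firefox stores the DoH setting as the network.trr.mode pref ("TRR" is Firefox's
# name for its DoH client). Meanings of the documented values used here:
TRR_MODES = {
    0: "off (default: native DNS only)",
    2: "DoH first, fall back to native DNS if it fails",
    3: "DoH only, no fallback to native DNS",
    5: "off, explicitly disabled by the user",
}
PREF_LINE = re.compile(r'user_pref\("([^"]+)",\s*(.*?)\);\s*$')


def parse_prefs(text):
    """Parse user_pref(...) lines from a prefs.js / user.js into a dict."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line.strip())
        if not m:
            continue
        key, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw
    return prefs


def doh_status(prefs):
    """Summarise whether this profile really sends its DNS over HTTPS."""
    mode = prefs.get("network.trr.mode", 0)
    # No network.trr.uri pref means Firefox's built-in default provider is used.
    uri = prefs.get("network.trr.uri", "<built-in default provider>")
    return {
        "mode": mode,
        "meaning": TRR_MODES.get(mode, "unknown or deprecated mode"),
        "provider": uri,
        "doh_enabled": mode in (2, 3),
        "native_fallback": mode == 2,
    }


# Constructed prefs.js excerpt (not from a real profile) as it might look after
# the steps above with a custom provider chosen; the URL is a placeholder.
SAMPLE_PREFS = '''
user_pref("network.trr.mode", 3);
user_pref("network.trr.uri", "https://doh.example/dns-query");
user_pref("browser.startup.homepage", "about:blank");
user_pref("privacy.donottrackheader.enabled", true);
'''
```

Run doh_status(parse_prefs(open(path).read())) against a real profile's prefs.js to confirm the setting took; mode 2 still falls back to plain DNS when the DoH resolver fails, mode 3 never does.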

Now all of your DNS requests are private and cannot be spoofed by your local coffee shop WiFi.

Chrome is a little behind, but it should be there in a couple of months and since Microsoft Edge is really Chrome with a different decal, it will likely show up there too.

Having someone listen in on your browsing is maybe a problem if you care about your privacy.

Having someone redirect your browser to a malicious version of the web site you want to go to, where they steal your password or install malware, is another matter.  That is a legitimate problem.

One more security/privacy thing that you should enable and it doesn’t cost anything.


Mozilla (Firefox) Named Internet Villain for Supporting Privacy

Okay, this is going to take a little bit of explaining so bear with me, but it is important.

Everyone knows about the padlock in their browser with says that the traffic to that web site is encrypted using Secure Sockets Layer (SSL) encryption, which has now been upgraded to Transport Layer Security (TLS).  The differences between SSL and TLS are technical and not relevant to this conversation.  This keeps the actual data that you send and receive private (mostly).

But there is one big hole that allows ISPs to track you (and sell your data) as well as the government to see who is going where and that is Domain Name Service (DNS).  DNS is the technology that translates the name you put in your browser (www.ThisIsACoolSite.com) into the numbers that the Internet actually uses (123.45.670.02).  DNS traffic, up until now, has not been encrypted.

Now both Google (Chrome) and Mozilla (Firefox) are testing DNS over HTTPS, or DoH, and both will be incorporating it into their browsers by default.  Mozilla is a little bit ahead of Google, but not by much.

The UK Internet Service Providers trade group gave Mozilla (but not Google – why?) the title of Internet villain for protecting people’s privacy.  Why?  Because it makes it tougher for them to spy on users.

It is important to understand that even with DoH the actual IP address of the web site that you visit will still be visible to your ISP, so don’t go too crazy.  But if the web server hosts hundreds of websites, as many do, some of the detailed data will be invisible to your ISP and the government, protecting your privacy a little bit and annoying your ISP and the government equally.

Interestingly, the US government, which usually whines loudly about anything that reduces their spying ability hasn’t said anything.  They still have time.  They probably will want to do something like China has done, which is to install spyware on everyone’s phones so that they can get your data directly.  Not here.  Yet.

The other thing about DoH is that it works at the app level, so even if the operating system doesn’t support DoH, as long as you have a current browser, you are protected.
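Both posts above describe DoH as DNS that the browser wraps in HTTPS; the wire format is defined in RFC 8484. The following is an added example, not code from either post or from any browser, showing what a DoH client and resolver actually exchange: an ordinary DNS query message, carried either in a GET parameter or in a POST body, which the network between them sees only as TLS to the resolver. The endpoint URL is a placeholder.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

DOH_ENDPOINT = "https://doh.example/dns-query"   # placeholder, not a real provider
QTYPES = {1: "A", 28: "AAAA"}
CLASS_IN = 1


def encode_name(name):
    # "facebook.com" -> b"\x08facebook\x03com\x00" (DNS label format)
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"


def build_query(name, qtype=28):
    # A plain DNS wire-format query; DoH carries exactly these bytes over HTTPS.
    # ID 0 with RD=1, as RFC 8484 suggests, so identical queries are HTTP-cacheable.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(wire):
    # GET form: unpadded base64url of the message in the "dns" query parameter.
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode()
    return DOH_ENDPOINT + "?dns=" + b64


def doh_post_request(wire):
    # POST form: the same bytes as the body, typed application/dns-message.
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return headers, wire


def parse_question(wire):
    # What the resolver (and only the resolver) can read: the name and record type.
    _, _, qdcount, *_ = struct.unpack("!HHHHHH", wire[:12])
    assert qdcount == 1, "expected exactly one question"
    off, labels = 12, []
    while wire[off]:
        n = wire[off]
        labels.append(wire[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    qtype, _ = struct.unpack("!HH", wire[off + 1:off + 5])
    return ".".join(labels), QTYPES.get(qtype, str(qtype))


def decode_doh_get_url(url):
    # Resolver side of the GET form: restore padding, decode, parse the question.
    b64 = parse_qs(urlsplit(url).query)["dns"][0]
    return parse_question(base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4)))
```

Without DoH those same 30 bytes go out as a plaintext UDP packet to port 53, readable and forgeable by anyone on the coffee shop network; with DoH only the resolver can run parse_question on them.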

The UK’s nanny state is worried that their system for blocking you from visiting sites that you want to visit but they don’t want you to visit won’t work any more.

In fact, in the UK but not in the US (yet) there is a law that requires ISPs to block sites the government says are bad (what could go wrong with that?)  This may make that hard or impossible to do, but my guess is that the government can’t force ISPs to do something that is technically impossible for them to do.  I suppose, it could ban Chrome and Firefox or make them create a crippled version for UK users (remember the crypto wars from the 1990s where the US government forced software makers to release crippled versions of their software if they made their software available internationally?  We are still dealing with the fallout from that, 25 years later).

At least GCHQ (the UK’s version of the NSA) is being honest about it.  They say it will impede their ability to spy on people.

Stay tuned, this war is not over yet.  No government likes it when their ability to spy on their citizens is reduced.

Source: ZDNet.