What are DoH & DoT? How do they work? How do you configure DoH? How does DoH play an important role in application security?

Tapendra Dev
3 min read, Oct 10, 2019
DNS-over-HTTPS

What are DoH & DoT, and how do they work?

DoT (DNS-over-TLS) and DoH (DNS-over-HTTPS) are two relatively new protocols for carrying DNS over an encrypted transport. Both were standardised by the Internet Engineering Task Force (IETF): DoT in RFC 7858 (2016), which runs the classic DNS exchange inside TLS on TCP port 853, and DoH in RFC 8484 (2018), which carries DNS messages inside HTTPS requests on port 443.

By 2019 the large majority of web page loads are already encrypted with HTTPS, but the DNS lookups that precede them are almost never encrypted. The application hands a plaintext query to the resolver configured in the local operating system, usually one pushed by the network provider, over UDP or TCP port 53. Anyone on the path can read those queries, and because classic DNS does not authenticate the resolver, can also forge or rewrite the responses. This leaves DNS exposed to eavesdropping, spoofing and manipulation.

DoH and DoT were introduced to change this paradigm. Both encrypt the query between the client and the resolver: DoT wraps the DNS exchange in a TLS session on its own port (853), while DoH embeds the DNS message in an HTTPS request, so on the wire it is indistinguishable from regular HTTPS traffic on port 443. The queries are sent to a resolver that supports DoH or DoT, which performs the lookup and returns the answer over the same encrypted channel.

DoH prevents the ISP, or anyone else on the network path, from viewing a user's DNS requests, but it does not prevent tracking outright: the operator of the chosen resolver still sees every query, and the destination IP address and the TLS Server Name Indication (SNI) of the connection that follows can still reveal which sites a user visits.

How to configure DoH or DoT?

There are several ways to configure DoH or DoT to protect your application's name resolution:

Running DNS over HTTPS Client

There are several DNS over HTTPS clients available that you can point at a DoH resolver such as Cloudflare's 1.1.1.1 in order to protect your DNS queries from eavesdropping and tampering.

Using DNS Wireformat

RFC 1035 specifies the wire format for DNS messages. It also specifies DNS transport over UDP and TCP on port 53, which is still used today. DoH (RFC 8484) sends that same wire-format message inside an HTTPS request using either POST or GET: with POST the binary message is the request body, with GET it is base64url-encoded (without padding) in the ‘dns’ query parameter. To send queries using DNS wire format, set the header ‘accept: application/dns-message’, plus ‘content-type: application/dns-message’ if using POST, to signal the media type of the query.

Example request using Cloudflare:

A query for the A record of www.example.com, sent with the POST method, looks like this. The body is 33 bytes, shown here as hex: a 12-byte header (ID 0, flags 0x0100 meaning recursion desired, one question), followed by the name as length-prefixed labels, QTYPE 1 (A) and QCLASS 1 (IN).

:method = POST
:scheme = https
:authority = cloudflare-dns.com
:path = /dns-query
accept = application/dns-message
content-type = application/dns-message
content-length = 33

<33 bytes represented by the following hex encoding>
00 00 01 00 00 01 00 00 00 00 00 00 03 77 77 77
07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
01

Using JSON

DoH endpoints such as Cloudflare's also support a JSON format for querying DNS data. A JSON query is sent as a GET request with the question encoded in the URL parameters, for example ‘name=example.com&type=A’, and the answer comes back as a JSON document instead of a binary DNS message. Set the header ‘accept: application/dns-json’, or add the URL parameter ‘ct=application/dns-json’, to indicate the expected media type.
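The following Python is an added example for the two sections above (wire format and JSON); it is not code from the original post. It builds the same 33-byte www.example.com query shown above, derives the RFC 8484 GET URL and POST headers for it, builds the Cloudflare JSON-form URL, shows the two-byte length framing that DoT (RFC 7858) inherits from DNS-over-TCP, and parses a wire-format reply. The reply is constructed by hand for the demo (its 192.0.2.1 address is documentation space, not a real lookup result); the endpoint https://cloudflare-dns.com/dns-query is the one the post uses. Nothing here touches the network.

```python
"""Build and decode DNS-over-HTTPS / DNS-over-TLS messages offline (added example)."""
import base64
import struct
import urllib.parse

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"   # endpoint used in the post
QTYPE = {"A": 1, "AAAA": 28, "TXT": 16}


def encode_name(name):
    """Encode 'www.example.com' as RFC 1035 labels: 03 www 07 example 03 com 00."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype="A", msg_id=0):
    """Wire-format query: 12-byte header + one question, class IN.

    RFC 8484 recommends ID 0 for DoH so identical questions give identical
    bytes (and therefore cacheable GET URLs). Flags 0x0100 = RD bit set.
    """
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def doh_get_url(query, endpoint=DOH_ENDPOINT):
    """RFC 8484 GET form: ?dns=<base64url of the message, '=' padding removed>."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return "%s?dns=%s" % (endpoint, token)


def doh_post_headers(query):
    """Headers for the POST form shown in the post; the query bytes are the body."""
    return {
        "accept": "application/dns-message",
        "content-type": "application/dns-message",
        "content-length": str(len(query)),
    }


def doh_json_url(name, qtype="A", endpoint=DOH_ENDPOINT):
    """Cloudflare JSON form: question in the query string, media type in 'ct'."""
    params = urllib.parse.urlencode(
        {"name": name, "type": qtype, "ct": "application/dns-json"})
    return "%s?%s" % (endpoint, params)


def dot_frame(query):
    """DoT (RFC 7858) reuses DNS-over-TCP framing: 2-byte big-endian length prefix."""
    return struct.pack("!H", len(query)) + query


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(data):
    """Return id, rcode, questions and answers (A records decoded) from a reply."""
    msg_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = read_name(data, offset)
        qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, offset = read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if (rtype == 1 and rdlen == 4) else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": msg_id, "rcode": flags & 0x000F, "questions": questions, "answers": answers}


# Constructed reply (not captured from a real resolver): flags 0x8180 = QR+RD+RA,
# one question, one A answer whose name is a compression pointer (C0 0C) to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("www.example.com")
    print(q.hex(" "))            # the 33 bytes from the POST example above
    print(doh_get_url(q))        # same query in GET form
    print(doh_json_url("www.example.com"))
    print(parse_response(SAMPLE_RESPONSE))
```

Because the message ID is fixed at 0 and the GET form is canonical, the URL produced for a given question never changes, which is what lets HTTP caches in front of a DoH resolver serve repeated lookups; a real client must still check that the response's question section matches what it asked.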

Conclusion

In this blog we have looked at what DNS-over-HTTPS and DNS-over-TLS are, how to configure DoH and DoT, and how they play an important role in application security.

The primary benefit of DoH is that it hides DNS requests and responses in the giant stream of HTTPS traffic that moves across the internet every second. Third-party observers can no longer read DNS requests to guess what a user is trying to access, and because the resolver is authenticated by its TLS certificate, an on-path attacker can no longer silently rewrite DNS answers, which removes a common man-in-the-middle technique.

This design also makes DoH useful for bypassing DNS-based blocklists, as there is no plaintext DNS traffic left to filter. The effect cuts both ways: enterprise DNS filtering and DNS-based detection are bypassed just as easily, so organisations that rely on them need to route clients to a resolver they control or block unsanctioned DoH endpoints.

Mozilla added DoH support to Firefox in 2018 and began enabling it by default for users in the United States in September 2019. Currently, enabling DoH in Firefox is as easy as toggling a setting in the network preferences.

Wider rollout of DoH by default to users in other parts of the world is expected to follow.

Tapendra Dev

Founder & CEO of Secure Blink — Heuristic AppSec Management Platform | Cybersecurity Researcher | Serial Entrepreneur