Teacher
Professional

DNS over HTTPS (DoH) helps protect users from having data about the websites they visit collected and then sold to advertisers. Confidentiality is achieved by encrypting the visitor's requests to the web resource. Let's go through the nuances of the technology and explain how to configure DoH correctly in the browser.
Introduction
Every day we visit a variety of resources on the Internet related to education, professional information, entertainment, hobbies, goods and so on. Requests to those resources can quite precisely identify a person and determine the scope and type of their activity, interests and desires. Not every user likes that someone, be it a government, a provider or a third party, can fully monitor their online behaviour. Moreover, such information is sold to third parties engaged in targeted advertising, hence the annoying banners on various sites that echo your earlier requests.
The DNS over HTTPS technology (hereinafter DoH) is designed to ensure the anonymity of such requests.
DNS and security threats
DNS is a service that helps users interact with sites on the Internet.
In the context of DNS queries and their possible abuse, there are two main threats to user security: tracking and spoofing.
Tracking was partly mentioned above: it is the collection of information about user requests and its sale to third parties. Even if you use trustworthy DNS servers at home or at work, in public places there is always the possibility of connecting to a wireless network with an untrusted DNS server that monitors all your requests and passes them on to parties who should not have them.
Spoofing is the implementation of a Man-in-the-Middle (MitM) attack. An attacker who sees your requests can spoof the response from the DNS server and direct you to a malicious or phishing site. If the user is not careful in such cases, they may end up installing various malicious programs on the computer and disclosing data (accounts, passwords, payment card details), which makes this threat especially dangerous. Part of the problem is solved by DNSSEC, which relies on asymmetric (public-key) cryptography: every response from the DNS server is digitally signed, a secret key is used for signing, and anyone can verify the signature.
What is DNS over HTTPS
In October 2018, the Internet Engineering Task Force (IETF) published RFC 8484, which describes DoH. In it, DNS queries are carried over HTTPS. For exchange over this protocol, certificates with public and private keys must be installed. Data is encrypted with a private key and decrypted with a public one. The client and server exchange keys, after which all data is transmitted in encrypted form. Thus, when this technology is used, your queries to the DNS server and its responses are transmitted in encrypted form.
DoH is used by the popular browsers Chrome and Firefox, as well as by public DNS servers from Google, Cloudflare, OpenDNS and others.
It is worth noting that not all DNS requests from you will be encrypted. First, a request containing the resource name, the SNI (Server Name Indication), will be sent to the DNS server. SNI is used by the TLS encryption protocol to request the certificate for a specific resource, so that different sites can be hosted on the same IP address. Accordingly, your ISP and the routers along the request's path will see it, but once the connection is established, everything will be encrypted. Thus, the problem of disclosing the resource name in the initial request remains.
To solve it, the Encrypted Server Name Indication (ESNI) technology was developed. It is an extension of the TLS protocol that allows the SNI to be encrypted with the public key of the DNS server. Using this technology can make some sites hard to reach if the ISP uses a DPI filtering system, since that system inspects the SNI and drops the request if the indicator is hidden.
How to set up DoH in your browser
The setup is very simple; we will give examples for two popular browsers, Mozilla Firefox and Google Chrome.
Mozilla Firefox
If you are using Mozilla Firefox, go to "Settings"; in the "General" section, scroll to "Network Settings" and click the "Configure" button; at the bottom, check the "Enable DNS over HTTPS" checkbox. By default the Cloudflare server is used; if necessary, you can replace it with another one.
Google Chrome
In Chrome, open "Settings", then the "Security" tab in the "Privacy and Security" section. Under "Advanced", enable the "Use a secure DNS server" option. You can use DoH with the DNS server of your existing service provider, choose an out-of-the-box option from the list of recommended ones, or specify a different server.
DoH abuse
Antivirus, intrusion detection and intrusion prevention systems are used to protect the information infrastructure of companies and government departments. These security tools use signature analysis of malicious activity: when processing network traffic, they inspect, in particular, the body of the data packet. They compare requests, commands, paths and other information in a network packet with their signature base, and if a match is found, the traffic is blocked.
Malicious programs are now emerging that abuse DoH, using it to establish an encrypted connection between an infected computer and a command-and-control (C&C) server. Requests and responses are encrypted, so the information protection tools described above cannot detect and block the malicious activity. DoH abuse is therefore a very attractive opportunity for attackers.
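One defender-side way to notice DoH use on a network even though the queries themselves are encrypted, as an added example that is not from the article: correlate the plaintext DNS answers a client received with the TLS sessions it opens. Log formats, timestamps and addresses are constructed for the example; the hostnames in KNOWN_DOH_RESOLVERS are the public DoH endpoints of Cloudflare, Google and OpenDNS.

```python
import re
from collections import defaultdict

# Added example, not from the article. Two constructed log feeds with made-up
# formats: plaintext DNS answers seen on udp/53 and TLS sessions with their SNI.
# A client opening TLS sessions to addresses that never appeared in any plaintext
# DNS answer is resolving names some other way, DoH being the usual reason; SNIs
# of well-known public DoH resolvers are flagged directly.
KNOWN_DOH_RESOLVERS = {"cloudflare-dns.com", "dns.google", "doh.opendns.com"}

DNS_LOG = [  # "<time> <client> answer <name> A <ip>"
    "10:00:01 10.0.0.5 answer example.com A 93.184.216.34",
    "10:00:02 10.0.0.5 answer cloudflare-dns.com A 104.16.248.249",
]
TLS_LOG = [  # "<time> <client> -> <server>:<port> sni=<name>"
    "10:00:03 10.0.0.5 -> 93.184.216.34:443 sni=example.com",
    "10:00:04 10.0.0.5 -> 104.16.248.249:443 sni=cloudflare-dns.com",
    "10:00:09 10.0.0.5 -> 198.51.100.7:443 sni=updates.internal.test",
    "10:00:10 10.0.0.9 -> 93.184.216.34:443 sni=example.com",
]
DNS_RE = re.compile(r"^(\S+) (\S+) answer (\S+) A (\S+)$")
TLS_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) sni=(\S+)$")

def resolved_ips(dns_lines):
    """client -> set of IPs that client received in plaintext DNS answers."""
    seen = defaultdict(set)
    for line in dns_lines:
        m = DNS_RE.match(line)
        if m:
            _, client, _, ip = m.groups()
            seen[client].add(ip)
    return seen

def find_doh_indicators(dns_lines, tls_lines):
    """(client, server, reason) for each TLS session that deserves a closer look."""
    seen = resolved_ips(dns_lines)
    findings = []
    for line in tls_lines:
        m = TLS_RE.match(line)
        if not m:
            continue
        _, client, server, _, sni = m.groups()
        if sni in KNOWN_DOH_RESOLVERS:
            findings.append((client, server, "SNI of a public DoH resolver"))
        elif server not in seen.get(client, set()):
            findings.append((client, server, "no plaintext DNS answer seen for this IP"))
    return findings

if __name__ == "__main__":
    for finding in find_doh_indicators(DNS_LOG, TLS_LOG):
        print(*finding)
```

The second rule produces false positives for clients whose answers were cached before the logging window began, so run it over a window longer than the TTLs in use and treat its output as a lead rather than a verdict.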
Restricting the use of DoH technology
Many information security organizations collect events from their DNS servers to monitor for malicious activity. DNS queries can be used to detect targeted attacks on information systems and to identify computers infected with malware; correlation rules for SIEM systems are also built on them. Using DoH therefore makes monitoring malicious activity much more difficult. To solve the problem, "canary" (validation) domains were invented. To disable DoH, you add an entry for such a domain to the local DNS server. For example, Firefox checks the name "use-application-dns.net": if the DNS server fails to resolve that name, the browser will use DoH; otherwise, information about the domain is received and DoH will not be used.
In addition, popular DNS servers implement a parental control function (restricting resources that are undesirable for children); accordingly, when DoH is used, it will not work correctly. This problem is also solved with "canary" domains, but the names are requested from public servers. Which names are used to disable DoH for a particular service is not disclosed.
Conclusions
DoH is useful and deserves widespread use. You can increase your anonymity and security with a simple browser setup. DoH is supported by popular browsers and DNS servers. Now that almost three years have passed since the technology was created, users will not experience any difficulty using it. It is worth noting, however, that from time to time there is news about possible bans on technologies that use cryptographic algorithms to hide the names of requested resources, which cannot but worry IT professionals.
(c) https://www.anti-malware.ru/analytics/Technology_Analysis/How-to-set-up-DNS-over-HTTPS