Using DNS over TLS (DoT) and DNS over HTTPS (DoH) sounds similar but they are not interchangeable there are many differences between the two of them.
So we spoke to an expert on the two porting methods, Malcolm Murphy, Technical Director, EMEA at Infoblox to give us the breakdown of how they both work individually, their differences, the case uses for business, their wider integration on the internet and much more to dispel any confusion between the two.
Read below to gain a more granular insight on how both of them work.
Why do developers use DNS over TLS? Is it more Secure?
DNS over TLS (DoT) and DNS over HTTPS (DoH) both solve the ‘last mile’ security problem: DNS queries between the client and server are normally sent in plain text which opens up the possibility of eavesdropping.
For some, this may be considered a privacy issue and many public DNS services now support DoH and DoT enabling an individual who is concerned about this to switch DNS provider and protect their last mile. The trade-off is that they are now routing their DNS traffic through a third party. Each individual needs to determine if they think that is safer or riskier.
What’s the difference between the two different protocols?
Both protocols are live – Firefox now ships with DoH enabled in North America, and both Firefox and Chrome allow users to configure DoH. Plenty of public DNS providers and ISPs run DoT/DoH servers, and most DNS server software now supports DoT and DoH.
Although DoH and DoT achieve the same ‘last mile’ protection, they do it differently and this difference is important. DoT simply encrypts the DNS communication, whilst DoH tunnels DNS traffic in an HTTPS stream. This means that DoH could be used to hide malicious DNS traffic (e.g. malware and ransomware) from enterprise security controls. For example, recent versions of PsiXBot malware used DoH to encrypt malicious communications allowing it to hide in normal HTTPS traffic and install malware that can be used to compromise data or target victims through botnets.
Why are people confused about using DOH?
The use of DoH potentially introduces confusion in a DevOps world. If DNS traffic can be ‘silently’ redirected to a different server, this opens up the possibility that you’ll get a different answer in different cases, which could lead to some unexpected behavior from applications and would be a nightmare to debug.
What risks do companies have by not implementing it?
To my mind, the risks to the enterprise are clear. Companies should block DoH traffic between internal IP addresses and external DNS servers, resulting in employees being forced to use their company’s IT-managed DNS infrastructure and therefore making sure security policies are enforced. These should include blocking well known DoH servers
Does Infoblox offer any solutions to this?
BloxOne Threat Defense, a hybrid foundational security solution from Infoblox that uses DNS as the first line of defense, blocks resolution to DoH domains and facilitates a smooth fallback to existing internal DNS. This helps prevent DoH misuse and mitigates risk.
We are also adding support for DoT and DoH to an upcoming Network Identity Operating System (NIOS) release. This capability will allow customers to encrypt last-mile DNS communications between their endpoints and DNS servers regardless of which protocol the endpoint supports.
Do you have any further words to add about why DoH should be more implemented?
While solving the ‘last mile’ problem is crucial, we know it is important for IT managers to maintain visibility and control over their DNS traffic. The industry still has work to do to address these challenges and we will continue to develop new solutions to help IT managers and network administrators stay one step ahead of the latest security threats.”
