Should you trust DoH to replace a VPN for secure and private browsing?

ChatMail   |   February 1, 2022

Hypertext Transfer Protocol Secure (HTTPS) is the protocol for moving data across an encrypted internet connection. The "secure" in HTTPS means the site presents a certificate, originally a Secure Sockets Layer (SSL) certificate; Transport Layer Security (TLS) evolved from SSL and is its widely adopted successor. An SSL/TLS certificate and an https:// address in the Uniform Resource Locator (URL), signalled by the small padlock icon beside the address, used to be touted as proof that your data would travel in encrypted packets between your browser and the website's server.

Unfortunately, the padlock alone does not mean a domain can be trusted. SSL/TLS certificates can be obtained in many ways, including self-signing one with OpenSSL, where the creator acts as its own certificate authority. Fake certificates have been used for years, and government cybercrime agencies warn not to rely on the lock icon or the https:// at the front of the domain name as any assurance. Due diligence, they say, is required, though little guidance is provided: check whether a site that is supposed to be .gov is .com instead, and watch for misspellings or extra words in the domain name. Essentially, they are saying browse at your own risk.

The Domain Name System (DNS) is a key mechanism for accessing sites and services on the internet. All devices online, from smartphones to servers, have an Internet Protocol (IP) address, the number that lets them make internet connections. The hostname in every URL resolves to an IP address. Think of DNS as a phonebook for the internet. Many people prefer an unlisted phone number to avoid unsolicited calls; similarly, your IP address should be private online.

Browsing Privacy Issues

A DNS query is a request sent to a DNS resolver, which handles name lookups. DNS servers (or name servers) resolve Fully Qualified Domain Names (FQDNs). Computers and mobile devices have a DNS client built in so that web browsers can communicate with DNS servers.

Web pages are accessed using FQDNs in the URL, the addresses you type into a browser. When a DNS client needs the IP address of a computer it knows only by its FQDN, it sends a request to a DNS server, which answers with the address and thereby resolves the query.

The problem with regular DNS is that it is unencrypted: even when the sites you visit use connection security, your lookups are exposed to DNS hijacking. This leaves your online activity visible, putting your privacy and security at risk.

With unencrypted DNS it is easy for anyone on the path to eavesdrop on, or manipulate, the queries and responses between your device and the resolver. Manipulation can route you to phishing, malware or surveillance sites, through cache poisoning or DNS spoofing carried out in man-in-the-middle or Distributed Denial of Service attacks.
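To make the plaintext risk concrete, here is an added example, written for this page in Python and not ChatMail's code. It builds a DNS query in wire format, constructs a resolver reply, and applies the only checks a stub resolver can make on plain UDP: that the reply is flagged as a response and echoes the query's transaction ID and question. The names and addresses (example.com, the TEST-NET ranges) are constructed and nothing is sent on the network.

```python
"""Minimal DNS wire format (RFC 1035) and the reply-matching checks of
RFC 5452 that a stub resolver applies before trusting a plain-UDP answer.

Added example for this article; it is not ChatMail's code.  Every message
here is constructed in the file and nothing touches the network, which also
makes the point of the section: these bytes cross the wire unencrypted."""
import struct

RD_FLAGS = 0x0100        # query: recursion desired
QR_RD_RA_FLAGS = 0x8180  # response: QR set, recursion desired + available

def encode_name(name: str) -> bytes:
    """'example.com' -> b'\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg: bytes, off: int):
    """Read a name at `off`, following 0xC0 compression pointers.
    Returns (name, offset just after the name as it appeared at `off`)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # pointer to an earlier name
            target = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = target, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Header (id, flags, qd=1, an=ns=ar=0) + one question of class IN."""
    header = struct.pack("!HHHHHH", txid, RD_FLAGS, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_a_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed resolver reply: echoes the query's id and question, then
    appends one A record whose name is a pointer (0xC00C) to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, QR_RD_RA_FLAGS, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in ip.split("."))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + rr

def parse_message(msg: bytes) -> dict:
    """Parse the header, the single question, and any A records in the answer
    section.  Works for queries too (their answer count is simply 0)."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0x0F,
            "question": (qname, qtype, qclass), "answers": answers}

def response_matches_query(query: bytes, response: bytes) -> bool:
    """RFC 5452 sanity checks: accept a reply only if it is flagged as a
    response and echoes our transaction id and question.  A real stub also
    checks that it arrived on the socket and source port the query left from.
    Nothing here can verify the answer itself; plain DNS offers no way to."""
    q, r = parse_message(query), parse_message(response)
    return r["qr"] and q["id"] == r["id"] and q["question"] == r["question"]

if __name__ == "__main__":
    query = build_query(0x1234, "example.com")
    print("query bytes:", query.hex())
    reply = build_a_response(query, "192.0.2.1")       # constructed, TEST-NET-1
    print("answers:", parse_message(reply)["answers"])
    stray = build_a_response(build_query(0xBEEF, "example.com"), "198.51.100.9")
    print("mismatched id accepted?", response_matches_query(query, stray))
```

The 16-bit transaction ID and the source port are all that these checks have to go on, and the answer bytes themselves are readable and rewritable by anyone on the path. That is the gap the encrypted transports discussed later are meant to close.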

How VPNs Work

Virtual Private Networks (VPNs) have long been the prevailing way to add a measure of security to online activity. VPNs are software tools that hide your IP address and browsing activity while encrypting internet data and removing restrictions on any Wi-Fi network. VPNs are illegal in some countries with strict laws banning encryption. Not all VPNs are created equal.

With more people working from home, performance issues are common and VPN connections slow down. As with most free apps, a free VPN can't be trusted for security. VPNs and DNS overlap somewhat, but you don't need a VPN to browse the web, whereas you cannot access the internet without DNS.

What is DoH?

DNS over HTTPS (DoH) is a relatively new solution. The protocol changes how DNS works by encrypting queries and sending them as ordinary HTTPS traffic. DoH's champions claim it averts eavesdropping and prevents man-in-the-middle attacks that manipulate DNS data. It has been getting mixed reviews over the last few years. Some see it as the next gold standard that will replace VPNs. Others say it causes more problems than it solves.

Proponents say DoH prevents Internet Service Providers (ISPs) from viewing a user's visits to secure sites. DoH assures privacy by making an encrypted connection to your DNS server and handling the request and response over that secure link. Anyone in between can't see which site you looked up or tamper with the response to your query, provided the ISP and DNS servers support DoH.

Critics note that it doesn't prevent traffic from being tracked by ISPs on regular HTTP sites. Experts say you can't hide IP addresses from ISPs: "Knowing the final IP destination reveals to what website a user is connecting, even if everything about his traffic is encrypted."

Champions of DoH

Android, Google, Cloudflare and Mozilla have been at the vanguard of implementing the technology, which provides private, encrypted paths for navigating the internet. Since the majority of public resolvers are run by American giants, the EU wants its own DNS infrastructure to support the General Data Protection Regulation.

Microsoft supports DoH on Windows Server 2022 and Windows 11. The Chromium-based Microsoft Edge had performance issues with DoH after launching in 2020, resulting in the feature being briefly disabled in early 2021.

Mozilla has rolled out DoH in Firefox in the US and Canada, although users can turn it off in their settings. Firefox users elsewhere in the world can enable DoH themselves.

Firefox lists the pros and cons on the Mozilla support page so users can choose whether to turn it on or off.

Benefits: “DoH improves privacy by hiding domain name lookups from someone lurking on public WiFi, your ISP, or anyone else on your local network. DoH, when enabled, ensures that your ISP cannot collect and sell personal information related to your browsing behavior.”

Risks: “Some individuals and organizations rely on DNS to block malware, enable parental controls, or filter your browser’s access to websites. When enabled, DoH bypasses your local DNS resolver and defeats these special policies. When enabling DoH by default for users, Firefox allows users (via settings) and organizations (via enterprise policies and a canary domain lookup) to disable DoH when it interferes with a preferred policy.”

The Changing Landscape

An alternative to DoH is the DNS over TLS (DoT) protocol. DoT is a similar standard for encrypting DNS queries, with the main difference being the transport used to carry and deliver the encrypted queries. While these protocols still experience growing pains, most enterprise organizations are adopting a wait-and-see approach; others are working out how to incorporate DoH into their DNS service, while also developing strategies to stop it in its tracks.
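The DoH description above, the "canary domain lookup" in the Risks quote, and the DoT comparison all come down to how the same DNS message is carried and how a network signals its policy. This added example, written in Python for this page and not ChatMail's, Mozilla's or any resolver's code, shows the same constructed query (example.com, type A) framed for DoT and for both DoH request forms, decodes the DoH GET parameter as a server would, and applies Firefox's canary-domain rule to two constructed resolver replies. The resolver hostname doh.example is a placeholder; nothing is sent on the network.

```python
"""The same DNS message carried three ways, plus Firefox's canary-domain rule.

Added example for this article; it is not ChatMail's, Mozilla's or any
resolver's code.  QUERY is a constructed wire-format lookup of example.com
(type A), the resolver hostname doh.example is a placeholder, and the
canary replies are constructed.  Nothing is sent on the network."""
import base64
import struct

# Constructed query: id 0x1234, RD flag, one question: example.com / A / IN.
QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
         b"\x07example\x03com\x00\x00\x01\x00\x01")

# Firefox resolves this name before enabling DoH by default; a network whose
# resolver answers NXDOMAIN (or NOERROR with no address records) is asking
# Firefox to leave DoH off so local filtering policies keep working.
CANARY_DOMAIN = "use-application-dns.net"

def dot_frame(msg: bytes) -> bytes:
    """DNS over TLS (RFC 7858): the message travels inside a TLS session on
    port 853 with the same 2-byte big-endian length prefix DNS uses over TCP.
    Observers see a TLS flow to a DNS-only port, so DoT is easy to identify."""
    return struct.pack("!H", len(msg)) + msg

def doh_get_url(msg: bytes, template: str = "https://doh.example/dns-query") -> str:
    """DNS over HTTPS (RFC 8484) GET form: base64url-encoded message, with '='
    padding removed, in the `dns` query parameter.  The ID is zeroed first so
    that identical lookups yield identical, cacheable URLs, as the RFC advises."""
    msg = b"\x00\x00" + msg[2:]
    token = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{template}?dns={token}"

def doh_get_decode(url: str) -> bytes:
    """What a DoH server does with the `dns` parameter: restore the padding,
    base64url-decode, and get the wire-format message back."""
    token = url.split("dns=", 1)[1].split("&", 1)[0]
    token += "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(token)

def doh_post_request(msg: bytes, host: str = "doh.example") -> bytes:
    """DoH POST form: the raw message is the HTTP body, typed
    application/dns-message.  Inside TLS on port 443 this is indistinguishable
    from any other HTTPS request to the same server, which is exactly the
    filtering problem the article's "Risks" quote describes."""
    head = (f"POST /dns-query HTTP/1.1\r\nHost: {host}\r\n"
            "Accept: application/dns-message\r\n"
            "Content-Type: application/dns-message\r\n"
            f"Content-Length: {len(msg)}\r\n\r\n")
    return head.encode("ascii") + msg

def canary_allows_doh(response: bytes) -> bool:
    """Firefox's rule applied to the resolver's reply for the canary domain:
    keep DoH on only when RCODE is NOERROR and the answer section is non-empty.
    The 12-byte header carries everything needed for that decision."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0x0F                   # 0 = NOERROR, 3 = NXDOMAIN
    return rcode == 0 and ancount > 0

# Constructed replies to "use-application-dns.net A?" (id 0x1234).
_CANARY_Q = b"\x13use-application-dns\x03net\x00\x00\x01\x00\x01"
CANARY_NXDOMAIN = b"\x12\x34\x81\x83\x00\x01\x00\x00\x00\x00\x00\x00" + _CANARY_Q
CANARY_OK = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + _CANARY_Q
             + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x35")

if __name__ == "__main__":
    print("DoT frame:", dot_frame(QUERY).hex())
    print("DoH GET :", doh_get_url(QUERY))
    print("DoH POST:", doh_post_request(QUERY)[:60])
    print("canary NXDOMAIN -> DoH enabled?", canary_allows_doh(CANARY_NXDOMAIN))
    print("canary answered -> DoH enabled?", canary_allows_doh(CANARY_OK))
```

The contrast between `dot_frame` and `doh_post_request` is the practical difference between the two protocols for an administrator: a DoT session is a TLS connection to port 853 that a firewall can see and block, while a DoH request is one more HTTPS exchange on port 443. The canary rule is the cooperative alternative for networks that rely on their own resolver for filtering: answer the canary name with NXDOMAIN from the local resolver and Firefox leaves DoH off by default rather than bypassing that resolver.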

While individuals don’t need VPNs today, they still have their place in many enterprise businesses and won’t be going anywhere anytime soon.

Using DoH you can improve privacy and security for your system, enhancing filtering by using your organization's existing infrastructure and reducing observability.