2025-01-17 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
In this issue the editor explains what DNS over HTTPS is. The article is rich in content and analyses the topic from a professional point of view; I hope you get something out of it.
DNS over HTTPS was mentioned in a recent news item. Before looking at it, we first need to understand some of the problems of traditional DNS.
Security flaws of DNS
DNS stands for Domain Name System. In today's Internet protocols it is the system that maps a domain name to an IP address. When we access an address by domain name, we must first query DNS to obtain the real IP address of that domain. For example, when you visit our website, the browser sends a request to the DNS server configured in the system and asks it to return the real IP address of the domain name.
Traditional DNS sends the request in plaintext to the DNS server on port 53. An ISP that wants to can easily hijack the request between the user and the DNS server. Because a traditional DNS request runs over the connectionless UDP protocol, the client accepts only the first query result that arrives, so the ISP can return a wrong IP to the user simply by replying before the real server does. This is called domain name hijacking, and it is a typical flaw of the DNS protocol.
Generally, after completing the ISP's PPPoE authentication and connecting to the Internet, the ISP provides the IPs of two DNS servers. These are typical DNS cache servers: they cache the domain-name-to-IP mappings that users have requested through them, and such a server is called a non-authoritative name server. It returns cached IP information to users, and among those entries there may be domain-name/IP pairs that have been maliciously tampered with. Every user of that cache server then gets the wrong result when querying the affected domain name; this is cache poisoning.
These are just two common design flaws of the DNS protocol, and both are security weaknesses. With them, an ISP can insert advertisements into web pages through domain name hijacking, and an attacker can use DNS spoofing to direct users' network requests to a fake server and obtain their data. A further drawback of the DNS protocol is that it is transmitted in clear text: anyone willing to listen to your port 53 traffic can easily learn which websites you have visited.
However, the DNS protocol, as one of the cornerstones of the Internet, cannot simply be replaced by a new protocol. It can only be protected from outside the DNS protocol, by other means, to improve its security and privacy. Starting from this idea, several schemes have been proposed; the first was DNSSEC, proposed in 1997.
From DNSSEC to DNS over HTTPS
DNSSEC: available for a long time, but still not fully adopted
DNSSEC adds a digital-signature verification mechanism to the original DNS protocol: a digital signature is attached to the header of the DNS request packet so that, through the modern digital-certificate verification system, the correctness of the DNS query result is guaranteed; in information-security terms, it ensures the integrity of the query result.
DNSSEC has matured considerably since it was proposed in 1997, and many public name servers support it. But DNSSEC only solves the security (integrity) problem of the DNS protocol; it does not encrypt the content of the DNS query, so it is still easy for others to see which websites you visit.
DNSCrypt, which was never standardized
So a new contestant stepped forward. This time it was DNSCrypt; with Crypt in its name, it must be encrypted. Indeed, it encrypts the whole DNS query process, so that the query results cannot be tampered with and others cannot see which domain names you have queried.
But the problem is that DNSCrypt never went through a standardization process, which has kept it from being widely used on the Internet.
DNS over TLS and DNS over HTTPS
Neither of the first two contestants won a complete victory, so a new contestant stepped into the ring, and this time it was two brothers who look very much alike. DNS over TLS (DoT) uses the TLS protocol to ensure the integrity and confidentiality of the DNS query process, while DNS over HTTPS (DoH) communicates over the HTTPS protocol, which has one more layer, HTTP, than its brother DoT.
The DoT standard was officially released in 2016, while the DoH standard was officially written in October 2018, yet the latter has been far more widely accepted than the former. Why? Once again, it comes down to compatibility.
DoH is based on HTTP and is much more convenient to use than DoT, which runs on raw TLS. Compared with DoT, all major systems and browsers can integrate DoH easily, and the public DNS services that support DoH are also very fast. Nearly every overseas public DNS service we can think of now supports DoH, and it is on its way to becoming the updated version of the old DNS protocol.
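To make the DoT/DoH comparison concrete, here is an added example (not code from the original article) that builds a DNS query in the usual wire format, shows how RFC 8484 wraps those same bytes into a DoH request URL for the 1.1.1.1 resolver named later on this page, and parses a reply. The reply and the name example.com are constructed for the example; nothing is sent over the network. The transaction-ID and QR-bit check in the parser is the only matching that plain UDP DNS has against the "fastest reply wins" race described above, which is why moving the same bytes inside an authenticated HTTPS session is the fix.

```python
import base64
import struct

def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a one-question DNS query (RD=1) in the usual wire format;
    DoH carries exactly these bytes, only the transport changes."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QCLASS IN

def doh_get_url(query: bytes, resolver: str = "1.1.1.1") -> str:
    """RFC 8484 GET form: base64url message, padding stripped, sent to
    /dns-query over HTTPS (POST sends the raw bytes as application/dns-message)."""
    dns = base64.urlsafe_b64encode(query).decode().rstrip("=")
    return f"https://{resolver}/dns-query?dns={dns}"

def _skip_name(buf: bytes, pos: int) -> int:
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:   # compression pointer ends the name
            return pos + 2
        pos += 1 + length

def parse_a_records(resp: bytes, expected_txid: int) -> list:
    """Return IPv4 answers; reject a reply whose ID or QR bit is wrong."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("reply does not belong to our query")
    pos = 12
    for _ in range(qd):
        pos = _skip_name(resp, pos) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return addrs

# Constructed sample reply (not from a real resolver): example.com A 192.0.2.1,
# TTL 300, answer name given as a compression pointer (0xC00C) to the question.
SAMPLE_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                + b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
                + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4)
                + bytes([192, 0, 2, 1]))
```

A real DoH client would send the URL (or the POST body) with an HTTPS library and hand the response body to parse_a_records; the UDP variant differs only in that the same 29 query bytes go to port 53 unprotected.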
Browsers and DNS servers that currently support DoH
Browsers
Firefox
Chrome
As the main promoters of the DoH standard, Mozilla and Google quickly added DoH support to their browsers. There are already many tutorials on enabling DoH in these two browsers, so I will not repeat them here.
Public DNS servers
To use DoH, the DNS server must support it. For commercial reasons, domestic ISP DNS servers will not support it in the short term, and it is also very unlikely that the several large domestic public DNS services will add DoH support soon, so we can only look abroad.
1.1.1.1
This is the public DNS provided by Cloudflare, the world's largest CDN provider, and its address is quite easy to remember.
8.8.8.8
Google Public DNS, which has long been subject to contamination, can finally be used under DoH.
Summary
DNS over HTTPS can be called the most promising successor to the DNS protocol, and it is already fully supported by several software giants and domain name providers. If you have long suffered from DNS contamination or spoofing, and switching to other public DNS servers has not helped noticeably, you can try DNS over HTTPS for a better browsing experience. For users who care a great deal about their privacy, DNS over HTTPS is an indispensable technology that helps keep your browsing private from others.
The above is what the editor has shared about what DNS over HTTPS is; if you happen to have similar doubts, you can refer to the analysis above. If you want to know more, you are welcome to follow the industry information channel.