Cloud Insidr

Cybersecurity in the Age of the Machine

Join us on Twitter: @CloudInsidr

Home Archives for Cloud Insidr
Symantec Code Signing (728*90)

Leave a Comment

DoH (DNS-over-HTTPS): How to move up to the next level of cyber security

Many government agencies–and huge corporations as well–have been hacked in the US, UK and elsewhere, but little to nothing has been done to fix it once and for all. Unfortunately, there is no single silver bullet you could shoot at the cyber security problem; therein lies the problem. And even if you were to find a solution, beware; it’s only of a time-limited value. To stay in the picture: you have to keep shooting your silver bullets, if you happen to have them.

In a nutshell: whatever solution you might find, it will always be of only a temporary nature. Cyber security threats are always evolving and they never stand still. ‘DNS-over-HTTPS’ is such a cyber security solution, designed by Internet Engineering Task Force, Google, Mozilla and others, which is definitely worth being implemented.

DNS requests: Relying on a classic plaintext UDP request instead of HTTPs

Actually, DoH comes as a surprise. After all, HTTPs delivers encrypted HTTP connections, so why bother to implement DoH? Well, DoH–a shorthand for DNS-over-HTTPS protocol (IETF RFC8484)–works by sending DNS requests via an encrypted HTTPS connection, instead of using a classic plaintext UDP request, as classic DNS implementations suggest.

However, there is more to it. DoH is not just encrypted, it works on the app level instead of the OS level. The idea behind DoH is to use DNS-over-HTTPS connections between an app (e.g. a browser or a mobile app and an encrypted  DoH-compatible DNS server–also called ‘resolver’).

The complete DoH-traffic is exclusively HTTPS, without any exceptions and that’s the beauty of the DoH concept.

All DoH domain name queries are encrypted and then camouflaged in regular web traffic, which is in turn sent to the DoH-DNS-resolver. The latter one then replies with a domain name’s IP address and this also implemented with HTTPS.

Don’t trust the Operating System

While open source operating systems like Linux, BSD, Solaris, etc. are designed to be highly secure, commercial off-the-shelf operating systems like Windows and macOS usually aren’t secure at all or are only partially secure. As a house owner you wouldn’t secure just the front and the garage door while keeping the side door insecure.

However, that’s how commercial operating systems nowadays work. Cyber security in commercial operating systems is only skin deep. Where no one is looking, it’s usually non-existent. As a result of the DoH-design, apps can re-gain privacy controls of DNS queries back from intentionally half-baked operating systems and are thus capable of hardwiring a list of trusted DNS-over-HTTPS servers (resolvers). While you might want to trust Google, Mozilla, and other cloud providers, you don’t have to. You can setup a list of your own trusted IPs with trustworthy resolvers.

DNS-over-HTTPS is gaining steam

The list of cyber security hacks sounds like the ‘who is who’ of IT companies and government agencies. Nobody can be sure to excluded from hacks, just because an government agency is too important or because a company is too big. Unfortunately it doesn’t work this way.

Comodo Elite SSL (OV) (728*90)