internet screen security protection
Photo by Pixabay on Pexels.com

There is a new buzz about DNS Over HTTPs. As you know with the multi-fold increase in threats on internet, there have been a continuous effort to secure DNS queries as well. Still most of the internet’s dns queries are sent in plain text and very less adoption of DNSSEC hence DNS over HTTPs was introduced in 2017. This new rfc will be based on the top of existing dns and https protocol.

Few of the providers have started to support this but this is still not in use by most of us. As it’s name implies all traffic will be sent with the https protocol basics.

Here is the rfc of dns over https to get into the detail of the protocol : https://tools.ietf.org/html/rfc8484

Here are some points to remember :

  • A server that supports this protocol is called “DoH server” to differentiate it from a “DNS server”.
  • The minimum version of HTTP used by DOH SHOULD be HTTP/2 [RFC7540].
  • Similarly, a client that supports this protocol is called a “DoH client”.
  • DoH proxy can be used on internal name servers if clients do not support DoH, Name server will receive regular dns queries but it will send them to internet using DoH proxy.
  • Such DNS Queries will have content-type of ‘application/dns-message’.
  • DNS API servers MUST implement both the POST and GET methods.
  • A DNS API client may utilize a hierarchy of caches that include both HTTP and DNS specific caches. HTTP cache entries may be bypassed with HTTP mechanisms such as the “Cache-Control no-cache” directive; however DNS caches do not have a similar mechanism.
  • DNS over HTTPs will use standard TCP 443 Port.

Windows 10 doesn’t support this as of now, but i hope this will be natively supported in future.

I will post more about dns over http as i read and test in LAB, I love to put screenshots of working scenarios for easy reference.

Thank you for reading !

Advertisements