From LinuxReviews

DNS over HTTPS (DoH) is a protocol for doing domain name (DNS) lookups via the HTTPS protocol. The supposed goal of doing DNS queries this way is to increase end-users' privacy and security by removing a man-in-the-middle's ability to eavesdrop on and manipulate DNS data. DoH shifts the point of attack from anyone between the clients and the DNS resolvers responsible for the domains being queried to the two large multinational corporations who run DoH servers: Cloudflare and Google. DoH creates central points of attack where large amounts of DNS data from a vast number of people can be stored and monitored.

Stated Purpose and the Actual Attack Vectors

The Internet uses IP addresses to identify computers. Domain names turn those IPs into names that are easier to remember. You can type linuxreviews.org into a web browser's address bar and magic behind the scenes turns that into an IP address. The web browser goes to that address and fetches the page. The DNS lookup will typically go to the Internet Service Provider, who hands connected clients a few DNS servers along with an IP address when the client connects and makes a DHCP request. Most people use these default ISP servers. The ISPs can, and many do, censor certain domain names. They do, in effect, have the power to say "linuxreviews.org? We don't like that one, you can't have that name resolved". They can also log all the DNS queries that are made.

Your ISP's domain servers are, of course, not responsible for linuxreviews.org. They will contact the .org nameservers and ask them when you make a query (unless they have it cached). They then contact one of our nameservers and ask that to turn the domain name into an IP. The ISP will then turn around and feed that information to the computer that asked - or not.

The ISP is, in effect, a man-in-the-middle who can do man-in-the-middle attacks. ISPs can also very quietly log all the DNS queries that are made. It is possible to bypass the ISP's nameserver by setting up your own caching nameserver on your local network using Unbound. Most of our readers will do something like that. The vast majority of people out there won't. And it's only a measure which makes it harder to log all your DNS queries. Your ISP is in a position where they see all your traffic anyway, which means that they could log all traffic to and from your assigned IP. It's just harder than collecting all the customers' DNS queries from a pair of central DNS servers, and it is also much less likely that they would target an individual customer's uplink.

DNS over HTTPS "fixes" the problem of ISPs being in the middle by... placing Google or Cloudflare in the middle. Those are, as of December 2019, the alternatives. Others could set up DoH servers, but it wouldn't make much of a difference in the grand scheme of things. Mozilla Firefox uses Cloudflare's servers by default. Google Chrome will most likely use Google's DoH servers as its default when Google adds DoH to their browser. That's a lot of user data given to two companies who already have a whole lot of user data.
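To make concrete what "DNS lookups via HTTPS" means on the wire, here is an added Python example that is not part of the article: it builds a wire-format DNS query for linuxreviews.org, encodes it in the RFC 8484 GET form against the Cloudflare endpoint Firefox uses by default, and parses a constructed sample response. Nothing is sent over the network; the response bytes and the 192.0.2.10 address are constructed here.

```python
import base64
import struct

# Firefox's default DoH endpoint as stated in the article (network.trr.uri)
DOH_ENDPOINT = "https://mozilla.cloudflare-dns.com/dns-query"

def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal RFC 1035 wire-format query; RFC 8484 suggests ID 0 so HTTP caches can reuse answers."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE (1 = A), QCLASS = IN

def doh_get_url(endpoint: str, wire: bytes) -> str:
    """RFC 8484 GET form: the DNS message goes base64url-encoded, without '=' padding, in ?dns=.
    (The POST form instead sends the raw message as a body of type application/dns-message.)"""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(wire).decode("ascii").rstrip("=")

def parse_a_records(response: bytes) -> list:
    """Return the IPv4 addresses in the answer section of a DNS response (handles name compression)."""
    qdcount, ancount = struct.unpack("!HH", response[4:8])
    def skip_name(p: int) -> int:           # advance past a possibly compressed domain name
        while True:
            length = response[p]
            if length == 0:
                return p + 1
            if length >= 0xC0:              # two-byte compression pointer ends the name
                return p + 2
            p += 1 + length
    pos = 12                                # questions start after the 12-byte header
    for _ in range(qdcount):
        pos = skip_name(pos) + 4            # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        pos = skip_name(pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in response[pos:pos + 4]))
        pos += rdlen
    return addrs

# Constructed sample response (not captured from a real resolver): linuxreviews.org A 192.0.2.10, TTL 300
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + b"\x0clinuxreviews\x03org\x00" + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))

print(doh_get_url(DOH_ENDPOINT, build_dns_query("linuxreviews.org")))  # the HTTPS request a DoH client makes
print(parse_a_records(SAMPLE_RESPONSE))                                # ['192.0.2.10']
```

The printed URL is the entire request the DoH server sees, which is exactly why the operator of that server can log every name a client resolves.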


Several web browser vendors are pushing DNS over HTTPS as a default.

Mozilla Firefox

Mozilla Firefox has made DNS over HTTPS the default for all users. This change was silently made around September 2019. It is possible to check what it's doing by going to Preferences, where Network Settings is at the very bottom of the General section. Clicking Settings below the Network Settings headline opens a Connection Settings dialog box which was historically used to configure proxy settings. The very bottom of that dialog has a checkbox "[ ] Enable DNS over HTTPS". Enabling it allows you to choose either Cloudflare, which is the default, or "Custom". Un-checking the box disables DNS over HTTPS.

It is also possible to change Firefox's DoH settings in its about:config settings editor (type about:config into the URL bar). The setting to look for is network.trr.mode, which can have the values 5 = disabled, 3 = DoH only (regular DNS is disabled), 2 = use DoH with regular DNS as fallback, and 1 = DoH can be used and Firefox decides whether it will be used on a per-site basis. That's quite a few more options than the Connection Settings offer. The service used for DoH is stored in network.trr.uri, which defaults to https://mozilla.cloudflare-dns.com/dns-query.

OpenBSD and most GNU/Linux distributions like Fedora ship their own default Firefox configuration. In Fedora's case it's defined in


and that file contains

/* Disable DoH by default */
pref("network.trr.mode",                    5);

Users of Windows will have DoH enabled by default, and so will users of some other GNU/Linux distributions. OpenBSD's default is to disable DoH.
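An added Python example, not from the article or from Mozilla, that audits pref lines of the kind shown above: it parses pref()/user_pref()/lockPref()/defaultPref() assignments (a later line overrides an earlier one, as user.js overrides distribution defaults) and reports the effective network.trr.mode and network.trr.uri. The sample pref text and the doh.example.net resolver are constructed; the meaning of mode 0 (Firefox's built-in "off") is added here rather than taken from the article.

```python
import re

# Meanings of network.trr.mode as the article lists them; 0 ("off", Firefox's built-in default) is added here.
TRR_MODES = {0: "off (Firefox built-in default)", 1: "DoH may be used; Firefox decides per site",
             2: "DoH first, regular DNS as fallback", 3: "DoH only, regular DNS disabled",
             5: "disabled by the user or distribution"}
DEFAULT_TRR_URI = "https://mozilla.cloudflare-dns.com/dns-query"   # Firefox default per the article

# One pref assignment per line: pref()/user_pref()/lockPref()/defaultPref() with an int, bool or "string".
PREF_LINE = re.compile(
    r'^\s*(?:user_pref|lockPref|defaultPref|pref)\(\s*"([^"]+)"\s*,\s*'
    r'("(?:[^"\\]|\\.)*"|-?\d+|true|false)\s*\)\s*;', re.M)

def parse_prefs(text: str) -> dict:
    """Parse pref lines into a dict; a later assignment to the same name overrides an earlier one."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # drop block comments like Fedora's
    prefs = {}
    for name, raw in PREF_LINE.findall(text):
        if raw.startswith('"'):
            prefs[name] = raw[1:-1].replace('\\"', '"')
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw)
    return prefs

def audit_doh(text: str) -> dict:
    """Report the effective DoH state implied by the given pref lines."""
    prefs = parse_prefs(text)
    mode = prefs.get("network.trr.mode", 0)
    uri = prefs.get("network.trr.uri", DEFAULT_TRR_URI)
    return {"mode": mode, "meaning": TRR_MODES.get(mode, "unknown value"), "uri": uri,
            "doh_active": mode in (1, 2, 3),          # modes that send queries to the DoH resolver
            "custom_resolver": uri != DEFAULT_TRR_URI}

# Constructed sample, in the order Firefox applies them: the distribution default from the article,
# then user.js lines (hypothetical) that re-enable DoH against a self-hosted resolver.
SAMPLE_PREFS = '''\
/* Disable DoH by default */
pref("network.trr.mode",                    5);
// user.js overrides
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://doh.example.net/dns-query");
'''

print(audit_doh(SAMPLE_PREFS))
```

Feed it the concatenation of the distribution pref file, prefs.js and user.js from a profile to see which resolver, if any, that Firefox actually hands its queries to.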

Google Chrome / Chromium

Google started enabling DNS over HTTPS for "a small percentage of users" in Chrome 79. It is unclear what that really means. It does indicate that Google will enable it for everyone at a later date. It makes total sense from a business perspective; that's quite a lot of very lucrative user data.

Final Thoughts

The promise of end-user privacy by enabling DNS over HTTPS for everyone in major web browsers seems dubious. It simply shifts the position an eavesdropper needs to be in from many small and large ISPs around the globe to just two multinational corporations well known for their cooperation with state actors, and not necessarily benign ones.
