(8 votes, average: 4.38 out of 5)

December 27, 2018 10

What is the difference between DNS over TLS & DNS over HTTPS?

in Everything Encryption

While they sound like the same thing, there’s one major difference and it’s causing a heated debate.

DNS over TLS (DoT) and DNS over HTTPS (DoH) sound like they would be interchangeable terms for the same thing. And they do actually accomplish the same thing – encrypting DNS requests – but there’s one big difference: the port they use.

And while it may seem silly for something that sounds so simple to have created two totally divided camps with deeply entrenched beliefs about which is better–the stakes are high. One side is more socially conscious, more user-oriented, their primary interest is privacy and human rights. On the other side is a more pragmatic group that even includes one of the architects of DNS, who make the case that network admins need to be able to see and analyze DNS activity.

There’s a lot to unpack here, but it’s worth delving into the details to give you a better idea about the difference between DNS over TLS & DNS over HTTPS—and why this is an important discussion.

So without first ado, let’s hash it out…

What is DNS? Why does it need TLS or HTTPS?

DNS stands for Domain Name System. The best comparison, and also the most cliché, is that of a phone book. When most people surf the web, they don’t type in the actual IP address—they input the Uniform Resource Locator (URL). The DNS server takes that URL and finds the IP address it resolves to.

For instance, when you want to visit The SSL Store, you type in thesslstore.com, the DNS server will take that URL and find the IP address associated with it, in our case it’s 107.23.230.173. But asking people to remember that would be pointless, hence the ubiquity of the URL (which Google is trying to kill).

If you ever want to find the IP address of a website you’re visiting, it’s easy on both Windows and Mac. Windows users simply need to type “cmd” into the search bar and open the Command Prompt, then type:

tracert anydomain.com

It’s a little easier for Apple users, and a bit more elegant, too. In your Mac’s search bar, type “Network Utility” and click to open it. Then navigate to the Traceroute tab and enter the domain name in the trace field. Easy.

Historically, DNS requests have been made using the UDP or TCP protocols—meaning that they’re sent in plaintext.

And as we’ll discuss, that can be a problem.

Why do we need to encrypt DNS requests?

If you’re living in the US, the UK or Australia, as the majority of our readers are, it’s easy to take for granted the rights and freedoms that we enjoy. In the greater scheme of things, our privacy concerns are pretty trivial. I found out last week that I was one of the lucky 50-million or so people that had their Facebook data compromised.

And while that’s supremely annoying, it’s what we would mockingly refer to as a first-world problem. Though there are a few terrifying outliers, the worst that’s going to happen to most of us is identity theft. And that’s no laughing matter, but it’s also not a threat to your life or liberty. Outside of kiddie porn and snuff, there’s nothing you can’t access in the US, the UK and much of the western world.

That couldn’t be less true for other parts of the world. China has a notoriously restricted internet (one that Google is currently developing a clandestine censored search engine for).

Russia, North Korea, Iran, Saudi Arabia – just to name a few of the larger countries – are among dozens of nations that restrict their citizens’ use of the internet.

According to Freedom House, less than one quarter of the world’s internet users live in a country where the internet is designated as Free. That’s free in terms of rights and liberties–not price. 36% percent of internet users live in a country where the internet is fully restricted and another 28% live in a country where the internet is partially restricted.

Heck, a couple weeks ago the entire country of Ethiopia had its internet access turned off to try to quell what looked like, at the time, a potential military coup.

And when your internet history can result in you being extra-judicially detained, or harmed or even killed—being able to obfuscate those DNS requests can be a matter of life or death. That may seem hyperbolic, but it doesn’t take a whole lot of research to turn up what can befall regular people who get labeled dissidents based on their internet usage.

That’s why, to some parties involved in this debate, this is a human rights issue—one that can stir up considerable emotion.

Nobody is arguing that DNS requests shouldn’t be encrypted, the argument is over how best to do it.

Ok, so what’s the difference between DNS over TLS & DNS over HTTPS?

While both of these standards encrypt DNS requests, there are some important differences between DNS over TLS vs DNS over HTTPS. The IETF has defined DNS over HTTPS as RFC 8484 and it’s defined DNS over TLS as RFC 7858 and RFC 8310.

DNS over TLS uses TCP as the basic connection protocol and layers over TLS encryption and authentication. DNS over HTTPS uses HTTPS and HTTP/2 to make the connection.

This is an important distinction because it affects what port is used. DNS over TLS has its own port, Port 853. DNS over HTTPS uses Port 443, which is the standard port for HTTPS traffic.

While having a dedicated port sounds like it would be an advantage, in certain contexts it’s actually quite the opposite. While DNS over HTTPS requests can hide in the rest of the encrypted traffic, DNS over TLS requests all use a distinct port where anyone at the network level can easily see them and even block them.

Granted, the request itself – its content or response – is encrypted. So you wouldn’t know what was being requested, but they’d know you were using DNS over TLS. And at the very least that’s going to raise suspicions. It’s kind of like taking the fifth in the US. It just lends itself to the perception you have something to hide and in a lot of countries that’s not a good perception to have about you.

The case for DNS over TLS

Paul Vixie is one of the architects of DNS. And given the subject, his opinion bears considerable weight. Over the weekend he responded to Nick Sullivan, the head of crypto at Cloudflare’s Twitter announcement about RFC 8484 (DNS over HTTPS) by voicing his opposition:

RFC 8484 is a cluster duck for internet security. Sorry to rain on your parade. The inmates have taken over the asylum.

Personally, in the duck department I’m partial toward the Mallard, but, at any rate, Vixie’s opposition is made less from the perspective of a conscientious human rights activist and more from the standpoint of a seasoned security veteran. Those same human rights drawbacks, the ability to identify DoT requests – are also a boon to security.

It’s not unlike HTTPS inspection. On its face, the idea of interrupting an HTTPS connection sounds like a bad idea, and there’s certainly a segment of the infosec community that has a singular focus on security and argues that the practice weakens encryption. But there are also enterprise network admins and security officers that would be loathe to give up the ability to inspect their traffic. Losing that visibility is part of what led to the Equifax breach. Attackers love to hide in encrypted traffic, a point reiterated by the recent Magecart attacks.

DNS over TLS has more nuance, which is useful from a network health standpoint. DNS over HTTPS on the other hand…

DoH is an over the top bypass of enterprise and other private networks. But DNS is part of the control plane, and network operators must be able to monitor and filter it. Use DoT, never DoH,” tweeted Vixie.

Vixie argues that DNS over HTTPS removes a key distinguisher that assists in traffic inspection. It also makes blocking other websites more difficult because instead of just shutting off the DNS requests coming through a specific port you have to block all of the HTTPS traffic which can lead to all kinds of headaches.

That’s a good thing from a human right’s standpoint and bad thing from a network security one.

What’s the better standard, DNS over HTTPS or DNS over TLS?

That’s what all of this debate is trying to decide! There are legitimately valid arguments on both sides. What’s not helpful are ad-hominem attacks that distract from an otherwise worthy conversation.

Given the fact this is a human rights issue emotions are bound to flare, but it’s important to remember the side advocating for DNS over TLS, which favors a network security approach but potentially opens up some privacy concerns don’t hold that position because they’re cold or lack empathy, they’re just viewing this from a different perspective.

Sometimes what’s best from a qualitative standpoint, and what’s best from a human rights or even a morality standpoint don’t align. To many in the DNS over TLS camp, this has nothing to do with real-world privacy issues and everything to do with the fact they see DNS over HTTPS as an inferior standard to DNS over TLS.

This isn’t about working in deference to a social conscience to them, it’s about designing a standard that is the most efficient.

Nobody is fighting against privacy, even if not everyone is fighting for the same thing.

We’ll keep updating you on this as more develops.

As always, leave any comments or questions below…

Phil says:

October 29, 2018 at 10:24 am

Just heard Paul Vixie give a talk at the Wild West Hackin Fest in Deadwood, SD last Friday, he elaborated on some of these comments. Videos of the talk should be out soon.

Riyan says:

January 11, 2019 at 9:31 am

The IETF has defined DNS over HTTPS as RFC 8484 and it’s defined HTTPS over TLS as RFC 7858 and RFC 8310.

Seems there’s a typo. Did you mean DNS over TLS?

- Patrick Nohe says:
  
  January 11, 2019 at 10:42 am
  
  Thanks for catching that, it’s been corrected.
  
- matthieu_rx says:
  
  February 4, 2019 at 12:45 pm
  
  HTTPS over TLS makes no sense. In fact HTTPS is an applicative layer protocol that uses HTTP and add an encryption though the TLS (Transport Layer Seucrity) protocol. I might say something wrong but i’m pretty sure that the current HTTP/2 uses TLS 1.2 (most of the time) even though TLS 1.3 was released few months ago. So as you said it’s DNS over TLS or DNS over HTTPS.
  
Robert Reid says:

January 25, 2019 at 3:42 pm

The IETF has defined DNS over HTTPS as RFC 8484 and it’s defined HTTPS over TLS as RFC 7858 and RFC 8310. Seems there’s a typo. Did you mean DNS over TLS?

Seems like a typo? WE ALL KNOW IT WAS. Annoying jackass.

Craig says:

February 19, 2019 at 5:33 pm

VPNs are already here operating over 443, so it seems the cat is already out of the bag as far blocking DNS traffic or just monitoring DNS traffic on a statistical level. DoH is also already here – it seems customers and DNS providers want it, it is a de-facto standard.
If a network manager wants to constrain untrusted users, they’ll have to work out something permitting a “trusted” man-in-the-middle to examine/record all 443 traffic.

badbanana says:

May 29, 2019 at 7:19 am

we need to retain monitoring and control.

DoT all the way!

John L. Galt says:

July 8, 2019 at 10:06 am

Hi, Patrick, and thanks for the article. I especially appreciate the statement “What’s not helpful are ad-hominem attacks that distract from an otherwise worthy conversation.”

If only people would actually learn this. Like Robert above attacking Riyan, who was very politely pointing out a typographical error. Kudos to Riyan, and the antithesis of kudos to Robert – I suppose some people never actually read the articles, only post in the comments.

Going back to the article – I never once would have considered a human rights aspect to the argument at all, thanks for enlightening me to the fact that there actually does seem to be a legitimate reason for supporting DoH over DoT (one that I am having trouble getting behind as DoT just makes more sense, not to mention seems almost crucial from a network security perspective). Definitely some food for thought.

- Wynona says:
  
  July 8, 2019 at 10:56 am
  
  Of course, I’m mostly an end user, but it seems to me that at the very least, both camps should cooperate on meeting in the middle with a secure version to satisfy my right to privacy while giving me the freedom to legitimately surf wherever I wish, barring illegal activities.
  
Max says:

July 11, 2019 at 3:34 am

I assume that when monitoring network traffic is concerned network administrators want to primarily see which destinations outside their domain of control are visited.
As I understand from this article proponents of DoT argue that when somebody uses DoT this would raise suspicion which is a good indicator for further investigation. When that same person uses DoH this suspicion will not be raised (because it’s the same sort of traffic of visiting regular websites). So from a security (monitoring ‘healthy’ network traffic) standpoint it seems logical that DoT is preferred by people who want to be able to monitor network traffic. However when everybode uses DoT (because it has become a standard that every operating system implements) than it seems that the raising of suspicion argument in favour of DoT becomes moot and that it effectively no longer makes a difference if a user uses DoT or DOH. I want to stress out that I’m not a network (security) expert so please correct me if my analysis is incorrect

5 Ways to Determine if a Website is Fake, Fraudulent, or a Scam – 2018

How to Fix ‘ERR_SSL_PROTOCOL_ERROR’ on Google Chrome

Re-Hashed: How to Fix SSL Connection Errors on Android Phones

Re-Hashed: How to clear HSTS settings in Chrome and Firefox

Re-Hashed: Troubleshoot Firefox’s “Performing TLS Handshake” Message

Re-Hashed: The Difference Between SHA-1, SHA-2 and SHA-256 Hash Algorithms

Browser Watch: SSL/Security Changes in Chrome 58

Re-Hashed: How to Trust Manually Installed Root Certificates in iOS 10.3

How to View SSL Certificate Details in Chrome 56

Re-Hashed: How To Disable Firefox Insecure Password Warnings

Re-Hashed: 2018 Cybercrime Statistics: A closer look at the “Web of Profit”

How to Remove a Root Certificate

The Difference Between Root Certificates and Intermediate Certificates

The difference between Encryption, Hashing and Salting

What is the difference between DNS over TLS & DNS over HTTPS?

How strong is 256-bit Encryption?

How to fix the SSL_ERROR_RX_RECORD_TOO_LONG Firefox Error

How to fix the SSL/TLS Handshake Failed error

80 Eye-Opening Cyber Security Statistics for 2019

Why Your SSL Certificate Still Has A SHA-1 Thumbprint

Fire Up Your Cyber Security Career with These 9 Job-Related Tips

Phishing-as-a-Service: Turn-key Phishing Kits

10 Types of Phishing Attacks and Phishing Scams

Encryption helped win America’s Revolutionary War

10 Data Privacy and Encryption Laws Every Business Needs to Know

The Difference Between Root Certificates and Intermediate Certificates

HTTPS Phishing: The rise of URL-based attacks

15 Small Business Cyber Security Statistics That You Need to Know

How to set up a DNS Server

What is Homomorphic Encryption?

AMCA files for bankruptcy just months after Data Breach

Are Free VPNs Safe?

FBI issues warning about HTTPS Phishing

Phishing Email Examples: The best & worst

The Dirty Dozen: The 12 Most Costly Phishing Attack Examples

A broken SSL certificate will hurt your SEO

Report it Right: AMCA got hacked – Not Quest and LabCorp

This is what happens when your SSL certificate expires

How to Send Encrypted Email on 3 Major Email Platforms

ACME Protocol: What it is and how it works

5 Ways to Determine if a Website is Fake, Fraudulent, or a Scam – 2018

Re-Hashed: How to Fix SSL Connection Errors on Android Phones

Re-Hashed: Troubleshoot Firefox’s “Performing TLS Handshake” Message

How to Fix ‘ERR_SSL_PROTOCOL_ERROR’ on Google Chrome

Re-Hashed: The Difference Between SHA-1, SHA-2 and SHA-256 Hash Algorithms

Re-Hashed: How to clear HSTS settings in Chrome and Firefox

Re-Hashed: How To Disable Firefox Insecure Password Warnings

A Call To Let’s Encrypt: Stop Issuing “PayPal” Certificates

PayPal Phishing Certificates Far More Prevalent Than Previously Thought

How to View SSL Certificate Details in Chrome 56

Re-Hashed: How to Trust Manually Installed Root Certificates in iOS 10.3

What is Mining Cryptocurrency?

Anatomy of a Scam: Work from home for Amazon

What is DNS over TLS? Everything you need to know

Google will remove the “Secure” indicator in September

There Are No Winners in the Google/Symantec Feud

The difference between Encryption, Hashing and Salting

This is what happens when your SSL certificate expires

The Difference Between Root Certificates and Intermediate Certificates

Taking a Closer Look at the SSL/TLS Handshake

Subscribe

While they sound like the same thing, there’s one major difference and it’s causing a heated debate.

What is DNS? Why does it need TLS or HTTPS?

Why do we need to encrypt DNS requests?

Ok, so what’s the difference between DNS over TLS & DNS over HTTPS?

The case for DNS over TLS

What’s the better standard, DNS over HTTPS or DNS over TLS?

Leave a Reply Cancel reply

Author

Patrick Nohe

Recent Posts

Fire Up Your Cyber Security Career with These 9 Job-Related Tips

Phishing-as-a-Service: Turn-key Phishing Kits

10 Types of Phishing Attacks and Phishing Scams

Encryption helped win America’s Revolutionary War

10 Data Privacy and Encryption Laws Every Business Needs to Know

Follow Us

Free Ebooks

Email Security Best Practices – 2019 Edition