
DoT Vs DoH: What's the difference and where are we now?

15/12/2020
Author Avatar
Maxime Lamarche
Technical Engineer, EASI

The DNS (Domain Name System) protocol was developed a long time ago and security was not part of the process. Nowadays, security is a major concern and developers are redesigning old protocols to add more security. For DNS, two different approaches are proposed, DNS over TLS (DoT) and DNS over HTTPS (DoH). Let's dig deeper into these two proposals...

The DNS protocol was designed in 1983, when security was not a consideration. As a result, it sends plaintext requests over TCP or UDP. In today's reality, however, security has to be taken into account and implemented wherever feasible. DNS requests, which everyone surfing the Internet relies on, can be altered by malicious users through DNS hijacking or Man-in-the-Middle attacks, leading to sensitive data collection, website redirection and more.

In response to the issues mentioned above, researchers came up with DNSSEC. DNSSEC is a security extension that protects against tampering by digitally signing DNS data so that its validity can be verified; it does not, however, encrypt the requests themselves. Because this solution was not fully satisfying, two further solutions have been developed: DNS over TLS and DNS over HTTPS.

With what differences?

Both standards mentioned above encrypt DNS requests, but:

  • DNS over TLS uses the TCP protocol to make the connection, on a dedicated port: TCP port 853. The DNS packets themselves are not modified; they are encrypted with the TLS protocol before being transmitted.
  • DNS over HTTPS uses the HTTPS protocol to make the connection, on the default TCP port 443. The DNS data is encapsulated inside HTTP messages, which are in turn encrypted with the TLS protocol before being transmitted.
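To make the difference concrete, here is an added example (not from the original article) that builds one RFC 1035 wire-format DNS query and shows how the very same bytes are framed for DoT (a two-byte length prefix, as DNS already uses over TCP) and for DoH (an HTTP POST body with `application/dns-message`, or base64url in the `dns` GET parameter). The resolver name `resolver.example` is a placeholder; the TLS layer that would wrap either framing is not shown.

```python
import base64
import struct


def build_dns_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a standard recursive query for `name` (QTYPE 1 = A, QCLASS 1 = IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_qname(msg: bytes) -> str:
    """Read the QNAME back out of a query; used to show the payload is unchanged."""
    labels, i = [], 12  # question section starts right after the 12-byte header
    while msg[i]:
        n = msg[i]
        labels.append(msg[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels)


def frame_for_dot(msg: bytes) -> bytes:
    """DoT (TCP/853): unmodified DNS message behind a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def unframe_dot(stream: bytes) -> bytes:
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length]


def frame_for_doh_post(msg: bytes) -> bytes:
    """DoH (TCP/443): the same message carried as the body of an HTTP request."""
    head = (b"POST /dns-query HTTP/1.1\r\n"
            b"Host: resolver.example\r\n"  # placeholder resolver name
            b"Content-Type: application/dns-message\r\n"
            b"Accept: application/dns-message\r\n"
            b"Content-Length: %d\r\n\r\n" % len(msg))
    return head + msg


def unframe_doh_post(request: bytes) -> bytes:
    head, _, body = request.partition(b"\r\n\r\n")
    length = int(head.split(b"Content-Length: ")[1].split(b"\r\n")[0])
    return body[:length]


def doh_get_path(msg: bytes) -> str:
    """DoH GET form: base64url without '=' padding in the `dns` query parameter."""
    return "/dns-query?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def decode_doh_get(path: str) -> bytes:
    enc = path.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4))
```

Both framings round-trip to the identical 29-byte query for `example.com`; on the wire, the only visible difference before TLS is the destination port and, for DoH, the HTTP envelope.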

Which one to implement?

It is currently difficult to give a definitive answer to this question, as each company, and even each IT security professional, will have their own opinion. Furthermore, these two protocols are still in a test phase. However, some facts can already be pinpointed:

  • DoT uses a dedicated port, which can be blocked on some networks. On the one hand, this is good, because secure DNS can be controlled in enterprise networks in the same way unsecured DNS traffic is controlled today. On the other hand, secure DNS traffic could be blocked on some networks, preventing users from accessing web resources.
  • DoH uses HTTPS for both DNS and web traffic. In that case, blocking DNS traffic without impacting users' web experience would be far more challenging.

Currently, we don't know which one will be implemented all over the world but keep in mind that changes will happen on DNS level in the next months.
