By Manny Fernandez

November 19, 2019

DoH (DNS over HTTPS) vs DoT (DNS over TLS) in the Secure DNS Wars

It appears we are seeing a “Betamax vs VHS” battle in the aging DNS war.  Who will win? Will it be a “DVD” or “Blu-Ray” in which case we are wasting our times?  The reality is that SOMETHING has to be done.

Weather you advocate for encrypting traffic due to Human Rights issues such as searching for things that a tyrannical government deems offensive or detrimental to them or a Corporate Governance scenario, we all agree we need to secure DNS communications.  I make the analogy of Betamax vs VHS because it is two technologies that essentially offer similar results but do it a bit different.  As in the VHS and Beta war, eventually we saw Laser Disk, then DVD, then Blu-Ray and now streaming.  Although this is the beginning of the war, in the end we may see something completely different.

IMHO, I prefer the DNS over TLS since my business is to protect networks and applications.  Coming from a Blue Team side of the house as of late, I feel that the intelligence offered by collecting and analyzing DNS traffic is invaluable and indispensable to a good Security Program.  You will see in this article that  the difference and maybe it will guide you at a high level, which one is for you.

DNS over TLS

DNS over TLS is defined in RFC(s) 7858 and 8310

The user or device connects to the DNS Server (DNS Resolver) using a dedicated TCP port.  Yes, that is right.  In case the name did not give it away, DoT using TLS which is TCP.  DoT uses its own dedicated port of 853.  In a later article, I will show how to configure DNS over TLS on a Fortigate Firewall.

DoT has two modes; strict and opportunistic.  In strict mode, the ONLY use TCP 853 to query.  It will not fall back to UDP 53. The DoT client has a list of trusted DoT server certificates, and only communicates with trusted DNS servers.  In opportunistic, the queries will fallback to UDP 53 if the resolver is not offering DoT.   Obviously, as we stated, the DNS Resolver has to support DoT in order to be used in strict mode.

DNS over HTTPS

DoH is a bit different and way more controversial.  Many haver put all their eggs in the DoH basket.  Microsoft just announced that they would be including support for DoH.

DoH is defined in RFC 8484.  With DoH, the DNS queries are combined with other TCP 443 traffic.  As with DoT, the resolving server needs to be available for your to use it and you must have support on the OS.  As stated before, Microsoft has announced that it will include DoH in Windows 10.

The issue I personally see is the inability to collect DNS queries in a centralized way (e.g. SIEM).  Although this may evolve moving forward, at this time, it is not there.  Some say there is limitations  due to exposed SNI (Server Name Indication), IPs, etc.

Noteworthy, DNSSEC is the long lost cousin of both DoH and DoT.  DNNSEC did not encrypt the actual queries but used certificates to authenticate and validate the DNS server you were using and the record being returned.

I think this is a great step forward.  I truly believe that this is opening Domain Name to more robust security options which are not developed yet (e.g. Laserdisc, DVD, Blu-Ray).

Hope this helps

 

Recent posts