The Domain Name System (DNS) is what lets us surf the net without a second thought. Without it, we would have to type a full IP address into the browser every time we wanted to open a website. Thanks to DNS, familiar, memorable URLs are enough. Until now, however, this convenience came at the cost of security. With DNS over TLS (DoT), the risks of name resolution can be significantly reduced. How does the technology work?

Why do we need DNS over TLS?

The Domain Name System is a practical concept, yet it was invented at a time when the Internet was still a lot smaller and there were fewer security concerns than there are today. The way DNS works is simple. A client (a home computer, for example) asks a name server for the IP address that belongs to a domain name. If the site has not been visited before, or the user has recently cleared the cache, the request goes out over the Internet. Although practical, this lets attackers intercept the communication between client and DNS server, because it usually takes place without any encryption.

Hence, Internet criminals can easily read or manipulate communications between the participants involved: requests are intercepted and forged responses are sent back. These attacks are known as DNS hijacking. During a DNS hijacking attack, users end up being redirected to websites they did not open. In the best-case scenario, they are flooded with adverts. In the worst-case scenario, the attack infects a device with malware, or users fall victim to a phishing attack that lets the attackers collect sensitive user data.

But hackers aren’t alone in making use of DNS weak spots. Governments and Internet providers sometimes abuse DNS flaws to censor the Internet or specific web pages, or to redirect users to product pages. By using an encrypted connection via DoT, users can protect themselves against both criminal interference and censorship.

Note

DNS over TLS is supported by the Internet Engineering Task Force (IETF), which described the technology in RFC 7858.

How does DNS over TLS work?

The Transport Layer Security protocol (TLS) operates at the highest level of the TCP/IP protocol stack, and is thus a fixed component of the Internet and many other networks. The protocol is best known from HTTPS, where it secures transfers between the client and the web server; it is expected to make DNS communication more secure in the same way.

With DNS over TLS, the data exchange occurs via an encrypted channel using a simple TCP connection and a separate port, 853, which is specifically reserved for the exchange of domain information. Only the two participants in this communication can decrypt and process the data. An attacker sitting in the middle therefore cannot read or manipulate the queries and responses.

The technology must, however, be supported on both the server and the client side. Several providers on the Internet offer suitable DNS servers. Where older laptops or desktop PCs are in use, the software may need to be upgraded before DNS over TLS can be used. For Windows and Linux, relevant solutions exist. Smartphones running the latest Android version can already use DNS over TLS.
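As an added example (not part of the original article), this Python client performs a strict DNS over TLS lookup as described above: it builds a DNS query, frames it with the 2-byte length prefix that DNS over TCP requires, sends it through a verified TLS session on port 853 and parses the A records out of the reply. The resolver's IP address and certificate name are parameters you supply; `resolve_over_dot` is a hypothetical helper name, and the parser covers only the common name-compression case.

```python
import socket
import ssl
import struct

def build_query(name: str, txid: int) -> bytes:
    """Build a minimal DNS A query in wire format (RFC 1035) with RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP, and therefore DoT, prefixes every message with its 2-byte length."""
    return struct.pack("!H", len(msg)) + msg

def parse_a_records(resp: bytes, query: bytes) -> list:
    """Return the IPv4 addresses in the answer section of a reply to `query`."""
    # The ID and the echoed question must match what we sent, and QR must be set.
    if resp[:2] != query[:2] or resp[12:len(query)] != query[12:] or not (resp[2] & 0x80):
        raise ValueError("response does not match our query")
    ancount = struct.unpack("!H", resp[6:8])[0]
    pos, addrs = len(query), []               # answers start after the echoed question
    for _ in range(ancount):
        if (resp[pos] & 0xC0) == 0xC0:        # compression pointer to the question name
            pos += 2
        else:                                 # uncompressed owner name
            while resp[pos] != 0:
                pos += resp[pos] + 1
            pos += 1
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def resolve_over_dot(name: str, server_ip: str, server_name: str) -> list:
    """Strict DoT: TLS to port 853 with certificate chain and hostname verified."""
    ctx = ssl.create_default_context()        # verification is on by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    query = build_query(name, txid=0x4242)    # constructed ID; use a random one in practice
    with socket.create_connection((server_ip, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame_tcp(query))
            reader = tls.makefile("rb")       # read(n) blocks for exactly n bytes or EOF
            (length,) = struct.unpack("!H", reader.read(2))
            data = reader.read(length)
    if len(data) != length:
        raise ConnectionError("TLS session closed before the full answer arrived")
    return parse_a_records(data, query)
```

If the resolver presents a certificate that does not match `server_name`, `wrap_socket` raises an `SSLError` before any query is sent, which is exactly the guarantee the encrypted channel relies on.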

Fact

TLS is still often referred to by the name of its predecessor, SSL. The Secure Sockets Layer protocol itself, however, is now obsolete.

Advantages and disadvantages of DNS over TLS

Because traditional DNS provides no security measures of its own, one cannot go wrong with DoT. Because the exchange is encrypted, Internet criminals no longer have the option of exploiting it for an attack. Similarly, governments are unable to censor content – at least in theory. Experts have criticized DNS over TLS because it uses a dedicated port: although the content of the queries, and thus which websites a user visits, cannot be read, the fact that a DNS request is being made remains visible. Privacy groups consider this a problem, whereas network administrators regard it as an important means of keeping an overview of activity within a network.

Another shortcoming of DNS over TLS is that it is still not widely used. With the exception of Android 9, all operating systems must be upgraded first to be compatible. Even on the server side, the technology is (still) not that common. Though a number of providers exist, they are not nearly as numerous as one would expect from traditional DNS. As a result, some experts are concerned that a monopoly could emerge. Until now, name servers have largely been provided by Internet providers; now a handful of other companies could end up consolidating DNS requests themselves.

DoT vs. DoH

An alternative to DoT that also secures name resolution is DNS over HTTPS (DoH). Both solutions provide encrypted communication, but they use different ports. As trivial as that might sound, it has led to a deep rift between expert groups. While DNS over TLS uses its own port, DoH uses port 443, the port used for all other HTTPS connections, which means that a DNS request cannot be distinguished from other traffic when surfing the web.

With regard to data protection, this has some serious benefits. If DNS requests cannot be recognized as such, nobody can attempt to block them. Some network administrators, however, are worried that they could lose control of network traffic and would no longer be able to manage communication properly.

The two solutions are backed by two camps. The IETF – an organization concerned with the continued development of the Internet – supports DoT. The IETF develops standards that in many cases are taken up by other actors online. DNS over HTTPS, on the other hand, is supported by various other companies and organizations, including the Mozilla Foundation and Google.
