DNS over TLS: an improved security concept

The Domain Name System (DNS) ensures that we can surf the net without any issues. If this useful system didn’t exist, we would need to enter an IP address in full into a browser each time in order to be able to open a website. Thanks to DNS, known and noticeable URLs are sufficient. Yet, up until now, the comfort to quickly launch a web page came at the cost of security. Thanks to DNS over TLS (DoT), the hazards of surfing have been significantly minimized. How does the technology work?

The Domain Name System is a practical concept, yet it was invented at a time when the Internet was still a lot smaller and there were fewer security concerns than there are today. The way DNS works is simple. A client (i.e. a home computer, for example) requests the correct IP address for a domain name via a name server. If the domain is a website that has not previously been visited or a user recently cleared their cache, a connection is established via the Internet. Although practical, it enables hackers to intercept the communication between client and DNS server because it mostly occurs without any encryption.

Hence, Internet criminals can easily read or manipulate communications between the participants involved. As a result, requests are intercepted and incorrect responses are sent back. These attacks are known as DNS hijacking. During a DNS hijacking attack, users end up being redirected to websites they did not open. In the best-case scenario, they’re flooded with adverts. In the worst-case scenario, the attack infects a device with malware or users become the victim of a phishing attack enabling attackers to collect sensitive user data.

But hackers aren’t alone in making use of DNS weak spots. Government and Internet providers sometimes abuse DNS flaws to censor the Internet or specific web pages or redirect users to product pages. By using an encrypted connection via DoT, users can protect themselves against criminal activity and legal bypasses.

The Transport Layer Security protocol (TLS) operates at the highest level of the TCP/IP protocol stack, and is thus a fixed component of the Internet and many other networks. The protocol may be best-known with regard to HTTPS. TLS secures transfers from the client to the web server and is expected to make communication within DNS more secure in the future.

With DNS over TLS, the data exchange occurs via an encrypted channel using a simple TCP connection and a separate Port 853, which is specifically intended for the exchange of domain information. Only the two participants in this communication can unencrypt and process the data. Therefore, a man-in-the-middle attack is not possible because the attacker cannot process the data.

The technology must, however, be supported on the server and client-side. Several providers on the Internet offer appropriate DNS servers. Where older laptops or desktop PCs are in use, the software may need to be upgraded before DNS over TLS can be used. For Windows and Linux, relevant solutions exist. Smartphones running the latest Android version can already use DNS over TLS.

Because traditional DNS doesn’t provide security measures, one cannot go wrong with DoT. Because it uses encryption, Internet criminals no longer have the option to exploit the server for an attack. Similarly, governments are unable to censor content – at least in theory. Experts have criticized DNS over TLS because it uses a specific port. Though this ensures that user access of websites cannot be tracked, the DNS request itself is still visible. Privacy groups claim that this poses a problem whilst network administrators consider it to be an important measure to gain a better overview of activities within a network.

Another shortcoming of DNS over TLS is that it is still not widely used. With the exception of Android 9, all operating systems must be upgraded first to be compatible. Even on the server-side, the technology is (still) not that common. Though a number of providers exist, they’re not nearly as numerous as one would expect from traditional DNS. As a result, some experts are concerned that a monopoly could emerge. Many name servers have been made available by Internet providers, but now other companies too could consolidate DNS requests themselves.

An alternative to DoT which provides enhanced security of name resolution is DNS over HTTPS (DoH). Both solutions provide encrypted communication, but they use different ports. And as trivial as that might sound, it has led to a deep rift between expert groups. While DNS over TLS uses its own port, DoH uses Port 443, which is used for all other HTTPS connections and means that a DNS request cannot be distinguished from other traffic when surfing the web.

With regard to data protection, this has some serious benefits. If DNS requests aren’t recognized, others cannot attempt to prohibit them. Some network administrators, however, are worried that they could lose control of network traffic and wouldn’t be able to properly manage communication.

The solutions are supported by two camps. The IETF – an organization concerned with the continued development of the Internet – supports DoT. The IETF develops standards that in many cases can be taken up by other actors online. DNS over HTTPS, on the other hand, is supported by various other companies and organizations including the Mozilla Foundation and Google.