Prevent ISPs from seeing what website you’re viewing with DNS over TLS
DNS over TLS keeps Internet Service Providers (ISPs) from spying on users. Doesn’t SSL already do that? Sort of. An SSL certificate facilitates an encrypted connection between a client’s browser and a website’s server. That means that during the connection all communication and activity are obscured.
But, the ISP can still see what website you’re on.
It doesn’t have to be that way though, there is a way to keep your ISP from even seeing what website you’re accessing. It’s called DNS over TLS.
What is DNS over TLS?
DNS over TLS is a security protocol that forces all connections with DNS servers to be made securely using TLS. This effectively keeps ISPs from seeing what website you’re accessing.
There’s a lot to unravel here, so let’s start from the beginning.
TLS or Transport Layer Security is the successor to SSL. Despite still being the colloquial term for TLS, SSL was actually not a secure protocol and was quickly replaced by TLS. What you call an SSL certificate is actually a TLS certificate. So just remember, when we say TLS we’re talking about the concept of SSL.
Now, let’s talk about DNS.
What is a DNS server?
DNS stands for Domain Name System, which actually means calling it a DNS Server is redundant—but indulge me. DNS Servers are what translates the web address you enter into the IP address your computer recognizes when it serves the website.
When you type in a web address, you’re typing in a URL or a Uniform Resource Locator. Behind the scenes, your browser is making a connection with a DNS server that translates that URL into an IP address, which it uses to server the files on the server. Again, this all happens quickly behind the scenes. The average internet user has no idea it’s even taking place.
Unfortunately, most DNS requests are made in plaintext, which means your ISP can see the conversions. That means they can see what website you’re accessing even if that website has SSL to obfuscate what pages you’re viewing.
Currently the requests are made via the UDP or TCP protocols.
Enter DNS over TLS
DNS over TLS is actually specified in RFC 7858. It requires all DNS data be sent on a DNS-over-TLS port. When using TCP Fast Open, the TLS handshake must be initiated immediately.
The TLS handshake is process where a TLS connection is negotiated.
Adoption depends entirely on the DNS industry. If a server is equipped with SSL/TLS, DNS over TLS is within its capabilities—it’s just a matter of supporting it.
Recently, Android announced it would be adding DNS over TLS for all of its apps. This makes sense, considering Google’s DNS servers already support DNS over TLS. If you want to enable DNS over TLS, it’s just a matter of finding a DNS server that supports it.
We highly recommend DNS over TLS, just like we recommend enabling HSTS on your website. It’s important to close as many attack vectors as possible. SSL/TLS is a great tool, but it’s not a cure-all. It’s important to have to correct implementations to maximize
What we Hashed Out (for Skimmers)
Here’s what we covered in today’s discussion:
- DNS over TLS is a protocol that forces all DNS requests to be made securely
- This practice prevents ISPs from seeing what websites you’re trying to access
- To use DNS over TLS your DNS service must support it.