What is DNS over TLS? Everything you need to know
Prevent ISPs from seeing what website you’re viewing with DNS over TLS
DNS over TLS keeps Internet Service Providers (ISPs) from spying on users. Doesn’t SSL already do that? Sort of. An SSL certificate facilitates an encrypted connection between a client’s browser and a website’s server. That means that during the connection all communication and activity are obscured.
But, the ISP can still see what website you’re on.
It doesn’t have to be that way, though: there is a way to keep your ISP from even seeing which website you’re accessing. It’s called DNS over TLS.
What is DNS over TLS?
DNS over TLS is a security protocol that forces all connections with DNS servers to be made securely using TLS. This effectively keeps ISPs from seeing what website you’re accessing.
There’s a lot to unravel here, so let’s start from the beginning.
TLS or Transport Layer Security is the successor to SSL. Despite still being the colloquial term for TLS, SSL was actually not a secure protocol and was quickly replaced by TLS. What you call an SSL certificate is actually a TLS certificate. So just remember, when we say TLS we’re talking about the concept of SSL.
Now, let’s talk about DNS.
What is a DNS server?
DNS stands for Domain Name System, which actually means calling it a DNS Server is redundant (but indulge me). DNS servers are what translate the web address you enter into the IP address your computer needs in order to reach the website’s server.
When you type in a web address, you’re typing in a URL, or Uniform Resource Locator. Behind the scenes, your browser is making a connection with a DNS server that translates that URL’s hostname into an IP address, which it then uses to fetch the files from the server. Again, this all happens quickly behind the scenes. The average internet user has no idea it’s even taking place.
Unfortunately, most DNS requests are made in plaintext, which means your ISP can see the lookups. That means they can see what website you’re accessing even if that website has SSL to obfuscate what pages you’re viewing.
Today those requests are sent over plain UDP or TCP.
Enter DNS over TLS
DNS over TLS is actually specified in RFC 7858. It requires that all DNS data be sent on a dedicated DNS-over-TLS port, and that the TLS handshake be initiated immediately once the TCP connection is established, including when TCP Fast Open is used.
The TLS handshake is the process in which a TLS connection is negotiated.
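To make the two halves of this concrete (what a plaintext DNS lookup exposes, and how the same query is carried under RFC 7858), here is an added example, not code from the original article. It builds an RFC 1035 wire-format A query, shows that the hostname is readable directly from those bytes (which is exactly what an on-path ISP sees when the query goes out over plain UDP), applies the 2-byte length prefix that DNS-over-TCP and DNS over TLS use, and parses a hand-constructed response. The `dot_query` function sends the framed query over TLS on port 853, the port RFC 7858 assigns; `ssl.create_default_context()` validates the resolver’s certificate against the system trust store, so a resolver that cannot present a valid certificate for the name you expect is rejected rather than silently answering. The resolver address and name passed to `dot_query` are the caller’s choice and are not part of the example; the sample response bytes are constructed, not captured.

```python
"""Added example (not from the original article): DNS query wire format,
RFC 7858 TCP/TLS framing, and a minimal DNS-over-TLS client."""
from __future__ import annotations
import socket
import ssl
import struct


def build_query(hostname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a standard recursive A query (RFC 1035 section 4.1)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in hostname.rstrip(".").split("."))
    qname += b"\x00"                                           # root label
    return header + qname + struct.pack(">HH", qtype, 1)       # QCLASS=IN


def parse_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                       # pointer occupies 2 bytes
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    if not jumped:
        end = offset
    return ".".join(labels), end


def qname_from_query(payload: bytes) -> str:
    """What a passive observer recovers from a plaintext DNS query: the hostname."""
    name, _ = parse_name(payload, 12)                  # question follows 12-byte header
    return name


def parse_a_answers(msg: bytes) -> list[str]:
    """Return the IPv4 addresses from the answer section of a response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                                # skip question section
        _, offset = parse_name(msg, offset)
        offset += 4                                    # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, offset = parse_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addrs.append(".".join(str(b) for b in msg[offset:offset + 4]))
        offset += rdlen
    return addrs


def frame_for_tcp(query: bytes) -> bytes:
    """DNS over TCP (and so DNS over TLS) prefixes each message with a 2-byte length."""
    return struct.pack(">H", len(query)) + query


def constructed_response() -> bytes:
    """Hand-built (constructed, not captured) reply to build_query('example.com')."""
    q = build_query("example.com")
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    return header + q[12:] + answer


def dot_query(hostname: str, resolver_ip: str, resolver_name: str,
              port: int = 853) -> list[str]:
    """Resolve hostname over DNS over TLS (RFC 7858, port 853). Needs network
    access; the offline test does not call it. resolver_name is sent as SNI and
    checked against the resolver's certificate, so an impostor resolver fails."""
    ctx = ssl.create_default_context()                 # verifies chain + hostname
    with socket.create_connection((resolver_ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver_name) as tls:
            tls.sendall(frame_for_tcp(build_query(hostname)))
            length = struct.unpack(">H", tls.recv(2))[0]
            resp = b""
            while len(resp) < length:
                chunk = tls.recv(length - len(resp))
                if not chunk:
                    raise ConnectionError("short read from resolver")
                resp += chunk
    return parse_a_answers(resp)


if __name__ == "__main__":
    q = build_query("example.com")
    print("plaintext query reveals:", qname_from_query(q))
    print("framed length prefix:", frame_for_tcp(q)[:2].hex())
    print("parsed answer:", parse_a_answers(constructed_response()))
```

Running the file offline prints the hostname recovered from the raw query bytes, the `001d` length prefix, and the address parsed from the constructed reply. The design point is in `qname_from_query` versus `dot_query`: the query bytes are identical in both cases, and the only thing DNS over TLS changes is that an observer on the path sees a TLS session to port 853 instead of those bytes.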
Adoption depends entirely on the DNS industry. If a server is equipped with SSL/TLS, DNS over TLS is within its capabilities—it’s just a matter of supporting it.
Recently, Android announced it would be adding DNS over TLS for all of its apps. This makes sense, considering Google’s DNS servers already support DNS over TLS. If you want to enable DNS over TLS, it’s just a matter of finding a DNS server that supports it.
We highly recommend DNS over TLS, just like we recommend enabling HSTS on your website. It’s important to close as many attack vectors as possible. SSL/TLS is a great tool, but it’s not a cure-all. It’s important to have the correct implementations to maximize
What we Hashed Out (for Skimmers)
Here’s what we covered in today’s discussion:
- DNS over TLS is a protocol that forces all DNS requests to be made securely.
- This practice prevents ISPs from seeing what websites you’re trying to access.
- To use DNS over TLS, your DNS service must support it.