What is DNS over TLS? Everything you need to know


Keep ISPs from reading your DNS lookups with DNS over TLS

DNS over TLS keeps Internet Service Providers (ISPs) from reading your DNS lookups. Doesn't SSL already do that? Sort of. An SSL certificate lets a client's browser set up an encrypted connection to a website's server, so everything exchanged over that connection, including which pages you request, is hidden from anyone in between.

But the ISP can still see which website you're connecting to.

One of the ways it learns that is the DNS lookup your device makes before the connection is even opened, and that part doesn't have to be visible. It can be encrypted with DNS over TLS. (Two other things remain visible to the ISP and are not fixed by DNS over TLS: the IP address you then connect to, and the hostname your browser sends in the clear in the TLS Server Name Indication extension.)

What is DNS over TLS?

DNS over TLS is a protocol that wraps the traffic between a DNS client (your device's stub resolver) and its recursive resolver in TLS, so queries and answers travel over an encrypted, authenticated connection instead of in plaintext. An ISP watching the wire sees only that your device is talking to a resolver on port 853, not which names it is asking about. Note what it does not hide: the IP address you subsequently connect to, and the hostname your browser sends in the clear in the TLS Server Name Indication (SNI) extension, are still visible, so DNS over TLS closes one leak rather than all of them.

There’s a lot to unravel here, so let’s start from the beginning.

TLS, or Transport Layer Security, is the successor to SSL. SSL remains the colloquial name, but the SSL protocol versions had known weaknesses and were superseded by TLS; what is sold as an SSL certificate is really a certificate used for TLS. So when we say TLS, we mean the same thing people usually mean by SSL.

Now, let’s talk about DNS.

What is a DNS server?

DNS stands for Domain Name System. A DNS server is one of the machines that make up that system: it translates the domain name you type into the IP address your computer actually connects to in order to fetch the website.

When you type in a web address, you're typing in a URL, or Uniform Resource Locator. Behind the scenes, your operating system's stub resolver sends the hostname part of that URL to a DNS resolver (usually the one your ISP assigned), which returns the IP address your browser then connects to in order to fetch the page from the web server. This all happens quickly behind the scenes; the average internet user has no idea it's even taking place.

Unfortunately, most DNS traffic is sent in plaintext, which means your ISP can read every query and answer. That reveals which website you're accessing even when the site uses SSL/TLS to encrypt which pages you're viewing.

Currently these requests go over UDP or TCP on port 53, with no encryption and no way for the client to verify that the resolver answering is the one it asked.

Enter DNS over TLS

DNS over TLS is specified in RFC 7858. A resolver that supports it listens on TCP port 853, the registered DNS-over-TLS port, and the client opens a TCP connection to that port and begins the TLS handshake immediately, before sending any DNS data; this holds even when TCP Fast Open is used. Once the session is up, DNS messages are sent over it in the same framing DNS already uses over TCP: each message is prefixed with a two-byte length field. Port 853 must never carry plaintext DNS. The RFC also describes how a client can authenticate the resolver (for example by pinning its public key), which is what stops an on-path attacker from simply impersonating it.

The TLS handshake is the process by which a client and server negotiate a TLS connection: they agree on a protocol version and cipher suite, the client checks the server's certificate, and the keys that protect the rest of the session are established.
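To make the resolution steps and the RFC 7858 session described above concrete, here is a small Python client, added as an example for this article and not code from the article or from any DNS over TLS implementation. It builds a DNS query in the RFC 1035 wire format, wraps it in the two-byte length framing that DNS over TLS reuses from TCP DNS, opens a TLS session to a resolver on port 853 with certificate and hostname verification turned on, and parses the A records in the answer. The sample response bytes are constructed for the example (they are not a capture), and the resolver address and hostname in the commented-out live call are assumptions, not something the article names; the network call is optional, so the parsing can be exercised offline.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # registered port for DNS over TLS (RFC 7858)


def encode_name(name: str) -> bytes:
    """Encode a domain name as RFC 1035 labels: <len><label>...<0>."""
    out = b""
    for label in name.rstrip(".").split("."):
        enc = label.encode("ascii")
        if not 0 < len(enc) < 64:
            raise ValueError("label must be 1..63 bytes: %r" % label)
        out += bytes([len(enc)]) + enc
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a single-question DNS query (QTYPE 1 = A, QCLASS 1 = IN)."""
    # Header: ID, flags (RD=1, recursion desired), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def frame_tcp(msg: bytes) -> bytes:
    """DoT reuses the TCP framing of RFC 1035 s4.2.2: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def read_name(buf: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just after the name)."""
    labels, end = [], None
    while True:
        length = buf[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", buf[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2  # the pointer is the last thing in this name
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_response(msg: bytes, expected_txid: int):
    """Return (rcode, [(name, ttl, ipv4), ...]) for the A records in the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return flags & 0x000F, answers


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection")
        buf += chunk
    return buf


def query_dot(name: str, resolver_ip: str, resolver_hostname: str, timeout: float = 5.0):
    """One A lookup over DNS over TLS. Needs network access to a DoT resolver."""
    ctx = ssl.create_default_context()  # validates the chain and matches resolver_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    txid = 0x1234
    with socket.create_connection((resolver_ip, DOT_PORT), timeout=timeout) as raw:
        # RFC 7858: the TLS handshake starts immediately after the TCP connection opens,
        # so the query never touches the wire in plaintext.
        with ctx.wrap_socket(raw, server_hostname=resolver_hostname) as tls:
            tls.sendall(frame_tcp(build_query(name, txid=txid)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_response(recv_exact(tls, length), txid)


# Constructed sample response (not a capture): example.com A 93.184.216.34, TTL 300.
# The answer name is a compression pointer (0xC00C) back to the question at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE, 0x1234))
    # Live lookup against an assumed public DoT resolver (address and hostname are not from the article):
    # print(query_dot("example.com", "1.1.1.1", "cloudflare-dns.com"))
```

Two details carry the security value. First, `ssl.create_default_context()` leaves certificate and hostname verification on, and `server_hostname` is the name the resolver's certificate must match; disabling either turns the session into opportunistic encryption that an on-path attacker can terminate with their own certificate. Second, the transaction ID check in `parse_response` is the only thing tying an answer to the question you sent, which matters once several queries share one TLS session.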

Adoption depends on both sides: the recursive resolver has to accept TLS on port 853, and the client (the operating system's stub resolver, or a local forwarder in front of it) has to speak it. A resolver operator who already runs TLS elsewhere has the building blocks; it's a matter of implementing and enabling it.

Recently, Android announced that it would add DNS over TLS at the operating-system level, so that it covers every app on the device. This makes sense, considering Google's DNS servers already support DNS over TLS. If you want to enable DNS over TLS, it's a matter of pointing your device or your network's resolver at a resolver that supports it.

We highly recommend DNS over TLS, just as we recommend enabling HSTS on your website. It's important to close as many attack vectors as possible. SSL/TLS is a great tool, but it's not a cure-all, and it's important to have the correct implementations in place to maximize

What we Hashed Out (for Skimmers)

Here’s what we covered in today’s discussion:

  • DNS over TLS is a protocol that sends all DNS queries to the resolver over an encrypted, authenticated TLS connection (TCP port 853) instead of in plaintext
  • This keeps ISPs from reading which names you look up, though the destination IP address and the TLS SNI of the connection you make afterwards are still visible to them
  • To use DNS over TLS, both your client and your DNS resolver must support it.
4 comments
    • No, DNSSEC verifies that the DNS server you requested is actually the one responding to your request; it signs, rather than encrypts, requests.

  • Maybe I’m missing something. The article says, “Prevent ISPs from seeing what website you’re viewing with DNS over TLS.” That is not true at all. If your ISP is sniffing your packets, they can see what sites you’re hitting, even if your DNS is TLS-encrypted. In the HTTPS header, thanks to the SNI (Server Name Indication) extension to TLS, your web browser states in plaintext what site you want to open during the TLS negotiation. It doesn’t show the URL (but neither does a DNS request).

    The only way to really hide stuff from your provider is via VPN or some other encrypted tunneling method (like SSH). If you’re doing that, your DNS requests are also encrypted anyway, even without DNS over TLS.

    • You’re missing something. The ISP will only see the request to the DNS server. The SNI will only show the IP of the DNS server. The site you are requesting is encrypted, no one in between the client and the DNS server will know what site was requested.


Author

Patrick Nohe

Hashed Out’s Editor-in-Chief also serves as Content Manager for The SSL Store™.