DNS over TLS is a protocol in which DNS queries are encrypted to the same level as HTTPS. This means the network provider can’t actually log or see the websites you visit. Is it really better? We will find out – hang on!
Here is an example of what it looks like.
```sh
# Example DNS data returned via TLS
# (^M stands for a literal carriage return, CR, inside the here-document)
openssl s_client -tls1_2 -ign_eof \
  -connect dns.google.com:443 -verify 9 <<eof
GET /resolve?name=example.com.&type=dnskey HTTP/1.1^M
Host: dns.google.com^M
Connection: keep-alive^M
^M
GET /resolve?name=example.net.&type=dnskey HTTP/1.1^M
Host: dns.google.com^M
Connection: close^M
^M
eof

# Check the IP
dig dns.google.com
```
Theoretically, any attacker can still see the domain name through the Host header, and nothing stops them from intercepting or modifying the request or response. This alone is already a bummer!
When the transport is SSL/TLS, the domain name appears in the SNI field (the SNI leak), and SNI itself isn’t encrypted. You’ll inevitably have to disable DNS over TLS every time you use public Wi-Fi, e.g. to get the captive portal to show up. Using TLS also adds latency because of the TCP handshake it requires (unless DTLS is used), and it exposes all the domain names you visit to Google, so it’s actually worse than regular DNS. A workaround is TCP Fast Open, which removes the TCP handshake latency.
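As an added example (not code from the original post), here is a minimal DNS-over-TLS client in Python that shows the two mechanics discussed above: the TLS handshake, where the resolver’s certificate is verified and the server name goes out as cleartext SNI, and the RFC 7858 framing of the DNS message with a 16-bit length prefix. The resolver name dns.google and port 853 are assumptions, and the sample response bytes are constructed rather than captured, so the parser can be exercised offline.

```python
import socket, ssl, struct

def build_query(name, qtype=1, txid=0x1234):
    """DNS query for `name` (qtype 1 = A, class IN), recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii")
                     for lb in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def _skip_name(msg, off):
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_response(msg):
    """Return (txid, rcode, [IPv4 strings]) from a DNS response message."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                # skip QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return txid, flags & 0xF, addrs

def query_dot(name, server="dns.google", port=853):
    """One A query over TLS/853 (assumed resolver); `server` also goes out as cleartext SNI."""
    ctx = ssl.create_default_context()   # verifies certificate chain and hostname
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            q = build_query(name)
            tls.sendall(struct.pack("!H", len(q)) + q)  # RFC 7858: 16-bit length prefix
            rd = tls.makefile("rb")                     # read(n) blocks for n bytes
            (length,) = struct.unpack("!H", rd.read(2))
            return parse_response(rd.read(length))

# Constructed sample response (not captured traffic): example.com A 192.0.2.1
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x07example\x03com\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x01")

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))   # offline: (4660, 0, ['192.0.2.1'])
```

Calling query_dot("example.com") performs the real TLS exchange; a packet capture of that call shows the SNI in the ClientHello while the DNS payload itself is encrypted.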
What about DNSSEC?
DNSSEC gives you something the other approaches don’t: authenticated data, including authenticated non-existence. That’s in my opinion a big deal. The point is that DNSSEC can secure more hops than DNS-over-TLS, but DNS-over-TLS can secure the last hop without any opt-in by the domain owner.
DNSSEC is secure enough, because the root is protected. DNSSEC is not trying to solve the problem of privacy, only authentication.
DNSCrypt is a homebrew DNS-over-TLS protocol; similarly, its client has to explicitly trust the public signing key of the chosen provider.
DNS over TLS will not give you full privacy with the flip of a simple toggle. If the DNS provider you choose to connect to has enabled DNS over TLS, it gets your DNS traffic instead of your ISP. DNS requests will be encrypted, but the DNS over TLS server still gets to see your entire DNS traffic, though that alone might be a step above using your ISP’s servers without DNS over TLS. At least this way, your ISP won’t be able to tie your queries to the IP you’ve been assigned, and thus to your name.
DNS-over-TLS and DNSCrypt are more about authentication than privacy. They are useful against the guy sitting behind you at Starbucks doing DNS injection.
- It won’t replace a VPN – unless you are using a VPN or Tor, the IP of the site you’re connecting to is present in every TCP / UDP / ICMP packet you send out!
- If DNS runs over TLS, it can’t be transparently proxied. That said, we are then talking about censorship circumvention and its possibilities.