In the beginning days of IP networks and before the Domain Name System (DNS), each computer had a host file that held computer names and their IP addresses. The entries in these files had to be synchronized (sometimes manually) across all of the computers that needed to talk to each other, which was very much the other DNS: Does Not Scale.
In 1987, RFC 1034 and RFC 1035 outlined a DNS network protocol and zone resource records and heralded in the modern era of DNS and the explosion of the Internet during the DotCom Era as people raced to register domains, set up zones on authoritative servers, and pointed DNS resource records at their newly minted websites.
For speed and because of the small size of DNS queries and answers, the DNS network protocol uses UDP on port 53. However, this decision introduced numerous security issues:
- A failed DNS query resulted in a resend of the query.
- The protocol uses no encryption and is subject to eavesdropping and traffic injection anywhere along the network path.
- UDP, because it does not have a two-way handshake like TCP, is susceptible to spoofing attacks which can be manifested as cache poisoning or DDoS amplification attacks.
- The protocol did not have any method of identifying which computer made the query to an upstream recursive or authoritative server.
- The protocol did not have any assurances that the answer had not been altered by any forwarder or recursive DNS server upstream of the querying computer.
Then along came DNSSEC.
DNSSEC expanded the DNS zone and UDP network protocol by adding public-key cryptography to sign a DNS zone and validate answers provided through the process of recursion. Although a small number of zones are signed and actively verified, DNSSEC allows organizations to detect cache poisoning, domain hijacking, network hijacking, and other attacks.
Uninterrupted access to your digital assets. Discover how our DNSSEC solutions can protect and optimize your online resources. Get Started |
Introducing DNS over transport-layer security.
In order to mitigate some of the DNS UDP protocol problems, in 2016, a new protocol was developed in RFC 7858 named DNS over Transport-Layer Security (TLS), commonly known as DoT. This protocol uses TCP over port 853 and TLS, which ensures resiliency in communication through the TCP handshake and the flow controls built into TCP.
DoT also uses Public-Key Infrastructure via TLS certificates on the authoritative server so that recursive servers can validate that they are talking to the correct authoritative server for the zone that it is querying.
DoT and UDP-based DNS are deployed in parallel frequently on both authoritative and recursive DNS servers. For instance, normal queries might use UDP and zone transfers or other control-plane traffic uses DoT. Or individual computers might use UDP to a local DNS caching recursive server which in turn uses DoT to perform recursion.
In order to compensate for the time required for a TCP handshake, TLS negotiation, and DoT query, it is recommended that the recursive server employ an aggressive caching strategy and that the TCP/TLS session be reused for subsequent queries if possible.
Still with privacy issues.
While DoT and DNSSEC solved some of the problems with the UDP DNS protocol, it was also vulnerable to traffic analysis and a force protocol downgrade to UDP DNS.
If you know that a DNS server is authoritative for a domain and that a recursive server made a TCP 853 connection to that server, you could assume that a computer serviced by the recursive server was making a query against that domain.
Network administrators and operators (for example, in a country with an oppressive government) could block DoT and force computers on their network to use the UDP DNS protocol where the traffic could be monitored.
Learn more about DNS, DNSSEC, and more with our blog: |
And now we have DNS over HTTPS.
In order to address these 2 weaknesses of DoT, DNS over HTTPS, or DoH, was created.
DNS over HTTPS, or DoH, is exactly what it sounds like: the DNS query is embedded in HTTP and sent via TLS over TCP port 443. The recursive server can be specified inside the web browser or inside a network privacy application.
This helps DoH to blend in with other web browser communications. This approach is also compatible with remote recursive services that can be integrated with a VPN service or other privacy-centric software suite.
Strengths of DoH.
DoH uses both TCP and TLS certificates, which provide feature-parity with DoT.
DoH is more resistant to traffic analysis, especially in countries that aggressively monitor their citizens’ Internet usage.
DoH uses HTTP, which can add other headers such as machine identifier, customer identifier, and the name of the computer process that initiated the query. For this reason, we use DoH on UltraDDR, our protective DNS service.
Problems with DoH.
It is practically infeasible to block all DoH outbound traffic. This invalidates all of the protective DNS controls that an enterprise uses.
Users that set up DoH for their web browsers are able to bypass any kind of filtering for Acceptable Use Policy that the organization uses on their recursive DNS servers.
Malware is able to use DoH to bypass enterprise controls.
Computers using DoH have to trust an external organization that is outside of their company’s security policy.
The difference between DNS, DNSSEC, DoT, and DoH—at a glance.
| Feature | DNS (Domain Name System) | DNSSEC (DNS Security Extensions) | DoT (DNS over TLS) | DoH (DNS over HTTPS) |
| Protocol Basis | Uses UDP on port 53 | Expands DNS with public-key cryptography | Uses TCP over port 853 with TLS | Embeds DNS in HTTP, sent via TLS over TCP port 443 |
| Security | No encryption, vulnerable to attacks | Adds verification and data integrity to DNS | Encrypts DNS queries, preventing eavesdropping | Encrypts DNS queries, resistant to traffic analysis and censorship |
| Performance | Fast due to small query size and no encryption | May slow down responses due to cryptographic checks | Slower due to TCP handshake and TLS negotiation | Comparable to DoT, with potential for HTTP/2 performance optimizations |
| Privacy | Susceptible to eavesdropping and traffic injection | Protects against cache poisoning and other attacks | Vulnerable to traffic analysis and protocol downgrade | More resistant to traffic analysis and monitoring |
| Deployment | Widely used due to being established and fast | Not universally adopted, used for enhanced security | Often used in parallel with UDP DNS | Can be integrated with web browsers and privacy applications |
Which one to use?
Most networks still use the UDP DNS network protocol. This is more because of installed base and inertia than any merits of the protocol. It is a faster protocol and requires fewer server resources to respond to the same volume of queries.
For a corporate environment where verification of query answers is important, DoT plus DNSSEC validation provides a good level of protection, especially if the answers can be cached on their local resolvers.
For users concerned about privacy and willing to sacrifice some performance in their queries in the interest of privacy, DoH would be the best choice.
Ready to elevate your online security and performance?
You’ve just navigated the complex world of DNS, DNSSEC, DoT, and DoH, understanding their unique roles in securing and optimizing your online presence. Now, it’s time to take the next step.
With Vercara’s UltraDNS and UltraDNS², you can:
- Guarantee uninterrupted access: Ensure your website and digital assets are always available and performing at their best.
- Enhance security: Protect your online presence from threats with our advanced DNSSEC solutions.
- Optimize performance: Benefit from near-zero latency and manage vast volumes of DNS queries effortlessly.
- Rely on expertise: Trust in our dedicated support team, available 24/7 to assist you.
Whether you’re looking to fortify your DNS infrastructure, seeking unmatched reliability, or aiming for the pinnacle of DNS security, our solutions are designed to meet your needs.
Don’t let your online presence be compromised. Secure it with the strength of Vercara’s DNS solutions.
