DoH is DNS-over-HTTPS. Let’s break that down.
DNS is Domain Network System, and it’s what allows you to type in the server name (e.g. aliceevebob.com or http://www.redhat.com), which typically makes up the key part of a URL, and then get back the set of numbers which your computer needs actually to contact the machine you want it to talk to. This is because computers don’t actually use the names, they use the numbers, and the mapping between the two can change, for all sorts of reasons (a server might move to another machine, it might be behind a firewall, it might be behind a load-balancer – those sorts of reasons). These numbers are called “IP addresses”, and are typically[1] what are called “dotted quads”. An example would be 127.0.0.1 – in fact, this is a special example, because it maps back to your own machine, so if you ask for “localhost”, then the answer that DNS gives you is “127.0.0.1”. All IP[1] addresses must be in of the type a.b.c.d, where the a, b, c and d are numbers between 0 and 254 (there are some special rules beyond that, but we won’t go into them here).
Now, your computer doesn’t maintain a list of the millions upon millions of server names and their mappings to specific IP address – that would take too much memory, and ages to download. Instead, if it needs to find a server (to get email, talk to Facebook, download a webpage, etc.), it will go to a “DNS server”. Most Internet providers will provide their own DNS servers, and there are a number of special DNS servers to which all others connect from time to time to update their records. It’s a well-established and generally well-run system across the entire Internet. Your computer will keep a cache of some of the most recently used mappings, but it’s never going to know all of them across the Internet.
What worries some people about the DNS look-up process, however, is that when you do this look-up, anyone who has access to your network traffic can see where you want to go. “But isn’t secure browsing supposed to stop that?” you might think. Well, yes and no. What secure browsing (websites that start “https://”) means is that nobody with access to your network traffic can see what you download from and transmit to the website itself. But the initial DNS look-up to find out what server your browser should contact is not encrypted. This might generally be fine if you’re just checking the BBC news website from the UK, but there are certainly occasions when you don’t want this to be the case. It turns out although DoH doesn’t completely fix the problem of being able to see where you’re visiting, many organisations (think companies, ISPs, those under the control of countries…) try to block where you can even get to by messing with the responses you get to look-ups. If your computer can’t even work out where the BBC news server is, then how can it visit it?
DoH – DNS-over-HTTPS – aims to fix this problem. Rather than your browser asking your computer to do a DNS look-up and give it back the IP address, DoH has the browser itself do the look-up, and do it over a secure connection. That’s what the HTTPS stands for – “HyperText Transfer Protocol Secure” – it’s what your browser does for all of that other secure traffic (look for the green padlock”). All someone monitoring your network traffic would see is a connection to a DNS server, but not what you’re asking the DNS server itself. This is a nice fix, and the system (DoH) is already implemented by the well-known Tor browser.
The reason that I’m writing about it now is that Firefox – a very popular open source browser, used by millions of people across the world – is beginning to roll out DoH by default in a trial of a small percentage of users. If the trial goes well, it will be available to people worldwide. This is likely to cause problems in some oppressive regimes, where using this functionality will probably be considered grounds for suspicion on its own, but I generally welcome any move which improves the security of everyday users, and this is definitely an example of one of those.
1 – for IPv4. I’m not going to start on IPv6: maybe another time.
Alice, Eve and Bob - a security blog 