If you’re a privacy-centric individual, this post is for you. Mozilla, the creator of Firefox, has championed the new Internet Engineering Task Force (IETF) standard known as DNS over HTTPS (DoH). This isn’t a new concept, as Mozilla wrote about this back in 2018, but I only now came across their post describing it. Aside from the post explaining how DoH works, they also break down how HTTP and DNS requests work in general – and the author, Lin Clark, did a fantastic job at explaining it.
My intention for this post is to simplify (and shorten) their explanation while revealing the perks of this new initiative. In addition, this post will also somewhat reveal a bit more just how online tracking can be done.
HTTP(S)
Hyper Text Transfer Protocol (HTTP) is the language of the web, so to speak. It’s the protocol that defines how messages are formatted and transmitted on the World Wide Web, and what actions web servers and browsers take. Its pitfall is that data transferred via HTTP is done so in clear text (or plain text), a human-readable format free from encryption.
This means that any HTTP traffic sent over a network has the ability to be read along the way. The many network points between the source and destination network can read the content and gather details about you. This, in fact, is how online tracking is done to personalize ads.
Hyper Text Transfer Protocol Secure (HTTPS) is the secure and encrypted method of transmitting HTTP data. That is, the HTTP data is no longer in clear / plain text but in an encrypted format. A over-simplified description of how encryption works: encryption takes place when a web client (you or a web browser) and a web server (say Secplicity.org or WatchGuard.com) agree on a level of encryption and exchange public keys that are tied to private keys. Now, any network hop along the route can still forward the data but will no longer be able to access the content.
Resolving DNS Requests
As I’ve said in many posts, computers love numbers. Humans, maybe not so much (unless you’re a math guru or are just simply in love with numbers, in which you may very well be a computer). That said, remembering text is a lot easier and this is how we, humans, remember web addresses.
When accessing a web server, you can in fact access it via its IP address (54.212.248.139) or by using a known hostname (watchguard.com). The former is not as common across the Internet, as there are limited IP addresses and other reasons beyond the scope of this article, but very applicable to local networks. In fact, being the geek that I am, I have my home network set up in such a way where I use IP addresses more so than hostnames, but I don’t want to stray too far. The latter is by far the more common way to search for a website and as such, the process of a DNS lookup begins – the act of resolving a hostname to its IP address.
Now, when a user enters a hostname, there is a lot that happens behind the scenes. In short though, your browser makes a request to a root DNS server which points you to a top-level domain (TLD) server. This TLD server houses the information for all second-level address – a few TLD examples are com, net, and org. Second-level domains include WatchGuard or Secplicity. There are also subdomains, which are a subset to the second-level domains.
Getting back on track, DNS requests currently reveal a lot of sensitive information to whomever during this process and in clear text, taking us back to the online tracking. It’s important that the DNS resolver – the server that simplifies the process mentioned above to convert a hostname to its IP address – refrains from leaking such information. Leaked information includes your IP address or IP network. Mozilla has actually partnered with Cloudflare to complete this process in a pro-privacy manner that I will expand on a bit below.
The Main Point
By now you might be wondering what I’m trying to get to, and that’s fair seeing I took some time to explain HTTP vs HTTPS and what DNS does. As for the point of this post, instead of sending DNS requests in a clear text manner, DNS requests can now be sent directly from your computer to Cloudflare’s DNS resolvers via HTTPS. From there, the DNS resolver will in turn limit the amount of information it reveals according to the QNAME minimization, or the DNS Query Name Minimization to Improve Privacy. In addition, instead of the requests originating from your network (and therefore your IP address), the request will now originate from Cloudflare directly.
Simple and easy to understand, right?
Conclusion and Takeaways
One thing I want to be sure to include in this post is that just because this new process is kicking in with Mozilla’s Firefox, this isn’t a solution for all threats. The blog post goes on to explain that even after obtaining a web server’s IP address in a more secure fashion, you still need to connect to that server and then to that website. Nowadays one IP address may be associated with numerous hostnames; this helps save IP addresses by associating a single IP address with more than just a single hostname – hosting providers are a great example of this.
Now the issue with this is that in order to establish an encrypted communication channel between you and said website, you must first connect to the IP address while mentioning which website on that IP address you want to connect to, and then work out an encryption algorithm. Therefore, network snoopers will still see which IP address and website you connect to, but that’s about all they have access to. One fun fact that I learned from the post is that if you access a different website that’s still on that same IP address, that channel will be encrypted from the get-go – something known as HTTP/2.
To recap, a lot of network traffic is passed along in clear text. The clear text content is readable by any network hop along the way – this is how tracking is done. HTTPS is used to limit the amount of leaked information by establishing a secured channel between network endpoints. Mozilla’s Firefox will now directly send DNS requests – which are in plain text – to a trusted DNS resolver (Cloudflare) using HTTPS instead of regular plain text. That DNS resolver will resolve a given hostname to its IP address for you using its own IP address instead of revealing yours. Once you get that IP address of your desired hostname, your browser then makes a separate request to said IP address specifying the desired hostname you’d like to reach – which is still unfortunately in plain text. From there, granted that the website uses HTTPS certificates, any data exchanged between you and the server will be encrypted there on out.
I think this is a great step in the right direction in promoting user privacy. I urge users to really consider rolling this out – be it business use or even home use. Don’t get me wrong, online ads can be great, but it’s also kind of creepy knowing that our Internet Service Providers can more or less profile us based on what we’re accessing and then sell that information.