DNS over HTTPS: things to consider when you go “private”

What it means for privacy, security, and parental controls, and whether there’s a way to have them all.

The term “DNS over HTTPS (DoH)” has been hitting the headlines in

the past month: Google announced its general availability in June, and in July, Mozilla was nominated for “2019 Internet Villains” by the UK Internet Services Providers’ Association (ISPA) for introducing DoH to Firefox (the nomination was later withdrawn due to a global outcry).

This epitomizes how a new technology is disrupting existing implementations – but not just to ISPs and government agencies. Let’s take a look at what benefits DoH brings (especially in light of the recent surge in global DNS hijacking activities), its implications on many things we’ve relied on or even paid for, and what may be the easiest, least disruptive way to have this “privacy-first” technology on your devices.

DNS over HTTPS: the future of web privacy

Most popular websites nowadays use HTTPS to encrypt connections and protect sensitive information such as passwords, credit card details, and Internet bank logins. However, DNS queries are still sent in plaintext.

For example, if you enter blog.synology.com into your browser, it will contact (often multiple) DNS servers, asking for their help until it finds the IP address associated with the domain blog.synology.com (e.g., 1.23.456.789).

Since the queries are in plaintext, any DNS servers that are contacted (like your ISP’s) plus any routers on the path to those DNS servers would be able to figure out which sites you’re visiting. Over time, the record becomes a comprehensive view of your web activities and can be used for purposes like advertising. Moreover, being able to see your DNS requests means that attackers can also change the response and redirect you to a scam website. This technique, called “DNS hijacking,” has already tricked people into handing over their login information for PayPal, Netflix, Gmail, and Uber back in April.

Here’s where DoH comes into play: the technology encrypts all your DNS queries with HTTPS so that only the DNS client (e.g., your browser) and the DoH server of your choice know which sites you’re going to. No one else does. It effectively stops outsiders from snooping on or even spoofing your web traffic.

Currently, Google, Cloudflare, and several other public DNS servers have DoH services available. Mozilla also partnered will Cloudflare to allow users to protect their activities in Firefox with DoH.

So why did ISPs in the UK name Mozilla an “Internet villain”?

Privacy vs. content filtering: a conundrum

First of all, ISPs in some countries are legally bound to retain subscribers’ browsing history for a given period of time (e.g., 12 months) to facilitate criminal investigations, which will be difficult to achieve when DoH becomes mainstream. It also makes it unlikely for ISPs to offer (paid) DNS-based parental control and malware protection services, because they can no longer see and intercept DNS queries for adult or malicious sites.

Actually, not only ISPs.

DNS-based content filtering is so prevalent that almost every parental control device (the thing you installed in your network, alongside your router) uses it, and many home security products (a.k.a. “home firewalls”) leverage it as a low false-positive way of identifying compromises. If DNS queries are now encrypted before passing through these products, they’ll cease to work, too.

This is why we said in the beginning that DoH is disrupting existing implementations – including for home users. On the other hand, it can be difficult to take advantage of DoH right now. Most apps and OS (Windows, macOS, etc.) don’t support DoH natively. Configuring it typically involves command line tools, and you need to do it on every device you want to protect.

DoH at the router level to “have them all”

It has almost become an instinct that whenever we saw complexity or repetitiveness in device-level configurations, we moved them to the router level. It’s where the Safe Access and Threat Prevention packages came from: to enable parental controls and network protection once and for all. This is especially important with the rapidly growing number of “unconfigurable” devices (such as IoT devices) in today’s households. In the same vein, we’re now introducing DoH in the latest Synology Router Manager (SRM) 1.2.3.

One checkbox – for all connected devices

Native DoH support on the router means that all DNS queries made by your devices are automatically encrypted with HTTPS as soon as they travel beyond your router. Simply select your preferred DoH server in SRM (Google, Cloudflare, or enter the URL of any other DoH server). In about two or three clicks, you can lock your whole network away from prying eyes.

DNS-based filtering still possible

Since the DNS queries are only encrypted when they go beyond the router, the DNS-based threat intelligence and parental control functionality in Safe Access continue to take effect.* For example, if your kid accidentally stumbles on an adult website, the router will intercept his DNS queries and show him your custom message instead. It’ll also encrypt the rest of his innocuous queries so that people outside of your network won’t be able to exploit his browsing history.

Leveraging a router’s unique role to combine the best of both worlds – it’s how SRM 1.2.3 hopes to make you safer and more private online.

What do you think about DNS over HTTPS? Have you tried it on any apps/OS or on SRM? Tell us on Synology Community.

* We recommend that you do not enable DoH on the devices but leave it to the router. If you want to prevent someone from enabling DoH themselves (e.g., on Firefox) to bypass web filtering, you can add the URL of the DoH server(s) to Safe Access’ block list. When a device fails to query the DoH server, it’ll fall back to the non-encrypted route.

** For those who use a self-hosted DNS server, enabling DoH will prevent the devices form querying the local DNS server and is currently not recommended.