DNS over HTTPS vs DNS over TLS (and questions for family tech support)

[Mikaela]

This represents my views, not those of PrivacyGuides. If you are using a VPN, consult website of your VPN provider.

Both DoH and DoT encrypt DNS. DoH uses HTTPS for it and is thus in the usual HTTPS port 443, there isn't much for me to say about it, DoT is just usual DNS within a TLS tunnel in port 853.

Modes of DNS over TLS

DNS over TLS has two modes, three if you count off.

Opportunistic

Also known as automatic mode on Android

In opportunistic mode, your DoT client will attempt to DNS server provided by your network (DHCP) over TLS, if it works, great, you have DoT, if not, then you are using plaintext DNS. This mode is vulnerable to MITM and downgrade.

Strict

Also known as on/enabled on Android?

In strict mode, the DoT client has been giving DNS server to use explicitly and if there is no valid connection to it, your DNS will simply not work. Authenticity of the DNS server is validated and unless your client is trusting a invalid certificate, there is no MITM or downgrade.

Which is better

I cannot give one clear cut answer, there are several:

• Family ICT support: whatever is less intrusive. In Android DoT. In iOS both are equally difficult/hidden.
• Wishing to see a diverse internet that has more than internet giants and VPN providers within it: DNS over TLS works against centralization by having the automatic mode. A lot of critique about encrypted DNS centralising the internet is about DoH.
• Net/sysadmin: DNS over TLS is easier to distinguish and manage due to it using a separate port.
  • Common critique against DoH is fear on every app on your system starting to use it and connecting different servers. It's also more difficult to manage in corporate firewall.
• weak Android that has no resources for additional apps: DNS over TLS
• Just want to get connected: DNS over HTTPS is more likely to work on public WiFi as port 853 isn't so well known and there is less incentive for allowing it in firewall.
• I use a VPN: check if your VPN provider has either, otherwise don't.

What do I do

I don't currently have an Android device, the latest is SailfishOS with Android App Support.

• Linux (mainly in that order: Fedora, Debian, Ubuntu): DoT (neither Unbound or systemd currently implement DoH as a client, DNSCrypt (as a different topic) tends to not be packaged for my distributions, but I haven't checked recently)
  • additionally VPN to not have IPFS kill my router constantly, my provider does provide DoT
• iOS (including family): DNS over HTTPS
• Android >= 9: DNS over TLS as it's trivial to enable in Settings -> Network -> Advanced -> Private DNS
  • when using a VPN: connecting to a VPN disables private DNS until it's disconnected, so I would still use it. Technically VPN clients should do this also on computers.
• Android < 9: install Nebulo and enable DNS over HTTPS
  • This could be done on newer versions, but they would appear as a VPN and Android would either disable it at times or prompt that always on VPN is disconnected or require reconnections to network and similar which is unacceptable for family tech support.

Obligatory disclaimer

Encrypted DNS (excluding DoT-automatic) will protect your connection to the DNS server from tampering/hijacking/redirecting (ISP forwarding all queries to theirs regardless of whatever plaintext DNS server is configured). The DNS server can still lie, unless your DNS client is validating DNSSEC and the zone you are accessing is properly DNSSEC signed. Your ISP or VPN will still see all sites you visit.

Family ICT support questions

• Are you family ICT support person?
• Do you setup a VPN for them? Do they use encrypted DNS? Or do they only use HTTPS (no VPN, no encrypted DNS)?
• Do they care about their ISP or VPN seeing the domains they visit such as facebook.com or google.com?
• If they use a VPN
  • How much does it cost for you or do they pay it? How did you explain the need for them?
  • Do they care about leaking their IP address?
  • How do you handle situations where the VPN is not working or otherwise gives technical prompts such as aforementioned "Always on VPN is disconnected"?
  • Can your family disable the VPN either accidentally or intentionally?

[Mikaela]

This was inspired by disagreement in the team room about DoH vs DoT, and I am perceiving an attitude shift in who is the target audience of Privacy Guides. It used to be for everyone, now I am starting to see it as people with moderate ICT knowledge and high income. It used to promote Tor and now I think it's starting to promote VPN as the ultimate answer to everything.

I think the scenario that I have been bringing in without entirely noticing is family tech support people and those who don't have the money to be throwing at a VPN provider in addition to internet connection (if they can even think of that with food and homes costing too).

I think family tech support and lower end devices can still appreciate the encrypted DNS section which offers suggestions on providers with malicious domain filtering and adblocking.

[ignoramous]

You are not even just simply shifting threats like with a VPN, you are trusting 2 parties with your browsing habits (the ISP and the DNS provider) now.

But: I am my own DNS provider, which is running DoH, so it doesn't suffer from the perils of DNS reflection and UDP flood attacks. I can now switch to the newly standardized HTTP/3 protocol that has built-in resistance against protocol, data, and flow fingerprinting attacks (even, most VPN deployments do not have that!) for an added bonus.

[TommyTran732]

You are not even just simply shifting threats like with a VPN, you are trusting 2 parties with your browsing habits (the ISP and the DNS provider) now.

But: I am my own DNS provider, which is running DoH, so it doesn't suffer from the perils of DNS reflection and UDP flood attacks. I can now switch to the newly standardized HTTP/3 protocol that has built-in resistance against protocol, data, and flow fingerprinting attacks (even, most VPN deployments do not have that!) for an added bonus.

Your upstream DNS servers can figure out what your DNS server is trying to resolve when it make queries asking for new records. If that upstream is the ISP, then congratulations, this is little different from just using their DNS servers anyways. If that upstream is a third party (say cloudflare for example), then you still need to trust that upstream to not log you. Unless you run a public DNS server, they can trivially figure out it's you making those requests, because you are the only using said server. This is like running your own VPN server, but worse.

[ignoramous]

If that upstream is a third party (say cloudflare for example), then you still need to trust that upstream to not log you.

Folks can and do run recursive resolvers without needing an upstream.

Unless you run a public DNS server, they can trivially figure out it's you making those requests, because you are the only using said server.

Who can trivially figure out what, now? You may be mistaken about how DNS resolution works.

This is like running your own VPN server, but worse.

You lost me. But I think we've discussed enough... Any more, and we might start getting sick of each other :) I appreciate your inputs, and I completely get your stance. I know where you're coming from... you and I, we understand technology deeply enough to debate encrypted DNS' limitations (most of your points are perfectly valid!). All that said, in the real world, DoH is far from being useless, and in fact fares much better in most scenarios, despite its bare limitations.

[TommyTran732]

What are you even talking about... You lost me too. Your recursive server will contact other servers asking for the IP address until it finds it..
https://www.cloudflare.com/learning/dns/what-is-recursive-dns/

Those server can see exactly which server is asking for what records... and unless your DNS is a public servers with a lot of users, of course all of the look ups that your server does is whichever websites you personally visit...

[ignoramous]

Your recursive server will contact other servers asking for the IP address until it finds it...

Run a stub resolver forwarding over Oblivious DoH or Anonymous DNSCrypt, if this is also a concern. Both these protocols do not require a VPN setup, at all, to mitigate client IP leaks. Anyways, like I said, anyone can keep digging up holes for the sake of it. So: Let's agree to disagree, and give this a rest (:

[dngray]

The current DNS page and guide addresses when to use encrypted DNS.