
What is the Difference Between DNS over TLS & DNS over HTTPS?

DNS over TLS (DoT) and DNS over HTTPS (DoH) seem similar, and you might assume the two terms are used interchangeably for the same thing. They do achieve the same goal, encrypting DNS, but there is one significant difference: the port (and transport) they use.

You might be asking how they differ, which one is better, and whether there is any difference beyond the port. There is a lot to get into, and it is worth it, because it will give you a clearer picture of the difference between DNS over TLS and DNS over HTTPS and why it matters.

So, let’s get into details.

DNS: What Is It and Why Does It Need TLS or HTTPS?

DNS (Domain Name System) is a decentralized, hierarchical naming system for services, computers and other resources connected to the Internet or to a private network. It converts the domain name typed into the browser into the IP address of the web server hosting it.

To put it another way, DNS directs Internet traffic by connecting domain names with their web servers. When a user asks for a website, for example aboutssl.org, the name is translated into an IP address such as 174.138.55.204.

If you don't know the IP address of your website, you can find it with the command below (tracert resolves the name before tracing the route; nslookup anydomain.com prints just the address).

For Windows:

In command prompt type,

tracert anydomain.com

[Screenshot: tracert output in Command Prompt]

If you're an Apple user, it's just as easy: type "Network Utility" into Spotlight and open it, go to the Traceroute tab, enter the domain name in the "Trace" field and click Trace. (Network Utility was removed in macOS 11; on current versions, run dig anydomain.com or nslookup anydomain.com in Terminal.)

[Screenshot: Traceroute tab in Network Utility]

Either way, the DNS requests themselves travel over plain UDP or TCP with no encryption at all. In other words, every query is sent in plaintext, readable by anyone on the path.

Here’s Why We Must Encrypt DNS Requests

If you live in the US, the UK or Australia, it is easy to take freedoms and rights for granted, and privacy along with them. One particular concern is that DNS traffic exposes a great deal of valuable information: what a user is doing on the internet, which websites they visit, which email systems they interact with, which software they run, and much more.

These revelations can have serious consequences, identity theft among them. Data breaches show how much damage exposed personal information does: in September 2018 Facebook disclosed a breach that affected around 50 million accounts (that breach was not a DNS issue; it illustrates the stakes, not the mechanism). Also, if you are in the US, the UK or elsewhere in the western world, you will be aware that almost everything is accessible on the internet apart from a few illegal things.

[Image: Facebook update on security incident]

Furthermore, in China, North Korea, Russia, Saudi Arabia and Iran, among others, citizens' internet use is restricted, and leaving DNS requests open and unencrypted makes that surveillance and filtering trivial.

According to Freedom House, fewer than one-quarter of the world's internet users live in countries it rates as Free (free in liberties and rights, not price). 36% live in countries rated Not Free, and another 28% in countries rated Partly Free.

[Image: cartogram of the distribution of global internet users by Freedom House rating]

So if you live in a country where the internet is restricted, unencrypted DNS plainly reveals your internet usage, and that can get you into serious trouble, including extra-judicial detention or even death.

One real-life example: the Great Firewall of China intercepts DNS traffic to inject or rewrite DNS responses. It is obvious why DNS encryption is so important. (Note the limit of what encryption buys you: it stops on-path parties from reading or tampering with the exchange between you and the resolver you chose; it does not stop that resolver itself from lying or logging.)

This kind of information must be protected from snooping. To that end the IETF chartered the DNS PRIVate Exchange (DPRIVE) working group, drawing on operators, vendors, researchers and the wider open community of network designers, to provide confidentiality for DNS transactions. DPRIVE produced DNS over TLS; a separate IETF working group (DOH) standardised DNS over HTTPS. Both encrypt DNS using the same cryptographic protocols that already protect web servers and browsers: TLS (Transport Layer Security) directly, or HTTPS.

Let’s dig into it more and find out what’s the difference between these two DNS encryptions, i.e., DNS over TLS (DoT) and DNS over HTTPS (DoH).

Here's How DNS over TLS & DNS over HTTPS Differ

Both standards encrypt DNS requests with TLS, but DNS over TLS and DNS over HTTPS differ in how the DNS message is carried.

Specification: DNS over TLS (DoT) is defined by the IETF in RFC 7858, with RFC 8310 describing its usage (privacy) profiles. DNS over HTTPS (DoH) is defined in RFC 8484.

Transport: DoT sends the standard TCP DNS message, with its two-byte length prefix, inside a TLS session. DoH sends the DNS message as the body (or a base64url GET parameter) of an HTTP request over HTTPS, with HTTP/2 as the recommended minimum version.

Port: DoT uses its own dedicated port, 853. DoH uses the standard HTTPS port, 443.

Visibility on the network: because DoT uses a distinct port, anyone with network-level visibility can identify and block it, even though they cannot read the queries. DoH blends in with ordinary HTTPS traffic on port 443, so it is much harder to single out (although the TLS server name of a well-known resolver can still give it away).

Best fit: DoT suits the operating-system resolver and DNS forwarders, where encryption is configured once for every application on the host. DoH is the right solution when port 853 is blocked, and for applications such as browsers that resolve names themselves.
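To make the plaintext problem and the transport differences above concrete, here is an added Python example (not code from the article or from any resolver project). It builds one wire-format DNS query and shows how the same message is carried on plain UDP/53, framed for DoT on TLS/853, and wrapped in an HTTP request for DoH on 443, then parses a response. The resolver name `resolver.example`, the `/dns-query` path and the sample response bytes (aboutssl.org → 174.138.55.204) are assumptions constructed for the example; the live-transport functions take a caller-supplied resolver and are not exercised offline.

```python
# Added example, not the article's code: one DNS query carried three ways
# (plain UDP/53, DoT on TLS/853 per RFC 7858, DoH on HTTPS/443 per RFC 8484).
import base64
import http.client
import socket
import ssl
import struct

TYPE_A, CLASS_IN = 1, 1

def encode_name(name: str) -> bytes:
    """Dotted name -> DNS labels: aboutssl.org -> b'\\x08aboutssl\\x03org\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name: str, qtype: int = TYPE_A, msg_id: int = 0) -> bytes:
    """RFC 1035 query, RD=1, one question. Randomise msg_id for plain UDP
    (anti-spoofing); RFC 8484 recommends 0 for DoH so HTTP caches can match."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)

def dot_frame(msg: bytes) -> bytes:
    """DoT/TCP framing: two-byte big-endian length prefix (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def doh_post_request(msg: bytes, host: str, path: str = "/dns-query") -> bytes:
    """DoH POST (HTTP/1.1 for readability; real clients use HTTP/2; /dns-query path assumed)."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\nContent-Type: application/dns-message\r\n"
            f"Accept: application/dns-message\r\nContent-Length: {len(msg)}\r\n\r\n")
    return head.encode("ascii") + msg

def doh_get_url(msg: bytes, host: str, path: str = "/dns-query") -> str:
    """DoH GET form: base64url with '=' padding stripped (RFC 8484 section 6)."""
    return f"https://{host}{path}?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode()

def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_a_records(msg: bytes) -> list:
    """(owner, IPv4) pairs from the answer section; raises on error responses."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                           # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((owner, socket.inet_ntoa(rdata)))
    return answers

# Live transports (caller supplies the resolver; nothing below runs offline).
def query_plain_udp(resolver_ip: str, msg: bytes) -> bytes:
    """Port 53, no encryption: anyone on the path reads the query name."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(5)
        s.sendto(msg, (resolver_ip, 53))
        return s.recv(4096)

def query_dot(resolver_ip: str, resolver_name: str, msg: bytes) -> bytes:
    """Port 853 in TLS; the default context verifies the cert against resolver_name (RFC 8310 strict)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((resolver_ip, 853), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=resolver_name) as tls:
        tls.sendall(dot_frame(msg))
        (length,) = struct.unpack("!H", tls.recv(2))
        return tls.recv(length)

def query_doh(resolver_name: str, msg: bytes, path: str = "/dns-query") -> bytes:
    """Port 443, indistinguishable from web traffic on the wire (http.client speaks HTTP/1.1)."""
    conn = http.client.HTTPSConnection(resolver_name, 443, timeout=5)
    hdrs = {"Content-Type": "application/dns-message", "Accept": "application/dns-message"}
    conn.request("POST", path, body=msg, headers=hdrs)
    return conn.getresponse().read()

# Constructed sample response matching the article: aboutssl.org A 174.138.55.204,
# TTL 300, owner written as a compression pointer (0xC00C) to the question name.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + encode_name("aboutssl.org") + struct.pack("!HH", TYPE_A, CLASS_IN)
                   + b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
                   + socket.inet_aton("174.138.55.204"))
```

The DNS payload is byte-for-byte identical in all three cases; only the wrapper changes. That is why DoT is easy to spot and block (fixed port 853, length-prefixed TLS records) while DoH looks like any other HTTPS POST, and why `query_dot` gets its authentication only from `ssl.create_default_context()` checking the certificate against the resolver name: without that check an on-path attacker could terminate the TLS session and answer the query themselves.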

DNS over TLS or DNS over HTTPS: What’s the Better Standard?

From a pure security standpoint, DNS over TLS (DoT) and DNS over HTTPS (DoH) are equivalent: both rely on the same TLS protocol for confidentiality and integrity between client and resolver, and both depend on the client verifying the resolver's certificate to get any authentication at all. What differs is operational: where the configuration lives (the OS resolver versus an individual application), how easily the traffic can be identified and blocked, and how well it fits existing network policy. Which one is "more secure" therefore depends on the deployment rather than on the protocol.

Critics also point out that DoH is convenient for ad networks and trackers: because it brings DNS into the application layer, any application (or an SDK bundled inside it) can talk to a resolver of its own choosing over port 443, bypassing the DNS-based filtering and monitoring a network or host applies. DoT preserves the traditional layered abstraction, with name resolution handled by the OS resolver that administrators control.

Summary

Mapping names to addresses via DNS is one of the cornerstones of the Internet. Traditionally DNS used insecure, unencrypted transports, which is definitely not a good idea: that has been abused in many ways by governments and ISPs and has caused privacy leaks.

To address those privacy leaks, DNS over TLS (DoT) and DNS over HTTPS (DoH) came into existence. Although these techniques are relatively new, adoption is growing, and over time they will move us further into the realm of a secured Internet.
