The Domain Name System (DNS) is often described as the phonebook of the internet: it converts human-readable domain names into records that computers use, such as IP addresses.

Whenever you type a domain name into the address bar, your system asks a DNS resolver for the corresponding IP address. Your browser then uses that address to reach the origin server and load the site.

But DNS traffic is sent in plain text by default, so anyone on the network path, including cyber criminals, can read or tamper with it. Encrypting it is necessary to keep your web browsing private and secure.

What Are DNS Encryption Protocols?

DNS encryption protocols are designed to increase the privacy and integrity of DNS lookups by encrypting queries and responses between your device and a resolver. By default, DNS queries and responses are sent in plain text, which makes it easy for anyone on the path to intercept, read, and tamper with them.

These protocols make it far harder for an attacker on the network to see which names you look up, alter the answers you receive, or redirect your traffic. Several public resolvers offer encrypted DNS, shielding your queries from prying eyes along the path. Note the limit, though: the resolver itself still sees every query in the clear, so encrypted DNS shifts trust from the network to the resolver operator rather than removing it.

The Most Common DNS Encryption Protocols

There are several DNS encryption protocols in use today. Each prevents snooping on the network by carrying ordinary DNS messages inside an encrypted channel: a dedicated transport layer security (TLS) connection, an HTTPS session, a QUIC connection, or, in the case of DNSCrypt, its own encrypted envelope.

1. DNSCrypt

DNSCrypt is a network protocol that encrypts and authenticates all DNS traffic between the user's device and a supporting resolver. Rather than relying on the web's public key infrastructure (PKI) and X.509 certificates, it uses a long-term public key published by the resolver operator, typically handed to clients as part of a "DNS stamp". It authenticates the resolver to the client, not the other way round.

The resolver advertises a certificate, signed with that long-term key, that contains a short-term public key. The client verifies the signature, derives a shared secret from its own key pair and the resolver's short-term key (Curve25519 key exchange), and uses that secret to encrypt each query with an authenticated cipher (XSalsa20-Poly1305 or XChaCha20-Poly1305).

The encrypted query is then sent to the resolver, which derives the same shared secret, decrypts the query, and encrypts its response the same way. This way, DNSCrypt ensures that the communication between the client and the resolver is always authenticated and encrypted.

DNSCrypt predates the protocols below and was never standardized as an RFC. It has been largely superseded in mainstream clients by DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH), which are IETF standards with broader operating system and browser support, though it remains available through clients such as dnscrypt-proxy.

2. DNS-over-TLS


DNS-over-TLS encrypts your DNS query using Transport Layer Security (TLS). The TLS session runs between your device (the stub resolver) and the DoT resolver, so an attacker on that path can neither read the query nor alter the answer, which defeats man-in-the-middle (MITM) attacks on that hop. It is not end-to-end encryption: the resolver decrypts the query and sees it in the clear.

When you use DNS-over-TLS (DoT), your DNS query is sent to a DoT-capable resolver instead of a plain resolver on UDP port 53. The resolver decrypts your query and, unless it already has the answer cached, resolves it by querying the authoritative DNS servers on your behalf; that upstream leg is normally still unencrypted DNS.

The default port for DoT is TCP port 853 (RFC 7858). When you connect using DoT, the client and the resolver first perform a TLS handshake, during which the client should verify the resolver's certificate against the hostname it expects. The client then sends its DNS query, framed exactly as DNS over TCP (a two-byte length prefix followed by the message), through the encrypted channel.

The resolver processes the query, looks up the requested record, and sends the response back to the client through the same encrypted channel. The client decrypts the response and uses the returned IP address to connect to the desired website or service.

3. DNS-over-HTTPS

HTTPS is the secure version of HTTP that's used for accessing websites. Like DNS-over-TLS, DNS-over-HTTPS (DoH) encrypts all DNS messages before they're sent over the network.

While the goal is the same, there are some fundamental differences between DoH and DoT. For starters, DoH wraps each DNS message in an HTTP request (a GET with the message base64url-encoded in the dns query parameter, or a POST with the raw message as the body, both using the application/dns-message media type) and sends it over an ordinary HTTPS connection, rather than opening a dedicated TLS connection that carries only DNS.

Secondly, it uses TCP port 443, the same port as every other HTTPS connection, making it difficult to distinguish from general web traffic. DoT uses port 853, so its traffic is easy to identify by port alone and block.

DoH has seen wider adoption in web browsers like Mozilla Firefox and Google Chrome, as it leverages the existing HTTPS infrastructure. DoT is more commonly implemented by operating systems (Android's Private DNS setting, for example) and dedicated DNS resolvers, rather than being integrated directly into web browsers.

There are two major reasons why DoH has seen wider adoption: it's much easier to integrate into existing web browsers, and, more importantly, it blends in with regular web traffic, making it much harder to block. The flip side for defenders is that browser-level DoH can bypass the organization's own resolver and any DNS-based filtering, so many enterprise environments disable it through browser policy or block known DoH endpoints.

4. DNS-over-QUIC

Compared to the other DNS encryption protocols on this list, DNS-over-QUIC (DoQ) is fairly new: it was standardized in RFC 9250 in 2022. It sends DNS queries and responses over the QUIC transport protocol, using UDP port 853 by default.

Most internet traffic today relies on the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP), and classic DNS queries are sent over UDP. QUIC runs on top of UDP and was introduced to overcome drawbacks of TCP, notably slow connection setup and head-of-line blocking, while building encryption into the transport.

QUIC was originally developed by Google and later standardized by the IETF (RFC 9000). It provides the reliability and congestion control of TCP on top of UDP datagrams, and it integrates the TLS 1.3 handshake directly into the transport, so every QUIC connection is encrypted by design.

DoQ inherits QUIC's advantages. For starters, connection setup is faster: the transport and cryptographic handshakes are combined into a single round trip (and none when resuming a previous session), so the first query on a new connection is answered sooner than over DoT or DoH on TCP. This results in faster DNS resolution (the time it takes for the DNS to resolve the IP address). Ultimately, this means websites are served to you faster.

More importantly, DoQ handles packet loss better than DNS over TCP. QUIC carries each query on its own stream, so a lost packet only delays the query it belonged to; with DoT or DoH over TCP, a single lost segment stalls every query multiplexed on that connection until it has been retransmitted (head-of-line blocking).

Furthermore, QUIC connections can migrate between network paths. A QUIC connection is identified by a connection ID rather than by the client's IP address and port, so it survives a change of address, which is useful when a device switches between Wi-Fi and cellular networks. QUIC also multiplexes many streams within a single connection, reducing the number of round trips required to issue several queries at once.

DoQ is not yet as widely deployed as DoT and DoH, but QUIC itself is: Google, Meta, and Apple use it for HTTP/3 traffic, often with their own implementations, and Microsoft's MsQuic library powers SMB over QUIC in Windows Server 2022 and Windows 11. That broad transport support bodes well for DoQ's future.
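The three IETF protocols above carry the same wire-format DNS message; only the framing differs. The following Python example, added here and not part of the original article, builds a query, frames it for DoT (two-byte length prefix on TCP 853), for DoH (base64url GET parameter or POST body with application/dns-message on 443), and for DoQ (same prefix, message ID zeroed), and parses a constructed response. The resolver name dns.example, the response bytes, and the address 192.0.2.1 are assumptions made up for the example; only resolve_over_dot touches the network, and it is not called by default.

```python
import base64
import socket
import ssl
import struct

# Well-known ports from RFC 7858 (DoT), RFC 8484 (DoH) and RFC 9250 (DoQ).
DOT_PORT = 853   # TCP
DOH_PORT = 443   # TCP for HTTPS (UDP 443 when carried over HTTP/3)
DOQ_PORT = 853   # UDP
QTYPE_A, QCLASS_IN = 1, 1


def build_query(name: str, qtype: int = QTYPE_A, msg_id: int = 0x1234) -> bytes:
    """Minimal wire-format DNS query (RFC 1035): header with RD=1 plus one question."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def dot_frame(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length before the message."""
    return struct.pack("!H", len(msg)) + msg


def doq_frame(msg: bytes) -> bytes:
    """DoQ keeps the 2-byte length prefix but requires the message ID to be 0 (RFC 9250)."""
    return struct.pack("!H", len(msg)) + b"\x00\x00" + msg[2:]


def doh_get_url(msg: bytes, base_url: str) -> str:
    """DoH GET: message base64url-encoded in the dns parameter, '=' padding removed."""
    return f"{base_url}?dns={base64.urlsafe_b64encode(msg).rstrip(b'=').decode('ascii')}"


def doh_post_request(msg: bytes, host: str, path: str = "/dns-query") -> bytes:
    """DoH POST: raw message as the body. HTTP/1.1 shown for readability; real clients use HTTP/2 or HTTP/3."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Accept: application/dns-message\r\nContent-Type: application/dns-message\r\n"
            f"Content-Length: {len(msg)}\r\n\r\n")
    return head.encode("ascii") + msg


def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name; returns (name, offset just past it in the outer record)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = offset + 2
            jumped, offset = True, struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_a_records(msg: bytes) -> list[str]:
    """Return the IPv4 addresses from the answer section of a wire-format response."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset, addresses = 12, []
    for _ in range(qd):                                 # skip the echoed question(s)
        _, offset = _read_name(msg, offset)
        offset += 4
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addresses.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return addresses


def resolve_over_dot(name: str, resolver_ip: str, server_hostname: str) -> list[str]:
    """One real DoT exchange: TCP 853, certificate/SNI check, length-prefixed DNS inside TLS. Needs network."""
    ctx = ssl.create_default_context()                  # verifies the resolver's certificate chain
    with socket.create_connection((resolver_ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(dot_frame(build_query(name)))
            length, data = struct.unpack("!H", tls.recv(2))[0], b""
            while len(data) < length:
                chunk = tls.recv(length - len(data))
                if not chunk:
                    raise ConnectionError("resolver closed the TLS connection early")
                data += chunk
    return parse_a_records(data)


# Constructed sample response (not captured from a real resolver): example.com -> 192.0.2.1,
# with the answer name given as a compression pointer back to the question at offset 12.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + b"\x07example\x03com\x00" + struct.pack("!HH", QTYPE_A, QCLASS_IN)
                   + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    q = build_query("example.com")
    print("DoT frame :", dot_frame(q).hex())
    print("DoQ frame :", doq_frame(q).hex())
    print("DoH GET   :", doh_get_url(q, "https://dns.example/dns-query"))
    print("Parsed    :", parse_a_records(SAMPLE_RESPONSE))
```

The point to take from the framing functions is the one the DoT/DoH comparison makes: a DoT session is a TLS connection to port 853 that a firewall can identify by port alone, while a DoH request is just another POST or GET to port 443, distinguishable only by its path or media type if the TLS session can be inspected at all.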

Expect More Changes to DNS in the Future

Emerging technologies may change the way we access the web. For instance, some projects are building blockchain-based naming systems, such as Handshake (HNS) and Unstoppable Domains, as decentralized alternatives to the traditional DNS root.