There are two main methods for encrypting DNS communication: DNS over HTTPS and DNS over TLS. IEEE Spectrum, the magazine of the U.S.-based Institute of Electrical and Electronics Engineers (IEEE), discusses why DNS needs to be encrypted and how the two encryption methods differ.
Queries to DNS servers, which look up the IP address for a domain name such as “gigazine.net”, and the responses to them are usually sent in plain text without encryption. As a result, the information about which domain a user is accessing is exposed, and a query could be intercepted and the user redirected to a different address. Encrypting DNS has therefore become an urgent task from a security perspective.
Because plain text communication has so many disadvantages, there was no objection to the need for encryption. However, IEEE Spectrum says, “there is a debate as to whether to use ‘DNS over HTTPS’ or ‘DNS over TLS’ as the encryption method.” DNS over TLS is a DNS encryption method based on Transport Layer Security (TLS), a protocol for secure communication. DNS services provided by major companies such as Cloudflare and Google already support DNS over TLS. However, with DNS over TLS all encrypted packets are exchanged on port 853. IEEE Spectrum points out that although the content of the communication is encrypted, third parties can still tell that DNS communication is taking place, so “it is not considered to be privacy.”
Another drawback of DNS over TLS is that both the hardware and the application must support the TLS protocol; if either of them cannot establish the connection, DNS over TLS protection does not take effect. DNS over HTTPS, on the other hand, is a DNS encryption method based on Hypertext Transfer Protocol Secure (HTTPS) and is a newer technology than DNS over TLS. Because DNS over HTTPS exchanges queries through port 443, the same port as normal web access, DNS queries cannot be singled out from other traffic.
In addition, because HTTPS is a widely used technology, it is supported by most hardware and applications. In this respect, DNS over HTTPS is superior to DNS over TLS. In September 2019, Firefox and Chrome added support for DNS over HTTPS. On November 20, 2019, Microsoft announced its intention to “make Windows compatible with DNS over HTTPS in the future.”
Related article: Microsoft Agrees with “Encryption of DNS Connections” and Considers Windows In The Future – GIGAZINE
On the other hand, there are concerns about DNS over HTTPS. One of them is the monopolization of information. When DNS over HTTPS is turned on in each browser, DNS queries from Firefox are by default sent to Cloudflare, and DNS queries from Chrome are by default sent to Google. In other words, Cloudflare and Google would monopolize information about where people are trying to connect. Mozilla, which provides Firefox, has announced that “if Firefox is used with its default settings, it will ignore the existing DNS settings and connect to Cloudflare’s 184.108.40.206 service.”
Google has already released a specification change stating that “if you are using a DNS provider that supports DNS over HTTPS, Chrome will automatically switch to communicating over DNS over HTTPS.”
Chromium Blog: Experimenting with same-provider DNS-over-HTTPS upgrade: https://blog.chromium.org/2019/09/experimenting-with-same-provider-dns.html
Another problem with DNS over HTTPS that IEEE Spectrum points out is that “filtering and parental control become difficult.” Because DNS over HTTPS encrypts all of the communication, access to malicious or prohibited sites cannot be distinguished from other access, so it is difficult for ISPs to regulate connections to such sites. IEEE Spectrum argues that “you should be able to decide in your web browser which DNS provider to use.”