DNS Encryption explained - DNS over TLS (DoT) & DNS over HTTPS (DoH)

Captions
Today let's talk about DNS encryption. So currently there are two main approaches out there: the one is DNS over TLS and the second one is DNS over HTTPS. Why should you even care about that, how do they actually work, what are the differences and which role do they play in the IT industry? If you want to know that, then keep watching.

Hi everybody, welcome to The Digital Life. My name is Christian and I'm always teaching you how to become a real IT professional, so if you are interested in learning Linux, Python, networking, cloud and all that stuff, then don't forget to subscribe to my channel.

Lately there was a lot of stuff going on with DNS encryption. So Google has just announced that they will support DNS over HTTPS in their Chrome browsers, Microsoft has announced to support DNS over HTTPS in Windows 10, and Mozilla has revealed that Firefox will enable DNS over HTTPS by default in the complete United States. I think it is time to talk about DNS encryption and why you should even care about that, and we will start right now.

So when you want to browse a website or access a server by name, your computer will actually send out a DNS request to your private home router, that will mainly ask your ISP to give you the IP address of the actual destination host. This is done via a DNS request, and the packet is completely unencrypted. That means your ISP, or basically anyone in between your computer and the destination DNS server, can read and inspect the traffic and can actually see which websites you are browsing or which servers you are trying to resolve. So this actually wasn't a big deal for a long time; the DNS protocol has existed for decades without any major change to security or anything else for many, many years. So why is everybody talking about it now? I think this is mainly because some companies are really trying to push that technology forward. We have seen something similar with HTTP, like Google with the Chrome browsers trying to enforce people to access websites only via the HTTPS protocol, that means only via encrypted traffic, and encrypting DNS packets is just basically the next step. So the main goal of DNS encryption is to increase security, increase privacy, but we will have a look at this later, because I think this is not only a good thing; there are a lot of concerns and problems with this technology and actually how companies are dealing with that, but let's discuss that later. Let me first explain to you how DNS is really working and how these two main approaches, DNS over TLS and DNS over HTTPS, look on a network layer. So let me share my screen with you guys and I can demonstrate that to you.

So when your computer tries to resolve an IP address by name, it will send out a DNS request to your main DNS server. The packet will look like this: it starts with the basic IP protocol that mainly contains the IP address of your DNS server. For example, let's just fill in the IP address of google.com. Usually this is distributed via the DHCP server of your private network, but let's just assume this is configured to use this IP address. On top of the IP protocol we will add the UDP protocol, which is a stateless protocol and operates on port 53; that is the port for DNS requests. And on top of that we have our DNS protocol. The DNS protocol contains mainly the name of the server you want to resolve the IP address from, so this will be the name of the website or the server you want to get the IP address from. So this packet is completely unencrypted; anyone that intercepts this packet can filter and inspect it, mainly ISPs or governments filter that to check which websites their citizens are really browsing. In order to improve security and privacy, people have implemented two main approaches to encrypt that data.

So first let's have a look at DNS over TLS and how that is working. So we will start again with the same IP protocol, and let's just assume we will open a DNS over TLS connection to this DNS host. On top of that we add the protocol, but we are not sending out UDP requests; instead we are using the TCP protocol, and this uses the port 853 to differentiate these requests from the unencrypted DNS requests. On top of that we add a new layer, and this is the TLS protocol. The TLS protocol will encrypt all the data, and on top of that we still have our DNS protocol, so this is also requesting a name and trying to resolve an IP address. So because of the TLS protocol this request is completely encrypted from here, so your ISP or basically anyone in between can't inspect this traffic anymore because it's encrypted, and that is basically how DNS over TLS is working. DNS over TLS is very easy to detect because it uses this port here, the 853.

Let me do a short demonstration how you can do that. So I have installed on my Windows Subsystem for Linux a DNS server called Stubby and configured this server to use DNS over TLS requests to the Cloudflare server. To do that, just start Stubby with root permissions, and I will set it to verbose mode 7 so you can actually see the log files. So our DNS over TLS server has just started. Let's do a DNS query. Because I haven't configured my Linux subsystem to use the local DNS server yet, let's just do an nslookup to the-digital-life.com and say, hey, please use the localhost as your DNS server. Now let's execute this request, and you can see the Stubby server has received the DNS lookup and forwarded this to the Cloudflare server. Let's have a look in Wireshark how this network packet will look like. You can see our client is opening a DNS over TLS connection, this is the SYN packet, and we can see this is port 853 for DNS over TLS. You can see it's doing a TLS version 1.3 connection, and this is using a shortened version of the handshake; it's basically just sending out the client hello and gets back a server hello. So we cannot inspect the traffic anymore. You can see these DNS requests are completely encrypted; when we try to open it, this is encrypted payload data.

Now let's have a look at DNS over HTTPS. It may sound similar, but it uses a different approach to encrypt the data. So instead of using the TCP protocol on port 853, which is DNS over TLS, we are using the port 443, which is basically the same as normal HTTPS connections, because it is a normal HTTPS connection. Let me show you. So we now add the TLS protocol again; TLS encrypts the data, but on top of that we don't add a DNS protocol; instead we're using just the HTTP protocol and we are sending out a GET or a POST request. So this is defined in the RFC, that you can send either a GET or a POST request to a URL and use this path extension here, dns-request, and as a parameter you append dns= and then the name you want to resolve. The web server needs to take care of differentiating HTTP requests and DNS requests, and currently there are not many servers that actually support DNS over TLS or DNS over HTTPS yet; mainly companies like Mozilla, Google and Cloudflare are really pushing that forward. So let's just create some packets again and have a look in Wireshark how these packets are looking like. To do that, let's just start a DNS over HTTPS server on our Windows Subsystem for Linux, and I have already downloaded one, this is dnss. Let's enable DNS to HTTPS; I also need to execute that with root permissions. Let's test that. So to do that we again will execute nslookup the-digital-life.com on localhost, and you can see we have now resolved the IP address. Now let's have a look in Wireshark, and you can see it opens a connection, a normal HTTPS connection. You can see it here: it uses a TLS 1.2 protocol, so therefore it has a slightly different handshake and uses two packets more. You can see it here: after the SYN connection it uses a client hello, the server hello comes back, and then it will exchange the server and the client certificates. You can also see that this actually looks like just a normal HTTPS request on port 443, and that is also the main problem or the main advantage, depending on how you see that, because it's hard for anyone to differentiate between a normal HTTPS connection and a DNS request. And this is also the main disadvantage and the main point people are criticizing with that, because you actually can't do DNS filtering anymore, and this also becomes a problem for countries like the UK, because they are required to store for 12 months which websites the citizens are browsing, and they mainly do this via DNS filtering.

So people are saying this is great for privacy because ISPs and governments can't look up the websites you are browsing anymore, but that's just half of the truth, because when you send out an HTTPS request to browse the website you are still sending out an unencrypted SNI, so anyone can look up the URL you are browsing, but it's harder for ISPs or governments to really inspect that, because DNS is a very well established protocol and many technologies rely on DNS filtering or DNS inspection. The other thing you need to consider is there are not many servers that actually support DNS over HTTPS right now; it's mainly companies like Google, Cloudflare or Mozilla that are offering DNS servers with DNS over HTTPS connections. So you can say, OK, I just send all my requests encrypted, so my ISP and government can't see them, but the provider you are sending these requests to can see it, so you are mainly just switching from ISPs to big cloud environments or big cloud content delivery networks. So you can see there are not just advantages, there are also some disadvantages and there are some considerations you need to be aware of. However, I think we need something new; we need a new network protocol to encrypt all the data we are sending out. However, I'm not satisfied with how companies are dealing with this topic. Anyway, I think it's very interesting to see how that will come up in the future and how that will evolve.

I hope you liked this video and you could learn something new, and if you enjoyed this then please hit the like button so I know this is valuable to you and I can do more videos about networking and network protocols, because I think this is a very interesting topic everyone should care about. Anyway, so thanks everybody for watching, enjoy the rest of your day, take care of yourself and I see you. [Music]
Info
Channel: The Digital Life
Views: 13,447
Keywords: networking, dns, dns over https, dns over tls, dns encryption, domain name system, dns over https cloudflare
Id: 6hLHMA_tJ8k
Length: 12min 21sec (741 seconds)
Published: Thu May 28 2020