DNS over TLS and DNS over HTTPS are two standards developed for encrypting plaintext DNS traffic in order to prevent malicious parties, advertisers, ISPs, and others from being able to interpret the data.

DNS over TLS

DNS over TLS, or DoT, is a standard for encrypting DNS queries to keep them secure and private. DoT uses the same security protocol, TLS, that HTTPS websites use to encrypt and authenticate communications. (TLS is also known as “SSL.“) DoT adds TLS encryption on top of the user datagram protocol (UDP), which is used for DNS queries. Additionally, it ensures that DNS requests and responses are not tampered with or forged via on-path attacks.

DNS over HTTPS

DNS over HTTPS, or DoH, is an alternative to DoT. With DoH, DNS queries and responses are encrypted, but they are sent via the HTTP or HTTP/2 protocols instead of directly over UDP. Like DoT, DoH ensures that attackers can't forge or alter DNS traffic. DoH traffic looks like other HTTPS traffic – e.g. normal user-driven interactions with websites and web apps – from a network administrator's perspective.

In February 2020, the Mozilla Firefox browser began enabling DoH for U.S. users by default. DNS queries from the Firefox browser are encrypted by DoH and go to either Cloudflare or NextDNS. Several other browsers also support DoH, although it is not turned on by default.

Oblivious DNS over HTTPS

但 DoH/DoT 的推出也引发了两个问题,其一是 DNS 的中心化引入了单点故障,其二是解析器仍然可以将所有查询关联到客户 IP 地址。为了更好的保护用户隐私,Cloudflare、Fastly 和苹果的工程师合作开发了新的协议 ODoH(代表 Oblivious DNS over HTTPS)。

ODoH 加入了一个公钥加密层以及客户端和 DoH 服务器之间的网络代理,确保只有用户才能访问 DNS 信息及其 IP 地址。工程师们用 Rust、Go 等语言实现了互操作 ODoH 实现并将其开源,Cloudflare 的公共 DNS 服务器 1.1.1.1 已经能支持 ODoH 查询。Firefox 已经表达了支持 ODoH 的意愿。

Different between DoT & DoH

Each standard was developed separately and has its own RFC* documentation, but the most important difference between DoT and DoH is what port they use. DoT only uses port 853, while DoH uses port 443, which is the port that all other HTTPS traffic uses as well.

Because DoT has a dedicated port, anyone with network visibility can see DoT traffic coming and going, even though the requests and responses themselves are encrypted. In contrast, with DoH, DNS queries and responses are camouflaged within other HTTPS traffic, since it all comes and goes from the same port.

https://tools.ietf.org/html/rfc7858 - Specification for DNS over Transport Layer Security (TLS)
https://tools.ietf.org/html/rfc8310 - Usage Profiles for DNS over TLS and DNS over DTLS
https://tools.ietf.org/html/rfc8484 - DNS Queries over HTTPS (DoH)

除 DoT, DoH 外还有 DNSSEC, DNSCrypt 等安全DNS协议

DNSSEC

DNSSEC是“Domain Name System Security Extensions”的缩写,代表域名系统安全扩展,允许域名所有者对DNS记录进行数字签名,签名DNS记录的私有签名密钥通常仅由合法域名所有者持有,因此可防止未经授权的第三方修改DNS条目。

DNSSEC诞生于1997年,已经列入互联网标准化文档(参考RFC 4033、RFC 4034、RFC 4035),是最早大规模部署的DNS安全协议,所有的根域名服务器都已经部署了DNSSEC。

虽然DNSSEC已经诞生20年,但APNIC统计其采用率几乎不到19.3%,ICANN敦促业界普及使用DNSSEC协议。不过,DNSSEC协议仅提供真实性和完整性的校验,无法确保DNS流量通信的机密性。


DNSCrypt

DNSCrypt是OpenDNS发布的加密DNS工具。与SSL将HTTP流量转换为HTTPS加密流量的原理相同,DNSCrypt也是将常规DNS流量转换为加密DNS流量,这样可以防止窃听和中间人攻击。它不需要对域名或它们的工作方式进行任何更改,只是提供了一种方法,安全加密客户端与DNS服务器之间的通信。在一定程度上,DNSCrypt比DNSSEC的保密性更强,因为DNSSEC只做数字签名的校验,而DNSCrypt既能加密DNS流量也能确保完整性。

不过,DNSCrypt客户端必须明确信任所选提供者的公钥,想使用哪个DNSCrypt服务器,就需要预先安装该服务器的公钥,而不是通过常规浏览器中受信任证书颁发机构列表获取信任;此外,DNSCrypt未申请列入标准化文档,在大规模的应用场景中存在一定的局限性。

https://dnsprivacy.org/ - DNS Privacy Project
https://datatracker.ietf.org/wg/dprive/documents/ - DNS PRIVate Exchange (dprive)
https://developers.google.com/speed/public-dns/docs/dns-over-https - DNS-over-HTTPS
https://security.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html - DNS over TLS support in Android P Developer Preview
https://www.cloudflare.com/learning/dns/dns-over-tls/ - DNS over TLS vs. DNS over HTTPS | Secure DNS
https://yq.aliyun.com/articles/693098 - 4种DNS安全协议对比:DNSSEC,DNSCrypt,DNS over TLS,DNS over HTTPS