DNS over TLS (Transport Layer Security) or “DoT” is an IETF standard that provides full-stream encryption between a DNS client and a DNS server. Clients and servers use TCP port 853 to establish a TLS session that secures the DNS traffic.
DNS over HTTPS (DoH) is a second IETF security protocol that addresses the security of DNS client to DNS server communication. Both DNS over TLS and DNS over HTTPS encrypt the traffic between the DNS client and the DNS server, providing data privacy and integrity. However, DoH uses the same TCP port as other HTTPS traffic, port 443, so it cannot be told apart from ordinary web traffic by port number alone.
In this blog, we will talk about how to configure DoT/DoH on different browsers, operating systems and mobile devices.
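The two transports described above carry the same DNS message; only the wrapping differs. The following is an added example (not code from the original post, standard library only) that builds one wire-format query, frames it the DoT way (2-byte length prefix inside TLS on port 853) and the DoH way (base64url in the `?dns=` query string of an HTTPS GET on port 443, which for `www.example.com` reproduces the request shown in RFC 8484), and parses a constructed reply. Everything runs offline except `query_doh()`, an optional helper whose resolver hostname is a placeholder you fill in.

```python
"""DoT and DoH carry the same DNS wire-format message; only the wrapping differs.
Added example, not code from the post.  Standard library only; everything runs
offline except query_doh(), an optional helper with a placeholder resolver host."""
import base64
import http.client
import random
import ssl
import struct


def encode_name(name):
    """example.com -> b'\\x07example\\x03com\\x00' (RFC 1035 labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=None):
    """Header + one IN question; flags 0x0100 = recursion desired.
    DoH GET requests normally use txid 0 so the URL is cacheable (RFC 8484)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def dot_frame(msg):
    """DoT (RFC 7858): TCP-style 2-byte big-endian length prefix, sent inside TLS on port 853."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_path(msg, path="/dns-query"):
    """DoH GET (RFC 8484): base64url message, '=' padding removed, as ?dns= over HTTPS on 443."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{path}?dns={b64}"


def parse_response(msg):
    """Return (RCODE, [IPv4 answers]).  Follows compression pointers; skips non-A records."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")

    def skip_name(p):
        while True:
            length = msg[p]
            if length == 0:
                return p + 1
            if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
                return p + 2
            p += 1 + length

    pos = 12
    for _ in range(qd):
        pos = skip_name(pos) + 4            # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = skip_name(pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return flags & 0x000F, addrs


def constructed_response():
    """Hand-built reply to build_query('example.com', txid=0x1234) with one A record
    for 192.0.2.1 (TEST-NET-1 documentation address).  Constructed sample, not captured."""
    question = build_query("example.com", txid=0x1234)[12:]
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, NOERROR
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


def query_doh(name, host, path="/dns-query"):
    """One DoH GET lookup against a resolver you operate or trust.  `host` is a placeholder.
    ssl.create_default_context() verifies the resolver's certificate, which is the whole
    point of DoH: an unverified connection would give no privacy or integrity guarantee."""
    conn = http.client.HTTPSConnection(host, 443, timeout=5, context=ssl.create_default_context())
    conn.request("GET", doh_get_path(build_query(name, txid=0)),
                 headers={"Accept": "application/dns-message"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    ctype = (resp.getheader("Content-Type") or "").split(";")[0]
    if resp.status != 200 or ctype != "application/dns-message":
        raise ValueError(f"unexpected DoH reply: {resp.status} {ctype}")
    return parse_response(body)
```

The DoT variant of `query_doh()` is simply `dot_frame(build_query(name))` written to a `ssl.create_default_context().wrap_socket(...)` connection on port 853, then reading the 2-byte length and that many bytes back. On the wire, the only thing an observer sees in either case is a TLS session to port 853 or 443; the query name and answer are inside the encrypted stream.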
DoH configuration on Mozilla Firefox (MAC):
- In the Menu bar of the Firefox browser, click Firefox and select Preferences.
- In the General panel, scroll down to Network Settings and click the Settings…
- In the dialog box that opens, scroll down to Enable DNS over HTTPS.
- Select Enable DNS over HTTPS to turn it on. You can either choose a provider or set up a custom provider.
We suggest choosing a custom provider (an internal resolver), because external DNS providers bring problems such as loss of visibility and control, a diminished subscriber experience and increased malware risk. In addition, cloud DNS providers raise numerous competitive, user-experience and performance concerns.
DoH configuration on Mozilla Firefox (Windows):
- Navigate to the menu button and select Options.
- In the General panel, scroll down to Network Settings and click the Settings… button.
- In the dialog box that opens, scroll down to Enable DNS over HTTPS.
- Select Enable DNS over HTTPS to turn it on. You can either choose a provider or set up a custom provider.
DoH configuration on Google Chrome (Windows/MAC):
To enable DoH in Google Chrome, you first need to open Chrome’s settings. To do so, click on the triple-dot icon just under the “x” icon in the top-right corner, then click “Settings” in the drop-down list.
Next, click on “Privacy and Security” in the left column, or scroll down to the “Privacy and Security” section and click on “Security”. Then find the sub-section labelled “Use secure DNS” and click the slider on the right to the “On” position.
DoH configuration on Microsoft Edge (Windows):
To enable DoH on Edge, you first need to open Edge’s settings. To do so, click on the triple-dot icon just under the “x” icon in the top-right corner, then click “Settings” in the drop-down list.
Next, click on “Privacy, search and services” in the left column, and scroll down to the “Security” section. Then find the sub-section labelled “Use secure DNS to specify how to lookup the network address for websites” and click the slider on the right to the “On” position.
DoH configuration on Android:
- Go to Settings → Network & internet → Advanced → Private DNS.
- You can either set this option to Automatic or you can specify a secure DNS provider yourself.
Encrypted DNS services on macOS Big Sur:
To use encrypted DNS services on macOS Big Sur, we need to install a configuration profile. This profile directs the operating system to use DoH/DoT.
For instance, in this example I am using NextDNS as the encrypted DNS service on macOS Big Sur: browse to https://apple.nextdns.io/ and enter the required information.
After downloading the profile, go to System Preferences → Profiles on your Mac and install it. Once the profile is installed, the DNS servers listed in the profile are used. If you want to understand what the profile contains and how it works, you can visit developer.apple.com for more information.
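To show what such a profile actually contains, here is an added example (not the post's or NextDNS's code) that builds a DoH or DoT configuration profile as a `.mobileconfig` plist and, more usefully, inspects one before it is installed. The payload keys (`PayloadType` `com.apple.dnsSettings.managed`, `DNSProtocol`, `ServerURL`, `ServerName`, `ServerAddresses`, `ProhibitDisablement`) follow Apple's published DNSSettings payload as I understand it; confirm them against developer.apple.com before deploying. All resolver names, addresses and identifiers below are placeholders.

```python
"""Build and inspect a macOS/iOS configuration profile that pins the system
resolver to DoH or DoT.  Added example, not the post's or NextDNS's code.
Keys follow Apple's published DNSSettings payload (com.apple.dnsSettings.managed);
check them against developer.apple.com before deploying.  Names are placeholders."""
import plistlib
import uuid

DNS_PAYLOAD_TYPE = "com.apple.dnsSettings.managed"


def dns_settings(protocol, server_url=None, server_name=None, server_addresses=()):
    """DNSSettings dict: HTTPS needs ServerURL, TLS needs ServerName.  ServerAddresses
    are optional bootstrap IPs so the resolver's own name needs no plaintext lookup."""
    if protocol == "HTTPS":
        if not (server_url or "").startswith("https://"):
            raise ValueError("DoH requires an https:// ServerURL")
        settings = {"DNSProtocol": "HTTPS", "ServerURL": server_url}
    elif protocol == "TLS":
        if not server_name:
            raise ValueError("DoT requires ServerName so the certificate can be checked")
        settings = {"DNSProtocol": "TLS", "ServerName": server_name}
    else:
        raise ValueError(f"unknown protocol {protocol!r}")
    if server_addresses:
        settings["ServerAddresses"] = list(server_addresses)
    return settings


def build_profile(display_name, organization, identifier, settings, prohibit_disablement=False):
    """Wrap one DNS payload in a top-level Configuration profile.  ProhibitDisablement
    stops users switching the encrypted resolver off (honoured on managed devices)."""
    payload = {
        "PayloadType": DNS_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".dns",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "DNSSettings": settings,
        "ProhibitDisablement": prohibit_disablement,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadOrganization": organization,
        "PayloadContent": [payload],
    }


def to_mobileconfig(profile):
    """Serialize as the (unsigned) XML plist that System Preferences installs."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def inspect_profile(blob):
    """Checks worth running on any .mobileconfig from a third-party generator before
    installing it: which protocol/endpoint it pins, and whether it bundles payloads
    beyond DNS (profiles can also install trusted certificates, proxies or VPNs)."""
    profile = plistlib.loads(blob)
    payloads = profile.get("PayloadContent", [])
    dns = [p for p in payloads if p.get("PayloadType") == DNS_PAYLOAD_TYPE]
    if len(dns) != 1:
        raise ValueError(f"expected exactly one DNS payload, found {len(dns)}")
    s = dns[0]["DNSSettings"]
    protocol = s["DNSProtocol"]
    if protocol == "HTTPS":
        endpoint = s["ServerURL"]
        if not endpoint.startswith("https://"):
            raise ValueError("DoH ServerURL is not https://")
    elif protocol == "TLS":
        endpoint = s["ServerName"]
    else:
        raise ValueError(f"unknown DNSProtocol {protocol!r}")
    extra = sorted({p.get("PayloadType", "?") for p in payloads} - {DNS_PAYLOAD_TYPE})
    return {
        "protocol": protocol,
        "endpoint": endpoint,
        "bootstrap": s.get("ServerAddresses", []),
        "locked": bool(dns[0].get("ProhibitDisablement", False)),
        "extra_payloads": extra,
    }


def constructed_bundled_profile():
    """Constructed sample: a DoH profile that also carries a root-certificate payload
    (PayloadType com.apple.security.root), the kind of extra inspect_profile() reports."""
    profile = build_profile("Example DoH", "Example Org", "com.example.doh",
                            dns_settings("HTTPS", server_url="https://doh.example.invalid/dns-query"))
    profile["PayloadContent"].append({
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.doh.cert",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadContent": b"placeholder-der-bytes",   # a real payload carries the DER certificate
    })
    return to_mobileconfig(profile)
```

`inspect_profile()` is the part to keep: a DNS profile has no reason to add a trusted root certificate, a proxy or a VPN, so a non-empty `extra_payloads` list on a profile you downloaded is the signal to stop and read the file before clicking Install.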
Helpful Links:
https://support.mozilla.org/en-US/kb/dns-over-https-doh-faqs
https://support.mozilla.org/en-US/kb/firefox-dns-over-https
https://developers.google.com/speed/public-dns/docs/doh