Enabling DNS over Https (DoH) is a little consideration that yields big results. Let’s see what it means, why it should always be done, and how it is done. One can enable this browsing protection in a number of ways; in this article we explain how.
1. What it means to enable DNS over Https (DoH)
Enabling DNS over Https means enabling a measure that allows the user to surf the web with more peace of mind. However, let’s go in order and explain what DNS (Domain Name System) and Https means. When you type the address of a site in the appropriate field of the browser (Chrome, Edge, Safari), the browsing program translates the domain name of the site you want to visit (for example, flashstart.com) into the IP address of the server that hosts that website.
This is because computers do not understand words and letters but can only interpret sequences of numbers. Immediately after we type in the name of the site and click Submit, the browsing program, or the internet access provider activates a check. That is, it scans public lists on the internet where each domain name corresponds to the IP address of the server hosting it, usually a number sequence like 184.108.40.206 (the IP address of the server hosting the flashstart.com site). This process is called DNS lookup.
DNS lookup is done by “hopping” from one server to another, from one list to another. As soon as there is confirmation from several parties that a site matches a certain IP address, the pairing is authenticated, and the browser activates the connection, and we will see the requested site or page. The whole process happens in fractions of a second, to the point where no one notices how many jumps from one server to another are made before the desired site is viewed.
Enabling DNS over Https means being assured that the various steps between our request and the server containing the desired website are secure, because DNS lookup is a path potentially fraught with obstacles.
2. Why it is better to browse via Https
In fact, traditional DNS lookup is not encrypted. What does that mean? That all the activity that the user’s browser, or internet provider, performs is visible to those who know how to intercept it. Every step from one server to another until one reaches the desired domain is “in the clear.” That is true if one is browsing by following the classic Http protocol, or the set of rules defined by the web’s creator, Tim Berners-Lee, at Cern in Geneva in 1989. All computers and web browsers follow the rules of that protocol in order to allow browsing of the web.
Today, however, it is clear to everyone that the Http protocol is not secure, why? In the meantime because the process does not involve verifying what kind of site one wants to visit. So, the requested site could contain child pornography or material of any offensive nature. Also, it might contain malicious elements that can unleash malware or a Trojan. Then again, one cannot know if it is a phishing site.
However, there is also another problem, called DNS poisoning. It involves specific and widespread cyberattacks that are, unfortunately, seldom discussed. Basically, cyber criminals can modify the DNS tables contained in visited servers in order to fulfill a request. The modification is simple: replace the IP address with another so that the DNS redirects to a different site than the one requested, but the DNS lookup process cannot know this! Thus, a cybercriminal can easily intercept a DNS lookup path departed from the user’s computer and modify it.
Browsing “spoofing” has the consequence that the cybercriminal will know everything about the sites visited and will be able to intercept the information that a user enters on a web page, for example, login credentials to his own bank’s site. Alternatively, he will be able to make the user believe that he has ended up on the bank’s site but, in truth, has ended up on an identically constructed “owl” site, specifically to steal confidential credentials (phishing).
In essence, it is fully better to make a small change so that web traffic is encrypted; this means using the Https protocol, where the final S stands, obviously, for Security.
>> FlashStart protects you from a wide array of threats and blocks access to malicious sites → Try it now
3. How to activate DNS over Https (DoH)
The DNS over HTTPS (DoH) feature was introduced to prevent attackers from monitoring browsing habits or rerouting the user to malicious websites simply by spying on DNS traffic. Through DoH one protects DNS lookup by encrypting traffic by using the Https protocol.
It is possible to enable DNS over Https on any computer, device, or browsing program. It is easy, and it is free. As of 2022, there is DNS over Https support in all Windows-based corporate networks with Active Directory, for example. Apple has also announced DNS over Https (DoH) support, and the provider Cloudflare offers its DoH tool for all mobile and desktop operating systems.
In addition, many web browsers, including Google Chrome, Firefox, Safari, and Microsoft’s Edge, support DoH. This makes it possible to enable it on the browser, if we don’t feel like “fiddling around” at the operating system level. However, it is important to point out that enabling DoH on your operating system, will also protect your browsing from any applications and services that do not support DoH and that you may use on a daily basis.
4. Why enabling DoH is not the best choice
Using DoH at the operating system, browser, and Internet access provider (ISP) level is not the best choice one can make to protect browsing, especially in businesses, public administration, and educational institutions.
Enabling in DNS over Https, in fact, is (also) a way to circumvent any browsing restriction policies. In practice, DNS over Https creates a mechanism that overrides DNS settings set centrally by those running the corporate network. This poses a security risk to so-called endpoints-computers or smartphones accessing a corporate network-where customized browsing rules are applied using a special service, DNS filtering.
In practice, DNS over Https interferes with the DNS filters and default settings that a company imposes on anyone using its network to browse the Internet. And this is a serious problem.
>> FlashStart is a leader in competitiveness → Try it now
5. Best to protect browsing with a DNS filter
In conclusion, it is better to turn off DNS over Https and rely on much more reliable tools. Let’s talk about (level of) DNS filters, which, without getting into too many technicalities, we can safely say that they make us sleep between two pillows, even when our teenage son takes over the computer and unknowingly connects to the corporate network.
A DNS filter checks the goodness of the server that has that address, not falling for the tricks that malicious people can use in masking domain names, web page contents, and changing the path between the request and the site. DNS filtering checks to see if that server’s address is blacklisted. And the black lists that a professional filter exploits are far more comprehensive and up-to-date than any free site access control tool. Also, just to show its full potential, customizing a DNS filtering service includes disabling any DNS over Https.
>> FlashStart is totally in the cloud and easily activated → Try it now
FlashStart provides DNS filtering solutions available for businesses, schools and institutions, as well as for home browsing. And it is both a powerful and cost-effective alternative. Moreover, the value of the FlashStart solution lies in its ability to analyze with higher quality than any free filter all the stops on a path that makes a request for access to a site. But FlashStart’s DNS filtering also stands out for using machine learning algorithms to exclude dangerous paths a priori, thus speeding up the check. What’s more, FlashStart is able to use more up-to-date and more reliable DNS records in analyzing paths from user to requested site.
Capable of filtering about 2 billion website queries, FlashStart DNS protects the browsing of 25 million users every day, is present in more than 150 countries worldwide and in about 12 thousand businesses, schools, and public administrations, and is delivered, also in the form of a service, by 700 certified partners.
We summarize the features of FlashStart DNS Filter:
» Frequent updating of blacklists: FlashStart checks 200 thousand new sites per day.
» Guaranteed low latency (means speed between request and access).
» 90 categories of malicious sites and geoblocking to isolate dangerous countries.
» Use of Artificial Intelligence to improve the quality of blacklists and for latency.
» Ease of configuration and customization.
» Native integration with Microsoft’s Active Directory to speed up the work of system administrators in Schools, Institutions and SMEs.
» Worldwide LAN protection and roaming to end points via Anycast network.
>> FlashStart is the leader in cloud Internet Security and protects you against malware and undesired content → Try it now
You can activate the FlashStart® Cloud protection on any sort of Router and Firewall to secure desktop and mobile devices and IoT devices on local networks.