Encrypted DNSs: pros and cons

Avoiding the security problems associated with encrypted DNS

Encrypted DNSs offer the advantage of providing greater privacy for internet users and of making data exfiltration and hijacking to other sites more difficult during the resolution of a DNS query. However, doubts arise about the security they actually provide. In this post, we will explain how the tools offered by FlashStart make the use of encrypted DNSs more secure.

1. What a DNS is

The DNS – Domain Name System – is what we might call the telephone book of the internet. Every website, in fact, can be traced back to a series of numbers and dots, the so-called IP – Internet Protocol – address, which uniquely identifies it. In addition, electronic devices are also equipped with a unique IP address. In this way, communication can take place just like between two telephone numbers, with one calling and the other answering.

The DNS protocol is the system that allows the name of the searched domain or site, which is easy to remember or to identify in a list of search results, to be translated into the sequence of numbers and dots recognized by the internet. Once this is completed, which takes such a short time that the average user does not realize what is happening, the browser redirects the user to the desired site.
More specifically, each of our requests to load a web page involves four servers, in a process that can be compared to requesting a book from a library.

2. DNS Recursor

It is a recursive resolver that receives queries (requests for redirection to web sites) which usually originate in a web browser. For each request, it caches the information received from the other servers involved in the process. In this way, if a user requests access to the same site several times within a short period, the recursive resolver can bypass the four-server process and redirect the user directly to the desired site. This is possible because the DNS recursor is the server that orchestrates the whole query process, sending requests to the other servers and receiving their responses.

Comparing the DNS resolution process to that of a library request, the DNS Recursor would correspond to the librarian to whom we make our request.

3. Root nameserver

The root nameserver is the first step in the actual resolution and is responsible for directing the recursive resolver's request based on the extension of the domain sought (.net, .org, .it, .com, etc.). There are 13 root nameservers in the world. They are controlled by an organization called the Internet Corporation for Assigned Names and Numbers (ICANN), which operates under the mantra of “One world, one internet.” There are several copies of these thirteen servers around the world, which, thanks to the Anycast network on which FlashStart is also based, make it possible to respond quickly to user requests.

In comparison with library services, the root nameserver corresponds to the library catalog in which the specific location of a particular book is listed.

4. TLD nameserver

This is the TLD – Top Level Domain – server, that is, the one corresponding to what comes after the last dot in the URL. For example, the .com TLD nameserver includes all cataloged websites whose URL ends in .com.

These servers are managed by IANA – the Internet Assigned Numbers Authority – which is a subsidiary of the aforementioned ICANN. IANA has divided TLD nameservers into two categories: generic ones (such as .com, .edu, .gov, .org, and .net) and those with country codes, which include all domains traceable to specific countries or states (.de, .es, .it, .uk, etc.).

In our library metaphor, the TLD nameservers correspond to the specific shelf of books within the library.

5. Authoritative nameserver

The authoritative nameserver is the last step in the DNS resolution process for obtaining the IP address. It is therefore comparable to a dictionary on the shelf identified in the previous step, which allows a name to be converted into a specific definition.

If the authoritative nameserver has access to the requested information, it returns the IP address directly to the recursive resolver.

6. Encrypted DNSs

Usually, DNS queries and their responses occur in plaintext, that is, as unformatted text without any kind of encryption. This means that, for example, when we search for www.flashstart.com, the various servers look for exactly the .com domain and then, from there, the name flashstart. In the case of encrypted DNS, on the other hand, what travels on the wire is an encrypted blob, e.g. `4&s$("71ha`, something that is undecipherable to an observer.

The use of encrypted DNSs is made possible by the DNS over HTTPS protocol – known as DoH for short – which allows users to complete Domain Name System resolution using the HTTPS protocol. Compared to traditional DNS, this protocol appears more secure and seems to be a better choice for protecting user privacy.

How does it work? Instead of using plain text transmission, the browser forwards the query and, therefore, the name of the searched site to an HTTPS server via an encrypted connection. The idea is that, with an encrypted connection, outsiders should not be able to interfere in the search in order to figure out which sites one wants to reach.
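To make the "encrypted connection carrying a DNS query" concrete, here is an added example (not FlashStart's code) of what a DoH client actually sends: the same DNS wire-format message as classic DNS, carried in an HTTPS request (RFC 8484 uses `/dns-query` and the `application/dns-message` media type). It runs offline: the resolver hostname `dns.example` and the answer bytes are constructed, not a live lookup.

```python
import base64
import struct

def encode_name(name: str) -> bytes:
    # www.flashstart.com -> b"\x03www\x0aflashstart\x03com\x00" (DNS label format)
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, qtype: int = 1) -> bytes:
    # Header: ID 0 (RFC 8484 recommends it so identical queries are HTTP-cacheable),
    # flags 0x0100 = RD set, QDCOUNT 1.  Then one question: name, QTYPE (1 = A), class IN.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def doh_get_url(resolver: str, name: str) -> str:
    # GET form of DoH: base64url-encoded message, padding stripped, in the ?dns= parameter.
    # (The POST form sends the raw bytes with Content-Type: application/dns-message.)
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"https://{resolver}/dns-query?dns={b64}"

def parse_a_records(msg: bytes) -> list:
    """Return the IPv4 addresses found in the answer section of a DNS message."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    pos = 12
    for _ in range(qdcount):               # skip the echoed question(s)
        while msg[pos] != 0:
            pos += msg[pos] + 1
        pos += 1 + 4                       # root label, then QTYPE/QCLASS
    addrs = []
    for _ in range(ancount):
        if msg[pos] & 0xC0 == 0xC0:        # compression pointer back to the question name
            pos += 2
        else:                              # inline labels
            while msg[pos] != 0:
                pos += msg[pos] + 1
            pos += 1
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return addrs

# Constructed sample answer: flags 0x8180 (response, RD, RA), one question, one A record
# pointing at 192.0.2.10 (a documentation address, not FlashStart's real IP).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("www.flashstart.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)
```

The point for the rest of the article: everything above the HTTPS layer is ordinary DNS, so a filter that inspects only port 53 never sees these queries.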

6.1 Encrypted DNSs: are they really more secure?

Many Internet Service Providers express doubts about the greater security of the DoH protocol compared to the traditional DNS protocol. The doubts concern, on the one hand, the performance of encrypted DNSs, which has been shown to be inferior to traditional DNS, and, on the other hand, the actual privacy that this protocol can guarantee.

Regarding the first point, more information on how DNS over HTTPS works can be found in our dedicated article.

On the security side, on the other hand, the DoH protocol reduces the likelihood of attacks by an intermediary that manipulate DNS data – the so-called “man-in-the-middle” attacks that aim at stealing our information without our being aware of it and, perhaps, at diverting our requests to dummy sites carrying malware and dangerous content. With encrypted DNS, the analysis of DNS traffic theoretically becomes more difficult.

However, precisely because its transmission is encrypted, the DoH service allows users to easily bypass browsing filters, making browsing more vulnerable. This occurs when such filters do not provide protection over DoH, which FlashStart, on the other hand, does.

The DoH protocol, therefore, requires network administrators to rethink the internet security of managed networks and review filtering policies in web access for users. For these reasons, the DoH protocol can be a very important and strategic alert point for the security of data, infrastructure, and the users themselves.

Moreover, hackers have also evolved in this regard, developing attacks that specifically exploit DoH-based queries, such as the attack in late July 2020 by the Iranian group Oilrig, which used the DoH protocol to handle, exfiltrate, and move data.
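The two previous paragraphs (filters being bypassed over DoH, and DoH used as an exfiltration channel) both come down to the same detection question for an administrator: which clients are talking DoH to a resolver that is not the one the organization sanctions? The added example below (not FlashStart's code) runs that check over constructed proxy log lines; the log format, the `doh.internal.example` resolver name and the field names are assumptions about what a TLS-inspecting proxy exports.

```python
import re
from collections import Counter

# Hostnames of well-known public DoH services (sample list; extend it locally).
PUBLIC_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
# The internal DoH resolver users are supposed to use (placeholder name).
SANCTIONED_DOH_HOSTS = {"doh.internal.example"}

# Assumed proxy line: <timestamp> <client-ip> sni=<host> <METHOD> <path> ctype=<content-type|->
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) sni=(?P<sni>\S+) (?P<method>GET|POST) (?P<path>\S+) ctype=(?P<ctype>\S+)$"
)

def classify(line: str):
    """Return (reason, client, host) when the line looks like unsanctioned DoH, else None."""
    m = LINE.match(line)
    if not m:
        return None
    f = m.groupdict()
    if f["sni"] in SANCTIONED_DOH_HOSTS:
        return None                                    # the resolver we want them to use
    if f["sni"] in PUBLIC_DOH_HOSTS:
        return ("public-doh-host", f["src"], f["sni"])
    # RFC 8484 markers that identify DoH no matter which host serves it
    if f["ctype"] == "application/dns-message" or f["path"].startswith("/dns-query"):
        return ("doh-wire-format", f["src"], f["sni"])
    return None

def report(lines):
    """All hits plus a per-client count, so a chatty host stands out."""
    hits = [h for h in (classify(l) for l in lines) if h]
    per_client = Counter(src for _, src, _ in hits)
    return hits, per_client

# Constructed sample log: one sanctioned lookup, two public resolvers, one normal web hit,
# and one DoH GET to an unfamiliar host (the pattern a bypass or exfil channel would leave).
SAMPLE_LOG = """\
2024-01-15T10:00:01Z 10.1.2.3 sni=doh.internal.example POST /dns-query ctype=application/dns-message
2024-01-15T10:00:02Z 10.1.2.7 sni=dns.google POST /dns-query ctype=application/dns-message
2024-01-15T10:00:03Z 10.1.2.7 sni=www.flashstart.com GET / ctype=text/html
2024-01-15T10:00:04Z 10.1.2.9 sni=cdn.example.net GET /dns-query?dns=AAABAAABAAAAAAAAA3d3dw ctype=-
2024-01-15T10:00:05Z 10.1.2.7 sni=cloudflare-dns.com GET /dns-query?dns=AAABAAAB ctype=-
""".splitlines()
```

Without TLS inspection the path and content type are invisible and only the SNI/host check remains, which is why the article's recommendation of an internal DoH resolver matters: it gives you a single sanctioned endpoint to allow and everything else to alert on.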

7. FlashStart tools: internet filter and CloudBOX

FlashStart offers complete internet security through its two core tools: the DNS internet filter and the CloudBOX.

7.1 FlashStart’s internet filter

FlashStart’s internet filter uses artificial intelligence algorithms to protect all users connected to the network, both those accessing it through the corporate or home router and those connected remotely, whose protection is ensured by the ClientShield application.

FlashStart protection is totally cloud-based and, therefore, does not require updates from users. The tool automatically blocks access to malicious contents, such as malware, phishing attempts, and spyware. The network administrator can then decide whether to also block inappropriate contents – such as pornography, violent contents, and drug-related contents – and distracting contents, which include social networks, audio and video streaming platforms, and online shopping sites.

7.2 FlashStart CloudBOX
In order to guarantee security and speed, FlashStart also offers an exclusive application: the FlashStart CloudBOX, a cache that acts as an intermediary between users and the FlashStart Cloud and is available both as physical hardware and at the virtual level.

The CloudBOX stores both the DNS requests made by users and the responses obtained from the internet filter, hence both the permissions granted and those denied by the cloud. This enables it to further optimize resolution times for repeated requests, on top of the already very low latency provided by the FlashStart internet filter, whose Anycast network is among the fastest in the world according to www.dnsperf.com.

In addition, FlashStart’s CloudBox allows you to install internal DoH resolvers, avoiding the security issues associated with encrypted DNSs and guaranteeing secure browsing.
