
The Men&Mice DNS encryption reference

A quick list of resources to help you refresh your knowledge about DoT, DoH, and other DNS privacy-related topics.

Aug 12th, 2020

The reality of a modern world calls for constant updates of the technology that runs through it. The reality of technology, however, rests on critical services such as DNS remaining dependable. These opposing forces push network operators to continually explore and evaluate new approaches, such as those driven by the demand for privacy.

Methods for encrypting DNS have been around for a while, but the debate still rages on, with the well-known implementations of DNS-over-TLS and DNS-over-HTTPS not only constantly challenged but also joined by new approaches.

With the 2020 update for our highly popular encrypted DNS webinar, we thought we'd create a quick list of resources to not only help you refresh your knowledge about DoT, DoH, and others, but also revisit later.

DNS encryption: the big picture

The original approach to DNS privacy was that "either privacy was not considered a requirement for DNS traffic or it was assumed that network traffic was sufficiently private." (IETF, RFC 8484) As networks like the internet grew beyond their creators' wildest imagination, that thinking was no longer sufficient.

Men&Mice CEO Magnus Bjornsson gave a presentation on DNS encryption principles and the comparative pros and cons of the two major implementations:

Magnus Bjornsson, Men&Mice CEO at UTmessan 2019

To further complicate the adoption of DNS encryption, the priorities and considerations can be vastly different in public networks like the internet and corporate networks that enable businesses to run:

DNS-over-TLS (DoT)

DoT uses a dedicated port (853) and the TLS (Transport Layer Security) protocol to encrypt DNS queries.

DNS-over-HTTPS (DoH)

DoH utilizes the user's browser and bundles DNS traffic together with regular encrypted web data using HTTPS (secure HTTP).
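To make the difference between the two transports concrete, here is an added example (not code from Men&Mice or from this article) that builds a plain DNS query message and then shows how the same message is put on the wire by DoT and by DoH. DoT framing follows RFC 7858, which reuses the two-byte length prefix of DNS-over-TCP on port 853; DoH follows RFC 8484, which carries the message either as a base64url `dns=` parameter in an HTTP GET or as the body of a POST with the `application/dns-message` media type. The resolver hostname `dns.example` and the `/dns-query` path are assumptions used only to form the URL.

```python
import base64
import socket
import ssl
import struct

DOT_PORT = 853  # dedicated port for DNS-over-TLS (RFC 7858)


def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS wire format: length-prefixed labels, zero byte terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"invalid label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a single-question DNS query (RFC 1035 header + question section).

    qtype 1 = A record. RFC 8484 recommends transaction ID 0 for DoH so that
    identical queries produce identical HTTP requests and can be cached.
    """
    flags = 0x0100  # RD (recursion desired) set, everything else clear
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN


def frame_for_dot(msg: bytes) -> bytes:
    """DoT sends DNS-over-TCP framing inside TLS: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def unframe_dot(stream: bytes) -> bytes:
    """Strip the DoT length prefix, checking that the message is complete."""
    (length,) = struct.unpack("!H", stream[:2])
    body = stream[2 : 2 + length]
    if len(body) != length:
        raise ValueError("truncated DoT message")
    return body


def dot_connect(host: str, port: int = DOT_PORT, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS session to a DoT resolver, verifying its certificate (not called in tests)."""
    ctx = ssl.create_default_context()  # system trust store, hostname verification on
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


def doh_get_url(msg: bytes, base: str = "https://dns.example/dns-query") -> str:
    """DoH GET: base64url-encode the message with padding removed (RFC 8484 section 6)."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{base}?dns={b64}"


def doh_post_request(msg: bytes, host: str = "dns.example", path: str = "/dns-query") -> tuple[dict, bytes]:
    """DoH POST: the raw DNS message is the HTTP body, typed as application/dns-message."""
    headers = {
        "Host": host,
        "Content-Type": "application/dns-message",
        "Accept": "application/dns-message",
        "Content-Length": str(len(msg)),
    }
    return headers, msg


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("plain DNS message:", q.hex())
    print("DoT frame to port 853:", frame_for_dot(q).hex())
    print("DoH GET:", doh_get_url(q))
    print("DoH POST headers:", doh_post_request(q)[0])
```

Running the script shows why the two transports look so different to a network observer: a DoT session is TLS to a dedicated port (853) carrying length-prefixed DNS messages, which is easy to identify and to allow or block as a class, whereas a DoH request is an ordinary HTTPS request on port 443 whose only distinguishing marks (the `dns=` parameter or the `application/dns-message` content type) are themselves inside the encrypted channel.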

New advances in DNS encryption

While DoT and DoH remain the two major implementations of DNS encryption, developers of network standards from the IETF to private companies are continually looking for better (or different) ways to ensure privacy in DNS.

Two new approaches in the field are oblivious DoH (oDoH) and adaptive DNS resolver discovery. Renowned DNS educator Carsten Strotmann will cover these in detail during our upcoming webinar.

Oblivious DoH

The proposed oDoH approach achieves private DNS queries by proxying encrypted DNS queries. With oDoH, no single server is aware of both the client's identity and the content of the DNS query.

Adaptive DNS resolver discovery

Adaptive DNS resolver discovery is a method that allows the dynamic discovery of resolvers that support encrypted transports. It can be used to designate a resolver, based on domain, to answer a subset of queries.

Join us for a free webinar!

For the past 30 years, Men&Mice has been developing tools to manage DNS (along with DHCP and IP addresses) services across platforms, vendors, and locations for large enterprise businesses. In addition, the Men&Mice training program has been an industry-leading education opportunity for over 20 years.

In a free webinar on August 19th, Men&Mice training instructor and DNS educator Carsten Strotmann will teach the ins and outs of DNS encryption, including the latest developments in oDoH and adaptive DNS resolver discovery.

Register to attend fast, as this webinar is shaping up to be one of our most popular.