Know-How: DNS over HTTPS - Any plans to add this?

PP Werner

Staff member
Hi. We've been revisiting encrypted DNS options lately.

DNS-over-TLS seems simple enough. stunnel proxies on port 853 are rolling out to all VPN servers and should become available within the next days. The certificates are currently signed by our own private CA.

DoT is already supported by general resolver software like unbound and knot-resolver, so you can encrypt all your system's DNS requests, not just those sent by the browser.

Support for opportunistic privacy (i.e. trying TLS on port 853 first with plain DNS on port 53 as fallback) to nameservers provided by DHCP or OpenVPN isn't great yet but I'd expect it to improve eventually.
Android Pie is apparently already implementing it.

Trackstop has been amended to also intercept DoT requests and redirect them locally if any filters are enabled.

Here's an example configuration snippet for unbound with static addresses and no certificate validation (yet):

server:
    # Global switch for unbound versions < 1.7: affects all upstream queries.
    ssl-upstream: yes

forward-zone:
    name: "."
    forward-first: no
    # Per-zone alternative for unbound versions >= 1.7 (then ssl-upstream above can go).
    #forward-ssl-upstream: yes

    # zurich2
    forward-addr: 2a01:4a0:3b::13@853

    # basel1
    forward-addr: 2a01:4a0:18::13@853

DNS-over-HTTPS is another beast as it allows multiple different message formats and involves more parsers and experimental code. I don't know yet whether or when we might offer DoH.

Now, is it at all useful to encrypt DNS requests from your computer to a resolver? Maybe.

In most use-cases, the only plain DNS requests not sent through the VPN tunnel are those for the VPN server name. They don't leak much information because you're going to open a connection to the resolved address, anyway.
Further requests are then sent through the tunnel and from there to a DNS resolver. Even if those requests were encrypted, the resolver still sends plaintext queries to the authoritative servers.

Also, DNS is usually only a precursor to a connection. Wherever you connect to, the DNS request is probably easy to guess.
Worse still, HTTPS might leak the hostname through SNI (although there is some talk in the IETF to obfuscate SNI in future TLS versions).
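To make the DoT side of the post concrete, here is an added example (written for this thread, not code from the provider or from unbound): a minimal DNS-over-TLS client that frames queries the way RFC 7858 requires and implements the "try TLS on 853, fall back to plain 53" behaviour the post calls opportunistic privacy. The server address, CA file and the fixed transaction id are placeholders you supply; the result tells the caller which transport was actually used so a silent downgrade to cleartext does not go unnoticed.

```python
import socket
import ssl
import struct
# Added example, not from the thread: a minimal DNS-over-TLS (RFC 7858) client
# with the "try TLS on 853, fall back to plain 53" behaviour discussed above.
QID = 0x1234  # fixed transaction id to keep the sample deterministic; randomise in practice

def build_query(name, qtype=1):
    """Standard query: header (RD=1, one question) + QNAME + QTYPE + QCLASS IN."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", QID, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def frame_tcp(msg):
    """DNS over TCP/TLS prefixes every message with its 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def parse_a_records(resp):
    """Return the IPv4 answers; reject a mismatched id or a non-zero RCODE."""
    rid, flags, qd, an = struct.unpack("!HHHH", resp[:8])
    if rid != QID or flags & 0x000F:
        raise ValueError("bad id or rcode %d" % (flags & 0xF))
    def skip_name(p):  # walk labels until the root (0) or a compression pointer (0xC0..)
        while resp[p] and not resp[p] & 0xC0:
            p += resp[p] + 1
        return p + (2 if resp[p] & 0xC0 else 1)
    pos, addrs = 12, []
    for _ in range(qd):
        pos = skip_name(pos) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        pos = skip_name(pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def resolve(name, server, cafile, timeout=3.0):
    """DoT on 853 with certificate validation first, plain UDP 53 as fallback.
    Returns (addresses, transport) so a downgrade to cleartext stays visible to the caller."""
    query, ctx = build_query(name), ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((server, 853), timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame_tcp(query))
            data = tls.recv(4096)  # strip the 2-byte length prefix before parsing
            return parse_a_records(data[2:2 + struct.unpack("!H", data[:2])[0]]), "dot"
    except OSError:  # ssl.SSLError is a subclass: handshake or cert failure lands here too
        pass  # no usable DoT: fall back to cleartext and say so via the transport tag
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        return parse_a_records(udp.recv(4096)), "udp"
```

A caller that wants no fallback at all can simply not catch the exception; the post's point that opportunistic mode is weak is exactly that the fallback branch exists.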


New Member
I can't clearly figure out the differences between DoT and DoH. What is encrypted/not encrypted in each case?

But I think a problem with selecting DoH (or DoT) at the browser level is that the DNS requests made by the browser completely bypass the hosts file.

DoT/DoH would make more sense in my opinion if implemented at the system level.

Concerning SNI, Firefox supports SNI encryption.

For those interested, there is another kind of "DoT": DNS over Tor.