DNS Encryption explained - DNS over TLS (DoT) & DNS over HTTPS (DoH)

Views: 46,809

Christian Lempa

1 day ago

I'll explain what DNS encryption is about: how it technically works, why we should all care about it, and what role it plays in the IT industry.
DNS over TLS (RFC): tools.ietf.org/html/rfc7858
DNS over HTTPS (RFC): tools.ietf.org/html/rfc8484
Follow me:
TWITTER: / christianlempa
INSTAGRAM: / christianlempa
DISCORD: / discord
GITHUB: github.com/christianlempa
PATREON: / christianlempa
MY EQUIPMENT: kit.co/christianlempa
Timestamps:
00:00 Introduction
01:14 What is DNS encryption and why do we need it?
02:48 How do DNS requests work?
04:21 DNS over TLS
07:06 DNS over HTTPS (DoH)
09:34 Concerns with DoH implementation
________________
All links with "*" are affiliate links.

Comments: 83
@jojimerc7396 4 years ago
This channel is very helpful for DevOps.
@mohsen3448 2 years ago
Perfect content and clear explanation! Kudos to you! Please make more of these kinds of technical/conceptual videos related to security topics, which are a great help for other IT/network enthusiasts such as myself!
@christianlempa 2 years ago
Thank you! Of course, I will :)
@BENJA007GAMER 8 months ago
Question
@BENJA007GAMER 8 months ago
@christianlempa Question: which of the two is better to use, which do you recommend? Just tell me one, DoT or DoH, which should I use, since one of the two is better and has the edge? Which do you recommend I use to put on all my devices? Reply as soon as possible please.
@punyagandhi6375 4 months ago
Is there a source to get the basic code that I use as a basis for my thesis? @christianlempa
@AsifAAli 3 years ago
Very well explained. Thank you. 🙏🏽
@BernieD940 3 years ago
Thanks, that was a good discussion.
@christianlempa 3 years ago
Thanks! :)
@HEWfunkingKNEWit 4 years ago
Yes, please more videos on this topic ✌
@mrd4233 3 years ago
Very interesting topic! New to your channel!
@christianlempa 3 years ago
Nice, thank you and welcome 🙂
@jyxue 10 months ago
So helpful, many thanks.
@goks7 3 years ago
Awesome content, I had been banging my head on such concepts. I request you to explain how to capture the data via Wireshark.
@christianlempa 3 years ago
I did a video about "7 amazing network engineer tools" where Wireshark was one of them; that could be interesting for you 😉. However, if more people are requesting it, I'll consider making a short series about it.
@goks7 3 years ago
@christianlempa Great man, that would do for me I guess. Thanks for the heads up!
@GorkemYildirim 3 years ago
I learnt something new thanks to you.
@christianlempa 3 years ago
Glad to hear it!
@zeytee 1 year ago
Very helpful and makes learning easy. I watched it twice to digest all the details well.
@VEKTOR_87 3 years ago
Really helpful, thanks! :)
@christianlempa 3 years ago
Glad it helped!
@payambakhshi1498 3 years ago
Centralized or decentralized, that's the question too :). Thanks for the nice video.
@christianlempa 3 years ago
Interesting question ☺️ That's maybe a good topic for an upcoming video. Thank you!
@aeroxx 1 year ago
Thanks for the knowledge. So these techniques still need to be supported by the hosters/sites to make it fully encrypted? I am just wondering if it's really better to send the DNS query via cloud-based providers instead of "trusting/relying" on your ISP. Probably depends on the country and their laws.
@GamesOfficialYouTube 2 years ago
So do you recommend ISP DNS or Cloudflare DNS over HTTPS? Great video btw.
@markpelayo 1 year ago
Thank you for your video. I have a question: what do you think would be faster, DoH or DoT?
@sumankumarpoddar6892 9 months ago
From India... thanks 👍
@mario_vasquez_ 1 year ago
Very good. Demoing with Wireshark was very useful. Thank you and please keep making videos like this.
@nands4410 4 years ago
1:51 You mean they can see just the SNI, right, as the protocol will be SSL?
@alimahaboob2287 3 years ago
I want to see the configuration you did for the stubby.yml file. Could you please share?
@R1D9M8B4 2 years ago
Thank you
@christianlempa 2 years ago
You're welcome
@harshavmb 9 months ago
How does the performance impact look here? DNS under 512 bytes is a UDP query, super fast. Most machines cache the results locally, but resolvers usually don't cache. They may have to take on more burden of responding to users' queries by encrypting, decrypting, additional payload etc. Also I'm not sure if the bind daemon supports these protocols, as it's widely used.
@manishalankala1622 2 years ago
Nice
@necroscorner 4 months ago
Maybe a video about DoQ?
@dilipdilipjohn 3 years ago
How are these settings turned on? (Using DNS over WARP)
@beydoin 1 month ago
Do you have a tutorial on how to set it up on named?
@Mohamed-sc6so 3 years ago
Greetings, I hope you can help me. 1. I set my machine's network (I did not change anything on the router, only my machine) to use "1.0.0.2 & 1.1.1.2" as DNS servers; they belong to Cloudflare. 2. Does that mean all my machine's DNS queries are encrypted (DNS over HTTPS)? 3. When I go to the Cloudflare test page, the result was that I do not use DNS over HTTPS. Also, when I activate DNS over HTTPS in Firefox, the result was "we do not know if you use DNS over HTTPS or not". 4. Are there any steps I should do besides setting the machine's network to use the Cloudflare DNS server, to be sure I use DNS over HTTPS? Thanks in advance.
@b0ys0l09 2 years ago
Can zone transfers also be done the same way?
@sidhucr7985 1 year ago
Can't connect to the internet with my mobile data but can with wifi... my browser says DNS is hijacked or polluted. Please, please help me to fix this issue.
@neelupatel5498 2 years ago
How do attackers use DoH for malicious purposes? Will they use any tool to tunnel DoH and then apply data exfiltration, or will they exploit a server such as Cloudflare, Mozilla and then apply C2 commands?
@christianlempa 2 years ago
I have no real data on this unfortunately, but I assume that DoH queries could be easily used to bypass local security gateways.
@contenteater 2 years ago
Wouldn't encrypting your queries with DoH or DoT also protect you from the DNS provider itself? I understand that Cloudflare, Nextguard, etc. claim not to keep logs, but can they initially see all of our traffic?
@christianlempa 2 years ago
The DNS queries are encrypted from your PC to the DNS resolver, so they can see everything.
@contenteater 2 years ago
@christianlempa Sorry, but how could they see it if it's encrypted? 🤔
@lan.w.8001 2 years ago
@contenteater At some point, they need to be unencrypted: someone must be able to answer the DNS query, or otherwise you won't get a response at all and URLs stop working. This decryption happens at your DNS resolver. (A late response, I hope it's still useful)
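The resolver has to see the query in clear to answer it, as the replies above say; what the TLS tunnel carries for DoH is an ordinary DNS wire-format message. The following is an added example, not code from the video or the channel: it builds the RFC 8484 GET form of a query (linked in the description) and parses a constructed answer. The endpoint https://dns.example/dns-query and the address 192.0.2.10 are placeholders, not real resolver data.

```python
import base64
import struct

def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Minimal DNS wire-format query (RFC 1035): header, one question, class IN.
    RFC 8484 section 4.1 says DoH clients SHOULD use ID 0 so that identical
    queries yield identical URLs that HTTP caches can reuse."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # ID 0, RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_url(endpoint: str, query: bytes) -> str:
    """DoH GET form (RFC 8484 section 4.1): base64url of the wire query, padding
    stripped, in the 'dns' parameter. On the network this URL travels inside TLS."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a name; a 0xC0 compression pointer ends the name in 2 bytes."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def parse_a_records(msg: bytes) -> list:
    """IPv4 addresses in the answer section of a DNS response (same wire format)."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4                       # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def build_dns_response(query: bytes, addr: str, ttl: int = 300) -> bytes:
    """Constructed sample answer, i.e. what the resolver returns after decrypting
    the query and resolving it upstream; offline test input, not a real capture."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)    # QR=1, RD=1, RA=1
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)  # name = pointer to offset 12
    return header + query[12:] + answer + bytes(int(o) for o in addr.split("."))
```

The encoded query for www.example.com matches the worked example in RFC 8484, which is a quick way to check the encoder against the specification.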
@Reepix 3 years ago
Question: Considering Android 9 Pie now incorporates DoT configuration, browsers like Bromite incorporating DoH, and DNS providers like Quad9 providing free encrypted options for both... is it possible/beneficial to use both simultaneously? On Android mobile or tablet devices.
@Reepix 3 years ago
And thank you for the content! =)
@christianlempa 3 years ago
Thanks 😊. One of the problems when browsers or applications implement their own DNS resolving technique is that it's independent from the OS DNS resolving. That means your browser will use DoH queries to whatever it uses as a resolver, and other apps will use the DoT queries configured in Android. So yes, both can work and they don't interfere with each other, but it could be that the browser uses different resolvers than are configured in the OS. DNS resolvers like Quad9, Cloudflare and Google usually support both methods, so that should work fine in this case 😉
@Reepix 3 years ago
I love that 30 hrs ago, that question I asked would've seemed like a totally foreign language to me, and already so many puzzle pieces regarding internet security, privacy, anonymity and how networks function are all coming together and making sense. That's all thanks to YouTubers like you. Thanks for getting back to me and thank you for helping me to understand, much appreciated.
@christianlempa 3 years ago
@Reepix Thank you so much for that kind feedback, I'm glad it helped you and it keeps me motivated to do more content! Cheers 😁
@gugaucb 2 months ago
How can I configure this on bind9 forwarders?
@christiangoth4652 3 years ago
5:17 How can my ISP resolve my DNS request if it can't inspect the DNS data (since it is TLS-encrypted)?
@christianlempa 3 years ago
The ISP can't inspect the DNS requests when they're encrypted, only when you're not using DNS over TLS. Hope that helps :)
@contenteater 2 years ago
@christianlempa I think Christian's question was "how would my internet provider be able to process my searches if they are unable to view my searches" 🤔
@ssanas1 2 years ago
@contenteater Somewhere upstream in the DNS servers the request would go unencrypted to resolve.
@sshadyh 1 year ago
If you are using a VPN, does it matter?
@rainhartwenkler8408 2 years ago
@10:28 What is this "unencrypted SNI" you are apparently still sending out when using encrypted DNS?
@christianlempa 2 years ago
The SNI (Server Name Indication) is always transmitted unencrypted in any HTTPS request.
@bethanybellwarts 2 years ago
But doesn't this only hide the URL? Once the URL is resolved to an IP address, isn't that IP address then visible to your ISP, so they can still work out exactly what website you are accessing?
@christianlempa 2 years ago
You could use the IPs to roughly identify targets, but many websites are using CDNs today whose IPs are hosting a ton of websites.
@alqods80 1 year ago
Very good video but the background music is annoying.
@benoit.gerin-lajoie 8 months ago
You are addressing HALF of the problem: the "question" (request). What about the "reply"? What is the packet configuration of the reply? Does it contain your IP address (in clear) and the IP address of the encrypted URL (in clear)? If so, then... you aren't "protected", since your ISP can reverse-lookup the DNS contained in the "reply" packet! No?
@benoit.gerin-lajoie 22 days ago
@Helder-qx8oz That IS the question!
@angelsmalls7044 1 year ago
Still confused if I should use DoH or DoT. I wanna be secure but also want to hide from my ISP.
@christianlempa 1 year ago
If you want to hide from your ISP, there is no way around a VPN. DNS encryption alone is not going to help you.
@skolarii 3 years ago
Wouldn't the purpose be defeated if a company's DNS doesn't support DoH or DoT?
@christianlempa 3 years ago
That's right. A lot of companies actually disable DoH and DoT because it bypasses the company's DNS and firewalls, which is a big problem. It is a challenge for companies, but I think we need to come up with a reliable solution that allows companies and firewall vendors to make use of DoH or DoT, aligned with the company's preferences and security needs. But that's something that is not well established at this stage, and it's interesting to see what solution will become the new standard some day. In networking, those changes usually take a long time.
@levelup1279 2 years ago
Maybe companies need to embrace the fact that they're no longer able to filter user traffic. I have a VPN enabled 24/7 & I know many other people do as well.
@shuangliu2204 2 years ago
I like your accent as a non-English native speaker.
@christianlempa 2 years ago
Thanks 😆
@kaalmansur 2 years ago
Would I solve the problem if I set up a VPN in my WLAN network, and if not, why not? Many thanks! - I'll answer it myself, but would appreciate feedback: the problem arises "outside" my network, and the IP address becomes "visible" over the line if no TLS over DNS is configured. The VPN can only prevent someone from entering my WLAN; sending the IP outside the network is not affected by it, correct?
@christianlempa 2 years ago
Hey, sorry, I'm a bit confused :D What exactly do you want to achieve, or which problem do you want to solve?
@Punitkp94 3 years ago
So, which one is better to use? DoT or DoH?????
@christianlempa 3 years ago
Technically both are sufficient, and generally you can use whatever works for you. But I think that DoH is a bit more widespread than DoT in terms of implementation by companies. However, this is still work in progress; there are also other alternatives like DoQ, and we'll see what will become the new standard.
@Punitkp94 3 years ago
@christianlempa Thank you a lot.
@AlienShowz 3 years ago
Mr. 13, why is DoT better than DoH? I need the most secure form of DNS and I do not want my ISP spying on me. I don't mind going the extra step for security.
@skyscraperfan 2 years ago
Doesn't my provider still know which domains I visit? If the provider has a DNS, the provider knows which IPs belong to which domain. So even if my provider does not see the DNS request, once I load a single package from the IP, they will still know that I visited the website with that IP. If the DNS knows which IP belongs to which domain, the opposite should also be possible. So I do not really see how my privacy is protected unless I use a VPN. PS: Be careful with Google's DNS servers! Google does not really provide that service for free. They will store all the domains you visited forever to send you even more targeted ads.
@christianlempa 2 years ago
Often the IP address does not directly relate to the actual website you're browsing. Most companies and websites today use CDNs like Akamai or Cloudflare, so you can sometimes compare the address with the name, but not always. Also, you can still see the domain in the HTTPS requests, as it's included in the SNI (not the full path though). But that always works, no matter if you encrypt the DNS requests. So yeah, you're right, a VPN is the only way to really "hide" the traffic from your ISP.
@glowinthedark9082 3 years ago
Just post all IP addresses.
@erikeriksson1920 1 year ago
Annoying music.