IT security at the University of Bern

DoT, DoH and DNSSEC: Secure DNS communication

The Domain Name System, DNS for short, forms the basis for the Internet. To further improve the system's security, DoT and DoH were added. In this article, you will learn about what DoT and DoH are, the benefits they might bring, and what you have to consider concerning the network of the University of Bern.

Essentials in a nutshell

The Domain Name System is a vital component of the Internet and allows Internet services and websites to use easy-to-remember domain names such as www.unibe.ch. To further increase the security of the system, DoT ("DNS over TLS") and DoH ("DNS over HTTPS") have been added, allowing to encrypt the DNS traffic.

With DNSSEC, the DNS server checks the authenticity and integrity of a DNS entry and only delivers secure DNS entries.

With DoT and DoH, the communication between the user's device and the DNS server is encrypted, making it impossible to intercept and modify DNS messages over the "last mile". A check for authenticity and integrity does not take place. 

Benefits of DoT, DoH and DNSSEC

Securing the Domain Name System (DNS) against hacker attacks is essential to make the Internet more secure. The addition of the Domain Name System Security Extension (DNSSEC) in 2005 was the first major step towards that goal.

DNSSEC allows you to detect whether DNS records have been modified during transmission. Therefore, it protects from attacks in which DNS queries are changed, and users are redirected to fake websites. It should be noted that the protection only works for DNS zones that have DNSSEC enabled. 

Since DNSSEC does not encrypt the DNS traffic, the information from DNS requests is viewable by network operators and Internet providers. In the worst case, this information can be used to create behavior profiles, which in turn can be sold for advertising purposes. DoT and DoH prevent this by encrypting the DNS traffic.

Therefore, DoT or DoH should be seen as an addition to DNSSEC and by no means as a replacement.

DoT, DoH, and DNSSEC at the University of Bern.

Currently, using DoT or DoH on a device within the network of the University of Bern will bypass the central DNS servers, and send DNS requests directly to DNS servers outside the University of Bern. Bypassing the central DNS servers, one will miss the additional protection against phishing sites and malware provided by the DNS firewall, as well as all the benefits of DNSSEC which is also enabled on the central DNS servers. Besides, using the central DNS servers enhance privacy as they forward DNS requests anonymously. 

Therefore, as long as the central DNS servers of the University of Bern do not yet support DoT or DoH, the IT Services Department recommends not to use these functions. 

If you need help configuring your computer to use the central DNS servers, you can find helpful instructions on the service portal.

Differences between DoT and DoH

As mentioned above, both methods encrypt the DNS traffic but use different protocols to do so. DoT uses TLS (Transport Layer Security) on TCP port 853, and DoH uses HTTPS on TCP port 443.

Since HTTPS is already an integral part of networks, using DoH is easier to implement as no or at least fewer new firewall rules are needed. However, using DoH, it is no longer possible to distinguish between website and DNS traffic within network data. This poses new challenges for firewalls, which offer security functions based on DNS queries. The use of DoT would alleviate this problem somewhat, but at the price of the additional effort of adjustments in the network.

Configuring the web browser

DoT and DoH

Currently, not all web browsers support secure communication for DNS using DoT or DoH. For those that do support the new protocols, the default settings can be retained for use on the University of Bern network.

The following is a list of how common browsers are set by default.

  • Google Chrome and browsers based on it (e.g., Brave, Microsoft Edge, Chromium, etc.): Secure communication for DNS is enabled by default and uses the local DNS servers. This automatically detects whether the DNS servers support secure communication or not. If it is not supported, as is currently the case with the DNS servers of the University of Bern, communication is unencrypted as before.
  • Firefox: Secure communication for DNS is disabled by default.
  • Safari: Secure communication for DNS is not yet supported.

DNSSEC

DNSSEC does not require any configuration on the end devices.