RFC 8484



RFC 8484 defines the DNS over HTTPS (DoH) protocol, which allows DNS queries and responses to be sent and received using HTTPS. Published in October 2018, RFC 8484 aims to enhance the privacy and security of DNS transactions by encrypting them, preventing unauthorized parties from intercepting or tampering with DNS traffic. By transmitting DNS queries over HTTPS, DoH ensures that these queries are encrypted in the same way as regular web traffic, making them less vulnerable to eavesdropping and manipulation.

Before the introduction of DoH, traditional DNS queries were sent in plaintext, which made them visible to network intermediaries such as ISPs or malicious actors. This lack of privacy allowed third parties to monitor users’ browsing activity by observing the DNS queries they made. RFC 8484 addresses this issue by using HTTPS as the transport protocol for DNS queries, ensuring that DNS traffic is encrypted and protected from prying eyes. This significantly improves user privacy, particularly in environments where network traffic is subject to surveillance or censorship.

One of the key advantages of DoH as described in RFC 8484 is its ability to run DNS queries over port 443, the same port used by HTTPS traffic. This means that DoH queries are indistinguishable from other encrypted web traffic, making it more difficult for network administrators or attackers to block or filter DNS queries based on their content. This characteristic is especially useful in regions where internet access is restricted, or where certain websites are blocked using DNS censorship techniques.

RFC 8484 outlines how DoH encapsulates DNS queries and responses within standard HTTPS requests and responses. When a DoH client sends a query, it issues an HTTP request to a DoH-enabled DNS resolver. The DNS message is carried in the HTTP request (as the body of a POST, or encoded into the URL of a GET), and the resolver processes the query and returns the DNS response in the body of the HTTP response. This process allows DNS queries to take advantage of the security features of HTTPS, such as encryption and server authentication, while also benefiting from the widespread use of HTTP/2 and HTTP/3 for optimized performance.

The protocol defined in RFC 8484 is particularly beneficial for protecting DNS queries on untrusted networks, such as public Wi-Fi. Public networks are often vulnerable to attacks like DNS spoofing or man-in-the-middle attacks, where an attacker intercepts and modifies DNS responses to redirect users to malicious websites. By encrypting and authenticating the channel between the client and its resolver, DoH prevents an on-path attacker from spoofing or modifying DNS responses, so users receive the responses the resolver actually sent and are not misled by malicious actors.

Despite the significant privacy improvements offered by DoH, there are concerns about its impact on traditional network security and monitoring systems. Many organizations use DNS filtering or DNS-based security tools to block access to harmful or inappropriate content. With DoH, these filtering mechanisms may be bypassed because the DNS queries are encrypted and cannot be easily inspected by network administrators. This has led to debates about how DoH should be deployed in environments that rely on DNS for security policies.

RFC 8484 also addresses concerns about DoH resolver centralization. Public DoH resolvers provided by large companies, such as Cloudflare and Google, could potentially see a significant portion of global DNS traffic. This centralization raises privacy concerns, as it concentrates DNS query data within a few major providers. While DoH improves privacy at the network level, users must trust the DoH resolver to handle their queries responsibly. To mitigate this, RFC 8484 encourages the development of a diverse ecosystem of DoH resolvers, including private and local resolvers.

In terms of performance, DoH can introduce some overhead compared to traditional DNS queries because it requires establishing a TLS connection, and queries are encapsulated within HTTP requests. However, RFC 8484 allows for performance optimizations, such as the reuse of HTTPS connections for multiple DNS queries. By keeping connections open and using multiplexing provided by HTTP/2 and HTTP/3, DoH can minimize the impact of encryption on query latency, ensuring performance comparable to traditional DNS.

One of the features of RFC 8484 is its flexibility in implementation. It does not mandate a specific encoding for DNS queries, allowing implementations to choose how they represent queries within the HTTP request body. The most common encoding is DNS wire format, but other formats could also be used depending on the application. This flexibility allows DoH to be integrated into various applications and systems, providing a range of use cases for different network environments.
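As an added example covering the encapsulation and encoding paragraphs above (not code from RFC 8484 or from this page), the following Python builds the www.example.com query used in the RFC's own GET example, encodes it for the GET form, and validates a constructed response. It uses the one encoding RFC 8484 requires every implementation to support, DNS wire format under the media type application/dns-message; the resolver URL and the sample response are constructed placeholders.

```python
import base64
import struct

DOH_MEDIA_TYPE = "application/dns-message"  # wire format; RFC 8484 requires support for it
def encode_name(name):
    # Hostname -> DNS wire-format labels, terminated by a zero-length label
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype=1):
    """Wire-format query; ID is 0 so identical GET requests stay cache-friendly (RFC 8484 4.1)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID=0, RD set, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def doh_get_url(resolver_url, query):
    """GET form: base64url without padding in the 'dns' parameter (POST sends the same bytes as the body)."""
    return resolver_url + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()
def read_name(msg, off):
    """Read a possibly compressed name; returns (name, offset just past it)."""
    labels = []
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [read_name(msg, ptr)[0]]), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
def parse_response(query, content_type, body):
    """Check media type, ID, QR and RCODE, then return [(name, type, ttl, rdata)] from the answers."""
    if content_type != DOH_MEDIA_TYPE:
        raise ValueError("unexpected media type: " + content_type)
    hdr = struct.unpack("!HHHHHH", body[:12])
    if hdr[0] != struct.unpack("!H", query[:2])[0] or not hdr[1] & 0x8000 or hdr[1] & 0x000F:
        raise ValueError("ID mismatch, not a response, or non-zero RCODE")
    off = 12
    for _ in range(hdr[2]):  # skip the echoed question section
        off = read_name(body, off)[1] + 4
    answers = []
    for _ in range(hdr[3]):
        name, off = read_name(body, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", body[off:off + 10])
        answers.append((name, rtype, ttl, body[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return answers

# Constructed sample response (not captured traffic): www.example.com A 192.0.2.1, TTL 300,
# with the answer owner name compressed as a pointer to the question name at offset 12.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

A client should reject a response whose Content-Type is not application/dns-message or whose ID does not match its query, as parse_response does, rather than trusting whatever bytes arrive over the TLS channel.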

The adoption of DoH has grown rapidly since the publication of RFC 8484, with major web browsers, such as Mozilla Firefox and Google Chrome, implementing DoH support by default. This integration has made it easy for users to enable encrypted DNS queries directly from their browser settings, improving privacy without requiring extensive technical knowledge. Additionally, several operating systems, including Windows and macOS, have introduced native support for DoH, allowing users to configure system-wide DoH settings.

Conclusion



RFC 8484 introduces DNS over HTTPS (DoH), a protocol designed to enhance the privacy and security of DNS queries by encrypting them within HTTPS traffic. By running DNS over port 443 and leveraging the encryption and authentication features of HTTPS, DoH prevents third parties from intercepting or tampering with DNS queries. Despite concerns about its impact on network monitoring and potential centralization, the adoption of DoH continues to grow, driven by the need for better privacy protection in an increasingly surveillance-prone internet environment.