Why You Need DNS over HTTPS or DNS over TLS to Protect Your Privacy?
Every time you visit a website, your device needs to translate the human-readable domain name (like “example.com”) into an IP address that computers can understand.
This translation process is called DNS (Domain Name System) lookup. By default, these DNS queries are sent in plain text, meaning anyone who can see your network traffic—including your Internet Service Provider (ISP)—can see exactly which websites you’re visiting.
The Privacy Problem with Traditional DNS
When you use standard DNS, your ISP can see every domain name you request, effectively creating a complete log of your browsing activity.
This happens even if the websites themselves use HTTPS encryption. While HTTPS protects the content of your communication with websites, it doesn’t hide which websites you’re visiting from your ISP.
ISPs may collect this information for various reasons: targeted advertising, selling anonymized data to third parties, complying with government data retention laws, or network management. In some countries, ISPs are legally required to log and retain DNS queries for extended periods.
How DNS over HTTPS and DNS over TLS Solve This
DNS over HTTPS (DoH) and DNS over TLS (DoT) are protocols that encrypt your DNS queries, preventing ISPs and other network observers from seeing which websites you’re looking up. Here’s how they differ:
DNS over TLS (DoT) encrypts DNS queries using the TLS protocol on a dedicated port (853). It’s efficient and designed specifically for DNS encryption.
DNS over HTTPS (DoH) wraps DNS queries inside regular HTTPS traffic on port 443, making them indistinguishable from other web traffic. This makes it harder to block and provides additional privacy.
Both protocols ensure that only you and your chosen DNS provider can see your DNS queries, not your ISP or anyone else monitoring your network.
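To make the difference concrete, here is an added example (not code from the article) that encodes one DNS question the way DoH (RFC 8484, GET form) and DoT (RFC 7858) each put it on the wire, and parses a constructed reply. The resolver hostname cloudflare-dns.com and the /dns-query path are assumptions, and SAMPLE_RESPONSE is constructed rather than captured.

```python
import base64
import struct
# Added example, not code from the article. Resolver hostname and the /dns-query
# path are assumptions; SAMPLE_RESPONSE below is constructed, not captured.

def build_query(name: str, qtype: int = 1) -> bytes:
    """Minimal DNS question for `name` (QTYPE 1 = A, 28 = AAAA); ID 0 as RFC 8484 suggests."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(name: str, resolver: str = "cloudflare-dns.com") -> str:
    """DoH GET: the query rides as an unpadded base64url 'dns' parameter in ordinary HTTPS on port 443."""
    dns = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"https://{resolver}/dns-query?dns={dns}"

def dot_frame(name: str) -> bytes:
    """DoT: the identical message behind a 2-byte length prefix, sent inside TLS on port 853."""
    msg = build_query(name)
    return struct.pack("!H", len(msg)) + msg

def _skip_name(buf: bytes, off: int) -> int:  # step over a name; a 0xC0 pointer ends it
    while buf[off] != 0:
        if buf[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + buf[off]
    return off + 1

def parse_a_records(response: bytes) -> list[str]:
    """Return IPv4 addresses from the answer section; raise on a non-zero RCODE."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    if flags & 0xF:
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):
        off = _skip_name(response, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(response, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in response[off:off + 4]))
        off += rdlen
    return addrs

SAMPLE_RESPONSE = (  # constructed reply to the example.com query: QR|RD|RA, one A record in the RFC 5737 range
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + build_query("example.com")[12:]  # question echoed back
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)
```

Note that the DoH URL carries the full query as a single parameter, which is why a network observer sees only an HTTPS request to the resolver, while the DoT frame is the classic TCP DNS framing wrapped in TLS.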
Setting Up DNS over HTTPS in Windows 11
Windows 11 has built-in support for DNS over HTTPS. Here’s how to enable it:
1. Open Settings by pressing Win + I, or by clicking the Start menu and selecting Settings.
2. Navigate to Network & Internet in the left sidebar.
3. Click on your active connection:
   - For Wi-Fi, click Wi-Fi, then Properties next to your network name.
   - For Ethernet, click Ethernet, then the name of your connection.
4. Scroll down to DNS server assignment and click Edit.
5. Change from “Automatic (DHCP)” to Manual.
6. Toggle on IPv4 (and IPv6 if you use it).
7. Enter a DNS provider that supports DNS over HTTPS:
   - Cloudflare: Preferred DNS 1.1.1.1, Alternate DNS 1.0.0.1
   - Google: Preferred DNS 8.8.8.8, Alternate DNS 8.8.4.4
   - Quad9: Preferred DNS 9.9.9.9, Alternate DNS 149.112.112.112
8. For each DNS server, set DNS over HTTPS to On (automatic template) or On (manual template).
9. Click Save.
Windows will now use encrypted DNS queries for all your internet traffic.
Setting Up DNS over TLS in Linux
Linux offers several methods to implement encrypted DNS. The most common approach is using systemd-resolved, which is available on most modern distributions.
Using systemd-resolved (Ubuntu, Debian, Fedora, etc.)
1. Edit the resolved configuration file:

   ```
   sudo nano /etc/systemd/resolved.conf
   ```

2. Add or modify these lines under the `[Resolve]` section:

   ```
   [Resolve]
   DNS=1.1.1.1 1.0.0.1
   DNSOverTLS=yes
   ```

3. Save the file (Ctrl+O, Enter, Ctrl+X in nano).
4. Restart the systemd-resolved service:

   ```
   sudo systemctl restart systemd-resolved
   ```

5. Verify the configuration:

   ```
   resolvectl status
   ```

   You should see your configured DNS servers and “DNS over TLS” showing as enabled.
Alternative: Using Stubby
For distributions without systemd-resolved or for more advanced configurations, you can use Stubby, a dedicated DNS privacy stub resolver.
1. Install Stubby:

   ```
   # Ubuntu/Debian
   sudo apt install stubby
   # Fedora
   sudo dnf install stubby
   # Arch Linux
   sudo pacman -S stubby
   ```

2. Edit the Stubby configuration:

   ```
   sudo nano /etc/stubby/stubby.yml
   ```

3. Configure your preferred DNS servers (the Cloudflare example is usually pre-configured, or add your preferred provider).
4. Enable and start Stubby:

   ```
   sudo systemctl enable stubby
   sudo systemctl start stubby
   ```

5. Configure your system to use Stubby by pointing your DNS to 127.0.0.1 in your network settings or by editing /etc/resolv.conf.
Important Considerations
While DNS over HTTPS and DNS over TLS significantly improve your privacy, keep these points in mind:
Your DNS provider can still see your queries. Choose a privacy-respecting provider with a clear privacy policy. Cloudflare, for example, commits to not selling your data and purging logs within 24 hours.
Your ISP can still see IP addresses you connect to, though they won’t immediately know which domain names those IPs correspond to. For complete privacy, you’d need to use a VPN alongside encrypted DNS.
Website names may still leak through Server Name Indication (SNI) in the TLS handshake, though newer technologies like Encrypted Client Hello (ECH) are addressing this.
Despite these limitations, enabling DNS over HTTPS or DNS over TLS is a straightforward step that meaningfully improves your online privacy by preventing your ISP from easily logging and monitoring your web browsing habits. It’s a simple configuration change that everyone should consider implementing.
