DNS over HTTPS, DNS over TLS explained: Encrypting DNS traffic

DoT and DoH encrypt DNS traffic between a client and its resolver, adding the confidentiality that DNSSEC lacks, but each has trade-offs.

[Image: padlock (Alpesh Ambalal Patel / Getty Images)]

As the backbone of the internet, the Domain Name System (DNS) protocol has undergone a series of improvements and enhancements over the years. The lack of stringent protections in the original DNS specification, and the discovery of weaknesses over time such as the 2008 Kaminsky cache-poisoning bug, drove the adoption of the Domain Name System Security Extensions (DNSSEC): the current specification dates from 2005 (RFCs 4033 to 4035), and the root zone was signed in 2010.

DNSSEC adds cryptographic protection through digital signatures, so that validating resolvers anywhere in the world can verify that a DNS response originated from the zone's authoritative servers and was not altered in transit.

If DNSSEC already provides this security, some readers may wonder, why are DNS over HTTPS and DNS over TLS needed?

DNSSEC ensures only the authenticity and integrity of DNS responses; it does not provide privacy, because signed responses still travel in cleartext. DNS over TLS (DoT, RFC 7858, on TCP port 853) and DNS over HTTPS (DoH, RFC 8484, on port 443) encrypt the DNS traffic between a client and its recursive resolver, giving that hop the same TLS protection that web traffic to HTTPS sites enjoys. Note the scope: the resolver still sees every query in the clear, and queries from the resolver to authoritative servers are typically still unencrypted, so DoH and DoT protect against on-path observers of the client, not against the resolver operator.
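The following is an added example, not code from the original article, showing what "encrypting DNS" changes on the wire: the same RFC 1035 query is framed for DoT (a two-byte length prefix inside a TLS session on port 853) and for DoH (base64url in a GET parameter or a raw POST body with the `application/dns-message` media type), and a minimal parser checks a response. The resolver URL `dns.example`, the query name and the response bytes are constructed sample data; `send_dot` is the one online path and is not called by default.

```python
"""Added example: one DNS query framed for DoT (RFC 7858) and DoH (RFC 8484),
plus a minimal response parser. Runs offline on constructed sample data."""
import base64
import socket
import ssl
import struct

RESOLVER_URL = "https://dns.example/dns-query"  # hypothetical DoH endpoint
DOT_PORT = 853                                   # RFC 7858 well-known port
MEDIA_TYPE = "application/dns-message"           # RFC 8484 media type


def build_query(name, qtype=1, txid=0x1234):
    """Serialise a standard RFC 1035 query: RD=1, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def decode_qname(msg, off=12):
    """Read the name at `off`, following compression pointers. This is what
    the resolver (or an observer of plain UDP/53) can read from the message."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels)
        if length & 0xC0 == 0xC0:                 # pointer: 2 bytes, terminal
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            return ".".join(labels + [decode_qname(msg, ptr)])
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def _skip_name(msg, off):
    """Advance past a (possibly compressed) name without decoding it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def dot_frame(query):
    """DoT reuses DNS-over-TCP framing: a 2-octet big-endian length prefix.
    The DNS message itself is unchanged; only the TLS session hides it."""
    return struct.pack("!H", len(query)) + query


def send_dot(server, query, port=DOT_PORT):
    """Online path (not exercised offline): authenticate the resolver with the
    system trust store, then exchange one framed message over TLS."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(dot_frame(query))
            (length,) = struct.unpack("!H", tls.recv(2))
            return tls.recv(length)


def doh_get_url(query, resolver_url=RESOLVER_URL):
    """DoH GET form: the message base64url-encoded with padding stripped."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={dns}"


def doh_decode_dns_param(url):
    """Server side of the GET form: re-pad and decode the `dns` parameter."""
    dns = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(dns + "=" * (-len(dns) % 4))


def doh_post(query):
    """DoH POST form: raw message body, DoH media type in the headers."""
    return {"Content-Type": MEDIA_TYPE, "Accept": MEDIA_TYPE}, query


def parse_a_records(response, expected_txid):
    """Return A-record addresses after checking this is a successful response
    to our query (ID match, QR=1, RCODE=0)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", response, 0)
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    if flags & 0x000F:
        raise ValueError(f"RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):                           # skip the echoed question(s)
        off = _skip_name(response, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(response, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", response, off)
        off += 10
        rdata = response[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


# Constructed sample response: ID 0x1234, QR/RD/RA set, one A record for
# example.com in the TEST-NET-1 range, owner name compressed to 0xC00C.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print("resolver still sees:", decode_qname(q))
    print("DoT framed bytes   :", dot_frame(q).hex())
    print("DoH GET            :", doh_get_url(q))
    print("answer             :", parse_a_records(SAMPLE_RESPONSE, 0x1234))
```

Two things worth noticing when running it: the bytes inside the DoT frame and the DoH body are byte-for-byte the plain DNS message, so confidentiality comes entirely from the TLS session around them, and `decode_qname` shows that whoever terminates that TLS session, that is the resolver, still reads the name in full.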

What is DNS over HTTPS?
