Even though you may think your web browsing is safe from prying eyes, there’s one actor who by default can see every site you go to. That’s where DNS over HTTPS comes in.
SSL
In a previous post, I talked about what SSL is, and why you need it. But even normal SSL (today's version is called TLS) can't hide everything from your Internet Service Provider (ISP).
While SSL encrypts and protects your web traffic between, say, you and your bank, it doesn't prevent your ISP from seeing that you visited your bank's website.
DNS
Every website on the internet has an address, called an "IP address". There are two standards for IP addresses:
IPv4, introduced in the early 80s, uses a 32-bit address written as four numbers from 0 to 255 (for example 192.0.2.1), which gives 4,294,967,296 possible addresses. In today's internet, that's not enough.
IPv6, which became a full Internet Standard in 2017, uses 128-bit addresses (0123:4567:89ab:cdef:0123:4567:89ab:cdef). That's 340,282,366,920,938,463,463,374,607,431,768,211,456 possible addresses.
But we as users don't pay attention to those addresses. Instead, we use an easier to recognize name, called a "domain name", like "amazon.com". (The full address in your browser bar, such as https://amazon.com/, is the URL; the domain name inside it is the part that matters here.)
That's where the Domain Name System (DNS) comes in. Basically, DNS is a huge internet phonebook (kids, ask your grandparents) that maps a domain name to its IP address. The server that does the lookup on your behalf is called a resolver, and by default it's the one your ISP hands you.
The DNS process
When you type in (or click a link for) Amazon, your browser first asks its DNS resolver, normally the one your ISP assigned, for amazon.com's IP address. The resolver looks it up and sends the address back; only then does your browser open a connection to Amazon's web server. That's where SSL comes in: your browser and their server negotiate a secret key, and everything after that is encrypted.
Your ISP
But that first step, the DNS lookup, goes through your ISP before any encryption has been negotiated, so the name of the site you asked for is wide open for anyone to see. The same goes for anyone snooping on you on public Wi-Fi, like a coffee shop.
DNS over HTTPS seeks to change that, but you might have to enable it first.
DNS over HTTPS
With DNS over HTTPS (DoH) enabled, your browser sends its DNS lookups to a DoH resolver inside an ordinary HTTPS connection. The query is encrypted on your device before it leaves, and only the resolver can read it, so your ISP, or any other snooper on the path, can't see which website you asked for.
All your ISP sees is that you sent some HTTPS traffic to the resolver. It isn't invisibility, though: your ISP still sees the IP address your browser connects to afterwards, and the hostname is usually still sent in the clear in the first TLS handshake message (the SNI) unless your browser also supports Encrypted Client Hello. DoH closes the DNS leak, not every leak.
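To make the two paths concrete, here is an added example in Python (my code, not from the original post or from any browser or resolver vendor). It builds the same wire-format DNS query a browser sends, shows what a snooper on plain port 53 reads out of it, and wraps those same bytes in the GET and POST forms a DoH client uses (RFC 8484). The endpoint is Cloudflare's real DoH URL; the response bytes are constructed inline, not captured, so everything runs offline. `doh_post` is the only function that touches the network and is optional.

```python
import base64
import struct

# Real RFC 8484 endpoint for Cloudflare's 1.1.1.1 resolver; any DoH resolver works the same way.
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"


def encode_name(name: str) -> bytes:
    """Encode "www.example.com" as length-prefixed labels (3 'www', 7 'example', 3 'com', 0)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Wire-format DNS query (RFC 1035): 12-byte header plus one question.

    These exact bytes travel over UDP port 53 in the clear with classic DNS, or
    inside TLS with DoH. txid=0 is what RFC 8484 recommends for DoH so that
    identical queries produce identical, cacheable HTTP requests.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN


def read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name at off; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    for _ in range(128):  # bound the loop so a malicious pointer cycle can't hang us
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier copy of the name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        if length == 0:
            return ".".join(labels), (end if jumped else off + 1)
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    raise ValueError("name too long or pointer loop")


def question_name(msg: bytes) -> str:
    """What a passive observer of plain port-53 traffic learns from one packet: the QNAME."""
    name, _ = read_name(msg, 12)
    return name


def parse_a_records(msg: bytes) -> list:
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def doh_get_url(query: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """RFC 8484 GET form: the query bytes, base64url-encoded with padding stripped.

    The domain name is still inside this URL, but the URL travels inside TLS,
    so the ISP only sees a connection to the resolver, not what was asked.
    """
    enc = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return "%s?dns=%s" % (endpoint, enc)


def doh_post_headers(query: bytes) -> dict:
    """Headers for the RFC 8484 POST form; the body is the raw query bytes."""
    return {"Content-Type": "application/dns-message",
            "Accept": "application/dns-message",
            "Content-Length": str(len(query))}


def constructed_response(query: bytes) -> bytes:
    """Constructed (not captured) response answering `query` with 192.0.2.1 (TEST-NET-1)."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set; one answer
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + answer  # echo the question; the answer name points back at it


def doh_post(query: bytes, host: str = "cloudflare-dns.com", path: str = "/dns-query") -> bytes:
    """Optional live lookup (needs network): POST the query to a real DoH resolver over HTTPS."""
    import http.client
    conn = http.client.HTTPSConnection(host, timeout=5)
    conn.request("POST", path, body=query, headers=doh_post_headers(query))
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    if resp.status != 200:
        raise RuntimeError("DoH resolver returned HTTP %d" % resp.status)
    return body


if __name__ == "__main__":
    q = build_query("example.com")
    print("snooper on port 53 sees:", question_name(q))
    print("DoH GET request:", doh_get_url(q))
    print("addresses in constructed reply:", parse_a_records(constructed_response(q)))
```

Running it offline prints the domain a port-53 snooper would read and the DoH URL carrying the same bytes; the GET URL for example.com matches the worked example in RFC 8484 exactly. To see a live answer, call `parse_a_records(doh_post(build_query("example.com")))`, which is a real DoH exchange with Cloudflare's resolver.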
Web Browsers
Firefox turns DNS over HTTPS on by default for users in some regions (the US came first). Chrome, Edge and Brave switch to DoH automatically only if the resolver you already use supports it; otherwise you have to pick a provider under their "Secure DNS" setting. Safari has no setting of its own and relies on what the operating system is configured to do. This post from Cloudflare (which runs the 1.1.1.1 resolver) explains how.
If you're on Android, go to Settings / Network & internet / Private DNS. Note that Android's Private DNS uses DNS over TLS, a sibling of DoH that encrypts the lookup the same way. "Automatic" only encrypts if your current resolver (usually your ISP's) supports it; to be sure, choose "Private DNS provider hostname" and enter one, such as one.one.one.one for Cloudflare.
For you folks on iPhones, it's a little harder: iOS has no switch for it, so you install a configuration profile or an app that sets the encrypted resolver for you. This post, again from Cloudflare, explains how to implement it.
Sad to say, but privacy and security are in your hands. Don't depend on your ISP to protect your privacy.