
Companies like Microsoft, Google, and Mozilla are pushing forward with DNS over HTTPS (DoH). This technology will encrypt DNS lookups, improving online privacy and security. But it's controversial: Comcast is lobbying against it. Here's what you need to know.

What Is DNS Over HTTPS?

The web has been pushing towards encrypting everything by default. At this point, most of the websites you access are likely using HTTPS encryption. Modern web browsers like Chrome now mark any sites using standard HTTP as "not secure." HTTP/3, the new version of the HTTP protocol, has encryption baked in.

This encryption ensures that no one can tamper with a web page while you're viewing it or snoop on what you're doing online. For example, if you connect to Wikipedia.org, the network operator---whether that's a business's public Wi-Fi hotspot or your ISP---can only see that you're connected to wikipedia.org. They can't see which article you're reading, and they can't modify a Wikipedia article in transit.

But, in the push towards encryption, DNS has been left behind. The domain name system makes it possible to connect to websites through their domain names rather than by using numerical IP addresses. You type a domain name like google.com, and your system will contact its configured DNS server to get the IP address associated with google.com. It will then connect to that IP address.

Performing a DNS lookup with the nslookup command on Windows 10.

Until now, these DNS lookups haven't been encrypted. When you connect to a website, your system fires off a request saying you're looking for the IP address associated with that domain. Anyone in between---possibly your ISP, but perhaps also just a public Wi-Fi hotspot logging traffic---could log which domains you're connecting to.

DNS over HTTPS closes this gap. With DNS over HTTPS enabled, your system makes a secure, encrypted connection to your DNS server and sends the request and receives the response over that connection. Anyone in between can't see which domain names you're looking up or tamper with the response.

Today, most people use the DNS servers provided by their internet service provider. However, there are many third-party DNS servers like Cloudflare's 1.1.1.1, Google Public DNS, and OpenDNS. These third-party providers are among the first to enable server-side support for DNS over HTTPS. To use DNS over HTTPS, you'll need both a DNS server and a client (like a web browser or operating system) that supports it.
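To make the mechanism concrete, here is an added example (not code from the original article or from any browser or DNS provider) of a minimal RFC 8484 DoH lookup in Python: it encodes a DNS question in the same wire format a plaintext UDP resolver would receive, POSTs it to the resolver over HTTPS, and parses the A records out of the answer. It assumes a resolver that accepts `application/dns-message` POST bodies at a `/dns-query` path; the Cloudflare and Google endpoint URLs are the ones those providers publish. The network call is only reached from `doh_lookup`; the encoder and parser run offline on a constructed response.

```python
"""DNS over HTTPS (RFC 8484): build a wire-format DNS query, send it over HTTPS,
and parse the answer. Added example, not the article's own code."""
from __future__ import annotations

import struct
import urllib.request

# Public DoH endpoints documented by the providers named in the article.
DOH_ENDPOINTS = {
    "cloudflare": "https://cloudflare-dns.com/dns-query",
    "google": "https://dns.google/dns-query",
}

TYPE_A = 1
CLASS_IN = 1


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0) -> bytes:
    """Encode a single-question DNS query exactly as it would go over UDP/53.

    RFC 8484 suggests a transaction ID of 0 so identical DoH queries are
    cacheable; the TLS session, not the ID, protects the exchange."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, CLASS_IN)


def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a (possibly compressed) domain name; return (name, next_offset)."""
    labels: list[str] = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_a_records(msg: bytes) -> list[str]:
    """Return IPv4 addresses from the answer section; [] on an error RCODE."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F != 0:  # non-zero RCODE, e.g. NXDOMAIN
        return []
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    addresses = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            addresses.append(".".join(str(b) for b in rdata))
    return addresses


def doh_lookup(name: str, endpoint: str = DOH_ENDPOINTS["cloudflare"]) -> list[str]:
    """POST the query over HTTPS (RFC 8484) and return the A records.

    An on-path observer sees only a TLS connection to the resolver host;
    the queried name travels inside the encrypted request body."""
    req = urllib.request.Request(
        endpoint,
        data=build_query(name),
        method="POST",
        headers={
            "Content-Type": "application/dns-message",
            "Accept": "application/dns-message",
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_a_records(resp.read())


if __name__ == "__main__":
    print(doh_lookup("example.com"))
```

The request body is byte-for-byte the same message a plaintext resolver would receive on UDP port 53; the only thing that changes is the transport, which is why the hotspot or ISP in the article loses visibility into the names but the resolver itself still sees every question.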


Who Will Support It?

Google and Mozilla are already testing DNS over HTTPS in Google Chrome and Mozilla Firefox. On November 17, 2019, Microsoft announced it would be adopting DNS over HTTPS in the Windows networking stack. This will ensure every application on Windows will get the benefits of DNS over HTTPS without being explicitly coded to support it.

Google says it will enable DoH by default for 1% of users starting in Chrome 79, expected for release on December 10, 2019. When that version is released, you'll also be able to go to chrome://flags/#dns-over-https to enable it.

Enabling secure DNS lookups via a Google Chrome flag.

Mozilla says it will enable DNS over HTTPS for everyone in 2019. In the current stable version of Firefox today, you can head to menu > Options > General, scroll down, and click "Settings" under Network Settings to find this option. Activate "Enable DNS over HTTPS."

Enabling DNS over HTTPS in Mozilla Firefox's network settings.

Apple hasn't yet commented on plans for DNS over HTTPS, but we expect the company to follow and implement support in iOS and macOS along with the rest of the industry.

It's not enabled by default for everyone yet, but DNS over HTTPS should make using the internet more private and secure once it's finished.

Why Is Comcast Lobbying Against It?

This doesn't sound very controversial so far, but it is. Comcast has apparently been lobbying Congress to stop Google from rolling out DNS over HTTPS.

In a presentation given to lawmakers and obtained by Motherboard, Comcast argues that Google is pursuing "unilateral plans" ("along with Mozilla") to activate DoH and "[centralize] a majority of worldwide DNS data with Google," which would "mark a fundamental shift in the decentralized nature of the Internet's architecture."

Much of this is, quite frankly, false. Mozilla's Marshall Erwin told Motherboard that "the slides overall are extremely misleading and inaccurate." In a blog post, Chrome product manager Kenji Baheux points out that Google Chrome will not be forcing anyone to change their DNS provider. Chrome will obey the system's current DNS provider---if it doesn't support DNS over HTTPS, Chrome won't use DNS over HTTPS.

And, in the time since, Microsoft has announced plans to support DoH at the Windows operating system level. With Microsoft, Google, and Mozilla embracing it, this is hardly a "unilateral" scheme from Google.

Some have theorized that Comcast doesn't like DoH because it would no longer be able to collect DNS lookup data. However, Comcast has promised it isn't spying on your DNS lookups. The company insists it supports encrypted DNS but wants a "collaborative, industry-wide solution" rather than "unilateral action." Comcast's messaging is messy---its arguments against DNS over HTTPS were clearly meant for lawmakers' eyes, not the public's.

How Will DNS Over HTTPS Work?

With Comcast's strange objections aside, let's take a look at how DNS over HTTPS will actually work. When DoH support goes live in Chrome, Chrome will use DNS over HTTPS only if the system's current DNS server supports it.

In other words, if you have Comcast as an internet service provider and Comcast refuses to support DoH, Chrome will work as it does today without encrypting your DNS lookups. If you have another DNS server configured---perhaps you've chosen Cloudflare DNS, Google Public DNS, or OpenDNS, or maybe your ISP's DNS servers do support DoH---Chrome will use encryption to talk to your current DNS server, automatically "upgrading" the connection. Users might choose to switch away from DNS providers that don't offer DoH---like Comcast's---but Chrome won't automatically do this.

This also means that any content-filtering solutions that use DNS won't be interrupted. If you use OpenDNS and configure certain websites to be blocked, Chrome will leave OpenDNS as your default DNS server, and nothing will change.

Firefox works a bit differently. Mozilla has chosen to go with Cloudflare as Firefox's encrypted DNS provider in the US. Even if you have a different DNS server configured, Firefox will send your DNS requests to Cloudflare's 1.1.1.1 DNS server. Firefox will let you disable this or use a custom encrypted DNS provider, but Cloudflare will be the default.

Microsoft says DNS over HTTPS in Windows 10 will work similarly to Chrome. Windows 10 will obey your default DNS server and only enable DoH if your DNS server of choice supports it. However, Microsoft says it will guide "privacy-minded Windows users and administrators" to DNS server settings.

Windows 10 might encourage you to switch DNS servers to one that's secured with DoH, but Microsoft says Windows won't make the switch for you.