SAM DoH Solution
SAM is a DoH-enabled security solution with several offerings to support the needs of ISPs. We prioritize users' privacy while protecting against DNS attacks, and still allow security and content filtering for all connected devices, including IoT devices, filtering that browsers deploying DoH are currently restricting.
- SAM’s gateway-embedded agent encrypts DNS traffic from the router to the internet using DoH, while devices on the LAN keep using the router as their DNS server. This encrypts all DNS queries leaving the network, while still allowing the ISP to inspect the data it needs and enforcing DNS encryption for every device.
- SAM’s DoH server, which provides parental controls, anti-phishing and ad blocking without requiring SAM endpoint software. It can be deployed alongside an ISP’s existing DNS or DoH server, or hosted in the cloud.
- Letting users keep their browser’s own DoH settings, with SAM inspecting non-DNS traffic (e.g. the TLS SNI) to still apply advanced security policies that prevent cyber-security attacks.
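The first offering above is a gateway that speaks plain DNS to the LAN and DoH (RFC 8484) to the internet. The following is an added example illustrating that pattern; it is not SAM’s code. The upstream URL `doh.example.net` is a placeholder, the transport is injected so the example runs offline, and the response address 203.0.113.10 is a constructed sample. The forwarder zeroes the transaction ID on the upstream side (RFC 8484 recommends this so GET URLs are cacheable) and restores the client's ID on the way back.

```python
"""Added example (not SAM's code): a minimal gateway-side DNS-to-DoH forwarder."""
import base64
import struct
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

UPSTREAM_DOH_URL = "https://doh.example.net/dns-query"  # placeholder upstream (assumption)


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a DNS wire-format query: RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_request(wire: bytes, url: str = UPSTREAM_DOH_URL) -> Dict[str, str]:
    """Wrap a wire-format query as an RFC 8484 GET (base64url, padding stripped)."""
    encoded = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return {"method": "GET", "url": f"{url}?dns={encoded}", "accept": "application/dns-message"}


def parse_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a (possibly compressed) DNS name; return (name, offset after it)."""
    labels: List[str] = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = parse_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_a_records(msg: bytes) -> List[str]:
    """Return the IPv4 addresses in the answer section of a wire-format response."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = parse_name(msg, off)
        off += 4  # qtype + qclass
    addrs: List[str] = []
    for _ in range(an):
        _, off = parse_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def build_a_response(query: bytes, addrs: List[str], ttl: int = 300) -> bytes:
    """Construct an answer to `query` (stands in for the real upstream resolver offline)."""
    _, off = parse_name(query, 12)
    question = query[12:off + 4]
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, len(addrs), 0, 0)  # QR, RD, RA, NOERROR
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(x) for x in a.split("."))
        for a in addrs)
    return header + question + answers


class DohForwarder:
    """Gateway loop: plaintext DNS in from the LAN, DoH out to the upstream."""

    def __init__(self, transport: Callable[[Dict[str, str]], bytes], url: str = UPSTREAM_DOH_URL):
        self.transport = transport  # sends the HTTP request, returns the DNS response body
        self.url = url

    def handle(self, lan_query: bytes) -> bytes:
        client_id = lan_query[:2]
        upstream_query = b"\x00\x00" + lan_query[2:]  # ID 0: cache-friendly GET per RFC 8484 4.1
        response = self.transport(doh_get_request(upstream_query, self.url))
        return client_id + response[2:]  # hand the client back its own transaction ID


def demo() -> Dict[str, object]:
    """Run one query through the forwarder against a constructed fake upstream."""
    def fake_upstream(request: Dict[str, str]) -> bytes:
        encoded = parse_qs(urlsplit(request["url"]).query)["dns"][0]
        wire = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
        return build_a_response(wire, ["203.0.113.10"])  # constructed sample address

    reply = DohForwarder(fake_upstream).handle(build_query("www.example.com", txid=0xBEEF))
    return {"txid": struct.unpack("!H", reply[:2])[0], "addrs": parse_a_records(reply)}


if __name__ == "__main__":
    print(demo())
```

Replacing `fake_upstream` with an HTTPS client that sends the returned request and reads the `application/dns-message` body is all that separates this from a working forwarder; the LAN side would be a UDP socket on port 53 calling `handle` per datagram.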
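The third offering relies on inspecting non-DNS traffic such as the TLS SNI when the browser's own DoH bypasses the resolver. The following is an added example of how an inline filter would pull the server name out of a ClientHello and apply a policy; it is not SAM’s code. The ClientHello is constructed in the example so it runs offline, and the blocklist entries are sample values.

```python
"""Added example (not SAM's code): extract the TLS SNI from a ClientHello and apply a policy."""
import struct
from typing import Iterable, Optional


def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS 1.2/1.3-style ClientHello record carrying `sni` (test input)."""
    name = sni.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name           # host_name entry
    sni_ext = struct.pack("!HHH", 0x0000, len(server_name) + 2, len(server_name)) + server_name
    other_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"          # supported_versions, skipped by the parser
    exts = other_ext + sni_ext
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                         # legacy_version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                         # one cipher suite
            + b"\x01\x00"                                                # one compression method (null)
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a TLS ClientHello record, or None if absent/not a ClientHello."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None                                   # not a TLS handshake record
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None                                   # not a ClientHello
        off = 4 + 2 + 32                                  # handshake header, legacy_version, random
        off += 1 + hs[off]                                # session id
        off += 2 + struct.unpack("!H", hs[off:off + 2])[0]  # cipher suites
        off += 1 + hs[off]                                # compression methods
        if off + 2 > len(hs):
            return None                                   # no extensions block at all
        ext_len = struct.unpack("!H", hs[off:off + 2])[0]
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[off:off + 4])
            data, off = hs[off + 4:off + 4 + elen], off + 4 + elen
            if etype != 0x0000:
                continue                                  # not server_name
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:                            # host_name
                    return data[p:p + nlen].decode("ascii", "replace")
                p += nlen
        return None
    except (IndexError, struct.error):
        return None                                       # truncated or malformed: fail closed to "unknown"


def policy_decision(record: bytes, blocklist: Iterable[str]) -> str:
    """Classify a ClientHello as 'block', 'allow' or 'no-sni' using a domain-suffix blocklist."""
    host = extract_sni(record)
    if host is None:
        return "no-sni"
    host = host.lower().rstrip(".")
    for d in blocklist:
        d = d.lower().rstrip(".")
        if host == d or host.endswith("." + d):
            return "block"
    return "allow"


if __name__ == "__main__":
    sample_blocklist = ["ads.example", "phish.example"]                  # constructed sample entries
    for name in ("www.example.com", "cdn.ads.example"):
        print(name, policy_decision(build_client_hello(name), sample_blocklist))
```

Because the parser only reads the first record, a real filter has to reassemble the TCP stream up to the end of the ClientHello, and where the client uses Encrypted Client Hello the outer SNI no longer names the real destination, so the `no-sni` path is the one to design the policy around.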
Why ISPs are concerned with DoH
- Compliance with data regulations and laws related to criminal investigations (the UK is one example)
- Troubleshooting: if a client has DNS issues or experiences increased latency but uses a DNS server not owned by the ISP, the ISP is left blind and cannot help
- Management: if every device, OS or application chooses its DNS server in a different way, it is no longer easy to provide parental control or content filtering as a zero-configuration service operated by the ISP; every device then needs some endpoint-side solution that has to be developed and installed on the endpoint
- DNS is unencrypted and UDP-based, so resolution keeps less state in the DNS server’s memory and needs fewer CPU operations than the new encrypted, TCP-based protocols; a DoH server is harder and more expensive to scale, especially because an ISP’s DNS servers need to be geographically close to its users and cannot be moved to the cloud if the cloud provider has no nearby datacenter
- Increased load on the ISP’s uplink, because DNS traffic is now routed out to the internet instead of being handled inside the ISP’s network by the ISP’s own DNS server
- Centralization: normally devices use their ISP’s DNS server, but if all devices across different ISPs start using the same DNS server, that DNS provider holds more data than anyone else
- If the industry reaches consensus around DoH rather than DoT, the ISP loses the option of dropping encrypted DNS traffic to force applications that choose between DNS/DoH/DoT to fall back to plain DNS, because DoH looks just like HTTPS (same port, etc.); the major browsers favor DoH