Blog - Future Feature - DNS Over HTTPs
This is the first in our Future Feature series where we look at features that are in development. In this blog post I will look at an exciting new feature to support DNS over HTTPs.
First what is DNS over HTTPs?
DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks. .
- From Wikipedia
So how will Refract DNS help you secure your DNS requests?
The DoH feature in Refract DNS will allow you to redirect UDP and TCP DNS requests to DNS over HTTPs. When an application makes a UDP or TCP DNS request Refract DNS process this request and then contacts the upstream DNS server.
DNS requests from the applications on your computer are now secured and can't be seen by those who migth be sat in the middle.
Additionally if there is a problem with the HTTPs certificate Refract DNS will warn you and stop using the that upstream DNS server until a secure connection can be re-establish:
HTTPs or UDP?
It maybe not possible to serve all DNS requests over DoH. For example, maybe you are using Refract DNS within a corporate environment with an internal DNS server that does not support DoH. Therefore you need to server internal domain requests over UDP. Refract DNS supports this by allowing you to exclude domains from DoH:
When adding exclusion records you can makes use any combination of wildcard, regex and absolute domain configurations.
Internally Refract DNS will forward the request to the appropriate upsteam DNS server.
This allows you to use Refract DNS with both newer HTTPs DNS servers and legacy UDP/TCP servers.
Blacklisting and overrides still work with DoH allowing you to retain full control of how DNS entries are resolved.
The Refract DNS Log has been update to indicate which domains are being served over DoH making it easy for you to check your configuration:
This feature will be in the next release of Refract DNS (Version 1.5).
Mike - February 2019