DNS over HTTPS (DoH) is a protocol used to encrypt the data in the queries that perform remote Domain Name System (DNS) resolution. By using the HTTPS protocol to encrypt traffic between the device running the DoH client and the DoH-based DNS resolver, this method aims to prevent eavesdropping and manipulation of DNS data by man-in-the-middle attacks, as well as other misuse of confidential user data.
DNS over HTTPS was initially proposed by the Internet Engineering Task Force (IETF) in late 2018 following rising concerns over malicious attacks on networks and subscribers using the DNS. Previously, DNS queries had been made in plain text from an app to the recursive DNS server using DNS settings provided by an internet service provider or other network provider. With DoH, DNS queries are disguised as regular HTTPS traffic and sent to special DoH-capable DNS servers (called DoH resolvers). The query is resolved inside a DoH request, and the reply to the user is encrypted as well.
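To make the difference between a plain-text query and a DoH request concrete, the following added example (not from A10 Networks or the original page) builds the same DNS question both ways, using the GET encoding defined in RFC 8484. The `/dns-query` path is an assumed resolver endpoint, and no network traffic is sent.

```python
import base64
import struct

QTYPE_A = 1  # DNS record type A (IPv4 address)

def build_query(name, qtype=QTYPE_A):
    """DNS query in wire format. ID is 0, which RFC 8484 recommends for HTTP caching."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1, one question
    qname = b"".join(
        bytes([len(label)]) + label
        for label in name.rstrip(".").encode("ascii").split(b".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN

def doh_get_target(query, path="/dns-query"):
    """Request target for a DoH GET: base64url of the message, padding stripped.
    The path is an assumption; each resolver publishes its own URI."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{path}?dns={b64}"

def decode_doh_param(value):
    """Resolver side: restore the stripped padding and decode the dns= value."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

def parse_question(message):
    """Recover (name, qtype) from the first question of a DNS message."""
    labels, pos = [], 12  # the DNS header is 12 bytes
    while message[pos] != 0:
        length = message[pos]
        labels.append(message[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", message[pos + 1:pos + 5])
    return ".".join(labels), qtype

if __name__ == "__main__":
    query = build_query("www.example.com")  # constructed sample name
    target = doh_get_target(query)
    # Classic DNS: these bytes cross the network readable by any on-path observer.
    print("UDP/53 payload:", query.hex())
    # DoH: the same bytes travel inside the TLS-protected HTTP request.
    print("DoH request   : GET", target)
    print("resolver sees :", parse_question(decode_doh_param(target.split("dns=")[1])))
```

An on-path observer of the DoH variant sees only a TLS connection to the resolver's address, which is why network operators lose visibility into queries sent to third-party resolvers.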
Following its introduction, some concerns have been raised about DNS over HTTPS. ISPs see a risk of being cut out of the resolution process by third-party DNS providers, which would make it more difficult to ensure quality of service and provide some value-added services such as parental controls and anti-malware. The use of a different DNS resolver might also introduce increased latency. Still, DNS over HTTPS does appear to address customer concerns about malware, intrusions, data theft, and privacy.
To allow operators to take advantage of the opportunities offered by DNS over HTTPS, A10 Networks has developed a DNS security solution using the A10 Networks Thunder® Convergent Firewall (CFW) that allows ISPs to provide DNS over HTTPS services without disrupting their existing DNS infrastructure or investments. The solution helps the carrier ensure the continuity of its existing value-added services and maintain control of service quality.
A10 Networks offers DNS over HTTPS (DoH) natively through its Thunder® CFW for organizations that want to offer this capability to their subscribers. As demonstrated by service provider production use, the solution can handle the scale and DNS security requirements that DoH will deliver.