Even if you are visiting a site using HTTPS, your DNS query is sent over an unencrypted connection. That means that even if you are browsing https://cloudtrust.solutions, anyone listening to packets on the network knows you are attempting to visit cloudtrust.solutions.
The second problem with unencrypted DNS is that it is easy for a Man-In-The-Middle to change DNS answers to route unsuspecting visitors to their phishing, malware or surveillance site. DNSSEC solves this problem as well by providing a mechanism to check the validity of a DNS answer, but only a single-digit percentage of domains use DNSSEC.
To prevent this problem, CloudTrust offers DNS resolution over an HTTPS endpoint. If you build a mobile application, browser, operating system, IoT device or router, you can choose for your users to use the DNS over HTTPS endpoint instead of sending DNS queries over plaintext for increased security and privacy of your users.
CloudTrust DoH works just like a normal DNS request, except that it uses Transmission Control Protocol (TCP) to transmit and receive queries. Both requests take a domain name that a user types into their browser and send a query to a DNS server to learn the numerical IP address of the web server hosting that site. The key difference is that CloudTrust DoH takes the DNS query and sends it to a DoH-compatible DNS server – resolver – via an encrypted HTTPS connection on port 443, rather than plaintext on port 53.
CloudTrust public DNS provides the following distinct DoH APIs at these endpoints:
-
https://dns.cloudtrust.solutions/dns-query – RFC 8484 (POST)
-
https://dns.cloudtrust.solutions/resolve? – JSON API (GET)
CloudTrust DoH DNS stamps encode all the parameters required to connect to a secure DNS server as a single string.
Protocol - DNS-over-HTTPS (DoH)
https://dns.cloudtrust.solutions/dns-query
Protocol - Oblivious DoH target
sdns://BQcAAAAAAAAAGGRucy5jbG91ZHRydXN0LnNvbHV0aW9ucwlkbnMtcXVlcnk
DNSSEC
No filter
No logs
Protocol - Oblivious DoH relay
sdns://hQcAAAAAAAAADzIwNy4xNTQuMjM4LjE1NAAYZG5zLmNsb3VkdHJ1c3Quc29sdXRpb25zCi9kbnMtcXVlcnk
No logs
Protocol - DNS-over-HTTPS (DoH)
IPv4 stamp
sdns://AgcAAAAAAAAADzIwNy4xNTQuMjM4LjE1NAAYZG5zLmNsb3VkdHJ1c3Quc29sdXRpb25zCi9kbnMtcXVlcnk
DNSSEC
No filter
No logs
IPv6 stamp
sdns://AgcAAAAAAAAAFFs2NDpmZjliOjpjZjlhOmVlOWFdABhkbnMuY2xvdWR0cnVzdC5zb2x1dGlvbnMKL2Rucy1xdWVyeQ
DNSSEC
No filter
No logs
CloudTrust public DNS does not support insecure http: URLs for API calls. No authentication is required to send requests to this API. CloudTrust's DNS over HTTPS resolver supports TLS 1.2 and TLS 1.3.
The POST method is only supported for the RFC 8484 API and uses a binary DNS message with Content-Type application/dns-message in the request body and in the DoH HTTP response.
GDPR and CloudTrust DoH
CloudTrust supports the GDPR and all CloudTrust services – including DNS over HTTPS service, is provided by Europe Region – comply with its provisions. Not only is the GDPR an important step in protecting the fundamental right of privacy for European citizens, it has raised the bar for data protection, security and compliance in the industry.
Using HTTPS DoH, not just TLS encryption, has some practical benefits
- Widely available and well-supported HTTPS APIs simplify implementation for both CloudTrust public DNS itself and potential clients.
- An HTTPS service provides web apps with access to all DNS record types, avoiding the limitations of existing browser and OS DNS APIs, which generally support only host-to-address lookups.
- Clients that implement QUIC UDP-based HTTPS support can avoid problems like head-of-line blocking that can occur when using TCP transport.
Use RFC 8484 POST only for privacy sensitive applications or browser modes. Using POST for DoH queries reduces the cacheability of responses and can increase DNS latency, so it is not generally recommended. However, reducing caching is probably desirable for privacy sensitive applications, and might protect against timing attacks from web apps trying to determine what domains the user has visited lately.
Protect your DNS traffic with DoH
Keep your DNS queries private by using DNS over HTTPS (DoH) in supporting web browsers. Your browser's DNS traffic becomes encrypted to remain private and unmodified.
Details and instructions are available from
Mozilla. This setting can be found in other browsers in the same way as in Google Chrome, Opera and Microsoft Edge.
Keep your DNS queries private by using DNS over HTTPS (DoH) in supporting OS, operating systems. Your OS's DNS traffic becomes encrypted to remain private and unmodified.
Microsoft lets you enable DNS over HTTPS (DoH) system-wide, for all Windows applications – DohWellKnownServers CloudTrust Template is: https://dns.cloudtrust.solutions/dns-query. Apple's iOS 14 and macOS 11 support both DoH and DoT protocols.
Application operations, DevOps
In the case where a Cloud service provider hosts a solution implemented in a micro-service architecture, for example, and this service needs to communicate with external service points not under its own control, we have to face the risk of misuse of a DNS redirect. No matter how thorough the design and implementation, even if we have created a logical and physical system design, the trust of the DNS databases is important. We need to be prepared for such cases and scenarios when designing the application and have a dedicated or trusted DNS resolution service in the live infrastructure, as well as use an HTTPS based DNS query mechanism in our application or for the operating systems/containers used.
Related network resources and solutions