• BolexForSoup@kbin.social
        8 months ago

        Hey there, I have lately been trying to better understand how privacy/my network works. I’m kind of right at that line where the next barrier gets pretty technical. I think I have a decent understanding of DoH, but I know it hasn’t quite clicked for me yet. How would you describe it? (I’m assuming that is an acronym for DNS over HTTP?)

        • ReversalHatchery@beehaw.org
          8 months ago

          Yes, or more precisely it’s DNS over HTTPS.
          The S at the end stands for Secure, but technically it means that it is HTTP inside TLS. TLS encrypts the traffic, and verifies server responses to be authentic.
          HTTP and HTTPS are most often used by websites, but there are many more common uses of them.

          When a program - like Firefox - uses DoH to resolve domain names (that is, find their corresponding IP addresses; a name can have multiple), then instead of asking the DNS server that was configured in the operating system (often set automatically by your router’s “advisory”, through DHCP) over a clear-text channel that is prone to inspection and manipulation, it asks a DNS server that communicates over HTTPS, just like web servers do.
          By doing this, domain name lookups have the protection of TLS, and they look as if you had just visited a website. It’s harder* to find out which server that request was sent to and what the purpose of that request was, and since the content of the request is encrypted, and the response is encrypted and signed just as when visiting a website, it’s harder for an outside observer to see what was being done, including which website’s IP you looked up, and it’s harder for them to modify this response.

          DoH servers to be used may be set up with an IP address if that is fixed and never changes, or through a domain name. If you only have the domain name of a DoH server, then you can’t contact it yet; first you have to look up its IP address using either another DoH server whose address is fixed or whose current address is known, or a plain DNS server.

          • BolexForSoup@kbin.social
            8 months ago

            This is really helpful thank you. Definitely somewhere between “I kind of get it” and “I understand some of these words,” but I think with a little term research and some pondering this will click better. Appreciate your taking the time to break it down!