Perfect Content and clear explanation! Kudos to you! Please make more of this kinds of technical/conceptual videos related to security topics which are a great help for other IT/Network enthusiastic individuals such as myself!
@@christianlempa consulta cual de los dos es es mejor usar cual recomiendas usar solo dime uno dot o doh cual uso ya que uno de los dos es mejor y lleva la ventaja cual me recomiendas usar para ponerlo en todos mis dispositivos responder lo antes posible porfavor.
My main use case for DNS over TLS OR HTTPS is to prevent my ISP from using things like Transparent DNS proxies to reroute or tamper with my request. Something about them quietly rerouting my DNS request just feel violating you know.
@@christianlempa I think Christian’s question was “how would my internet provider be able to process my searches if they are unable to view my searches” 🤔
You are addressing HALF of the problem : the "question" (request). What about the "reply" ? What is the packet configuration of the reply ? Does it contain your IP address (in clear) and the IP address of the encrypted url (in clear) ? If so, then... you aren't "protected" since your ISP can reverse lookup the DNS contained in the "reply" packet ! No ?
@@benoit.gerin-lajoie it's encrypted both ways as seen in this very video. The response he showed in wireshark was also encrypted with TLS. But don't think this hides the sites you visit from your ISP. Your device is then connecting to the site and your ISP is the one that routes it.
10:00 Is that really true? You can't do DNS filtering with DoH?? In firefox/mullvad you can enable DoH with a custom DNS provider, which may have ad-blocking capabilities. Isn't this just filtering the dns requests?
The problem is when you send DoH traffic to a DNS provider and the firewall in between doesn't handle the requests. You can, of course, send the traffic to the firewall, but the problem is most browsers have default settings to send DNS requests to a DoH provider (regardless of the OS network settings).
Hello Christian, a question; I use Stubby dns on Linux mint, and when using Firefox or LibreWolf after logging in, they do not load, they do not open a first connection; I am forced to go to networks, disconnect and reconnect from the network, and NOW, suddenly they load and no longer fail during the session.... Could anyone tell me why? Thank you so much.
How does the performance impact look here? DNS under 512 bytes is a UDP query, super fast. Most machines cache the results locally, but resolvers usually don't cache. They may have to take more burden of responding to users queries by encrypting, decrypting, additional payload etc., Also I'm not sure if bind daemon supports these protocols as it's widely used.
Thanks for the knowledge. So these techniques still need to be supported by the hosters/sites to make it fully encrypted? I am just wondering if its really better to send the dns query via cloud based providers instead of „trusting/rely“ on your ISP. Probably depends on the country and their laws
I did a video about "7 amazing network engineer tools" where wireshark was one of them, that could be interesting for you 😉. However, if more people are requesting I consider making a short series about it.
Greeting, hope help me. 1- i set my machine network(i donot do any change for router only change my machine) to use "1.0.0.2 & 1.1.1.2" as dns server, they belong to cloudfloar. 2- is that mean all my machine dns quire encrypted (dns over https)? 3- when i go to cloudfloar test page the results was i do not use dns over https. Also when activate the dns over https in Firefox the results was "we do not know if you use dns over https or not". 4- there's any steps i should do beside set machine network to use clodfloar dns server, to be sure i use dns over https? Thanks in advance
Wouldn’t encrypting your queries with DOH or DOT also protect you from the dns provider itself? I understand that Cloudfare, Nextguard, etc claim not to keep logs but can they initially see all of our traffic?
@@contenteater At some point, they need to be unencrypted: someone must be able to answer the DNS query, or otherwise you won't get a response at all and URLs stop working. This unencryption happens at your DNS resolver. (A late response, I hope it's still useful)
That's right. A lot companies actually disable DoH and DoT because it bypasses the companies DNS and firewalls which is a big problem. It is a challenge for companies, but I think we need to come up with a reliable solution that allows companies, firewall vendors to make use of DoH or DoT, aligned with the companies preferences and security needs. But that's something that is not established well at this stage and it's interesting to see what solution will become the new standard at some day. In networking those changes take usually a long time.
Maybe companies need to embrace the fact that their no longer able to filter user traffic. I have a VPN enabled 24/7 & I know many other people do as well.
Question: Considering android 9 pie now incorporates DoT configuration, browsers like Bromite incorporating DoH and DNS providers like Quad9 providing free encrypted options for both... is it possible/beneficial to use both simultaneously...? On android mobile or tablet devices
Thanks 😊. One of the problems when browsers or applications implement their own DNS resolving technique is that it's independent from the OS DNS resolving. That means your browser will use DoH queries to whatever it uses as a resolver, and other apps will use the DoT queries configured in android. So yes, it can work both and it doesn't interfere each other, but it could be that the browser will use different resolvers like it's configured in the OS. DNS resolvers like Quad9, cloud flare and Google usually support both methods, so that should work fine in this case 😉
I love that 30 hrs ago, that question i asked would've seemed like a totally foreign language to me, and already, so many puzzle pieces regarding internet security, privacy, anonymity and how networks function are all coming together and making sense. That's all thanks to youtubers like you. Thanks for getting back to me and thank you for helping me to understand, much appreciated
How do attackers use the DOH for malicious purposes? Will they use any tool to tunnel the DOH and then applies data exfiltration or they will exploit the server such as Cloudflare, Mozilla and then applies C2 commands.
But doesn't this only hide the URL? Once the URL is resolved to an IP address, isn't that IP address then visible to your ISP, therefore they can still work out exactly what website you are accessing?
Würde ich das Problem lösen, wenn ich einen VPN in meinem Wlan-Netzwerk etabliere und wenn nicht, warum nicht? Besten Dank! - Ich beantworte mal selbst, würde mich aber über Feedback freuen: das Problem entsteht "ausserhalb" meines Netzwerkes und die IP-Adresse wird über die Leitung "einsehbar" so kein TLS über DNS konfiguriert ist. Der VPN kann nur verhindern, dass jemand mein Wlan entert, davon wird das senden der IP ausserhalb des Netzwerkes aber nicht berührt, korrekt?
Technically both are sufficient and generally you can use whatever works for you. But I think that DoH is a bit more widespread than DoT in terms of implementation by companies. However, this is still work in progress, there are also other alternatives like DoQ and we'll see what will become the new standard.
Mr.13 why is DoT better than DoH I need the most secure form of DNS and I do not want my ISP spying on me. I don’t mind going the extra step for security.
Doesn't my provider still know which domains I visit? It the provider has a DNS, the provider knows which IPs belong to which domain. So even if my provider does not see the DNS request, once I load a single package from the IP he will still know that I visited the website with that IP. If the DNS knows which IP belongs to which domain, the opposite should als be possible. So I do now really see how my privacy is protected unless I use a VPN. PS: Be careful with Google's DNS servers! Google does not really provide that service for free. They will store all the domains you visited forever to send you even more targeted ads.
Often the IP address does not directly relate to the actual web site you're browsing. Most companies and websites today use CDNs like Akamai or Cloudflare, so you can sometimes compare the address with the name, but not always. Also, you can still see the domain in the HTTP's requests, as it's included in the SNI (not the full path though). But that always works, no matter if you encrypt the DNS requests. So yeah, you're right, a VPN is the only way to really "hide" the traffic from your ISP.
This channel is very helpful for DevOps.
Perfect Content and clear explanation! Kudos to you!
Please make more of this kinds of technical/conceptual videos related to security topics which are a great help for other IT/Network enthusiastic individuals such as myself!
Thank you! Of course, I'll do :)
consulta
@@christianlempa consulta cual de los dos es es mejor usar cual recomiendas usar solo dime uno dot o doh cual uso ya que uno de los dos es mejor y lleva la ventaja cual me recomiendas usar para ponerlo en todos mis dispositivos
responder lo antes posible porfavor.
is there a source to get the basic codes that i use as basis for my thesis?@@christianlempa
My main use case for DNS over TLS OR HTTPS is to prevent my ISP from using things like Transparent DNS proxies to reroute or tamper with my request. Something about them quietly rerouting my DNS request just feel violating you know.
1:51 You mean they can see just SNI right as protocol will be SSL
6:20 im not getting a response from stubby, it stays stuck on "Starting DAEMON..." anyone got an idea why this might be happening to me?
5:17 How can my ISP resolve my DNS-request if he can't inspect the DNS-data (since it is TLS-encrypted)?
The ISP can't inspect the DNS requests when they're encrypted, only when you're not using DNS over TLS. Hope that helps :)
@@christianlempa I think Christian’s question was “how would my internet provider be able to process my searches if they are unable to view my searches” 🤔
@@contenteater somewhere up stream in DNS servers the request would go unencrypted to resolve
Thanks, that was a good discussion.
thanks! :)
Maybe video `bout DoQ?
You are addressing HALF of the problem : the "question" (request). What about the "reply" ? What is the packet configuration of the reply ? Does it contain your IP address (in clear) and the IP address of the encrypted url (in clear) ? If so, then... you aren't "protected" since your ISP can reverse lookup the DNS contained in the "reply" packet ! No ?
How we can apply a full solution?
@@H-qx8oz That IS the question !
@@benoit.gerin-lajoie it's encrypted both ways as seen in this very video. The response he showed in wireshark was also encrypted with TLS. But don't think this hides the sites you visit from your ISP. Your device is then connecting to the site and your ISP is the one that routes it.
From India.. thanks 👍
can't connect to internet with my mobile data but with wifi....my browser says dns is hijacked or polluted please please help me to fix this issue
Very well explained. Thank you. 🙏🏽
10:00 Is that really true? You can't do DNS filtering with DoH?? In firefox/mullvad you can enable DoH with a custom DNS provider, which may have ad-blocking capabilities. Isn't this just filtering the dns requests?
The problem is when you send DoH traffic to a DNS provider and the firewall in between doesn't handle the requests. You can, of course, send the traffic to the firewall, but the problem is most browsers have default settings to send DNS requests to a DoH provider (regardless of the OS network settings).
so helpful, much thanks
Hello Christian, a question; I use Stubby dns on Linux mint, and when using Firefox or LibreWolf after logging in, they do not load, they do not open a first connection; I am forced to go to networks, disconnect and reconnect from the network, and NOW, suddenly they load and no longer fail during the session.... Could anyone tell me why? Thank you so much.
How these settings are turned on..?
(Using DNS over WARP)
Do you have an updated video on this subject?
Not, yet. Somewhere next year I want to make a DoH video on bind9
How can I to config on bind9 fowarders?
Do you have a tutorial on how to set it up on named?
I want to see the configuration you did for stubby.yml file. Could you please share?
How does the performance impact look here? DNS under 512 bytes is a UDP query, super fast. Most machines cache the results locally, but resolvers usually don't cache. They may have to take more burden of responding to users queries by encrypting, decrypting, additional payload etc.,
Also I'm not sure if bind daemon supports these protocols as it's widely used.
Thanks for the knowledge. So these techniques still need to be supported by the hosters/sites to make it fully encrypted?
I am just wondering if its really better to send the dns query via cloud based providers instead of „trusting/rely“ on your ISP. Probably depends on the country and their laws
Yes pls more videos on this topic ✌
Centralized or De-Centralized , that's the question too :) , thanks for the nice video
Interesting question ☺️ That's maybe a good topic for an upcoming video. Thank you!
@10:28 what ist this "unencrypted SNI" your are apparently still sending out using encrypted DNS?
The SNI (Server Name Indication) is always transmitted unencrypted in any HTTPS request
couldn't you go after a newspaper website knowing their dns servers, ip addresses to the domain.
what do you mean by that?
Awesome content, had been banging my head on such concepts. Request you to explain how to capture the data via Wireshark.
I did a video about "7 amazing network engineer tools" where wireshark was one of them, that could be interesting for you 😉. However, if more people are requesting I consider making a short series about it.
@@christianlempa Great man, that would do for me i guess. Thanks for the heads up!
if you are using a VPN does it matter ?
So so you recommend IPS DNS or CloudFlare DNS over HTPPS? Great video btw
I learnt something new thanks to you.
Glad to hear it!
Still confused if I should use DoH or DoT. I wanna be secure but also want to hide from my ISP.
If you want to hide from your isp there is no way around vpn. DNS encryption alone is not going to help u
really helphufl thanks ! :)
Glad it helped!
Greeting, hope help me.
1- i set my machine network(i donot do any change for router only change my machine) to use "1.0.0.2 & 1.1.1.2" as dns server, they belong to cloudfloar.
2- is that mean all my machine dns quire encrypted (dns over https)?
3- when i go to cloudfloar test page the results was i do not use dns over https. Also when activate the dns over https in Firefox the results was "we do not know if you use dns over https or not".
4- there's any steps i should do beside set machine network to use clodfloar dns server, to be sure i use dns over https?
Thanks in advance
Wouldn’t encrypting your queries with DOH or DOT also protect you from the dns provider itself?
I understand that Cloudfare, Nextguard, etc claim not to keep logs but can they initially see all of our traffic?
The DNS queries are encrypted from your PC to the DNS resolver, so they can see everything
@@christianlempa Sorry but how could they see it if it’s encrypted? 🤔
@@contenteater At some point, they need to be unencrypted: someone must be able to answer the DNS query, or otherwise you won't get a response at all and URLs stop working. This unencryption happens at your DNS resolver. (A late response, I hope it's still useful)
Wouldn't the purpose be defeated if a company's DNS doesn't support DoH or DoT?
That's right. A lot companies actually disable DoH and DoT because it bypasses the companies DNS and firewalls which is a big problem. It is a challenge for companies, but I think we need to come up with a reliable solution that allows companies, firewall vendors to make use of DoH or DoT, aligned with the companies preferences and security needs.
But that's something that is not established well at this stage and it's interesting to see what solution will become the new standard at some day. In networking those changes take usually a long time.
Maybe companies need to embrace the fact that their no longer able to filter user traffic. I have a VPN enabled 24/7 & I know many other people do as well.
Very interesting topic! New to your channel!
Nice, thank you and welcome 🙂
Can zone transfers also be done the same?
Very helpful and makes learning easy. I watched it twice to digest all details well.
Question: Considering android 9 pie now incorporates DoT configuration, browsers like Bromite incorporating DoH and DNS providers like Quad9 providing free encrypted options for both... is it possible/beneficial to use both simultaneously...? On android mobile or tablet devices
And thank you for the content! =)
Thanks 😊. One of the problems when browsers or applications implement their own DNS resolving technique is that it's independent from the OS DNS resolving. That means your browser will use DoH queries to whatever it uses as a resolver, and other apps will use the DoT queries configured in android. So yes, it can work both and it doesn't interfere each other, but it could be that the browser will use different resolvers like it's configured in the OS. DNS resolvers like Quad9, cloud flare and Google usually support both methods, so that should work fine in this case 😉
I love that 30 hrs ago, that question i asked would've seemed like a totally foreign language to me, and already, so many puzzle pieces regarding internet security, privacy, anonymity and how networks function are all coming together and making sense.
That's all thanks to youtubers like you. Thanks for getting back to me and thank you for helping me to understand, much appreciated
@Reepix thank you so much for that kind feedback, I'm glad it helped you and keeps me motivated to do more content! Cheers 😁
How do attackers use the DOH for malicious purposes? Will they use any tool to tunnel the DOH and then applies data exfiltration or they will exploit the server such as Cloudflare, Mozilla and then applies C2 commands.
I have no real data on this unfortunately, but I assume that doh queries could be easily used to bypass local security gateways.
Thank you for your video. I have a question what do you think would be faster DoH or DoT?
But doesn't this only hide the URL? Once the URL is resolved to an IP address, isn't that IP address then visible to your ISP, therefore they can still work out exactly what website you are accessing?
You could use the IPs to roughly identify targets, but many websites are using CDNs today which IPs are hosting a ton of websites.
can't connect to internet with my mobile data but with wifi....my browser says dns is hijacked or polluted please please help me to fix this issue
Würde ich das Problem lösen, wenn ich einen VPN in meinem Wlan-Netzwerk etabliere und wenn nicht, warum nicht? Besten Dank! - Ich beantworte mal selbst, würde mich aber über Feedback freuen: das Problem entsteht "ausserhalb" meines Netzwerkes und die IP-Adresse wird über die Leitung "einsehbar" so kein TLS über DNS konfiguriert ist. Der VPN kann nur verhindern, dass jemand mein Wlan entert, davon wird das senden der IP ausserhalb des Netzwerkes aber nicht berührt, korrekt?
Hey, sorry ich bin etwas verwirrt :D Was genau möchtest du erreichen, bzw. welches Problem lösen?
Thank you
You're welcome
So, which one is better to use? DoT or DoH?????
Technically both are sufficient and generally you can use whatever works for you. But I think that DoH is a bit more widespread than DoT in terms of implementation by companies. However, this is still work in progress, there are also other alternatives like DoQ and we'll see what will become the new standard.
@@christianlempa thank you a lot
Mr.13 why is DoT better than DoH I need the most secure form of DNS and I do not want my ISP spying on me. I don’t mind going the extra step for security.
I like your accent as a non englsih native speaker
Thanks 😆
very good. demoing with wireshark was very useful. thank you and please keep making videos like this.
Doesn't my provider still know which domains I visit? It the provider has a DNS, the provider knows which IPs belong to which domain. So even if my provider does not see the DNS request, once I load a single package from the IP he will still know that I visited the website with that IP. If the DNS knows which IP belongs to which domain, the opposite should als be possible. So I do now really see how my privacy is protected unless I use a VPN.
PS: Be careful with Google's DNS servers! Google does not really provide that service for free. They will store all the domains you visited forever to send you even more targeted ads.
Often the IP address does not directly relate to the actual web site you're browsing. Most companies and websites today use CDNs like Akamai or Cloudflare, so you can sometimes compare the address with the name, but not always.
Also, you can still see the domain in the HTTP's requests, as it's included in the SNI (not the full path though). But that always works, no matter if you encrypt the DNS requests. So yeah, you're right, a VPN is the only way to really "hide" the traffic from your ISP.
Nice
just post all ip addresses
Very good video but the background music is annoying
Annoying music.