DNS over HTTPS (DoH) is a protocol that carries DNS resolution over an encrypted HTTPS connection. Unlike traditional DNS resolution, which uses unencrypted UDP or TCP connections, DoH provides a higher level of privacy and security, and major web browsers and operating systems have widely adopted it. The growing popularity of DoH is due to browsers having enabled it by default for users in the United States (U.S.). Public DNS resolvers have also implemented support for DoH.
Although not all internet service providers (ISPs) currently support DoH, many are either starting to offer support for the protocol or planning to do so in the near future.
While it offers several benefits, DoH also introduces some challenges that ISPs must consider when deploying the protocol.
Challenges ISPs Face When Deploying DoH
DNS is a stateless protocol that involves small and simple queries and responses. The connectionless User Datagram Protocol (UDP) is well-suited for DNS because queries can be processed quickly and efficiently without first establishing a connection between client and server, which keeps overhead low. Because of this, ISPs have built their DNS infrastructure primarily to handle large volumes of DNS over UDP. A smaller volume of DNS over TCP is reserved for situations where it is more appropriate or necessary than DNS over UDP.
DoH introduces an extra layer of overhead to the DNS resolution process, and this affects the DNS infrastructure. Every DoH query requires establishing a TCP connection, negotiating an SSL connection, encrypting and decrypting the data, and transmitting it in the form of an HTTP message.
The processing resources needed to handle a DoH query are therefore much higher than those required for DNS over UDP. As a result, ISPs that want to implement DoH must invest in upgrading their servers to natively support DoH and substantially increase the number of servers to handle the additional demand for HTTPS connections.
DoH Gateway as a Cost-Effective Solution
A DoH gateway provides a cost-effective means of deploying DoH because it allows ISPs to offer the service without upgrading or adding DNS servers. The gateway acts as an intermediary between the client and the DNS server, converting encrypted DoH traffic into standard DNS over UDP traffic.
The DoH gateway must be capable of managing the establishment of TCP and SSL connections, decoding DNS queries from HTTP requests, and forwarding them to the DNS server. The server's response must likewise be wrapped in an HTTP response and encrypted before it is returned to the client. A DoH gateway capable of handling the high traffic levels an ISP requires needs a platform with significant CPU resources and hardware SSL acceleration.
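The conversion step described above, as an added example that is not Radware's or Alteon's code: it assumes a front end has already terminated TLS and parsed the HTTP request, and shows the DoH-to-wire-format DNS framing defined in RFC 8484 (GET with a base64url-encoded dns parameter or POST with an application/dns-message body), the sanity checks worth applying before spending an upstream UDP query, and the Cache-Control header the gateway should derive from the response TTLs. The sample query and response bytes, the /dns-query path and the 127.0.0.1:53 upstream are constructed for the example.

```python
"""Framing core of a DoH-to-DNS gateway (RFC 8484). Added example, not vendor code.
Assumes a front end (TLS termination, HTTP parsing) supplies method/path/headers/body."""
import base64
import socket
import struct
from urllib.parse import parse_qs, urlsplit

DOH_CONTENT_TYPE = "application/dns-message"

def encode_doh_get_path(query, endpoint="/dns-query"):
    """Client side: base64url-encode a DNS query into a DoH GET path (no '=' padding)."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return endpoint + "?dns=" + encoded

def extract_dns_query(method, path, headers, body):
    """Return the wire-format DNS query carried by a DoH request; ValueError if malformed.
    `headers` is assumed to use lower-case header names."""
    if method == "GET":
        dns_param = parse_qs(urlsplit(path).query).get("dns")
        if not dns_param:
            raise ValueError("missing dns parameter")
        value = dns_param[0]
        value += "=" * (-len(value) % 4)            # restore the padding base64url omits
        message = base64.urlsafe_b64decode(value)
    elif method == "POST":
        if headers.get("content-type", "").lower() != DOH_CONTENT_TYPE:
            raise ValueError("unsupported media type")
        message = body
    else:
        raise ValueError("method not allowed")
    # Cheap checks before the gateway spends an upstream query on the message.
    if not 12 <= len(message) <= 65535:
        raise ValueError("bad message length")
    flags = struct.unpack("!H", message[2:4])[0]
    if flags & 0x8000:                              # QR bit set: a response, not a query
        raise ValueError("not a query")
    return message

def _skip_name(message, offset):
    """Advance past a (possibly compressed) domain name; return the next offset."""
    while True:
        length = message[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:                   # compression pointer ends the name
            return offset + 2
        offset += 1 + length

def min_answer_ttl(message):
    """Smallest TTL in the Answer section, or None if the section is empty."""
    qdcount, ancount = struct.unpack("!HH", message[4:8])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(message, offset) + 4    # skip QTYPE and QCLASS
    ttls = []
    for _ in range(ancount):
        offset = _skip_name(message, offset)
        _rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", message[offset:offset + 10])
        ttls.append(ttl)
        offset += 10 + rdlength
    return min(ttls) if ttls else None

def build_doh_response(dns_response):
    """Wrap a wire-format DNS response as (status, headers, body) for the HTTP front end."""
    headers = {"Content-Type": DOH_CONTENT_TYPE, "Content-Length": str(len(dns_response))}
    ttl = min_answer_ttl(dns_response)
    if ttl is not None:
        # RFC 8484 s.5.1: HTTP freshness must not exceed the smallest Answer-section TTL.
        headers["Cache-Control"] = "max-age=%d" % ttl
    return 200, headers, dns_response

def forward_udp(query, upstream=("127.0.0.1", 53), timeout=2.0):
    """Relay the query to a plain-DNS upstream over UDP and return its response."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, upstream)
        data, _ = sock.recvfrom(65535)
    if data[:2] != query[:2]:                       # transaction ID must match the query
        raise ValueError("transaction ID mismatch")
    return data

def handle_doh_request(method, path, headers, body, resolve=forward_udp):
    """One gateway round trip: HTTP request in, (status, headers, body) out."""
    try:
        query = extract_dns_query(method, path, headers, body)
    except ValueError as exc:
        return 400, {"Content-Type": "text/plain"}, str(exc).encode("ascii")
    return build_doh_response(resolve(query))

# Constructed sample traffic: an A query for example.com and an answer of 192.0.2.1, TTL 300.
SAMPLE_QUERY = (bytes.fromhex("abcd 0100 0001 0000 0000 0000")
                + b"\x07example\x03com\x00" + bytes.fromhex("0001 0001"))
SAMPLE_RESPONSE = (bytes.fromhex("abcd 8180 0001 0001 0000 0000")
                   + b"\x07example\x03com\x00" + bytes.fromhex("0001 0001")
                   + bytes.fromhex("c00c 0001 0001 0000012c 0004 c0000201"))

if __name__ == "__main__":
    # Stand-alone demo against a stub resolver, so no upstream DNS server is needed.
    status, hdrs, body = handle_doh_request(
        "GET", encode_doh_get_path(SAMPLE_QUERY), {}, b"", resolve=lambda q: SAMPLE_RESPONSE)
    print(status, hdrs, body.hex())
```

The split between extract_dns_query, the resolver and build_doh_response mirrors where the cost lands in a real gateway: the TLS and HTTP work sits in the front end, while the DNS side stays plain UDP, so the existing resolvers see ordinary queries. Rejecting oversized messages and anything with the QR bit set before forwarding keeps malformed HTTP traffic from turning into load on the resolvers behind the gateway.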
Here’s the Solution You’re Looking For
With its DoH gateway feature, high-performance appliances and robust SSL processing hardware, Radware’s Alteon Application Delivery Controller can offer a fast and affordable solution for deploying DoH services.
Additionally, Alteon performs server load balancing for both DoH and regular UDP/TCP queries to ensure proper distribution among servers.
By integrating Alteon into their networks, ISPs can meet the growing need for security and privacy of DNS traffic in transit over the public internet with minimal investment. This can be achieved without changing their current DNS infrastructure, upgrading servers to natively support DoH, or adding servers to handle the DoH traffic.
For More Information
If you have questions about DoH or other security measures for ISPs, contact the Radware cyber security professionals here. They have been helping ISPs achieve optimal levels of security for themselves and their customers for almost twenty-five years. They would love to hear from you.