DNS Encryption explained - DNS over TLS (DoT) & DNS over HTTPS (DoH)

Christian Lempa

4 years ago

48,529 views


Comments:

@benoit.gerin-lajoie - 29.09.2023 07:13

You are addressing HALF of the problem: the "question" (request). What about the "reply"? What is the packet configuration of the reply? Does it contain your IP address (in clear) and the IP address of the encrypted URL (in clear)? If so, then... you aren't "protected" since your ISP can reverse lookup the DNS contained in the "reply" packet! No?

@harshavmb - 31.08.2023 12:36

How does the performance impact look here? DNS under 512 bytes is a UDP query, super fast. Most machines cache the results locally, but resolvers usually don't cache. They may have to take more burden of responding to users' queries by encrypting, decrypting, additional payload, etc.
Also I'm not sure if bind daemon supports these protocols as it's widely used.

@sumankumarpoddar6892 - 27.08.2023 07:12

From India.. thanks 👍

@jyxue - 13.08.2023 08:19

so helpful, much thanks

@mario_vasquez_ - 06.05.2023 23:27

very good. demoing with wireshark was very useful. thank you and please keep making videos like this.

@alqods80 - 01.02.2023 07:19

Very good video but the background music is annoying

@aeroxx - 25.01.2023 05:04

Thanks for the knowledge. So these techniques still need to be supported by the hosters/sites to make it fully encrypted?
I am just wondering if it's really better to send the DNS query via cloud-based providers instead of "trusting/rely" on your ISP. Probably depends on the country and their laws

@angelsmalls7044 - 20.01.2023 17:13

Still confused if I should use DoH or DoT. I wanna be secure but also want to hide from my ISP.

@markpelayo - 08.01.2023 15:34

Thank you for your video. I have a question what do you think would be faster DoH or DoT?

@zeytee - 15.12.2022 09:44

Very helpful and makes learning easy. I watched it twice to digest all details well.

@sidhucr7985 - 08.12.2022 00:51

can't connect to internet with my mobile data but with wifi....my browser says dns is hijacked or polluted please please help me to fix this issue

@erikeriksson1920 - 23.10.2022 21:50

Annoying music.

@sshadyh - 30.09.2022 02:05

if you are using a VPN does it matter ?

@b0ys0l09 - 18.05.2022 05:37

Can zone transfers also be done the same?

@contenteater - 09.05.2022 09:21

Wouldn’t encrypting your queries with DOH or DOT also protect you from the dns provider itself?
I understand that Cloudflare, Nextguard, etc. claim not to keep logs but can they initially see all of our traffic?

@skyscraperfan - 19.04.2022 15:43

Doesn't my provider still know which domains I visit? If the provider has a DNS, the provider knows which IPs belong to which domain. So even if my provider does not see the DNS request, once I load a single package from the IP he will still know that I visited the website with that IP. If the DNS knows which IP belongs to which domain, the opposite should also be possible. So I do not really see how my privacy is protected unless I use a VPN.

PS: Be careful with Google's DNS servers! Google does not really provide that service for free. They will store all the domains you visited forever to send you even more targeted ads.

@manishalankala1622 - 30.03.2022 18:58

Nice

@kaalmansur - 19.02.2022 00:13

Would I solve the problem if I set up a VPN in my Wi-Fi network, and if not, why not? Many thanks! - I'll answer this myself, but would appreciate feedback: the problem arises "outside" my network, and the IP address is "visible" on the line as long as TLS over DNS is not configured. The VPN can only prevent someone from breaking into my Wi-Fi, but that does not affect the sending of the IP outside the network, correct?

@shuangliu2204 - 09.02.2022 11:45

I like your accent as a non-English native speaker

@R1D9M8B4 - 06.02.2022 03:07

Thank you

@mohsen3448 - 21.01.2022 00:25

Perfect Content and clear explanation! Kudos to you!
Please make more of these kinds of technical/conceptual videos related to security topics which are a great help for other IT/Network enthusiastic individuals such as myself!

@GamesOfficialYouTube - 19.12.2021 04:56

So do you recommend ISP DNS or Cloudflare DNS over HTTPS? Great video btw

@bethanybellwarts - 12.11.2021 19:15

But doesn't this only hide the URL? Once the URL is resolved to an IP address, isn't that IP address then visible to your ISP, therefore they can still work out exactly what website you are accessing?

@neelupatel5498 - 02.08.2021 08:07

How do attackers use the DOH for malicious purposes? Will they use any tool to tunnel the DOH and then apply data exfiltration, or will they exploit the server such as Cloudflare, Mozilla and then apply C2 commands?

@kenanderson7769 - 27.05.2021 05:18

An enable button on a web browser does not mean anything has been changed. I doubt Firefox, a company dependent on Google for its existence, can be trusted.

@dilipdilipjohn - 29.04.2021 10:21

How these settings are turned on..?
(Using DNS over WARP)

@mrd4233 - 06.04.2021 22:36

Very interesting topic! New to your channel!

@BernieD940 - 26.03.2021 23:08

Thanks, that was a good discussion.

@glowinthedark9082 - 25.02.2021 14:08

just post all ip addresses

@VEKTOR_87 - 23.12.2020 22:26

really helpful thanks ! :)

@AsifAAli - 30.11.2020 19:12

Very well explained. Thank you. 🙏🏽

@GorkemYildirim - 17.11.2020 13:22

I learnt something new thanks to you.

@skolarii - 28.09.2020 16:16

Wouldn't the purpose be defeated if a company's DNS doesn't support DoH or DoT?

@payambakhshi1498 - 22.09.2020 04:04

Centralized or De-Centralized , that's the question too :) , thanks for the nice video

@goks7 - 09.09.2020 15:40

Awesome content, had been banging my head on such concepts. Request you to explain how to capture the data via Wireshark.

@alimahaboob2287 - 30.08.2020 04:32

I want to see the configuration you did for stubby.yml file. Could you please share?

@Reepix - 25.08.2020 11:38

Question: Considering android 9 pie now incorporates DoT configuration, browsers like Bromite incorporating DoH and DNS providers like Quad9 providing free encrypted options for both... is it possible/beneficial to use both simultaneously...? On android mobile or tablet devices

@Punitkp94 - 03.08.2020 19:04

So, which one is better to use? DoT or DoH?????

@HEWfunkingKNEWit - 11.06.2020 00:02

Yes pls more videos on this topic ✌

@jojimerc7396 - 29.05.2020 08:47

This channel is very helpful for DevOps.
