DNS over HTTPS is coming, whether our ISPs and governments like it or not. This is a good read over at Naked Security by Sophos, and the reason we have a picture of Homer took me a second, then I'm like, "D'oh!" Literally, DNS over HTTPS is referred to as DoH. Anyway, it's not for the Simpsons references; this is actually a really good article about the rise of DoH, what it means for security and what it means for privacy. It's a big win for privacy. It's a big loss for those that want to have visibility into the websites we go to and block them, including the many ISPs and the UK's controversial porn block system, many of which do rely on DNS.

Now, I've covered DNS over TLS before; this is separate. DNS over TLS means (and this is the general, common way you set it up; we're going to refer to pfSense, but other systems support it too) that you set up a secure, encrypted DNS connection from your firewall to whichever network you choose for your DNS. Cloudflare, Google and Quad9 all support it. Then the local connections your computer makes (not just the browser's; your computer itself needs more than just the browser for DNS) contact your local firewall, and all that traffic, once it leaves your network, is encrypted, making you invisible, which is great, unless you're a government that wants to spy on people.

This goes a step further, and this is actually a big problem for filtering sites and filtering systems used by many companies, and a common question I get, so I wanted to break down a little bit how that works, what's going to break with this, and how to enable it in Firefox, because it's available in Firefox right now. It's just not turned on by default, and there are not a lot of places that support it, but the good news is Cloudflare does, and by default Firefox comes with Cloudflare preconfigured as a system you can set up.

So, to do this test, first I wanted to make a rule. This rule is not enabled right now. This is the block for the demo: a port 53 block on a special VM.
I set it up at 172.16.69.129. Here I'm watching all the port 53 traffic bouncing around on that particular system. Port 53 is the default port for DNS, and obviously this is really simple; you could obviously move DNS to another port. I'm not getting into those technical details; I'm just looking at the default ports and the default way the VM works.

So if we go over here, we're going to ping apple.com, ping google.com, and we can see we're resolving addresses. Apple apparently doesn't support replies right away. We see some port 53 traffic. Over to the Firefox browser, and let's, I don't know, pull up Reddit real quick. So we pull up a couple of things, and while that's doing that, Google my name. YouTube comes up before that, interesting. Pull up the About Us page. Not now. So, you know, generating some traffic, and we go over here: lots and lots of DNS queries, you can see it's completely filled with them.

So everything is working as expected, and of course by default most people are running things on the default port 53, and that DNS is not encrypted. Ideally, and the way it's set up in my network, we're using DNS over TLS, which means it contacts our firewall and goes out encrypted, but that local traffic can be watched and can be filtered, and because it passes through DNS on my firewall, popular tools like pfBlocker allow for blocking of websites or ads or whatever you want to block with pfBlocker, which is pretty cool.

But watch what happens when we block port 53 and turn this rule on. Apply. All right, so now all the DNS requests have timed out on this VM; no more DNS requests. The block is active; they've all died, so all the sessions have died, so we can't establish new DNS connections on this computer. Let's see what happens in the VM now. We try to ping something that's not cached; I've got to come up with a new website name. Dead air, can't do anything. Well, let's try opening up a website in Firefox.
I don't want to open up any news crap. Let's try to open really anything. It's thinking. Let's try to go to Google; now, it may have Google cached in there. So yeah, it has Google cached, but that means if we look up Lawrence Systems again, and let's go to a website we haven't been to, hold on, try to look up something completely different. So if we go to News we're resolving a new address, looking up news.google.com. Dead air. Go back over here: no new established DNS connections.

So let's talk about how to turn on DNS over HTTPS. You go to network.trr.mode, and this is just in about:config, so you open up about:config, you're going to get a warning, you go to network.trr.mode, modify it, and set it to 2. Now we've changed the DNS inside of this. Now, if you want to know where it's going, the URI is right here; the default string is https://mozilla.cloudflare-dns.com/dns-query. This is sending all the connections over to this particular DNS, the Cloudflare DNS. I don't know which other companies support it, I don't have a list right now, but this is the default that you don't have to make any modifications for, the default that Mozilla is working with.

And you can see it timed out, server not found, and I still can't ping anything here, but now what happens? Refresh the page. Hey, we're surfing the web again. Oops, and I'll pull up that website that I can't ping but I know works: wcrc.com is our regional chamber. Look, I can open it up, although I can't do anything here. So here are different websites browsing away, but I don't have any DNS access. How's that working? Perfectly fine here, still no DNS queries.
It's completely bypassing and doing everything over port 443. So if we look at port 443 on here, all the connections are being established over here, and nothing is being established on DNS. So my system is now blinded to this DNS.

Now, like I said, this can create a real big problem for companies that want to monitor DNS, that want to monitor and filter things via DNS or create redirected URLs for browsers. The good news is it adds a lot of privacy to the system. The bad news is that any type of sinkholing you want to do of something in DNS, i.e. ad blocking or blocking websites in general, or even having visibility into websites, you'll have to rely on doing at the endpoint, and you'll have to do it as a browser extension to get this to work.

So I just wanted to show how to do this. It's really easy to do. It is, to my knowledge, not supported in Chrome yet, with the exception of Chrome on mobile. So Android phones have been using this for a while, which has caused problems because people try to block bring-your-own-device or block mobile devices, and Chrome doesn't care about what DNS when it's on mobile; it automatically uses its own encrypted DNS and bypasses it anyway. Like I said, it can be problematic in terms of, you know, if you're trying to do filtering. It's a big win for privacy, so they're going to have to work on something else, and obviously the other solution for management or a business use case would be to install certificates on the endpoints in order to get control over what websites are visited, or visibility, and locking it down.

So it comes back to one of the things I've said many times: monitoring at the firewall is a progressively losing battle.
It gets harder and harder. You pretty much have to focus on doing it at the endpoint, because once again this blinds the firewalls, blinds the filtering systems, because the only thing that can be seen across the system now is 443 connections, which are all encrypted, and without a certificate installed on that endpoint that matches a certificate on the firewall (which also sometimes causes further breakage of things and more problems, especially with the newer banking websites and standards) it becomes invisible again to you. Especially TLS 1.3, with a second Diffie-Hellman exchange that happens inside the encryption, basically a second layer of encryption, that even breaks the installing-the-certificate option, so the firewall once again becomes blind to it.

So like I said, I just wanted to bring this up. It's going to be interesting to see how companies try to handle this, especially authoritarian governments, because they are really not going to like this, because they do so much DNS blocking. But this is the way of the future, and this is a big win for privacy. So I wanted to show you how to do that. That's all you've got to do to enable it, that little about:config setting, and like I said, this is a beta feature in Firefox that is available; use at your own risk, but it's a pretty cool feature. I do like it. All right, thanks.
Thanks for watching. If you liked this video, give it a thumbs up. If you want to subscribe to this channel to see more content, hit that subscribe button and the bell icon, and maybe YouTube will send you a notice when we post. If you want to hire us for a project that you've seen or discussed in this video, head over to LawrenceSystems.com, where we offer both business IT services and consulting services and are excited to help you with whatever project you want to throw at us. Also, if you want to carry on the discussion further, head over to forums.lawrencesystems.com, where we can keep the conversation going. And if you want to help the channel out in other ways, we offer affiliate links below which offer discounts for you and a small cut for us; that does help fund this channel. Once again, thanks for watching this video, and see you next time.
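Added example (editor's note, not code from the video or from Lawrence Systems): the video shows Firefox getting back online with port 53 blocked by setting network.trr.mode to 2 and leaving network.trr.uri at its Cloudflare default. What actually travels over that 443 connection is an ordinary DNS wire-format message inside an HTTPS request (RFC 8484), which is why a port-53 rule never sees it. The helper below builds such a query, encodes it the way a DoH GET carries it, decodes a captured GET URL back to the looked-up name (the only place a defender with endpoint TLS inspection could recover it), and parses a response. The resolver URI is the Firefox default quoted in the video; the name "example.test", the address 192.0.2.10 and the SAMPLE_RESPONSE bytes are constructed for the demo, not captured from a real resolver. `doh_post` performs a live query over the network and is included to show the exact request, but nothing below requires network access to run.

```python
"""Minimal RFC 8484 DNS-over-HTTPS (DoH) helper: build, encode and parse the
DNS messages a browser sends to its trusted recursive resolver (TRR) URI.
Added example; not code from the video."""
import base64
import ipaddress
import struct
import urllib.request
from urllib.parse import parse_qs, urlparse

# Firefox's default network.trr.uri, as shown in the video.
DOH_URI = "https://mozilla.cloudflare-dns.com/dns-query"

QTYPE_A, QTYPE_AAAA = 1, 28


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Encode a single-question DNS query in RFC 1035 wire format.
    RFC 8484 recommends transaction ID 0 so identical queries are cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def doh_get_url(name: str, uri: str = DOH_URI) -> str:
    """GET form: the wire-format query rides in the 'dns' parameter, base64url, no padding."""
    token = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{uri}?dns={token}"


def decode_get_url(url: str) -> bytes:
    """Inverse of doh_get_url: recover the DNS message from a captured DoH GET URL."""
    token = parse_qs(urlparse(url).query)["dns"][0]
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def _parse_name(msg: bytes, off: int):
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def query_name(msg: bytes) -> str:
    """Name in the first question section, i.e. what the client looked up."""
    return _parse_name(msg, 12)[0]


def parse_answers(msg: bytes):
    """Return (rcode, [(name, type, ttl, data), ...]) from the answer section."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = _parse_name(msg, off)
        off += 4  # skip QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = _parse_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, "A", ttl, str(ipaddress.IPv4Address(rdata))))
        elif rtype == QTYPE_AAAA and rdlen == 16:
            answers.append((name, "AAAA", ttl, str(ipaddress.IPv6Address(rdata))))
        else:
            answers.append((name, str(rtype), ttl, rdata.hex()))
    return flags & 0x000F, answers


def doh_post(name: str, uri: str = DOH_URI, timeout: float = 5.0):
    """Live query (needs network): POST the wire-format message with the RFC 8484
    media type. The resolver is reached on TCP 443 like any other HTTPS site."""
    req = urllib.request.Request(
        uri, data=build_query(name), method="POST",
        headers={"content-type": "application/dns-message",
                 "accept": "application/dns-message"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_answers(resp.read())


# Constructed sample response (not captured from a real resolver): 192.0.2.10
# (documentation range) for "example.test", TTL 300 s. The answer's name is a
# compression pointer (0xC00C) back to the question at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1; 1 question, 1 answer
    + build_query("example.test")[12:]             # question section
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    url = doh_get_url("example.test")
    print("GET form a DoH client could send:", url)
    print("Name recovered from that URL:", query_name(decode_get_url(url)))
    print("Parsed constructed response:", parse_answers(SAMPLE_RESPONSE))
```

The point for a firewall admin is in `doh_post`: the request is `POST https://mozilla.cloudflare-dns.com/dns-query` with `content-type: application/dns-message`, indistinguishable on the wire from any other TLS session to port 443. Only something that sees inside the TLS session (an endpoint agent, a browser extension, or interception with an installed certificate) can run `decode_get_url` or read the POST body to learn which name was resolved.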