3

I don't mean a technical breakdown of how the technology works but what does it do for me, the end user. For instance, does it prevent my ISP or network admin from seeing/logging the sites I connect to similar to how HTTPS prevents them from seeing passwords I enter? Does it allow the bypassing of firewalls similar to that of a VPN? In what ways does it differ from a VPN? (I've heard a lot of comparisons between DoH and VPNs, can't say I understand most of it though) Any assistance in clearing up this confusion would be much appreciated.

Frank
  • 41
  • 1
  • 1
    It stops your ISP seeing your DNS queries. Regarding VPNs, these are used for a variety of things. Sometimes for remote corporate users to connect behind the firewall. Sometimes for privacy. Using NordVPN or similar for privacy hides your traffic from your ISP and your IP address from websites you visit. If you've heard people compare DoH with VPNs, it will be for the latter use. – paj28 Feb 28 '20 at 04:25
  • It also prevents man-in-the-middle attacks. If DNS queries and responses are sent in the clear, then a dedicated attacker could intercept your DNS queries and return their own responses. This can be a significant threat - for example if you type in "mybank.com" in your address bar and you're silently redirected to a phishing site that looks identical but returns a "sorry, site down for maintenance" message when you try to log in. – David Feb 28 '20 at 05:44

1 Answer

4

... does it prevent my ISP or network admin from seeing/logging the sites I connect to similar to how HTTPS prevents them from seeing passwords I enter?

DNS over HTTPS will prevent your ISP/admin from sniffing and modifying DNS requests, and only DNS requests. They will still be able to get information on which sites you visit by inspecting other traffic you produce, i.e. from HTTP headers in HTTP requests, from the domain information in the TLS handshake in HTTPS, by checking which IP address you connect to, etc.

... Does it allow the bypassing of firewalls similar to that of a VPN?

It allows bypassing DNS-based blocking, which is often used to block sites at the ISP level since it is the easiest and cheapest thing to do for the ISP. Other inspection and blocking methods continue to exist, but these are more costly to implement.

... In what ways does it differ from a VPN?

A VPN encrypts everything, DoH only the DNS traffic (see first item in this answer). A VPN thus offers more protection against sniffing or modification by the ISP.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • I'd be a bit more loose with the term "A VPN offers more protection", because now instead of the ISP being able to see everything, the VPN is able to see everything. Is a VPN company inherently more trustworthy than an ISP? You can't tell. –  Feb 28 '20 at 10:49
  • @MechMK1: I've updated the response to make it more clear about protection against what I was talking about. – Steffen Ullrich Feb 28 '20 at 11:54