Testing DNS over TLS (DoT) in Iran

The Internet's Domain Name System (DNS) is one of the strong forces that hold the Internet together.

There are many forces that wish to control or restrict the Internet. (See Internet: Quo Vadis (Where are you going?)) DNS has been found to be one of the more convenient places through which that control may be exercised.

The DNS Security system (DNSSEC) is useful in that it allows a client to know that the DNS data it receives is authentic. But DNSSEC can be somewhat difficult to deploy, and many applications do not handle non-authentic DNS data well.

Absent DNSSEC, DNS queries run the risk of man-in-the-middle attacks in which a masquerading DNS server misleads the client with false answers or data-mines the client's queries.

Two recent proposals have been made to help reduce the risks of these man-in-the-middle DNS attacks.

These are DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT).

Both DoH and DoT use encrypted TCP connections to carry DNS queries and responses. DoH uses HTTPS (HTTP over TCP with TLS) while DoT uses TCP with TLS (i.e. no HTTP/S).

DoH is being built into browsers such as Firefox and Chrome. However, there are strong, valid objections to DoH as compared to DoT. (See, for example, "DNS-over-HTTPS causes more problems than it solves, experts say".)

We found the following article quite interesting. It is a test of blocking of DoT by Iran.

DNS over TLS blocked in Iran

It is a well-done test and the article is quite revealing. The TL;DR is that it appears that various network providers in Iran are blocking DNS over TLS (DoT). The blocking is being done using several different methods.

The article does not mention whether they also tested for blocking of DNS over HTTPS (DoH). It would be interesting to see whether that is a more difficult thing to do because of the need to differentiate between normal HTTPS web traffic and DoH traffic. (That issue does not exist when blocking DoT traffic because DoT uses its own well-known TCP port number.)
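To make the "several different methods" observation concrete, here is a small DoT probe that reports the stage at which a lookup stops (TCP connect, TLS handshake, or the DNS exchange itself). It is an example added here, not code from the cited article or its authors; the function names are hypothetical, the resolver IP and certificate name are supplied by the caller, and the port is 853 as assigned to DoT in RFC 7858.

```python
import socket, ssl, struct

DOT_PORT = 853  # DoT's dedicated TCP port (RFC 7858)

def build_query(name, qtype=1, txid=0x1234):
    """Encode a one-question DNS query (RD set, class IN) in wire format."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def frame(msg):
    """DoT reuses DNS-over-TCP framing: 2-byte big-endian length, then the message."""
    return struct.pack("!H", len(msg)) + msg

def parse_header(msg):
    """Return (txid, rcode, answer_count) from a DNS response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return txid, flags & 0x000F, an

def recv_exact(sock, n):
    """Read exactly n bytes; TLS records need not align with DNS messages."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf

def probe(ip, tls_name, qname="example.com", timeout=5.0):
    """Return (stage, detail); stage is where the lookup stopped: tcp, tls, dns or ok."""
    try:
        raw = socket.create_connection((ip, DOT_PORT), timeout=timeout)
    except OSError as e:  # timeout, RST or unreachable before any TLS byte
        return ("tcp", repr(e))
    try:  # certificate is verified against tls_name, so an impostor fails here
        tls = ssl.create_default_context().wrap_socket(raw, server_hostname=tls_name)
    except OSError as e:  # ssl.SSLError is a subclass of OSError
        raw.close()
        return ("tls", repr(e))
    with tls:
        try:
            tls.sendall(frame(build_query(qname)))
            (n,) = struct.unpack("!H", recv_exact(tls, 2))
            txid, rcode, an = parse_header(recv_exact(tls, n))
        except (OSError, struct.error) as e:
            return ("dns", repr(e))
    return ("ok", f"txid={txid:#06x} rcode={rcode} answers={an}")
```

Running `probe()` against the same resolver from different networks shows whether failures cluster at the TCP, TLS or DNS stage, which is the distinction between blocking methods that the article draws.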

