DNS over TLS vs. DNS over HTTPS | Secure DNS

DNS queries are sent in plaintext, which means anyone can read them. DNS over HTTPS and DNS over TLS encrypt DNS queries and responses so that users can browse securely and privately. Each method, however, has its own advantages and disadvantages.

Learning objectives

After reading this article you will be able to:

  • Understand why DNS needs more security and why DNS privacy matters
  • Understand how DNS over TLS and DNS over HTTPS work and how they differ
  • Explain the advantages and disadvantages of each method
  • Compare DNS over TLS/HTTPS with DNSSEC


Why does DNS need additional security layers?

DNS is the phonebook of the Internet; DNS resolvers translate human-readable domain names into machine-readable IP addresses. By default, DNS queries and responses are sent in plaintext (via UDP), which means they can be read by networks, ISPs, or anybody able to monitor transmissions. Even if a website uses HTTPS, the DNS query required to navigate to that website is exposed.

This lack of privacy has a huge impact on security and, in some cases, human rights; if DNS queries are not private, then it becomes easier for governments to censor the Internet and for attackers to stalk users' online behavior.

Attacker views unsecured DNS traffic

Think of a normal, unencrypted DNS query as being like a postcard sent through the mail: anyone handling the mail may happen to catch a glimpse of the text written on the back side, so it is not wise to mail a postcard that contains sensitive or private information.

DNS over TLS and DNS over HTTPS are two standards developed for encrypting plaintext DNS traffic in order to prevent malicious parties, advertisers, ISPs, and others from being able to interpret the data. Continuing the analogy, these standards aim to put an envelope around all postcards going through the mail, so that anyone can send a postcard without worrying that someone is snooping on what they are up to.

DNS queries secured over TLS or HTTPS, attacker blocked

What is DNS over TLS?

DNS over TLS, or DoT, is a standard for encrypting DNS queries to keep them secure and private. DoT uses the same security protocol, TLS, that HTTPS websites use to encrypt and authenticate communications. (TLS is also known as "SSL.") DoT adds TLS encryption on top of the user datagram protocol (UDP), which is used for DNS queries. Additionally, it ensures that DNS requests and responses are not tampered with or forged via on-path attacks.

What is DNS over HTTPS?

DNS over HTTPS, or DoH, is an alternative to DoT. With DoH, DNS queries and responses are encrypted, but they are sent via the HTTP or HTTP/2 protocols instead of directly over UDP. Like DoT, DoH ensures that attackers can't forge or alter DNS traffic. DoH traffic looks like other HTTPS traffic – e.g. normal user-driven interactions with websites and web apps – from a network administrator's perspective.

In February 2020, the Mozilla Firefox browser began enabling DoH for U.S. users by default. DNS queries from the Firefox browser are encrypted by DoH and go to either Cloudflare or NextDNS. Several other browsers also support DoH, although it is not turned on by default.

Wait, doesn't HTTPS also use TLS for encryption? How do DNS over TLS and DNS over HTTPS differ?

Each standard was developed separately and has its own RFC* documentation, but the most important difference between DoT and DoH is what port they use. DoT only uses port 853, while DoH uses port 443, which is the port that all other HTTPS traffic uses as well.

Because DoT has a dedicated port, anyone with network visibility can see DoT traffic coming and going, even though the requests and responses themselves are encrypted. In contrast, with DoH, DNS queries and responses are camouflaged within other HTTPS traffic, since it all comes and goes from the same port.
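The port difference above is easiest to see on the wire. The following added example (written for this article, not Cloudflare's or a DoH/DoT library's code) builds one DNS query in standard wire format and then frames the identical bytes the two ways the standards prescribe: RFC 7858 carries DoT inside a TLS session on TCP port 853 with a two-byte length prefix, while RFC 8484 carries DoH as an HTTPS request on port 443 with the message as an `application/dns-message` body, or base64url-encoded in a GET URL. Everything runs offline; the `send_dot` helper at the end needs network access and a resolver hostname you supply, and `dns.example` is a placeholder, not a real resolver.

```python
"""Build one DNS query and show how DoT and DoH put it on the wire.

Added example for this article, not Cloudflare's code. It is offline:
every function only constructs bytes. `send_dot` at the end needs
network access and a resolver hostname you supply; it is never called
automatically. The host "dns.example" used below is a placeholder.
"""
import base64
import socket
import ssl
import struct

PLAIN_DNS_PORT = 53   # classic DNS, usually UDP, readable by anyone on the path
DOT_PORT = 853        # DNS over TLS (RFC 7858): dedicated port, easy to spot
DOH_PORT = 443        # DNS over HTTPS (RFC 8484): shared with all other HTTPS


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """RFC 1035 wire-format query for `name` (qtype 1 = A record).

    ID 0 is deliberate: RFC 8484 recommends it for DoH so identical
    queries produce identical bytes and HTTP caches can serve them.
    """
    # Header: ID, flags (RD=1 -> 0x0100), QDCOUNT=1, AN/NS/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS = IN


def frame_for_dot(msg: bytes) -> bytes:
    """DoT sends the DNS message over a TLS session on TCP port 853.

    TCP has no message boundaries, so the RFC 1035 TCP framing applies:
    a two-byte big-endian length prefix precedes each message.
    """
    return struct.pack("!H", len(msg)) + msg


def frame_for_doh_post(msg: bytes, host: str, path: str = "/dns-query") -> bytes:
    """DoH wraps the identical DNS message in an HTTP request body.

    Content-Type application/dns-message is what RFC 8484 defines.
    Rendered as HTTP/1.1 text so the layering is visible; real clients
    normally use HTTP/2 inside the same TLS session as their web traffic.
    """
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/dns-message\r\n"
        "Accept: application/dns-message\r\n"
        f"Content-Length: {len(msg)}\r\n"
        "\r\n"
    )
    return head.encode("ascii") + msg


def doh_get_url(msg: bytes, host: str, path: str = "/dns-query") -> str:
    """DoH GET form (RFC 8484 section 4.1): base64url without padding,
    carried in the `dns` query parameter."""
    encoded = base64.urlsafe_b64encode(msg).decode("ascii").rstrip("=")
    return f"https://{host}{path}?dns={encoded}"


def _recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    """Read exactly n bytes; recv() may return short reads on a stream."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the DoT session early")
        buf += chunk
    return buf


def send_dot(msg: bytes, host: str, timeout: float = 5.0) -> bytes:
    """Send one query over DoT and return the raw DNS response.

    Needs network access. The certificate is verified against the
    hostname, which is what stops an on-path attacker from posing as
    the resolver.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame_for_dot(msg))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return _recv_exact(tls, length)


if __name__ == "__main__":
    q = build_dns_query("example.com")
    print(f"plain DNS message: {len(q)} bytes, would go to UDP/{PLAIN_DNS_PORT}")
    print(f"DoT frame:         {len(frame_for_dot(q))} bytes to TCP/{DOT_PORT}")
    print(f"DoH POST request:  {len(frame_for_doh_post(q, 'dns.example'))} bytes to TCP/{DOH_PORT}")
    print("DoH GET URL:      ", doh_get_url(q, "dns.example"))
```

The point to notice is that the DNS payload is byte-for-byte the same in both cases; only the wrapper and the port differ, which is why an observer can count DoT sessions by port but cannot pick DoH requests out of ordinary HTTPS.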

*RFC stands for "Request for Comments", and an RFC is a collective attempt by developers, networking experts, and thought leaders to standardize an Internet technology or protocol.

What is a port?

In networking, a port is a virtual location on a machine that is open to connections from other machines. Every networked computer has a standard number of ports, and each of these ports is reserved for certain types of communication.

Think of berths for ships in a harbor: each berth is numbered, and different kinds of ships go to specific berths to unload cargo or let passengers disembark. Networking works the same way: certain kinds of communication go to certain network ports. The difference is that network ports are virtual; they are locations for digital rather than physical connections.

Which is better: DoT or DoH?

This is up for debate. From a network security standpoint, DoT is arguably better. It gives network administrators the ability to monitor and block DNS queries, which is important for identifying and stopping malicious traffic. DoH queries, meanwhile, are hidden in regular HTTPS traffic, meaning they cannot easily be blocked without blocking all other HTTPS traffic as well.
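The visibility trade-off described above can be made concrete from the network administrator's side. The following added example (written for this article, not Cloudflare's code) classifies flow records by destination port: port 853 flows are unambiguously DoT and can be counted or blocked even though their contents are encrypted, whereas port 443 flows are ordinary HTTPS unless the TLS server name matches a list of known DoH resolvers that the administrator maintains. The flow records, the hostname `doh.resolver.example` and the IP addresses are constructed sample data.

```python
"""Classify network flows by destination port to show what a network
administrator can see for DoT versus DoH.

Added example for this article, not Cloudflare's code. The flow records
and the list of "known DoH resolver" hostnames are constructed sample
data; a real deployment would maintain that list itself.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional

PLAIN_DNS_PORT, DOT_PORT, DOH_PORT = 53, 853, 443


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str                 # "udp" or "tcp"
    sni: Optional[str] = None  # TLS server name from the ClientHello, if seen


def classify(flow: Flow, known_doh_hosts: FrozenSet[str]) -> str:
    """Label a flow from a monitoring vantage point.

    Port 853 is unambiguous: only DoT uses it, so it can be counted or
    blocked even though its contents are encrypted. Port 443 is not: a
    DoH query looks like any other HTTPS request. The only hint is the
    destination, so the SNI is checked against a list of resolver
    hostnames. Encrypted ClientHello removes even that hint, which is
    exactly the visibility loss the article describes.
    """
    if flow.dst_port == PLAIN_DNS_PORT:
        return "plaintext-dns"
    if flow.dst_port == DOT_PORT and flow.proto == "tcp":
        return "dot"
    if flow.dst_port == DOH_PORT and flow.proto == "tcp":
        return "probable-doh" if flow.sni in known_doh_hosts else "https"
    return "other"


def summarize(flows: Iterable[Flow], known_doh_hosts: FrozenSet[str]) -> Dict[str, int]:
    """Count flows per label; this is the report an admin would look at."""
    counts: Dict[str, int] = {}
    for flow in flows:
        label = classify(flow, known_doh_hosts)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample data: one client, five flows, documentation-range addresses.
KNOWN_DOH_HOSTS = frozenset({"doh.resolver.example"})
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.1", 53, "udp"),
    Flow("10.0.0.5", "192.0.2.10", 853, "tcp"),
    Flow("10.0.0.5", "192.0.2.10", 443, "tcp", sni="doh.resolver.example"),
    Flow("10.0.0.5", "198.51.100.7", 443, "tcp", sni="www.example.com"),
    Flow("10.0.0.5", "198.51.100.7", 443, "tcp", sni=None),  # no SNI visible
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{flow.dst}:{flow.dst_port}/{flow.proto:<3} -> {classify(flow, KNOWN_DOH_HOSTS)}")
    print(summarize(SAMPLE_FLOWS, KNOWN_DOH_HOSTS))
```

Note that the last two flows get the same label even though one of them could be DoH: without a hostname hint there is nothing in the flow metadata to separate a DoH request from a page load, which is the reason blocking DoH selectively is hard.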

From a privacy standpoint, however, DoH is probably preferable. With DoH, DNS queries are hidden within the larger flow of HTTPS traffic. This gives network administrators less visibility, but it gives users more privacy.

1.1.1.1, Cloudflare's free DNS resolver, supports both DoT and DoH.

What is the difference between DNS over TLS/HTTPS and DNSSEC?

DNSSEC is a set of security extensions for verifying the identity of DNS root servers and authoritative nameservers in communications with DNS resolvers. It is designed to prevent DNS cache poisoning, among other attacks. It does not encrypt communications. DNS over TLS or HTTPS, on the other hand, does encrypt DNS queries. 1.1.1.1 supports DNSSEC as well.
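Because the two mechanisms address different problems, a client using DoT or DoH still has to ask a separate question: did the resolver actually validate the answer with DNSSEC? The resolver signals that in the response header with the AD (Authenticated Data) bit. The following added example (written for this article, not Cloudflare's code) parses the 12-byte DNS header and reports that flag; the two response messages it checks are constructed sample data.

```python
"""Check the AD (Authenticated Data) bit in a DNS response header.

Added example for this article, not Cloudflare's code. DoT and DoH
protect the transport; whether the answer itself was DNSSEC-validated is
signalled separately by the resolver in the response header. The two
responses below are constructed sample messages.
"""
import struct

# Flag bits of the 16-bit flags field (RFC 1035 section 4.1.1; AD and CD
# are defined for DNSSEC in RFC 4035 section 3.2)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into named fields."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "is_response": bool(flags & QR),
        "recursion_available": bool(flags & RA),
        "authenticated_data": bool(flags & AD),
        "checking_disabled": bool(flags & CD),
        "rcode": flags & 0x000F,
        "counts": (qd, an, ns, ar),
    }


def dnssec_validated(msg: bytes) -> bool:
    """True only if the resolver says it validated the answer.

    The AD bit is set by the resolver, not the authoritative server, so
    over DoT or DoH you are trusting that resolver; TLS is what keeps the
    flag itself from being altered on the path. RFC 6840 section 5.7 has
    resolvers set AD only for queries that themselves set AD or DO, so a
    client that wants this signal sets the AD bit in its query flags.
    """
    h = parse_header(msg)
    return h["is_response"] and h["rcode"] == 0 and h["authenticated_data"]


# Constructed responses: only the header matters for this check; the
# question section for example.com follows so the message is well formed.
_QUESTION = b"\x07example\x03com\x00\x00\x01\x00\x01"
VALIDATED = struct.pack("!HHHHHH", 0, QR | RD | RA | AD, 1, 0, 0, 0) + _QUESTION
UNVALIDATED = struct.pack("!HHHHHH", 0, QR | RD | RA, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    print("validated:  ", dnssec_validated(VALIDATED))    # True
    print("unvalidated:", dnssec_validated(UNVALIDATED))  # False
```

An encrypted transport with a resolver that does not validate, or a validating resolver reached over plaintext UDP, each leaves one of the two problems open; checking the AD bit over DoT or DoH is how a client confirms it has both.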

Learn more about 1.1.1.1 at What is 1.1.1.1?