Secure DNS (DNS over HTTPS, DNS over TLS) settings
Introduction
This article lists the settings clients need to configure DNS over TLS (DoT) and DNS over HTTPS (DoH) to use the campus DNS servers.
It will also briefly explain the technology and when to use it.
Applicability
Anyone on campus or central VPN can use our DoT/DoH service.
Users at home and not connected to the VPN will not be able to connect using these settings.
Procedure
What is DNS over TLS?
DNS over TLS, or DoT, is a standard for encrypting DNS queries to keep them secure and private. DoT uses the same security protocol, TLS, that HTTPS websites use to encrypt and authenticate communications. (TLS is also known as "SSL.") DoT adds TLS encryption on top of the user datagram protocol (UDP), which is used for DNS queries.
What is DNS over HTTPS?
DNS over HTTPS, or DoH, is an alternative to DoT. With DoH, DNS queries and responses are encrypted, but they are sent via the HTTP or HTTP/2 protocols instead of directly over UDP. Like DoT, DoH ensures that attackers can't forge or alter DNS traffic. DoH traffic looks like other HTTPS traffic – e.g. normal user-driven interactions with websites and web apps – from a network administrator's perspective.
Source: https://www.cloudflare.com/en-ca/learning/dns/dns-over-tls/
Settings for Campus DNS over TLS (DoT)
The procedure for setting up DoT varies depending on your device's OS. This article does not detail how to configure each one; it only provides the settings required to do so.
Central DNS supports DNS over TLS on standard port 853 and is compliant with RFC 7858.
We support DNS over TLS (DoT) on 129.128.12.34 and 2620:101:c080:2::1234 on port 853. If your DoT client does not support IP addresses, the DoT endpoint can also be reached by hostname on securedns.ualberta.ca and dns-over-tls-ipv6.srv.ualberta.ca.
Settings for Campus DNS over HTTPS (DoH)
The procedure for setting up DoH varies depending on your device's browser. This article does not detail how to configure each one; it only provides the settings required to do so.
We offer a DNS over HTTPS resolver at:
https://securedns.ualberta.ca/dns-query
Using any other DoH/DoT provider on campus is currently not supported, as outlined by Article 19000109545. This includes Cloudflare (Firefox), Google (Chrome) and Apple (iCloud Private Relay).
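To check what a client configured with the settings above puts on the wire, the following added example (not part of the original article or of any campus tooling) builds one DNS query and encodes it both ways: with the two-octet length prefix that RFC 7858 specifies for DoT on port 853, and as an RFC 8484 GET URL for the DoH endpoint. The function names are hypothetical, and the code runs offline without contacting the resolver.

```python
import base64
import struct

# Endpoints taken from the article above.
DOT_HOST, DOT_PORT = "securedns.ualberta.ca", 853
DOH_URL = "https://securedns.ualberta.ca/dns-query"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a one-question DNS query in RFC 1035 wire format.

    qtype 1 is an A record. RFC 8484 recommends a transaction ID of 0
    for DoH so identical queries produce identical, cacheable URLs.
    """
    # Flags 0x0100 = recursion desired; QDCOUNT=1, other counts 0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"invalid DNS label: {label!r}")
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"  # root label terminates the name
    if len(qname) > 255:
        raise ValueError("domain name too long")
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def frame_for_dot(message: bytes) -> bytes:
    """Prefix the message with its length as a two-octet field (RFC 7858)."""
    return struct.pack("!H", len(message)) + message


def doh_get_url(message: bytes, endpoint: str = DOH_URL) -> str:
    """Build the RFC 8484 GET form: base64url, padding removed, in ?dns=."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


if __name__ == "__main__":
    query = build_query("ualberta.ca")  # constructed sample query
    print(f"DoT payload for {DOT_HOST}:{DOT_PORT}:", frame_for_dot(query).hex())
    print("DoH request URL:", doh_get_url(query))
```

The DoT payload is what a client writes into the TLS session after the handshake; the DoH URL is fetched with an `Accept: application/dns-message` header.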