Free Trial

DNS over HTTPS – Your Anti-Phishing Solution is About to Go Dark

By Colm 13th August 2019

With over 46,000 new sites created every day, phishing continues to rise as one of the greatest threats currently facing mobile devices. Our phones are quickly becoming our most important means of communication and entertainment, but as technology has become more advanced so too has the sophistication and frequency of phishing attacks. Taking advantage of the multiple platforms available, phishing campaigns can take many different forms on mobile, targeting users through email, SMS, social media and apps. With minimal effort and a convincing fake login page, hackers can easily fool users into revealing personal information including usernames, passwords and bank details. 

In response to this rising threat, many cybersecurity solutions have developed anti-phishing software for mobile. Generally very effective, one of the most common methods used by these solutions is a technique called ‘DNS sniffing’ which enables them to detect and block access to phishing sites to protect users from potential attacks. However, this method is about to break. Following the announcement that companies like Google and Mozilla will be introducing DNS over HTTPS, a new method of domain name requesting that encrypts all data, what does this mean for anti-phishing solutions?

What is DNS and DNS ‘sniffing’?

DNS (Domain Name System) is the internet’s system for converting alphabetic domain names into the numeric IP addresses that computers use to identify each other on a network. When a web address (URL) such as is typed into a browser DNS servers return the IP address, such as, and allow the user to retrieve the website associated with it. This makes it easier for users to browse the internet and find the information they are looking for, without the need to remember long series of numbers.

Typically, DNS requests are made using TCP protocols meaning that they are sent in plain text. This enables the process of DNS ‘sniffing’ which allows bodies such as internet service providers (ISPs), security solution providers, and governments to capture, analyze and monitor the requests sent and the sites visited by users. This is used to analyze network usage, troubleshoot issues, and ensure compliance with content restrictions. However, it has caused some concern over the safety and privacy of user data. Due to the nature of plain text data and the ease with which DNS requests can be sniffed, data gathered from tracking DNS traffic can easily be abused or become dangerous in the wrong hands. This has led to the introduction of DNS over HTTPS.

What is DNS over HTTPS?

DNS over HTTPS (DoH) works in much the same manner as regular DNS, however rather than using plain text the DNS query is sent to a DoH-compatible server via an encrypted HTTPS connection. This way, the DNS queries are hidden inside regular HTTPS traffic so third-party observers will be unable to sniff traffic and monitor what DNS queries users have run to infer what websites they are about to visit. DoH also works at app level as mobile apps can come with internally hardcoded lists of DoH compatible DNS resolvers where they can send queries. This allows app requests to bypass the default DNS settings that exist at OS level and avoid local ISPs’ traffic filters and content blocks. Due to this encryption and the reduction of restrictions, DoH has generally been hailed as beneficial for user privacy and security. Man-in-the-middle (MiTM) attacks often exploit the insecure nature of DNS via DNS Spoofing attacks, DNS Hijacking or DNS Poisoning which allow hackers to redirect webpage requests and return spoofed sites that appear to be legitimate. However, by putting DNS in a HTTPS encrypted channel, eavesdropping on DNS queries and MiTM attacks becomes much more difficult. 

However, not everyone is happy with the proposed changes. After it was announced that Google would be implementing changes to how its Chrome and Android browsers implement DNS requests to DoH and that Mozilla would be doing the same with Firefox, there was an outcry from many cyber security and internet service providers. The trade association for ISPs in the UK even nominated Mozilla for the award of ‘Internet Villain’ of the year following the announcement of their plans to support the DoH protocol in Firefox. In the UK ISPs are legally forced to block certain types of websites such as copyright infringement or trademarked content, while some may also choose to block other ‘inappropriate’ or ‘unsavory’ content such as extremist views, adult images or child pornography. They argue that implementing DoH will cause major complications for their ability to filter traffic for these government mandated ‘bad sites’. Internet security providers have also protested the changes as they say that encrypting traffic will prevent them from sniffing for potentially malicious and phishing websites. They argue that losing this ability will lead to reduced data security for customers, as attackers love to hide in encrypted traffic as seen in the recent Magecart attacks, and that it was a loss of visibility like this that played a part in last year’s major British Ariways and Marriott data breaches. 

Despite these protests however, it seems that implementation of DoH will be going ahead with two of the world’s biggest and most popular web browsers; Google Chrome and Mozilla Firefox. As well as this, in the most recent Android release (Android 9), Google extended DoH support to the world’s most popular mobile platform. Both companies maintain that although content filtering and implementing blocks may become a little more complicated and perhaps more expensive, it is worth supporting a tool that brings privacy improvements to millions at the expense of a few that may have to suffer. 

What does this mean for users and anti-phishing protection?

So what does this mean for users? Most anti-phishing solutions on the market currently rely on DNS sniffing in order to monitor user traffic and block access to suspicious or malicious sites. With the introduction of DoH and encryption, this method will no longer be possible meaning that many anti-phishing solutions will no longer be functional. If you have a security solution, ask your supplier about how they intend to address this issue and if you are looking into an anti-phishing solution, be sure to ask prospective vendors about encrypted DNS traffic and how this will affect their mobile phishing protection. 

Fortunately, Corrata has never relied solely on examining unencrypted DNS traffic to identify malicious activity.  From its first release Corrata Security and Control implemented comprehensive inspection of all IP traffic. Corrata’s SafePathML technology was designed specifically to provide the highest level of visibility and protection on mobile. Doing this required the Corrata engineering team to solve a wide range of technically challenging issues. This lead Corrata to create the first ever enterprise grade firewall for mobile. With a robust solution now available which future proofs our customers against changes such as DNS over HTTPS, it is clear that the investment is now paying off in terms of comprehensive protection for end users.


To find out more about how Corrata’s advanced mobile security can protect your mobile devices from phishing and other mobile threats , visit or email

For more industry news, insights and analysis – follow us on Twitter and LinkedIn!