PowerPoint Presentation


Scene 1 (0s)

[Audio] Hello everyone. Today, I'll be presenting on DNS over TLS - a critical security protocol that's transforming how we protect our privacy on the internet. My name is Fatima Mazhar, roll number 23L-0752. Let's dive in.

Scene 2 (20s)

[Audio] Before we discuss DNS over TLS, let's quickly understand what DNS actually is. DNS, or the Domain Name System, acts as the internet's phone book. Every time you type a website address like 'www.example.com' into your browser, DNS translates that human-readable domain name into a machine-readable IP address like 192.168.1.1. This happens billions of times every day across the globe, making DNS absolutely essential for internet functionality. Without it, we'd have to memorize complex numerical addresses for every website we visit.

Scene 3 (1m 4s)

[Audio] However, there's a serious problem with traditional DNS. Here's the critical issue: traditional DNS is completely unencrypted. Every DNS query you make is sent in plain text over port 53, making it visible to your Internet Service Provider, network administrators, and potentially malicious actors. This means anyone monitoring your network can see exactly which websites you're visiting. Traditional DNS is susceptible to eavesdropping, man-in-the-middle attacks, DNS hijacking, and cache poisoning. This isn't just theoretical - in 2018, researchers discovered that ISPs in multiple countries were actively intercepting and redirecting DNS queries for surveillance purposes and even injecting advertisements into users' browsing sessions. Your browsing history is essentially an open book. So, what's the solution? This is where DNS over TLS comes in.

Scene 4 (2m 2s)

[Audio] DNS over TLS, or DoT, is a security protocol that wraps your DNS queries in an encrypted TLS tunnel - the same encryption technology that protects your online banking and shopping. Let me highlight four key features: First, it uses TLS 1.2 or higher encryption, creating a secure channel for all DNS communication. Second, it operates on a dedicated port 853, separate from regular DNS traffic. Third, it provides server authentication through certificates, ensuring you're talking to a legitimate DNS server, not an imposter. And fourth, it guarantees data integrity, so you can be confident that the responses you receive haven't been tampered with during transmission. Think of it as putting your DNS queries in a sealed, encrypted envelope instead of sending them on a postcard that anyone can read. Let me walk you through exactly how this works step-by-step.

Scene 5 (3m 4s)

[Audio] The DoT process involves six critical steps, and it all happens in milliseconds: Step one: Your device initiates a TLS handshake with the DoT server on port 853, establishing a secure connection request. Step two: The server presents its TLS certificate for authentication - just like when you visit a secure website with HTTPS. Step three: Your device validates this certificate to ensure you're connecting to a legitimate DNS server, not a malicious one, and then establishes the encrypted connection. Step four: Your DNS query is encrypted and sent through this secure TLS tunnel - completely invisible to anyone monitoring your network. Step five: The server processes your query and sends back an encrypted response through the same secure channel. And finally, step six: Your device decrypts the response and receives the IP address it needs. The beauty of this is that after the initial handshake, the connection stays open for future queries, making subsequent lookups even faster. All of this encryption and security happens seamlessly in the background. Now that we understand how it works, let's examine why this matters.

Scene 6 (4m 22s)

[Audio] DNS over TLS delivers four major benefits that make it essential for modern internet security: First, privacy protection: Your ISP, network operators, and anyone monitoring your traffic can no longer see which websites you're visiting through DNS queries. Your browsing patterns remain private. Second, security enhancement: DoT protects you against DNS spoofing, cache poisoning, and man-in-the-middle attacks that have plagued traditional DNS for decades. Attackers simply can't inject fake responses or redirect your traffic. Third, data integrity: You can be confident that the DNS responses you receive are authentic and haven't been modified during transmission. What the server sends is exactly what you receive. And fourth, authentication: Certificate validation ensures you're communicating with legitimate DNS servers, not malicious imposters trying to redirect your internet traffic. This comprehensive protection makes DoT a game-changer for internet security.

Scene 7 (5m 35s)

[Audio] DNS over TLS isn't just a concept - it's being deployed at internet scale by major technology companies: Android 9, with its 'Private DNS' feature, was the first major operating system to implement DoT system-wide. Today, this means over 2 billion Android devices worldwide support DoT natively. Users can enable it with just a few taps in their settings. Cloudflare's 1.1.1.1 service, launched in 2018, provides DoT support and now processes over 1 trillion DNS queries daily with strong privacy guarantees - they don't log your IP address and don't sell your data. Google Public DNS also supports DoT via dns.google and operates at an even larger scale, handling over 1.5 trillion queries per day globally. And Quad9 takes a security-first approach, not only encrypting queries with DoT but also actively blocking access to 5 to 8 million known malicious domains based on threat intelligence feeds. These aren't small experiments - these are production deployments serving billions of users every single day, proving that DoT is both practical and scalable. Of course, with all these benefits, DoT also provides critical protection against real-world attacks.

Scene 8 (7m 4s)

[Audio] First, DNS spoofing and cache poisoning: Attackers can no longer inject fake DNS responses to redirect you to malicious websites because TLS encryption prevents any tampering with the data. The historic 2008 Kaminsky Bug affected millions of DNS servers worldwide and allowed attackers to poison DNS caches at will. Second, man-in-the-middle attacks: Certificate validation ensures you're connecting to the legitimate DNS server. In the real world, we see public WiFi hotspots that redirect DNS queries to inject advertisements into your browsing. DoT completely blocks this - when the certificate doesn't validate, your device rejects the connection. And third, DNS hijacking: DoT prevents router malware from redirecting your DNS queries to malicious servers.

Scene 9 (8m 3s)

[Audio] While DoT provides significant benefits, it's important to understand the challenges: Network visibility is a concern for some organizations. Corporate networks may struggle with content filtering and security monitoring when DoT bypasses their traditional DNS-based controls. IT departments need to adapt their security strategies. Adoption barriers exist because older systems and IoT devices may not support DoT, requiring network-level solutions or firmware updates to implement encryption. Trust centralization is another consideration. When you use DoT, you must trust your DNS provider - whether it's Cloudflare, Google, or Quad9 - with all your DNS queries. This potentially concentrates data with a few large providers. And finally, blocking concerns: DoT's dedicated port 853 makes it relatively easy for restrictive networks to block, unlike DoH, which blends with normal web traffic. Some environments may deliberately prevent DoT usage. Despite these challenges, the security and privacy benefits far outweigh these limitations for most users.

Scene 10 (9m 17s)

[Audio] Thank you for your attention. DNS over TLS is securing the internet, one query at a time. I'm happy to answer any questions you may have.