Protect: secure DNS requests

Yandex Browser features the Protect integrated security system with DNS over HTTPS (DoH) technology to protect users from interception and substitution of DNS requests and data manipulation.

Note. By default, DoH encryption is disabled, but it can be enabled manually.

  1. DNS hijacking risks
  2. DoH technology in Yandex Browser
  3. Enable encryption of DNS requests

DNS hijacking risks

To access an internet site, you need to know its IP address. It's easier for users to remember domain names (the letters comprising the site address) than the string of numbers that make up the IP address. DNS is a distributed system for getting the IP addresses that correspond to domain names.

When a user enters a website address in Yandex Browser with encryption disabled, this is what happens:

  1. The browser sends a request specifying the domain to a special DNS server.
  2. The DNS server returns a response with the IP address that corresponds to the domain.

Attention. The DNS server request and response are transmitted openly, without encryption.

The lack of encryption means that:

  • The internet provider or network administrator can find out which sites a user is visiting.
  • Attackers can tamper with the response from the DNS server and redirect the user to a malicious site. For example, instead of going to a bank's website, a user might end up on a fake site that steals passwords.

DoH technology in Yandex Browser

DoH relies on encryption to protect users from DNS hijacking and spoofing. When you enter a website address in Yandex Browser with encryption enabled, the following happens:

  1. DoH encrypts your computer's DNS request using the TLS protocol.
  2. The encrypted request is sent as an HTTPS GET or POST request to a DoH-enabled DNS server.
  3. The DNS server then sends the IP address back to your computer in an encrypted response over the HTTP or HTTP/2 protocol.

Encrypting traffic between Yandex Browser and the DNS server means that:

  • Network administrators and internet service providers can't track your DNS requests or know which websites you visit.
  • Hackers can't tamper with the DNS server's response or direct Yandex Browser to malicious sites.

Enable encryption of DNS requests

  1. Click  → Settings.
  2. Go to the Security tab at the top of the page.
  3. Under Secure connection, select Use a secure DNS server.
  4. If necessary, select a service provider from the drop-down list. By default, it's set to Use the current service provider.