DNS over HTTPS (DoH) is making newsheadlines again and causing some consternation in enterprise security circles. With Microsoft coming out with support for DoH for Windows 10 in 1H2021, on top of Firefox and Google Chrome’s existing support, enterprises need to consider how to approach DoH. This blog unpacks the background on DoH, the impact on security, highlights the issues for enterprises, and makes a recommendation for an enterprise strategy around DNS and DoH.
DNS is something near and dear to our hearts at HYAS. HYAS Insight provides some of the world’s best historical domain WHOIS data, passive DNS data, and proprietary WHOIS information. Our expertise around adversary command and control (C2) and phishing infrastructure is core to how we help enterprises understand and identify their cyber adversaries, and key to the proactive and pre-emptive defense provided by HYAS Protect, so the evolution of DNS is of keen interest.
DNS is a foundational technology for the internet; like a phonebook, you enter a domain into your browser and DNS provides back the IP address of your destination. Today’s DNS also enables enterprise security tools like firewalls, secure web gateways, and cloud access security brokers to block users from going to known bad places.
While some enterprises are taking initial steps with DNS-based intelligence to protect their users, there are situations where privacy around the DNS traffic is also important. If you are an activist or journalist in a repressive country, the privacy of DNS traffic is tantamount. One does not want a repressive government snooping to know where you go on the internet, as the personal ramifications of such snooping could lead to imprisonment or worse. DoH is currently gestating as a proposed IETF standard backed by Mozilla Firefox and Google Chrome partly because it offers the prospect of improved privacy for DNS communication.
The privacy provided by DoH shifts the equation of who has visibility to traffic. While today this would be your friendly enterprise IT department and/or your ISP, DoH will shift things to whoever resolves the DoH request (i.e. the DoH resolver translating the request into an IP address).
You can use a VPN today to shield traffic from prying eyes, but DoH takes things a step further. DoH queries are sent to specific DoH-capable DNS servers (called DoH resolvers) which resolve the DNS queries inside DoH requests, and provide encrypted responses to the users. Visibility to the telemetry shifts from the enterprise or ISP to whomever is providing the DoH resolver.
Most of today’s DNS servers do not support DoH yet, so apps that currently support DoH include lists of hardcoded DoH resolvers. This separates DoH from the operating system's regular DNS settings. And users can modify DoH settings in their endpoint browsers. System administrators already have challenges in warding off DNS hijack attacks, and the prospect of countless apps with their own DoH settings makes monitoring for DNS hijacking almost impossible.
Employees wanting to circumvent existing enterprise controls will find DoH to be quite convenient. But once DoH is started, things quickly get complicated. Users might start with visiting an ‘NSFW’ site via DoH, but DoH remains enabled and that same user might subsequently visit a phishing site or one infected with malware. While enterprise IT today has visibility to DNS traffic flowing as clear text, DoH means they will lose that visibility. This risks having DoH being used as a channel for malware, data exfiltration or other malicious activity. IT will not have visibility to the traffic by virtue of DoH sending via standard port 443 used by HTTPS. A recent SANS whitepaper highlighted the issue.
While DoH is one path forward, another path lies in using DNS over TLS (DoT), a protocol similar to DoH that encrypts the DNS connection inside TLS using Port 853 rather than using the DoH approach of putting DNS traffic inside an HTTPS connection.
Maintaining privacy is important, particularly for consumers in situations where they are dealing with an authoritarian regime. Enterprise security teams have a conundrum in that it is best to not sacrifice security in favor of privacy. Both DoT and DoH are a challenge for IT security because the enterprise loses access to DNS telemetry.
We created HYAS Protect to block threats and provide enterprises with needed DNS-based intelligence to proactively and pre-emptively keep their data, users, and devices safe. While HYAS Protect supports both DoT and DoH, DoT is preferable to DoH because of DoT’s ability to segregate network traffic. For optimal DNS usage, we would recommend using HYAS Protect, enabling DoT for added privacy but with the ability to monitor the DNS traffic and keep your enterprise safe, and blocking the IP addresses for known DoH resolvers. This ensures that users get the benefit of increased privacy, the enterprise gets the benefit of advanced protection from DNS signals and HYAS Protect, and nefarious users, malware and other infections cannot “slip through” via DoH.
