DoH: Towards more Privacy

Mustapha Benmbarek
3 min read, Sep 29, 2020

The Domain Name System (DNS) was developed to serve as the address book for the internet. Built with scalability and consistency in mind, it was designed without any consideration of how it could be exploited, manipulated, misused, or even harnessed for good. DNS is an integral component of the internet, and the need to protect it can no longer be overlooked. It is often targeted by bad actors, and protection of the DNS layer is increasingly seen as an integral security control. In terms of making networks more resilient to cyberattacks, it is the ideal control point, since every Internet resource lookup, whether initiated by the network or by a user, has to be routed via external DNS servers. Unfortunately, organizations are often content to let their ISP handle their DNS requests, and so they have no insight into which requests are being made and answered.

DNS over HTTPS (DoH)

Since its inception in 1983, the DNS has scaled to hold over 335 million domains, which act as the gateways to billions of URLs. A far-seeing and brilliant solution, the DNS was built around performance and scalability. Simply by looking at an organization's or an individual's DNS requests, it is easy to determine how the internet is being used: where and when websites are browsed, which applications are accessed, and even which devices and tools are in use on your network. And since these requests are not encrypted (nor is the DNS resolver authenticated), clear-text DNS not only exposes this information but also leaves the integrity of the responses open to compromise. Privacy and security were not a consideration. DoH seeks to address that.

DoH: Improving Privacy and Security

DNS over HTTPS is specifically designed to address the fundamental privacy and security limitations of DNS. Much as a browser connects to a secure website through HTTPS, DoH allows DNS requests to be secured: first the resolving server is verified through its certificate, then a TLS connection is established, and all DNS requests are then carried over this connection, encrypted and protected courtesy of HTTPS. Privacy is improved because encrypted DoH requests are not easily monitored or intercepted, and DoH adds assurance that only the DNS provider of choice sees these requests. Security is likewise improved by encrypting DNS requests: not only does this verify that the specified DoH resolver is the one providing resolution, but it also ensures that the requests themselves are protected and have not been altered or tampered with in transit.

DoH: How Encryption Causes Security Problems

Since DoH lets applications handle their own DNS requests directly, it has the potential to circumvent the DNS resolver configured on your network. This can create new security and technical problems for organizations. For example, if a device makes DNS requests for a domain that hosts known botnet or malware sites, it is important to have visibility into those lookups so that corresponding security decisions can be made. But when those DNS requests are handled directly by an application through DoH, network logs no longer show whether they are occurring at all. Unmanaged DoH, in effect, blindsides existing security controls. Furthermore, DoH can circumvent most commercial DNS filtering solutions: when a DNS request is made directly by an application through DoH rather than through the resolver provided by the OS, filtering cannot be applied. Not only is the system exposed to the threat, but the event itself is never logged. Losing the ability to filter and report on DNS requests considerably weakens overall network security.

Conclusion

DoH is an important new protection for DNS requests. It will improve the overall privacy and security of the DNS requests every organization makes using the internet. But it’s also important that organizations adopt this technology without losing the significant security benefits they get by managing and controlling DNS request traffic today.
