DNS over HTTPS is a relatively new protocol that protects domain-lookup traffic from interception and manipulation by malicious parties. Instead of the end user’s device talking to a DNS server over a plaintext channel, as DNS has done for more than three decades, DoH, as DNS over HTTPS is known, encrypts requests and responses using the same TLS encryption that protects HTTPS web traffic.
Using DoH or the similar protocol known as DoT, short for DNS over TLS, is a no-brainer in 2021, since DNS traffic can be as sensitive as any other data sent over the Internet. On Thursday, however, the National Security Agency said some Fortune 500 companies, large government agencies, and other corporate users are better off not using it. The reason: the same encryption that keeps out malicious third parties can also thwart engineers’ efforts to secure their networks.
“DoH provides the benefit of encrypted DNS transactions, but it can also bring issues to companies, including a false sense of security, circumvention of DNS monitoring and safeguards, concerns for internal network configurations and information, and misuse of upstream DNS traffic,” NSA officials wrote in published recommendations. “In some cases, individual consumer applications can activate DoH using external solutions, causing some of these issues automatically.”
DNS refresher
More on the potential harms of DoH later. First, a quick refresher on how the DNS, short for domain name system, works.
When people send email, browse a website, or do just about anything else on the Internet, their devices need a way to translate a domain name into the numerical IP address that servers use to find other servers. For this, the device sends a lookup request to a DNS resolver, a server or group of servers typically run by the ISP or by the organization the user is connected to.
If the DNS resolver already knows the IP address for the requested domain, it immediately sends it back to the end user. If not, the resolver forwards the request to an external DNS server and waits for a response. Once it has one, the resolver sends the corresponding IP address to the client machine.
The diagram below shows a typical configuration in many enterprise networks:
[Diagram: typical enterprise DNS configuration. Credit: NSA]
Remarkably, this process is unencrypted by default. That means anyone with the ability to monitor the connection between an organization’s end users and its DNS resolver, say a malicious eavesdropper or a hacker who already has a toehold in the network, can build a comprehensive account of every domain and IP address those users connect to. Worse, such an attacker may also be able to send users to malicious sites by replacing the correct IP address in a response with a malicious one.
A double-edged sword
DoH and DoT were created to fix all this. Just as transport layer security encryption keeps web traffic from prying eyes, DoH and DoT do the same for DNS traffic. For now, DoH and DoT are add-on safeguards that require extra work on the part of end users or the administrators who serve them.
The easiest way for people to get these protections today is to configure their operating system (e.g., Windows 10 or macOS), browser (e.g., Firefox or Chrome), or other software that supports either DoH or DoT.
Thursday’s recommendations from the NSA warned that these sorts of arrangements can put companies at risk, especially when the protection comes from DoH. The reason: DoH configured on the device operates outside network defenses such as DNS inspection, which monitors domain lookups and IP address responses for signs of malicious activity. Instead of the traffic passing through the company’s firewalled DNS server, DoH configured on the end user’s machine wraps it in an encrypted envelope and sends it to an external DoH resolver.
NSA officials wrote:
Many companies use corporate DNS resolvers or external DNS providers as a key element in the overall network security architecture. These secure DNS services can filter domains and IP addresses based on known malicious domains, restricted content categories, reputation information, typing protections, advanced analysis, DNS Security Extensions (DNSSEC) validation, or other reasons. When DoH is used with external DoH resolvers and the corporate DNS service is bypassed, the organization’s devices can lose these important protections. This also prevents local DNS level caching and the performance improvements it can bring.
Malware can also use DoH to perform DNS lookups that bypass enterprise DNS resolvers and network monitoring tools, often for command and control or exclusion purposes.
There are other risks as well. For example, when an end-user device with DoH enabled tries to connect to a domain in the corporate network, it will first send a DNS query to the external DoH resolver. Even if the query ultimately falls back to the corporate DNS server, it can still leak internal network information in the process. What’s more, sending lookups for internal domains to an external destination can cause network performance problems.
The image immediately below shows how DoH with an external resolver can completely bypass the corporate DNS server and the many security measures it can provide.
[Diagram: DoH to an external resolver bypassing the corporate DNS server. Credit: NSA]
Bring your own DoH
The answer, Thursday’s recommendations said, is for companies that want DoH to rely on their own DoH-enabled resolvers, which in addition to resolving the request and returning the response also provide inspection, logging, and other safeguards.
The recommendations go on to say that companies should configure network security devices to block all known external DoH servers. Blocking outgoing DoT traffic is fairly straightforward, since it normally travels over port 853, which companies can block wholesale. That option is not available for outgoing DoH traffic, because it uses port 443, which carries all other HTTPS traffic and so cannot be blocked wholesale.
The diagram below shows the recommended enterprise setup.
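The policy just described, as an added example that is not from the article or the NSA document: the Python below runs the "block DoT on 853, block known external DoH endpoints, allow the corporate DoH resolver" rules over a few constructed connection-log lines (source IP, destination IP, destination port, TLS SNI). Every address, hostname and list entry is a constructed placeholder; a real deployment would use the organization’s own resolver addresses and a maintained list of external DoH servers.

```python
import ipaddress

# Constructed policy data (placeholders, not real resolvers).
INTERNAL_DOH_RESOLVERS = {"10.0.0.53"}
KNOWN_EXTERNAL_DOH_HOSTS = {"doh.resolver-a.invalid", "dns.resolver-b.invalid"}
KNOWN_EXTERNAL_DOH_IPS = {"192.0.2.10", "198.51.100.20"}
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed connection-log lines: src_ip dst_ip dst_port sni ("-" = no SNI seen).
SAMPLE_LOG = """\
10.1.2.3 203.0.113.5 853 -
10.1.2.3 192.0.2.10 443 doh.resolver-a.invalid
10.1.2.4 198.51.100.20 443 -
10.1.2.5 10.0.0.53 443 dns.corp.invalid
10.1.2.6 203.0.113.80 443 www.partner.invalid
"""

def is_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)

def classify(line: str) -> str:
    """Return the verdict for one connection-log line."""
    src, dst, port, sni = line.split()
    port = int(port)
    if not is_corporate(src):
        return "ignore: source outside the corporate network"
    if port == 853:
        # DoT has its own port, so it can be blocked wholesale.
        return "block: DoT (port 853)"
    if port == 443 and dst in INTERNAL_DOH_RESOLVERS:
        return "allow: corporate DoH resolver"
    if port == 443 and (sni in KNOWN_EXTERNAL_DOH_HOSTS or dst in KNOWN_EXTERNAL_DOH_IPS):
        # DoH shares 443 with all web traffic; only known endpoints can be blocked.
        return "block: known external DoH resolver"
    return "allow: ordinary HTTPS"

def evaluate(log: str) -> list:
    """Verdict per line, in order, as (dst_ip, verdict) tuples."""
    return [(l.split()[1], classify(l)) for l in log.strip().splitlines()]

if __name__ == "__main__":
    for dst, verdict in evaluate(SAMPLE_LOG):
        print(f"{dst:16} {verdict}")
```

The last sample line is the limit of this approach: HTTPS to a destination that is not on the known-DoH list is indistinguishable from web browsing at the firewall, which is why the recommendations pair blocking with an internal DoH resolver rather than relying on blocking alone.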
[Diagram: recommended enterprise DoH setup with an internal DoH resolver. Credit: NSA]
DoH to outside resolvers is fine for people connecting from home or small offices, Thursday’s recommendations said. I’ll go one step further and say that it’s nothing short of crazy for people to use unencrypted DNS in 2021, after all the revelations of the past decade.
For companies, things are more nuanced.