While the title of this blog implies it deals with encrypted DNS in general (and there's a brief mention of DNS-over-TLS (DoT)), the advice mainly deals with the use of DNS-over-HTTPS (DoH).
It's a fairly concise document—for a government organization, 7 pages is almost a press release—so I'll leave it up to you to read the whole thing. But there are some interesting points made in there about DoH that might not be obvious if you're not so familiar with the topic.
Their list of issues with DoH is a pretty good summary of concerns:
A false sense of security
Bypassing DNS monitoring and protections
Concerns for internal network configurations and information
Exploitation of upstream DNS traffic
The most important concern for our customers is the second here: bypassing DNS monitoring and protections.
The way that DoH is implemented—or in the process of being implemented—right now is all over the place: At the operating system level, at the application level, sometimes upgraded automatically, sometimes not, and the prevention or signaling mechanisms are in no way standardized. Since DoH works by tunneling DNS traffic over HTTPS, it makes it non-trivial to detect and block.
The upshot is that if you have, let's say, an excellent DNS filtering provider in place, a real concern is that DoH is going to bypass the great value and top notch protection (ahem) you're paying for.
The NSA and third party resolvers
The headline most news sites have gone with focuses on a key takeaway: "Only use the enterprise DNS resolver and disable all others". What they're saying here is not that all external DNS resolvers are bad—just that you should control what goes in and out of your network.
For our customers, this effectively means sticking with the local relay (which would be the enterprise resolver in this instance) to funnel DNS requests through to our servers.
It's an interesting piece of advice from an organization famous for its desire to inspect all network traffic. There's a whole discussion of whether or not their motivations are mostly self-serving or not, but the recommendation is basically solid.
For DNSFilter customers, the best way to prevent DoH from being used is to block the Proxy & Filter Avoidance category. This stops any initial communication to DoH servers from taking place. For example, Firefox will be unable to contact a valid DoH server to start using it if the DoH server itself is blocked. Ultimately there's no real way to block a really determined actor from hiding their traffic, but this is an effective way of stopping the automatic use of DoH.
I think the real significance of this article is the fact that the NSA has released it at all. There's nothing really new in the document, and most people following the topic will be aware of the issues and blocking strategies discussed. But for a huge three-letter agency to put this out there, it signals a public acceptance that there are definite issues to be addressed with DoH as it stands.
My hope is that this acknowledgement will give a bit of a kick to some of the bigger players in the space. We need a proper DNS discovery protocol and mechanism for disabling it—or really, for enabling it, as it really shouldn't be automatically enabled.
And perhaps this might encourage companies to listen to the people who have already been voicing their concerns over DoH. They’ve been banging their drums about opt-in by default, lack of a discovery mechanism, and even the potentially negative impact on international policies. So far though, most of these issues have effectively been steamrolled over.
Cybersecurity best practices are considered to be a mostly stable set of guidelines that advise organizations on the safest way to protect their digital holdings. Every once in a while, however, there are shakeups within these otherwise established best practices. Governing bodies issue new regulations, high-profile cyber attacks expose developing threats, and global events place pressure on existing cybersecurity measures.
DNSFilter has been named a leader in Secure Web Gateway, DNS Security, and Web Security categories on G2, earning an impressive 29 badges and named in 29 reports. This includes new badges such as High Performer EMEA and Leader Americas in the Web Security category.
These accolades are a testament to our commitment to our customers. We are particularly proud of our badges for ease of implementation, administration, and quality support. Providing ...