What The NSA’s Advice on Encrypted DNS Really Tells Us

The NSA has recently released advice on the adoption of encrypted DNS in enterprise environments.

Encrypted DNS: The NSA’s opinion on DoH

While the title of this blog implies it deals with encrypted DNS in general (and there's a brief mention of DNS-over-TLS (DoT)), the advice mainly deals with the use of DNS-over-HTTPS (DoH).

It's a fairly concise document—for a government organization, 7 pages is almost a press release—so I'll leave it up to you to read the whole thing. But there are some interesting points made in there about DoH that might not be obvious if you're not so familiar with the topic.

Their list of issues with DoH is a pretty good summary of concerns:

  • A false sense of security
  • Bypassing DNS monitoring and protections 
  • Concerns for internal network configurations and information
  • Exploitation of upstream DNS traffic

The most important concern for our customers is the second here: bypassing DNS monitoring and protections.

The way that DoH is implemented—or in the process of being implemented—right now is all over the place: At the operating system level, at the application level, sometimes upgraded automatically, sometimes not, and the prevention or signaling mechanisms are in no way standardized. Since DoH works by tunneling DNS traffic over HTTPS, it makes it non-trivial to detect and block.

The upshot is that if you have, let's say, an excellent DNS filtering provider in place, a real concern is that DoH is going to bypass the great value and top notch protection (ahem) you're paying for.

The NSA and third party resolvers

The headline most news sites have gone with focuses on a key takeaway: "Only use the enterprise DNS resolver and disable all others". What they're saying here is not that all external DNS resolvers are bad—just that you should control what goes in and out of your network.

For our customers, this effectively means sticking with the local relay (which would be the enterprise resolver in this instance)  to funnel DNS requests through to our servers.

It's an interesting piece of advice from an organization famous for its desire to inspect all network traffic. There's a whole discussion of whether or not their motivations are mostly self-serving or not, but the recommendation is basically solid.

For DNSFilter customers, the best way to prevent DoH from being used is to block the Proxy & Filter Avoidance category. This stops any initial communication to DoH servers from taking place. For example, Firefox will be unable to contact a valid DoH server to start using it if the DoH server itself is blocked. Ultimately there's no real way to block a really determined actor from hiding their traffic, but this is an effective way of stopping the automatic use of DoH.

I think the real significance of this article is the fact that the NSA has released it at all. There's nothing really new in the document, and most people following the topic will be aware of the issues and blocking strategies discussed. But for a huge three-letter agency to put this out there, it signals a public acceptance that there are definite issues to be addressed with DoH as it stands.

My hope is that this acknowledgement will give a bit of a kick to some of the bigger players in the space. We need a proper DNS discovery protocol and mechanism for disabling it—or really, for enabling it, as it really shouldn't be automatically enabled.

And perhaps this might encourage companies to listen to the people who have already been voicing their concerns over DoH. They’ve been banging their drums about opt-in by default, lack of a discovery mechanism, and even the potentially negative impact on international policies. So far though, most of these issues have effectively been steamrolled over.

But that's a whole other blog post on its own. 

For further reading on the downsides of DoH, check out my previous article.

Don't miss our upcoming webinar on February 17 all about DoH and DoT.

  • There are no suggestions because the search field is empty.
Latest posts
Mid-Winter Nights Hallucinations: Some Thoughts on Our New GenAI Category Mid-Winter Nights Hallucinations: Some Thoughts on Our New GenAI Category

AI, LLM, generative content, NLP, big data, neural processing, machine learning, GPT. In 2023 it's undeniable that these were some of the most heard terms from various businesses, news outlets and the social media sphere. Ultimately this alphabet soup can mean just as much as it sometimes doesn’t—and, as often is the case, the internet leans into the trend.Sites popped up everywhere—some reputable while others less so—promising cyberpunk profile ...

DNSFilter Awarded 20 Badges in The 2024 Winter G2 Awards DNSFilter Awarded 20 Badges in The 2024 Winter G2 Awards

DNSFilter named in 27 reports and awarded 20 badges. 9 badges in DNS security category, 11 badges in Secure Web Gateway.

DNSFilter CEO Comments on Quad9’s Win for Protective DNS DNSFilter CEO Comments on Quad9’s Win for Protective DNS

The recent ruling by the Higher Regional Court, which exonerates Quad9 of liability under German and European law, is a significant win in the protective DNS space, asserting that DNS resolvers do not play a central role in copyright-infringing activities. This decision is a step toward preserving the impartiality of DNS resolvers and highlights the necessity for clear legal frameworks that define the roles and responsibilities of technology prov...

Explore More Content

Ready to brush up on something new? We've got even more for you to discover.