What The NSA’s Advice on Encrypted DNS Really Tells Us

The NSA has recently released advice on the adoption of encrypted DNS in enterprise environments.

Encrypted DNS: The NSA’s opinion on DoH

While the title of this blog implies it deals with encrypted DNS in general (and there's a brief mention of DNS-over-TLS (DoT)), the advice mainly deals with the use of DNS-over-HTTPS (DoH).

It's a fairly concise document—for a government organization, 7 pages is almost a press release—so I'll leave it up to you to read the whole thing. But there are some interesting points made in there about DoH that might not be obvious if you're not so familiar with the topic.

Their list of issues with DoH is a pretty good summary of concerns:

  • A false sense of security
  • Bypassing DNS monitoring and protections 
  • Concerns for internal network configurations and information
  • Exploitation of upstream DNS traffic

The most important concern for our customers is the second here: bypassing DNS monitoring and protections.

The way that DoH is implemented—or in the process of being implemented—right now is all over the place: At the operating system level, at the application level, sometimes upgraded automatically, sometimes not, and the prevention or signaling mechanisms are in no way standardized. Since DoH works by tunneling DNS traffic over HTTPS, it makes it non-trivial to detect and block.

The upshot is that if you have, let's say, an excellent DNS filtering provider in place, a real concern is that DoH is going to bypass the great value and top notch protection (ahem) you're paying for.

The NSA and third party resolvers

The headline most news sites have gone with focuses on a key takeaway: "Only use the enterprise DNS resolver and disable all others". What they're saying here is not that all external DNS resolvers are bad—just that you should control what goes in and out of your network.

For our customers, this effectively means sticking with the local relay (which would be the enterprise resolver in this instance)  to funnel DNS requests through to our servers.

It's an interesting piece of advice from an organization famous for its desire to inspect all network traffic. There's a whole discussion of whether or not their motivations are mostly self-serving or not, but the recommendation is basically solid.

For DNSFilter customers, the best way to prevent DoH from being used is to block the Proxy & Filter Avoidance category. This stops any initial communication to DoH servers from taking place. For example, Firefox will be unable to contact a valid DoH server to start using it if the DoH server itself is blocked. Ultimately there's no real way to block a really determined actor from hiding their traffic, but this is an effective way of stopping the automatic use of DoH.

I think the real significance of this article is the fact that the NSA has released it at all. There's nothing really new in the document, and most people following the topic will be aware of the issues and blocking strategies discussed. But for a huge three-letter agency to put this out there, it signals a public acceptance that there are definite issues to be addressed with DoH as it stands.

My hope is that this acknowledgement will give a bit of a kick to some of the bigger players in the space. We need a proper DNS discovery protocol and mechanism for disabling it—or really, for enabling it, as it really shouldn't be automatically enabled.

And perhaps this might encourage companies to listen to the people who have already been voicing their concerns over DoH. They’ve been banging their drums about opt-in by default, lack of a discovery mechanism, and even the potentially negative impact on international policies. So far though, most of these issues have effectively been steamrolled over.

But that's a whole other blog post on its own. 

For further reading on the downsides of DoH, check out my previous article.

Don't miss our upcoming webinar on February 17 all about DoH and DoT.

  • There are no suggestions because the search field is empty.
Latest posts
Traversing the World of AI with Judy Security Traversing the World of AI with Judy Security

Raffaele Mautone, CEO of Judy Security, recently joined us for an interview session around the increasing presence of AI in cybersecurity. This insightful Q&A session sheds light on how AI is integrated into Judy Security's operations. Raffaele also touches on the broader implications of AI for the future, making a compelling case for its strategic use in both day-to-day operations and long-term security strategies.

Exploring the Security of Free Public Wi-Fi with eero Exploring the Security of Free Public Wi-Fi with eero

There is no doubt that Wi-Fi has become an essential part of our daily lives, enabling us to stay connected whether we're at home, at work, or on the go. However, the convenience of wireless networks comes with significant security risks that can compromise personal and sensitive information. 

Revving Up the Fun: DNSFilter's IndyCar Experience Recap —Laguna Seca Edition Revving Up the Fun: DNSFilter's IndyCar Experience Recap —Laguna Seca Edition

Another exciting race weekend with Juncos Hollinger Racing and Romain Grosjean has come to a close! We co-hosted the IndyCar race at Laguna Seca road course with our pals at Pax8, our logos alongside each other on Grosjean’s No. 77 car. Clearly this teamwork paid off, with Romain finishing the race in his team-best position!

Explore More Content

Ready to brush up on something new? We've got even more for you to discover.