The NSA has recently released advice on the adoption of encrypted DNS in enterprise environments.
While the title of this blog implies it deals with encrypted DNS in general (and there's a brief mention of DNS-over-TLS (DoT)), the advice mainly deals with the use of DNS-over-HTTPS (DoH).
It's a fairly concise document—for a government organization, 7 pages is almost a press release—so I'll leave it up to you to read the whole thing. But there are some interesting points made in there about DoH that might not be obvious if you're not so familiar with the topic.
Their list of issues with DoH is a pretty good summary of concerns:
The most important concern for our customers is the second here: bypassing DNS monitoring and protections.
The way that DoH is implemented—or in the process of being implemented—right now is all over the place: At the operating system level, at the application level, sometimes upgraded automatically, sometimes not, and the prevention or signaling mechanisms are in no way standardized. Since DoH works by tunneling DNS traffic over HTTPS, it makes it non-trivial to detect and block.
The upshot is that if you have, let's say, an excellent DNS filtering provider in place, a real concern is that DoH is going to bypass the great value and top notch protection (ahem) you're paying for.
The headline most news sites have gone with focuses on a key takeaway: "Only use the enterprise DNS resolver and disable all others". What they're saying here is not that all external DNS resolvers are bad—just that you should control what goes in and out of your network.
For our customers, this effectively means sticking with the local relay (which would be the enterprise resolver in this instance) to funnel DNS requests through to our servers.
It's an interesting piece of advice from an organization famous for its desire to inspect all network traffic. There's a whole discussion of whether or not their motivations are mostly self-serving or not, but the recommendation is basically solid.
For DNSFilter customers, the best way to prevent DoH from being used is to block the Proxy & Filter Avoidance category. This stops any initial communication to DoH servers from taking place. For example, Firefox will be unable to contact a valid DoH server to start using it if the DoH server itself is blocked. Ultimately there's no real way to block a really determined actor from hiding their traffic, but this is an effective way of stopping the automatic use of DoH.
I think the real significance of this article is the fact that the NSA has released it at all. There's nothing really new in the document, and most people following the topic will be aware of the issues and blocking strategies discussed. But for a huge three-letter agency to put this out there, it signals a public acceptance that there are definite issues to be addressed with DoH as it stands.
My hope is that this acknowledgement will give a bit of a kick to some of the bigger players in the space. We need a proper DNS discovery protocol and mechanism for disabling it—or really, for enabling it, as it really shouldn't be automatically enabled.
And perhaps this might encourage companies to listen to the people who have already been voicing their concerns over DoH. They’ve been banging their drums about opt-in by default, lack of a discovery mechanism, and even the potentially negative impact on international policies. So far though, most of these issues have effectively been steamrolled over.
But that's a whole other blog post on its own.
For further reading on the downsides of DoH, check out my previous article.
Don't miss our upcoming webinar on February 17 all about DoH and DoT.