Privacy for the Masses

DNS-over-HTTPS, or DoH, is a relatively new protocol that was developed with the goal of providing increased privacy and security. To achieve this, DNS queries are encrypted and sent to a DoH-enabled server which makes them indistinct from web traffic.

While rooted in a positive quest for Internet privacy, DOH has been controversial since its beginning. The debate around it boils down to the fact that its seems to have been primarily designed with the individual or home user in mind — or at the very least, the impact it would have on network security in a business setting was underestimated.

DNS-over-HTTPS Bypasses Your Security Settings

Before DoH, DNS servers were configured at the operating system level. With DoH, servers are configured at the application level, bypassing the operating system’s settings. As a result, many of the policies and tools used by tech support, system administrators and enterprise security teams to control and audit DNS-level activities are made ineffective.

For example, DNS firewalls and auditing are easy and popular ways to protect endpoints, apply parental controls and detect compromised systems. DoH bypasses the existing security infrastructure and policies, including hardware, software (firewalls, IDS, etc.), training, and resource management. Enterprises have invested A LOT of time and money in all of these.

As a result, organizations are likely to encounter a myriad of technical, policy, and regulatory issues with the use of DoH:

• DNS Firewalls become ineffective; users can bypasses local policies and, for example, access social media or other prohibited resources
• DNS traffic can’t be audited
• Access control lists based on threat intelligence data feeds can be circumvented
• Split DNS scenarios are no longer possible
• Private/internal DNS names may be leaked
• Regulations like GDPR are impacted as DoH servers may be operated in a jurisdiction other than that of its users
• Incident response and threat hunting become far more complex
• Tech support troubleshooting changes significantly as now applications and the operating system use distinct DNS resolvers
• Network operators won’t be able to perform DNS blocking and filtering to handle take down notices or comply with court orders
• CDNs that rely on DNS to direct traffic to cache nodes are no longer able to use the same technique
• New cyber threats that take advantage of the lack of visibility. Godlua malware has already been found exploiting DoH. The malware uses the protocol’s encryption to freely establish communication with the command and control (C&C) server.

And if all that’s not enough to be wary of DoH, consider this: DoH service providers know IP addresses and DNS queries. And it is unclear how this data can be used by them. As there is only a small group of DoH providers these days, this concentrates the control over DNS responses in only a few companies. That is dangerous and the opposite of what DNS should be – a hierarchical and decentralized system. It is a threat to Net Neutrality.

Prevent the Use of DoH in Your Network

There are some options to help control the use of DoH in the business environment. For example, preventing applications from configuring DoH servers and blocking the use of browsers that have DoH enabled are workarounds.

Another way is to supply your firewall and/or IDS with an up-to-date feed of active DoH servers to prevent access to them altogether. This protects the investment already made in security mechanisms, policies and procedures – and requires the least amount of change to the current environment. This is why Malware Patrol created the data feed of DoH resolvers that our customers can use to prevent access, ensuring their carefully configured and security-compliant environments remain under their control.