DNS-over-HTTPS (DoH)

In the Business Environment

Privacy for the Masses

DNS-over-HTTPS, or DoH, is a relatively new protocol that was developed with the goal of providing increased privacy and security. To achieve this, DNS queries are encrypted and sent over HTTPS to a DoH-enabled server, which makes them indistinguishable from other web traffic.
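How a DNS query is mapped onto an HTTPS request under RFC 8484, and what a TLS-inspecting proxy could match on, shown as an added example that is not part of the original page. The resolver host `doh.example.net`, the function names and the proxy deployment are assumptions made for this example.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

DOH_MEDIA_TYPE = "application/dns-message"  # media type defined by RFC 8484

def build_dns_query(name, qtype=1):
    """Wire-format DNS query with one question (default type A, class IN)."""
    # ID 0 as RFC 8484 recommends for HTTP caching; flags 0x0100 = recursion desired
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").encode("ascii").split(b"."):
        if not 0 < len(label) <= 63:
            raise ValueError("invalid DNS label length")
        qname += bytes([len(label)]) + label
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_request(name, host, path="/dns-query"):
    """Request target and headers for an RFC 8484 GET (base64url, no padding)."""
    # "/dns-query" is the path used in the RFC's examples; servers define their own.
    dns = base64.urlsafe_b64encode(build_dns_query(name)).rstrip(b"=").decode()
    return f"{path}?dns={dns}", {"Host": host, "Accept": DOH_MEDIA_TYPE}

def looks_like_doh(method, target, headers):
    """Heuristic for a proxy that sees the decrypted request (assumed deployment)."""
    hdrs = {k.lower(): v.lower() for k, v in headers.items()}
    if any(DOH_MEDIA_TYPE in hdrs.get(h, "") for h in ("accept", "content-type")):
        return True
    if method.upper() != "GET":
        return False
    for value in parse_qs(urlsplit(target).query).get("dns", []):
        try:
            raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
        except ValueError:
            continue
        # 12-byte header plus at least a root-name question, QDCOUNT == 1
        if len(raw) >= 17 and struct.unpack("!H", raw[4:6])[0] == 1:
            return True
    return False

if __name__ == "__main__":
    target, headers = doh_get_request("www.example.com", "doh.example.net")
    print("GET", target, headers)
```

Without TLS inspection none of these fields are visible on the wire; only the destination address (and usually the TLS server name) remains observable.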

While rooted in a positive quest for Internet privacy, DNS-over-HTTPS has been controversial since its beginning. The debate around it boils down to the fact that it seems to have been primarily designed with the individual or home user in mind, or at the very least, the impact it would have on network security in a business setting was underestimated and/or overlooked.

DNS-over-HTTPS Bypasses Your Security Settings

Before DoH, DNS servers were configured at the operating system level. With DoH, servers are configured at the application level, bypassing the operating system’s settings. As a result, many of the policies and tools used by tech support, system administrators and enterprise security teams to control and audit DNS-level activities are made ineffective.

For example, DNS firewalls and auditing are easy and popular ways to protect endpoints, apply parental controls and detect compromised systems. DoH bypasses the existing security infrastructure and policies, including hardware, software (firewalls, IDS, etc.), training, and resource management. Enterprises have invested A LOT of time and money in all of these.

As a result, organizations are likely to encounter a myriad of technical, policy, and regulatory issues with the use of DoH:

  • DNS firewalls become ineffective; users can bypass local policies and, for example, access social media or other prohibited resources
  • DNS traffic can’t be audited
  • Access control lists based on threat intelligence data feeds can be circumvented
  • Split DNS scenarios are no longer possible
  • Private/internal DNS names may be leaked
  • Regulations like GDPR are impacted as DoH servers may be operated in a jurisdiction other than that of their users
  • Incident response and threat hunting become far more complex
  • Tech support troubleshooting changes significantly as now applications and the operating system use distinct DNS resolvers
  • Network operators won’t be able to perform DNS blocking and filtering to handle take down notices or comply with court orders
  • CDNs that rely on DNS to direct traffic to cache nodes are no longer able to use the same technique
  • New cyber threats take advantage of the lack of visibility. Godlua malware has already been found exploiting DoH. The malware uses the protocol’s encryption to freely establish communication with the command and control (C&C) server.

And if all that’s not enough to be wary of DoH, consider this: DoH service providers know IP addresses and DNS queries. And it is unclear how this data can be used by them. As there is only a small group of DoH providers these days, this concentrates the control over DNS responses in only a few companies. That is dangerous and the opposite of what DNS should be – a hierarchical and decentralized system. It is a threat to Net Neutrality.

Prevent the Use of DoH in Your Network

There are some options to help control the use of DoH in the business environment. For example, preventing applications from configuring DoH servers and blocking the use of browsers that have DoH enabled are workarounds.

Another way is to supply your firewall and/or IDS with an up-to-date feed of active DoH servers to prevent access to them altogether. This protects the investment already made in security mechanisms, policies and procedures – and requires the least amount of change to the current environment. This is why Malware Patrol has created a data feed of DoH resolvers that our customers can use to prevent access, ensuring their carefully configured and security-compliant environments remain under their control.
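One way to turn such a feed into enforcement, as an added example that is not Malware Patrol's code: it validates a constructed sample feed and renders an nftables ruleset for a gateway plus RPZ records for the internal resolver. The feed keys (`fqdn`, `ipv4`, `ipv6`), the sample entries and the table and set names are assumptions, since the page does not give the feed's schema.

```python
import ipaddress
import json

# Constructed sample; keys "fqdn"/"ipv4"/"ipv6" are assumed, the page gives no schema.
SAMPLE_FEED = json.dumps([
    {"fqdn": "doh.resolver-a.example", "ipv4": ["192.0.2.53"], "ipv6": ["2001:db8::53"]},
    {"fqdn": "DoH.Resolver-B.example.", "ipv4": ["198.51.100.7", "192.0.2.53"], "ipv6": []},
    {"fqdn": "bad entry", "ipv4": ["999.1.1.1"], "ipv6": ["not-an-ip"]},
])

def valid_fqdn(name):
    labels = name.split(".")
    return len(labels) > 1 and all(0 < len(l) <= 63 and l.isascii()
                                   and l.replace("-", "").isalnum() for l in labels)

def parse_feed(text):
    """Return (names, v4, v6) as de-duplicated sets, skipping malformed values."""
    names, v4, v6 = set(), set(), set()
    for entry in json.loads(text):
        fqdn = str(entry.get("fqdn", "")).rstrip(".").lower()
        if valid_fqdn(fqdn):
            names.add(fqdn)
        for key, bucket, version in (("ipv4", v4, 4), ("ipv6", v6, 6)):
            for raw in entry.get(key, []):
                try:
                    ip = ipaddress.ip_address(raw)
                except ValueError:
                    continue  # never copy unvalidated feed text into a ruleset
                if ip.version == version and not (ip.is_loopback or ip.is_unspecified):
                    bucket.add(ip)
    return names, v4, v6

def render_nft(v4, v6):
    """nftables ruleset for a forwarding gateway (table/set names are made up)."""
    out = ["table inet doh_block {"]
    for name, typ, addrs in (("doh4", "ipv4_addr", v4), ("doh6", "ipv6_addr", v6)):
        out += [f"  set {name} {{", f"    type {typ}"]
        if addrs:  # nft rejects an empty elements list
            out.append("    elements = { " + ", ".join(map(str, sorted(addrs))) + " }")
        out.append("  }")
    out += ["  chain forward {", "    type filter hook forward priority 0; policy accept;",
            "    ip daddr @doh4 counter drop", "    ip6 daddr @doh6 counter drop", "  }", "}"]
    return "\n".join(out)

def render_rpz(names):
    """RPZ NXDOMAIN records so the internal resolver will not resolve DoH hostnames."""
    return "\n".join(f"{n} CNAME ." for n in sorted(names))

if __name__ == "__main__":
    print(render_nft(*parse_feed(SAMPLE_FEED)[1:]))
```

The `counter` on each drop rule keeps blocked attempts countable, which helps when tracing which endpoints still have application-level DoH configured.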

 

Data Feed Details

CONTENTS

  • JSON-formatted feed
  • Three (3) versions available:
      - FQDN of the DoH server
      - IPv4 address(es) and geo-location information
      - IPv6 address(es) and geo-location information

FEATURES

  • Unlimited downloads
  • Hourly updates
  • Full commercial license

DoH Resources

We compiled the following articles about DNS-over-HTTPS from a variety of sources. Because the topic often generates debate, we encourage you to read what experts in the industry have to say and figure out how it will impact your company and/or your customers. Our team has ongoing research in this subject area and would be interested in any feedback or questions you may have. Contact us!

DoH Origins

DNS Queries over HTTPS (DoH)
Internet Engineering Task Force (IETF) Request for Comments (RFC): 8484
October 2018

This document defines a protocol for sending DNS queries and getting DNS responses over HTTPS. Each DNS query-response pair is mapped into an HTTP exchange.

DNS over HTTPS (DoH) Considerations for Operator Networks
Internet Engineering Task Force (IETF) Internet-Draft
September 9, 2019

The introduction of DNS over HTTPS (DoH), defined in RFC8484, presents a number of challenges to network operators. These are described in this document. 

Ongoing Discussion Regarding DoH
Internet Engineering Task Force (IETF)