DNS-over-HTTPS
In The Business Environment
Privacy for the Masses
DNS-over-HTTPS, or DoH, is a relatively new protocol developed with the goal of providing increased privacy and security. To achieve this, DNS queries are encrypted inside HTTPS and sent to a DoH-enabled resolver, which makes them indistinguishable from ordinary web traffic to anyone watching the network.
While rooted in a legitimate quest for Internet privacy, DoH has been controversial since its beginning. The debate around it boils down to the fact that it seems to have been designed primarily with the individual or home user in mind; at the very least, the impact it would have on network security in a business setting was underestimated.
DNS-over-HTTPS Bypasses Your Security Settings
Before DoH, DNS resolvers were configured at the operating system level and every application used them. With DoH, an application such as a web browser can ship with its own resolver settings and bypass the operating system's. As a result, many of the policies and tools that tech support, system administrators and enterprise security teams use to control and audit DNS-level activity are made ineffective.
For example, DNS firewalls and DNS auditing are easy and popular ways to protect endpoints, apply parental controls and detect compromised systems. DoH bypasses this existing security infrastructure and the policies built on it, including hardware, software (firewalls, IDS, etc.), training and resource management, all of which enterprises have invested a lot of time and money in.
As a result, organizations are likely to encounter a myriad of technical, policy, and regulatory issues with the use of DoH:
- DNS firewalls become ineffective; users can bypass local policies and, for example, access social media or other prohibited resources
- DNS traffic can't be audited at the network level
- Access control lists based on threat intelligence feeds can be circumvented
- Split DNS scenarios break, because an external DoH resolver knows nothing about internal zones
- Private/internal DNS names may be leaked to a third-party resolver
- Regulations like GDPR are impacted, as DoH servers may be operated in a jurisdiction other than that of their users
- Incident response and threat hunting become far more complex without resolver logs to work from
- Tech support troubleshooting changes significantly, as applications and the operating system now use distinct DNS resolvers
- Network operators can no longer perform DNS blocking and filtering to handle take-down notices or comply with court orders
- CDNs that rely on the location of the user's DNS resolver to direct traffic to a nearby cache node lose that signal when queries arrive from a distant DoH resolver
- New cyber threats take advantage of the lack of visibility. The Godlua malware has already been found abusing DoH: it hides the DNS lookups it uses to locate its command and control (C&C) servers inside encrypted HTTPS, so DNS-based detection never sees them.
And if all that's not enough to make you wary of DoH, consider this: DoH providers see both the client IP addresses and the DNS queries, and it is unclear how they may use that data. Because only a small group of DoH providers exists today, control over DNS responses is concentrated in a few companies. That is dangerous and the opposite of what DNS was designed to be, a hierarchical and decentralized system, and it is a threat to net neutrality.
Prevent the Use of DoH in Your Network
There are some options to help control the use of DoH in the business environment. Preventing applications from configuring their own DoH resolvers, for example through enterprise browser policies that turn DoH off, and blocking browsers that have DoH enabled are workarounds. Firefox also checks a canary domain, use-application-dns.net, and keeps DoH off when the local resolver answers NXDOMAIN for it; note that this only covers its default-on mode, not a user who enables DoH explicitly.
Another way is to supply your firewall and/or IDS with an up-to-date feed of active DoH servers to prevent access to them altogether. This protects the investment already made in security mechanisms, policies and procedures, and requires the least amount of change to the current environment. This is why Malware Patrol created a data feed of DoH resolvers that our customers can use to block access, ensuring that their carefully configured, security-compliant environments remain under their control.
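The following added example (not Malware Patrol's code, and not the actual layout of its feed, whose JSON schema is not shown on this page) illustrates the two places such a feed is typically applied: it turns a list of DoH resolvers into a Response Policy Zone (RPZ) that the internal resolver can load so those hostnames, plus Firefox's canary domain, return NXDOMAIN, and it checks proxy or flow log lines for connections that reach a listed resolver by IP or TLS SNI. The feed entries, IP addresses (documentation ranges) and log lines are all constructed.

```python
"""Apply a DoH-resolver feed: build an RPZ block zone and flag DoH flows in logs.

Added example. The feed schema, log format and all addresses are assumptions.
"""
import ipaddress
import json
import re

# Constructed feed in an assumed schema (fqdn + ipv4 list); a real feed would
# be downloaded hourly from the provider.
FEED_JSON = """
[
  {"fqdn": "doh.example-resolver.net", "ipv4": ["192.0.2.10", "192.0.2.11"]},
  {"fqdn": "dns.example-public.org",   "ipv4": ["198.51.100.53"]},
  {"fqdn": "resolver.example.cloud",   "ipv4": ["203.0.113.8"]}
]
"""

# Firefox queries this name on startup; an NXDOMAIN answer from the local
# resolver disables its default-on DoH (Mozilla's documented canary domain).
CANARY_DOMAIN = "use-application-dns.net"


def load_feed(text):
    """Return (set of resolver FQDNs, set of resolver IP addresses)."""
    entries = json.loads(text)
    names = {e["fqdn"].lower().rstrip(".") for e in entries}
    ips = {ipaddress.ip_address(ip) for e in entries for ip in e.get("ipv4", [])}
    return names, ips


def rpz_zone(names):
    """Build an RPZ zone (BIND/Unbound/PowerDNS syntax): 'CNAME .' = NXDOMAIN."""
    lines = [
        "$TTL 300",
        "@ IN SOA localhost. hostmaster.localhost. 1 3600 600 86400 300",
        "@ IN NS localhost.",
        f"{CANARY_DOMAIN} CNAME .",
        f"*.{CANARY_DOMAIN} CNAME .",
    ]
    for name in sorted(names):
        lines.append(f"{name} CNAME .")
        lines.append(f"*.{name} CNAME .")  # also cover subdomains of the resolver
    return "\n".join(lines) + "\n"


# Assumed log format: key=value fields as a TLS-aware proxy or flow exporter
# might emit; sni and ctype are optional (ctype only exists with TLS inspection).
LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
    r"(?: sni=(?P<sni>\S+))?(?: ctype=(?P<ctype>\S+))?"
)

# Constructed log lines, not real traffic.
SAMPLE_LOG = """\
2020-06-01T10:00:01Z src=10.0.0.5 dst=198.51.100.53 dport=443 sni=dns.example-public.org
2020-06-01T10:00:02Z src=10.0.0.5 dst=203.0.113.50 dport=443 sni=www.example.com
2020-06-01T10:00:03Z src=10.0.0.7 dst=192.0.2.11 dport=443
2020-06-01T10:00:04Z src=10.0.0.9 dst=203.0.113.99 dport=443 sni=unlisted.example.net ctype=application/dns-message
"""


def matches_name(host, names):
    """True if host equals a listed name or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == n or host.endswith("." + n) for n in names)


def find_doh_flows(log_text, names, ips):
    """Return (line_number, reason) for each line that looks like DoH use."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        dst = ipaddress.ip_address(m["dst"])
        sni, ctype = m["sni"], m["ctype"]
        if dst in ips:
            hits.append((n, f"dst {dst} is a listed DoH server"))
        elif sni and matches_name(sni, names):
            hits.append((n, f"SNI {sni} is a listed DoH server"))
        elif ctype == "application/dns-message":
            # Only visible when the proxy decrypts TLS; catches unlisted resolvers.
            hits.append((n, f"DoH media type sent to unlisted host {sni or dst}"))
    return hits


if __name__ == "__main__":
    names, ips = load_feed(FEED_JSON)
    print(rpz_zone(names))
    for line_no, reason in find_doh_flows(SAMPLE_LOG, names, ips):
        print(f"line {line_no}: {reason}")
```

Two caveats a practitioner will run into: blocking a resolver by IP address also blocks any other service hosted on that address, so the FQDN/SNI match is the safer control where the firewall can see TLS client hellos; and a resolver that is not yet in the feed, or a DoH endpoint an attacker stands up on their own domain, is only caught by the media-type check, which requires TLS inspection.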
Data Feed Details
CONTENTS
– JSON-formatted feed
– Three (3) versions available:
  - FQDN of the DoH server
  - IPv4 address(es) and geo-location information
  - IPv6 address(es) and geo-location information
FEATURES
– Unlimited downloads
– Hourly updates
– Full commercial license
DoH Resources
We compiled the following articles about DNS-over-HTTPS from a variety of sources. Because it is a topic that often generates debate, we encourage you to learn more about it and figure out how it will impact your company and/or customers. Our team has ongoing research in this subject area and would be interested in any feedback or questions you may have. Contact us!
DoH Origins
DNS Queries over HTTPS (DoH)
Internet Engineering Task Force (IETF) Request for Comments (RFC): 8484
October 2018
This document defines a protocol for sending DNS queries and getting DNS responses over HTTPS. Each DNS query-response pair is mapped into an HTTP exchange.
DNS over HTTPS (DoH) Considerations for Operator Networks
Internet Engineering Task Force (IETF) Internet-Draft
September 9, 2019
The introduction of DNS over HTTPS (DoH), defined in RFC8484, presents a number of challenges to network operators. These are described in this document.
Ongoing Discussion Regarding DoH
Internet Engineering Task Force (IETF)
DoH in the News
General
A cartoon intro to DNS over HTTPS
A New Needle and Haystack: Detecting DNS over HTTPS Usage
Canadian Domain Name Registrar Offers New Free Cybersecurity Solution to Individuals
CISA reiterates DNS resolution requirements
Configuring Networks to Disable DNS over HTTPS
DNS-over-HTTPS causes more problems than it solves, experts say
DNS over TLS and DNS over HTTPS
DOH! DNS Over HTTPS Poses Possible Risks to Enterprises
How DNS over HTTPS Impacts Security Planning
How DoH Is Overcoming DNS Challenges
Internet giants unite to stop warrantless snooping on web histories
Mozilla’s DNS over HTTPs (DoH)
Uncle Sam to agencies: No encrypted DNS for you!
Performance
Comparing the Effects of DNS, DoT, and DoH on Web Performance
Threat Actors Using DoH
First-ever malware strain spotted abusing new DoH (DNS over HTTPS) protocol
Browsers & OS
Microsoft Adds DNS-Over-HTTPS Support for Windows 10 Insiders
How to test DNS over HTTPS using Packet Monitor on Windows 10
Google introduces more intuitive privacy and security controls in Chrome
DNS over HTTPS: How to activate it on Windows 10 Build 19628
Chrome 83 adds DNS-over-HTTPS support and privacy tweaks
Google Makes DNS Over HTTPS Default in Chrome
Mozilla’s DNS-Over-HTTPS Protocol Shows India Should Be Wary of Privacy’s Geopolitical Dimensions