THAT BYPASSES YOUR SECURITY TOOLS

Before DoH, DNS servers were configured at the operating system level. With DoH, servers are configured at the application level, bypassing the operating system’s settings. As a result, many of the policies and tools used by tech support, system administrators and enterprise security teams to control and audit DNS-level activities are made ineffective.

For example, DNS firewalls and auditing are easy and popular ways to protect endpoints, apply parental controls and detect compromised systems. DoH bypasses the existing security infrastructure and policies, including hardware, software (firewalls, IDS, etc.), training, and resource management. Enterprises have invested A LOT of time and money in all of these.

As a result, organizations are likely to encounter myriad technical, policy, and regulatory issues with the use of DoH:

• DNS Firewalls become ineffective; users can bypasses local policies and, for example, access social media or other prohibited resources
• DNS traffic cannot be audited
• Access control lists based on threat intelligence data feeds can be circumvented
• Split DNS scenarios are no longer possible
• Private/internal DNS names may be leaked
• Regulations like GDPR are impacted as DoH servers may be operated in a jurisdiction other than that of its users
• Incident response and threat hunting become far more complex
• Tech support troubleshooting changes significantly as now applications and the operating system use distinct DNS resolvers
• Network operators won’t be able to perform DNS blocking and filtering to handle take down notices or comply with court orders
• CDNs that rely on DNS to direct traffic to cache nodes are no longer able to use the same technique
• New cyber threats that take advantage of the lack of visibility. Godlua malware has already been found exploiting DoH. The malware uses the protocol’s encryption to freely establish communication with the command and control (C&C) server.

One final point to consider is this: DoH service providers know IP addresses and DNS queries. And it is unclear how they can use this data. As there is only a small group of DoH providers these days, this concentrates the control over DNS responses in only a few companies. As such, it poses a threat to Net Neutrality.

CONTROL THE USE OF DOH IN YOUR ENVIRONMENT

There are some options to help control the use of DoH in the business environment. For example, preventing applications from configuring DoH servers and blocking the use of browsers that have DoH enabled are workarounds.

Another way is to supply your firewall and/or IDS with an up-to-date feed of active DoH servers to prevent access to them altogether. This protects the investment already made in security mechanisms, policies and procedures – and requires the least amount of change to the current environment.

Malware Patrol created the DoH data feed to help our customers prevent/monitor DoH access, ensuring their carefully configured and security-compliant environments remain under their control.