Internet DoH Border Control by Patrick Taylor

DoH, or DNS over HTTPS (RFC 8484), is a relatively new protocol that provides increased privacy and security. It does this by encrypting DNS queries and responses, which prevents eavesdropping and man-in-the-middle attacks. Instead of going to a regular DNS resolver, queries are encrypted and sent to a DoH-enabled server, making them indistinguishable from regular web traffic.

Sounds great in theory. Encryption = greater security? Not so fast there.

Pre-DoH, DNS servers were configured at the operating system level. Home users usually trust their ISPs to handle name resolutions and enterprises often run their own internal servers. However, with DoH, servers are configured at the application level – which bypasses the operating system settings.

By circumventing the operating system’s DNS configuration, DoH becomes a big headache for tech support, system administrators, and, most importantly, enterprises that need to control and audit DNS activities for protection or regulatory reasons.

There’s a very interesting Internet Draft that explains in more detail the technical and regulatory challenges presented by DoH: “DNS over HTTPS (DoH) Considerations for Operator Networks” (5)

Can you afford for your security settings to be bypassed?

DNS firewalls and auditing are easy and popular ways to protect endpoints, apply parental controls, and detect compromised systems. DoH bypasses the existing security infrastructure and policies, including hardware, software (such as firewalls, AD policies, intrusion detection systems, etc.), training, and resource management. Enterprises have invested A LOT of time and money in all of these.

While DoH is great in theory, organizations will run into all sorts of technical, policy and regulatory issues with its use.

  • Malware is likely to crop up that exploits this new technology, avoiding security mechanisms to reach its command and control systems or drop zones. In fact, Godlua was discovered in July 2019 already doing so (1)
  • DNS Firewalls become ineffective. Traffic can’t be filtered at the DNS level, which means bypassing local policies and, for example, allowing employees to access social media or other prohibited resources at work.
  • Regulations like GDPR are impacted as DoH servers may be operated in a jurisdiction distinct from that of their users. DNS queries and IP addresses are considered PII in some jurisdictions, and therefore subject to data protection and retention regulations, but may not be treated the same way at the physical location of the DoH server
  • Split DNS scenarios, where distinct responses are provided depending on the requester location (internal or external enterprise networks, for example), aren’t possible anymore
  • Private/internal DNS names may be leaked
  • Incident response and threat hunting become far more complex
  • Tech support troubleshooting changes significantly as now applications and the operating system use distinct DNS resolvers
  • Network operators won’t be able to perform DNS blocking and filtering to handle take down notices or comply with court orders
  • Access control lists based on threat intelligence data feeds can be circumvented
  • DNS traffic can’t be audited
  • Parental controls are bypassed
  • CDNs that rely on DNS to direct traffic to cache nodes are no longer able to use the same technique
  • Performance may be impacted by TLS setup times and larger RTTs as queries are sent to servers outside of the enterprise or ISP network (3)(4)

And if all that’s not enough to be wary of DoH, consider this: DoH service providers know IP addresses and DNS queries. And it is unclear how this data can be used by them. Also, there are only so many DoH providers these days, which concentrates the control over DNS responses in only a few companies. That is dangerous and the opposite of what DNS should be – a hierarchical and decentralized system. It is a threat to Net Neutrality. Recently, we wrote about the benefits of using Malware Patrol over free DNS protection services – the same goes with DoH.


Even Mozilla, who announced that DoH will be turned on by default on Firefox, knows that it isn’t a good solution for everyone:

“While we would like to encourage everyone to use DoH, we also recognize that there are a few circumstances in which DoH can be undesirable (…)” (2)

 

What’s the best way to keep enterprise systems secure from DoH?

Instead of trying to roll out DoH configuration and lock down all your systems, it’s easier to supply your firewall and/or IDS with an up-to-date feed of active DoH servers. This protects the investment already made in security mechanisms, policies and procedures.

This is why Malware Patrol has created a data feed of DoH resolvers that our customers can use to prevent access, ensuring their carefully configured and security-compliant environments remain under their control.
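As an added example (not Malware Patrol's code, and not the format of its feed), the sketch below shows how a resolver feed can drive detection: it matches proxy or flow records against feed hostnames and IP ranges, and also checks for the RFC 8484 media type `application/dns-message` to surface resolvers the feed does not list. The feed layout, log fields, hostnames and addresses are all constructed for illustration.

```python
import ipaddress

# Constructed sample feed (hypothetical format: one hostname, IP or CIDR per
# line, '#' starts a comment). Names and RFC 5737 addresses are placeholders.
SAMPLE_FEED = """\
# DoH resolvers
doh.resolver.example
203.0.113.53
198.51.100.0/28
"""

# Constructed proxy/flow records: (client, SNI or Host, destination IP,
# response Content-Type; empty when TLS is not inspected).
SAMPLE_LOG = [
    ("10.0.0.12", "doh.resolver.example", "192.0.2.10", "application/dns-message"),
    ("10.0.0.15", "www.example.org", "192.0.2.80", "text/html"),
    ("10.0.0.21", "cdn.example.net", "198.51.100.7", ""),
    ("10.0.0.30", "unlisted.example", "192.0.2.99", "application/dns-message"),
]

def load_feed(text):
    """Split feed entries into a hostname set and a list of IP networks."""
    hosts, nets = set(), []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:            # not an IP or CIDR, treat as hostname
            hosts.add(entry.rstrip("."))
    return hosts, nets

def find_doh_clients(log, feed_text):
    """Map each client IP to the reasons its traffic looks like DoH."""
    hosts, nets = load_feed(feed_text)
    hits = {}
    for client, sni, dst_ip, ctype in log:
        reasons = []
        if sni.lower().rstrip(".") in hosts:
            reasons.append("feed-host")
        if any(ipaddress.ip_address(dst_ip) in net for net in nets):
            reasons.append("feed-ip")
        # RFC 8484 media type: catches resolvers the feed does not list yet
        if ctype.lower().startswith("application/dns-message"):
            reasons.append("rfc8484-media-type")
        if reasons:
            hits.setdefault(client, []).extend(reasons)
    return hits
```

The media-type check only works where the proxy inspects TLS; on plain flow data the feed's hostnames and addresses are the only signal, which is why the feed has to stay current.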

While DoH sounds like a good way to remain private while accessing the Internet, it’s best left to people to implement in their homes. For enterprises, it’s simply not a tenable privacy solution at this time.

  1. https://www.zdnet.com/article/first-ever-malware-strain-spotted-abusing-new-doh-dns-over-https-protocol/
  2. https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
  3. https://www.samknows.com/blog/dns-over-https-performance
  4. https://arxiv.org/abs/1907.08089
  5. https://www.ietf.org/archive/id/draft-doh-reid-operator-00.txt

 

Andre Correa

CEO and Founder, Malware Patrol

Information Security and Threat Intelligence Professional whose qualifications include in-depth knowledge of Internet technologies, current cyber security landscape, incident response, security mechanisms and best practices. He founded the Malware Patrol project in 2005. The company's historically rich data is derived from diverse sources and now used by thousands, in more than 175 countries, to correlate, detect and prevent cyberattacks.