A few days ago, the United States’ National Security Agency (NSA) released a report that spelled bad news for organizations that rely on DNS-over-HTTPS (DoH) as their basic DNS security strategy. While the NSA concedes that there are benefits to enabling DoH, there are also plenty of risks that are typically overlooked.
How the NSA Warns Against Using DoH (or Solely DoH)
The main risk of DNS-over-HTTPS, according to the latest NSA report, is that it promotes a false sense of security to organizations that adopt it, thinking it is enough to secure their DNS.
“DoH is not a panacea”, the NSA report states.
Furthermore, the problem is not only that organizations believe they are more secure once they implement DNS-over-HTTPS and forgo other protection layers that should be mandatory for securing their DNS traffic. Not only is DoH of limited effectiveness as a defense on its own, it can also actively lower the organization’s other defenses.
When DoH is deployed inside company networks, it can be used by malicious third parties to bypass many of the built-in security tools that rely on inspecting classic (plaintext) DNS traffic to detect potential threats. Moreover, many DoH resolvers are hosted externally, which takes them outside the enterprise’s ability to audit and control them.
The NSA recommends that companies not hand their DNS traffic over to externally hosted resolvers, and instead make sure their DoH-capable resolver is internally hosted and under their control. So, adopting plain DoH as the enterprise security strategy for your DNS is an exceptionally bad approach.
You can read the full NSA report here: Adopting Encrypted DNS in Enterprise Environments.
Why DNS over HTTPS (DoH) Is Indeed Limited
DNS-over-HTTPS can have many advantages when you approach it correctly. In principle, it’s definitely more secure than the previous default internet protocols. It can even be construed as a possible replacement for VPNs.
While the traditional DNS protocol shared its requests and responses in plain text, easily attackable by malicious third parties, DNS-over-HTTPS communicates those in an encrypted form, making it harder for attackers to use DNS for breaches.
Simply by adopting DoH, your connection is already benefitting from an unprecedented default level of privacy and data protection. Since it came out, DoH was poised to be the new golden standard for DNS communications. In theory.
Unfortunately, just because this new encryption standard for DNS connections was issued, that doesn’t mean malicious activity didn’t also evolve to new heights. DoH makes it harder for attackers to target your organization, but it doesn’t make it impossible.
But, just as the NSA warns, many corporate decision-makers who are not exactly cybersecurity experts believe that adopting DoH is enough to keep any possible intrusion at bay. The true danger of DoH lies precisely in this false sense of security associated with its adoption.
“While DoH can help protect the privacy of DNS requests and the integrity of responses, enterprises that use DoH will lose some of the control needed to govern DNS usage within their networks unless they allow only their designated DoH resolver to be used. These essential protective DNS controls can prevent numerous threat techniques used for initial access, command and control, and exfiltration, such as phishing links to malicious domains, connections using dynamic name resolution, and commands hidden in DNS traffic”, says the NSA report.
Potential Risks in Relying on DoH
By relying solely on DNS-over-HTTPS for their DNS security, organizations are facing numerous and significant cybersecurity risks. Here are some of them:
#1. ISPs are not fully prevented from accessing the organization’s DNS requests
Technically, DoH ensures that the Internet Service Provider (ISP) can’t see the user’s or organization’s DNS requests, since they are now encrypted. However, since DNS is not the only protocol involved in web browsing, there is still plenty of unprotected data that can allow an ISP (or malicious third parties) to track what users and endpoints are browsing.
There are still plenty of websites out there using HTTP (instead of HTTPS), which renders a company-wide DoH deployment pointless for that traffic. Furthermore, some parts of the connections that DoH relies on (the TLS SNI field and OCSP connections) are still incomplete in their protection and therefore unencrypted, which can still expose the organization’s DNS records to intrusion and exploits.
#2. Accessed IPs are not hidden by DoH
Furthermore, the final destination’s IP address can’t be hidden from ISPs or from malicious third parties sniffing out your organization’s DNS activity. Even if IPs are not completely assignable to a particular website (in theory), independent cybersecurity research has proven that third parties can identify which websites are accessed just by looking at IPs, with a staggering 95% accuracy.
Any part of your DNS communications left exposed is one more vector of attack for malicious third parties looking to compromise your organization.
#3. DoH makes DNS hijacking prevention more difficult
In an organization where DoH is implemented but little else is done about DNS security, system admins need to constantly monitor DNS settings and queries for potential DNS hijacking attacks.
DNS hijacking is a type of DNS spoofing where attackers manage to ‘fool’ your endpoints and network that they are connecting to a legitimate domain, when in fact they are connected to a malicious server bound to infect the organization.
This is easily prevented by a reliable DNS traffic filter (our Heimdal™ DarkLayer Guard™ & VectorN Detection™), but also by the constant work of system admins to monitor the DNS settings across multiple operating systems, apps, etc.
Unfortunately, even if an organization opts to rely on the constant work of system admins, DoH makes it much harder for them to perform this monitoring work. Since admins need to track DNS requests across so many systems and apps with differing settings, DoH dramatically multiplies that work.
The NSA report states that:
“Even if not formally adopted by the enterprise, newer browsers and other software may try to use encrypted DNS anyway and bypass the enterprise’s traditional DNS-based defenses.”
Essentially, that means that DoH, even if not adopted, will cripple enterprise defenses that previously worked, if not complemented by a next-gen DNS traffic filtering solution.
Best Practices for Securing Your Organization’s DNS after the NSA Warns against Using DoH
Here is how to build a sound DNS security approach for your company following the NSA recommendations.
#1. Don’t swear off DoH for good.
Like it or not, DoH is here to stay, since it’s all over the internet and can’t be avoided even if you tried.
You can even enable it in your organization. By all means, you should not be deterred from enabling DoH in your organization if its advantages are a good fit for your systems. I wrote a previous guide on the best practices for enabling DNS-over-HTTPS, and you can start from there to make sure you start with the right mindset.
Just because the NSA warns against using DoH, that doesn’t mean that DoH is a bad idea all the time. You just need to employ other sound security layers to your DNS as a whole, and not be lulled into that false sense of complete security after enabling DoH.
#2. Enhance your DNS security with a truly proactive solution
In perilous times like these, when attacks are getting more and more complex, targeted, and intelligent, you need a DNS security solution that can protect you against all that.
The NSA report states that:
“Many organizations use enterprise DNS resolvers or specific external DNS providers as a key element in the overall network security architecture. These protective DNS services may filter domains and IP addresses based on known malicious domains, restricted content categories, reputation information, typosquatting protections, advanced analysis, DNS Security Extensions (DNSSEC) validation, or other reasons. When DoH is used with external DoH resolvers and the enterprise DNS service is bypassed, the organization’s devices can lose these important defenses. This also prevents local-level DNS caching and the performance improvements it can bring.”
So, another problem brought about by enabling DoH is that it can render the protection capabilities of DNS traffic filters almost useless when those filters act externally, that is, when the DNS traffic is filtered outside the organization. Cloud-based DNS security solutions fall into that category and become less effective under DoH, as the NSA report shows.
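The NSA’s advice above, and the earlier warning that browsers may switch to encrypted DNS on their own, both come down to one check: is any DNS traffic leaving the network other than through the designated resolver? The routine below, added here as an example (it is not from the post, Heimdal, or the NSA report), parses constructed flow-log lines and flags plaintext DNS sent to anything but the approved internal resolver, as well as TLS sessions whose SNI names a public DoH provider. The resolver addresses, hostnames, and log lines are assumed for the demo; the public-resolver list is one the defender maintains.

```python
"""Flag DNS traffic that bypasses the enterprise's designated resolvers.

Assumed flow-log format, one record per line:
  timestamp  src_ip  dst_ip  dst_port  proto  tls_sni ('-' if none)
All addresses, hostnames and log lines below are constructed for the demo.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto sni")

# Assumed policy: the only resolvers endpoints may use.
ALLOWED_DNS_RESOLVERS = {"10.0.0.53"}        # enterprise plaintext DNS (port 53)
ALLOWED_DOH_SNI = {"doh.corp.example"}        # enterprise-hosted DoH resolver
# Hostnames of public DoH providers; the defender maintains this list.
# Matching on SNI works only while the SNI field travels unencrypted.
PUBLIC_DOH_SNI = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

SAMPLE_LOG = """\
2021-01-15T09:00:01Z 10.0.5.21 10.0.0.53 53 udp -
2021-01-15T09:00:02Z 10.0.5.21 203.0.113.53 53 udp -
2021-01-15T09:00:03Z 10.0.5.22 198.51.100.7 443 tcp cloudflare-dns.com
2021-01-15T09:00:04Z 10.0.5.22 10.0.0.80 443 tcp doh.corp.example
2021-01-15T09:00:05Z 10.0.5.23 198.51.100.9 443 tcp www.example.com
"""


def parse_flows(text):
    """Parse the constructed flow-log format into Flow records."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, proto, sni = line.split()
        flows.append(Flow(ts, src, dst, int(dport), proto, sni))
    return flows


def classify(flow):
    """Return a finding string, or None when the flow complies with policy."""
    if flow.dport == 53 and flow.dst not in ALLOWED_DNS_RESOLVERS:
        return "plaintext DNS to unapproved resolver"
    if flow.dport == 443 and flow.sni in PUBLIC_DOH_SNI:
        return "DoH to public resolver (bypasses enterprise DNS)"
    return None  # approved resolver, internal DoH, or ordinary HTTPS


def find_bypasses(text):
    """Return (src, dst, sni, reason) for every flow that violates policy."""
    findings = []
    for flow in parse_flows(text):
        reason = classify(flow)
        if reason:
            findings.append((flow.src, flow.dst, flow.sni, reason))
    return findings
```

Run against SAMPLE_LOG, `find_bypasses` reports the query to 203.0.113.53 and the session to cloudflare-dns.com, while the internal resolver, the enterprise DoH endpoint, and ordinary web browsing pass.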
Our Heimdal™ Threat Prevention security solution is ideal for securing your DNS, thanks to its unique Bloom filter, using an advanced algorithm that ensures optimal performance with a glocal database. All of the DNS traffic filtering takes place locally, thus fulfilling the conditions recommended by the NSA for flawless DNS security, and the cloud database is accessed only when there are suspicions regarding potentially malicious domains. This ensures not only ideal DNS security – even over DoH – but also enhanced performance and the lowest system footprint possible.
Furthermore, it uses AI & ML algorithms that can prevent unknown threats from reaching your network and endpoints, and also blocks APTs, data exfiltration attempts, and so on, while making life easier for your system admins. Get in touch today for a demo and experience the DNS security revolution for yourself!