Fine-tuning privacy for any preference
A DNS filtering service that accommodates DNS over HTTPS (DoH) can strengthen an organization’s ability to control network traffic and turn away threats. DoH can offer businesses far greater control and flexibility over their privacy than the old system.
The most visible use of DNS is typically the browser, which is why all the usual suspects are leading the charge in terms of DoH adoption. This movement has considerable steam behind it and has extended beyond just applications, as Microsoft, Apple and Google have all announced their intent to support DoH.
Encrypting DNS requests is an
indisputable win for privacy-minded consumers looking to prevent their ISPs
from snooping on and monetizing their browsing habits. Businesses, on the other
hand, should not easily surrender this visibility since managing these requests
adds value, helping to keep users from navigating to sites known to host
malware and other threats.
Here are three examples of how.
1. By enhancing DNS logging control
Businesses have varying motivations for tracking online
behavior. For persistently troublesome users—those who continuously navigate to
risky sites—it’s beneficial to exert some control over their network use or
even provide some training on what it takes to stay safe online. It can also be
useful in times of problematic productivity dips by helping to tell if users
are spending inordinate amounts of time on social media, say.
On the other hand, for CEOs and other strategic business
units, tracking online activity can be cause for privacy concerns. Too much
detail into the network traffic of a unit tasked with investigating mergers and
acquisitions may be unwanted, for example.
“If I’m the CEO of a company, I don’t want people paying attention
to where I go on the internet,” says Webroot DNS expert Jonathan Barnett. “I
don’t want people to know of potential deals I’m investigating before they
become public.”
Logging too much user information can also be problematic
from a data privacy perspective. Collecting or storing this information in
areas with stricter laws, as in the European Union, can unnecessarily burden
organizations with red tape.
“Essentially it exposes businesses to requirements
concerning how they’re going to use that data, who has access to it and how
long that data is preserved,” says Barnett.
By optionally never logging user information and backing off
DNS logging except when a request is deemed a security threat, companies
maintain both privacy and security.
2. By allowing devices to echo locally
With DoH, visibility into DNS requests becomes challenging. The
cumulative DNS requests made on a network help to enhance its security, as tools
such as SIEMs and firewalls leverage these requests by controlling access as
well as correlating the requests with other logs and occurrences on the
network.
“Let’s say I’m on my network at the office and I make a DNS
request,” explains Barnett. “I may want my DNS request to be seen by
the network as well as fielded by my DNS filtering service. The network gets
value out of DNS. If I see inappropriate DNS requests I can go and address the
user or fix the device.”
Continuing to expose these DNS requests through an echo to
the local network provides this, while the actual requests are secure and
encrypted by the DNS protection agent using DoH. This option achieves the best
of both worlds by adding the security of DoH to the security of the local
network.
3. By allowing agents to fail open
DNS is instrumental to the functionality of the internet. So,
the question is, what do we do when a filtered answer is not available? By
failing over to the local network, it’s assured that the internet continues to
function. However, there are times when filtering and privacy are more
important than connectivity. Being able to choose if DNS requests can leak out
to the local network helps you stay in control by choosing which is a priority.
“Fail open
functionality essentially allows admins to make a tradeoff between the
protection offered by DNS filtering and the productivity hit that inevitably
accompanies a lack of internet access,” says Barnett.
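The three options above, as an added Python model that is not Webroot's agent or code: a constructed filtering resolver, a constructed local resolver, and an agent whose configuration decides whether a failed filtered lookup falls back to local DNS (fail open), whether allowed lookups are logged at all, and whether query names are echoed to the local network. The names, addresses and resolvers are stand-ins assumed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed sample data (assumption, not real indicators): one name the
# filtering service would block, and the answers a plain local resolver gives.
BLOCKLIST = {"malware.example"}
LOCAL_ANSWERS = {"example.com": "192.0.2.1", "malware.example": "192.0.2.66"}

def local_resolver(name: str) -> Optional[str]:
    """Stand-in for the unfiltered resolver on the local network."""
    return LOCAL_ANSWERS.get(name)

def make_filtered_resolver(outage: bool = False) -> Callable[[str], Optional[str]]:
    """Stand-in for the DoH filtering service; None means the name is blocked."""
    def resolve(name: str) -> Optional[str]:
        if outage:
            raise ConnectionError("filtering service unreachable")
        return None if name in BLOCKLIST else LOCAL_ANSWERS.get(name)
    return resolve

@dataclass
class AgentConfig:
    fail_open: bool          # 3: fall back to local DNS when no filtered answer is available
    log_threats_only: bool   # 1: keep no record of ordinary, allowed lookups
    echo_locally: bool       # 2: let the local network (SIEM, firewall) see the query name

@dataclass
class Agent:
    cfg: AgentConfig
    filtered: Callable[[str], Optional[str]]
    local: Callable[[str], Optional[str]] = local_resolver
    log: list = field(default_factory=list)     # what the filtering service retains
    echoed: list = field(default_factory=list)  # what the local network gets to see

    def resolve(self, name: str) -> Optional[str]:
        if self.cfg.echo_locally:
            self.echoed.append(name)
        try:
            answer = self.filtered(name)
        except ConnectionError:
            if self.cfg.fail_open:
                return self.local(name)  # connectivity wins: the query leaks past the filter
            self.log.append((name, "servfail-closed"))  # filtering wins: no answer, but recorded
            return None
        if answer is None:
            self.log.append((name, "blocked"))
        elif not self.cfg.log_threats_only:
            self.log.append((name, "allowed"))
        return answer
```

With the filter unreachable, the fail-open agent hands back the local answer even for the blocklisted name, which is exactly the leak an admin accepts in exchange for connectivity.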
Privacy your way
The encryption of DoH enables options for fine-tuning
privacy preferences while preserving the security benefits of DNS filtering. Those
that must comply with the needs of privacy-centric users now have control over
what is revealed and what is logged, while maintaining the benefits of
communicating using DoH.