Contents:
A few days ago, the United States’ National Security Agency (NSA) released a report meant to sound the alarm for organizations who are relying on DNS-over-HTTPS (DoH) as their basic DNS security strategy. While the NSA concedes that there are benefits to enabling DoH, they warn that there are also plenty of risks that are typically overlooked.
We politely disagree. As DNS security experts at the forefront of innovations achieved in the field for the past few years, Heimdal™ product engineers have always been aware of the limitations of DoH, but that did not stop us from finding ways to safely integrate it into our threat prevention solutions. Precisely because we are aware that DoH is not enough to guarantee cyber-safety, by itself, and that it can create some compatibility issues with basic DNS security solutions that are centered around traditional DNS, our innovations addressed it directly.
The cybersecurity solutions we have for DNS, HTTP, and HTTPS layers have been built with issues such as the ones potentially caused by DoH in mind. So we know first hand that DoH is not an obstacle to DNS security if the creators of your DNS security suite know what they are doing.
Here’s what the NSA says about DoH, in a nutshell, and what we have to say about it.
What the NSA Says about Using (Solely) DoH
The main risk of DNS-over-HTTPS, according to the latest NSA report, is that it promotes a false sense of security to organizations that adopt it, thinking it is enough to secure their DNS.
“DoH is not a panacea”, the NSA report states.
Furthermore, it’s not just that organizations believe they are more secure when implementing DNS-over-HTTPS and forego other protection layers that should be mandatory for securing their DNS traffic. DoH isn’t just not very effective as a defense, but can also actively lower the other defenses of the organization in question.
When DoH is deployed inside company networks, it can be used by malicious third parties to bypass many of the built-in security tools that rely on sniffing out classic (plaintext) DNS traffic to detect potential threats. Moreover, many DNS resolvers that function on DoH protocols are externally hosting their servers, taking them outside the enterprise’s ability to audit and control it.
The NSA recommends that all companies should not give over their DNS traffic to externally-hosted resolvers and instead make sure their DoH-capable resolver is internally hosted and under their control. So, adopting simple DoH as an enterprise security strategy for your DNS is an exceptionally bad approach.
You can read the full NSA report here: Adopting Encrypted DNS in Enterprise Environments.
Why Indeed DNS over HTTPS (DoH) Is Limited
We agree that DoH can be limited and is not a Holy Grail of DNS security when used by itself.
But we are way more optimistic than the NSA in regards to finding a place for DoH in the DNS security architecture of the future. In fact, we believe that DoH, when approached correctly, is a must-have component of a solid DNS security strategy.
DNS-over-HTTPS can have many advantages when you approach it correctly. It’s definitely more secure, in principle than the default previous internet protocols. It can even be construed as a possible replacement for VPNs.
While the traditional DNS protocol shared its requests and responses in plain text, easily attackable by malicious third parties, DNS-over-HTTPS communicates those in an encrypted form, making it harder for attackers to use DNS for breaches.
Simply by adopting DoH, your connection is already benefitting from an unprecedented default level of privacy and data protection. Since it came out, DoH was poised to be the new golden standard for DNS communications. In theory.
Unfortunately, just because this new encryption standard for DNS connections was issued, that doesn’t mean malicious activity didn’t also evolve to new heights. DoH makes it harder for attackers to target your organization, but it doesn’t make it impossible.
But, like the NSA also warns, many corporate decision-makers who are not exactly cybersecurity experts believe that adopting DoH is enough to keep any possible intrusion at bay. The true danger of DoH lies precisely in this false sense of security associated with its adoption.
Here is what the NSA report says, and in this regard, we do agree with them:
“While DoH can help protect the privacy of DNS requests and the integrity of responses, enterprises that use DoH will lose some of the control needed to govern DNS usage within their networks unless they allow only their designated DoH resolver to be used. These essential protective DNS controls can prevent numerous threat techniques used for initial access, command, and control, and exfiltration, such as phishing links to malicious domains, connections using dynamic name resolution, and commands hidden in DNS traffic”, says the NSA report.
Potential Risks in Relying on DoH Alone as a Source of DNS Security
We understand where the NSA report is coming from. Because DoH is still safer than traditional, unencrypted DNS (HTTP requests), many DoH adopters falsely feel safe. That is the actual source of the risk: the incorrect assumption that just by adopting DoH, you are now safe. We agree that relying on DoH alone is risky, though we still consider it better than no DoH and no other DNS security measure at all.
Here are some of the significant cybersecurity risks derived from relying solely on DNS-over-HTTPS for as a DNS security strategy within an organization.
#1. ISPs are not fully prevented from accessing the organization’s DNS requests
Technically, DoH ensures that the Internet Service Provider (ISP) can’t see the user or organization’s DNS requests, since they are now encrypted. Actually, since DNS is not the only protocol involved in web browsing, this doesn’t mean that there are still plenty of unprotected data that can allow an ISP (or malicious third parties) to track what users and endpoints are browsing.
There are still plenty of websites out there using HTTP (instead of HTTPS), which renders a company-wide DoH pointless. Furthermore, some parts of the DoH protocol (SNI fields and OCSP connections) are still incomplete and therefore unencrypted, which can still expose the organization’s DNS records to intrusion and exploits.
#2. Accessed IPs are not hidden by DoH
Furthermore, the final destination’s IP address can’t be hidden from ISPs or from malicious third parties sniffing out your organization’s DNS activity. Even if IPs are not completely assignable to a particular website (in theory), independent cybersecurity research has proven that third parties can identify which websites are accessed just by looking at IPs, with a staggering 95% accuracy.
Any part of your DNS communications left exposed is one more vector of attack for malicious third parties looking to compromise your organization.
#3. DoH makes DNS hijacking more difficult
In an organization where DoH is implemented but that’s about it as far as DNS security measures go, system admins need to constantly monitor DNS settings and queries for potential DNS hijacking attacks.
DNS hijacking is a type of DNS spoofing where attackers manage to ‘fool’ your endpoints and network that they are connecting to a legitimate domain, when in fact they are connected to a malicious server bound to infect the organization.
This is easily prevented by a reliable DNS traffic filter (our Heimdal™ DarkLayer Guard™ & VectorN Detection™), but also by the constant work of system admins to monitor the DNS settings across multiple operating systems, apps, etc.
Unfortunately, even if an organization opts to rely on the constant work of system admins, DoH makes it way harder for them to perform this monitoring work. Since admins need to track DNS requests across so many systems and apps with differing settings, DoH dramatically multiplies that work.
The NSA report states that
“Even if not formally adopted by the enterprise, newer browsers and other software may try to use encrypted DNS anyway and bypass the enterprise’s traditional DNS-based defenses.”
Essentially, that means that DoH, even if not adopted, will cripple enterprise defenses that previously worked, if not complemented by a next-gen DNS traffic filtering solution.
Best Practices for Securing Your Organization’s DNS (Despite NSA Warnings against Using DoH):
Here is how to build a sound DNS security approach for your company following the NSA recommendations.
#1. DoH is a good idea. Here is why.
Like it or not, DoH is here to stay, since it’s all over the internet and can’t be avoided if you tried.
You can even enable it in your organization. By all means, you should not be deterred from enabling DoH in your organization if its advantages are a good fit for your systems. I wrote a previous guide on the best practices for enabling DNS-over-HTTPS and you can start from there to make sure you have the best mindset to start.
Just because the NSA warns against using DoH, that doesn’t mean that DoH is a bad idea all the time. You just need to employ other sound security layers to your DNS as a whole, and not be lulled into that false sense of complete security after enabling DoH.
#2. Enhance your DNS security with a truly proactive solution
In perilous times like these, when attacks are getting more and more complex, targeted, and intelligent, you need a DNS security solution that can protect you against all that.
The NSA report states that:
“Many organizations use enterprise DNS resolvers or specific external DNS providers as a key element in the overall network security architecture. These protective DNS services may filter domains and IP addresses based on known malicious domains, restricted content categories, reputation information, typosquatting protections, advanced analysis, DNS Security Extensions (DNSSEC) validation, or other reasons. When DoH is used with external DoH resolvers and the enterprise DNS service is bypassed, the organization’s devices can lose these important defenses. This also prevents local-level DNS caching and the performance improvements it can bring.”
So, another problem brought about by enabling DoH is that it can render the protection capabilities of DNS traffic filters almost useless, when those filters are acting externally, as in the DNS traffic gets sorted out outside the organization. Cloud-based DNS security solutions fall into that category, becoming less effective due to DoH, as the NSA report shows.
Our Heimdal™ Threat Prevention security solution is ideal for securing your DNS, thanks to its unique Bloom filter, using an advanced algorithm that ensures optimal performance with a glocal database. All of the DNS traffic filterings takes place locally, thus fulfilling the conditions recommended by the NSA for flawless DNS security, and the cloud database is accessed only when there are suspicions regarding potentially malicious domains. This ensures not only ideal DNS security – even over DoH – but also enhanced performance and the lowest system footprint possible.
Furthermore, it uses AI & ML algorithms that can prevent unknown threats from reaching your network and endpoints, and also blocks APTs, data exfiltration attempts, and so on, while making life easier for your system admins. Get in touch today for a demo and experience the DNS security revolution for yourself!