Author: Eric Patterson
TLP:WHITE
1. Executive Summary
On 15 January, the National Security Agency (NSA) released an informational cybersecurity whitepaper for Adopting Encrypted DNS in Enterprise Environments.1,2 The paper outlines a growing shift away from the traditionally unencrypted Domain Name System (DNS) queries to DNS over HyperText Transport Protocol over Transport Layer Security (HTTPS), also known as DoH. DoH enhances security of an enterprise’s query/response traffic from DNS resolvers to clients, but because of its encrypted nature, can shield important information from an enterprise’s security stack if not configured correctly.
Enterprises should also be aware that DoH is not the only encrypted DNS protocol that exists; DNS over Transport Layer Security (TLS) known as DoT and DoH that makes use of a proxy, known as Oblivious DoH, are other methods of encrypting DNS traffic. Implementing the mitigations below will also apply to securing DoT and Oblivious DoH.
NSA also notes that for home or mobile users and those that do not use DNS security products, DoH can be beneficial for safeguarding DNS queries/responses from unauthorized passive monitoring.
2. Prevention and Mitigation
To help secure the use of DoH, NSA released a set of recommendations for those in enterprise IT environments. The list is by no means exhaustive:
- Avoid a false sense of security – DoH is not an end all be all security solution. DoH is only designed to encrypt the query/response traffic from a client to DNS resolver and does not extend beyond that to other Internet traffic. Maintaining other security safeguards to prevent cyber attacks is still a necessity for enterprises.
- Only use the enterprise DNS resolver and disable all others – Create enterprise network/firewall rules that block/deny access to known DoH resolvers and establish a set of trusted DoH resolvers within the enterprise to handle client queries.
- Block unauthorized DoH resolvers and traffic – Block unauthorized DoH and DoT traffic and resolvers to mitigate unauthorized resolver usage from outside devices connecting to the enterprise network (e.g. “bring your own device” or BYOD). Additionally, for applications that have native DoH capabilities (e.g. Firefox, Chrome, etc.), create enterprise policies that either disable this feature or force the applications to use enterprise-managed internal DoH resolvers.
- Utilize host and device DNS logs – Purely relying on network monitoring tools for DNS traffic inspection will be insufficient. Incorporating DNS logging on all devices and including threat reputation services can help increase visibility and traffic filtering.
- Consider a virtual private network (VPN) for additional privacy protection – To mitigate concerns about passive surveillance, especially with the recent push of remote working, use VPNs with current TLS versions.
- Validate DNSSEC and use protective DNS capabilities – Establish security (e.g. DNSSEC) around the DNS process not protected by DoH and ensure enterprise DNS resolvers validate those parts of the process.
- Disable DoT traffic traffic by blocking port 853 – DNS-over-TLS uses the dedicated TCP port 853 and enterprises can block and log this traffic at the network perimeter.
Endnotes
- https://media.defense.gov/2021/Jan/14/2002564889/-1/-1/0/CSI_ADOPTING_ENCRYPTED_DNS_U_OO_102904_21.PDF
- https://www.icann.org/en/system/files/files/sac-109-en.pdf
