In a separate blog post, Cricket covered the last-mile security problem for DNS, solutions developed by the IETF, and our recommendations to enterprise administrators. You should read that post before reading this post . This blog post will cover the security risks, competitive, user experience, and legal impacts to Service Providers and Regulators and Enumerate Infoblox recommendations.
Concerns for Service Providers and Regulators
LTE networks are not immune to the last-mile security problem in DNS. Last year a team of academics at Ruhr University Bochum and NYU demonstrated an attack that can hijack DNS on LTE networks. DoT and DoH are both possible solutions to this. The full writeup of the attack is posted at https://alter-attack.net/
Cloud DNS providers create numerous competitive, user experience and legal concerns. Some are owned by content delivery networks and other large technology companies. The cloud DNS providers may be direct competitors to the service provider or each other. The SP and regulator may have little or no influence over commercial issues between the cloud DNS provider and their competitors or customers. Competitors could choose to route each other’s traffic to slower-responding sites or take other liberties with the user experience. DNS is the first message in most IP conversations, so low latency is critical to user experience. Routing DNS off the SP network will always make the DNS experience slower. Several cloud DNS providers are being actively misleading in their marketing of DNS response time. Service providers could address this by publishing comparative DNS latency statistics. Cloud DNS services are implemented worldwide. This means the DNS traffic can be subject to observation, spying or other alteration based on legal orders from governments outside of the service provider’s territory. Blocking resolution of malicious and illegal content is a major concern. Implementing these regulatory obligations is challenging or impossible when there is no business relationship or legal authority over a company outside of the service provider’s network or legal territory. Customer use of cloud DNS services also prevents the service provider from offering subscriber-facing services like parental control or security services over DNS.
DNS over HTTPS creates unique support problems for the service provider. DoH traffic is indistinguishable from regular HTTPS traffic. The most common implementation of DoH occurs between the browser and a cloud DNS provider, not the OS resolver and the SP’s DNS service. It’s important to have support teams trained to identify if DoH clients are installed or browser-level settings have been altered. This could result in an app on User Equipment(UE) that behaves differently when run via the browser or in the UE OS. The SP’s support team could also examine local and network-based logging systems to determine if known DoH server addresses have been accessed by the UE recently.
Recommendations for Service Providers
For the above reasons, Infoblox recommends direct implementation of DoT by mobile and fixed providers. Now is the time to start planning for CY 2020 implementation. To prepare for this, Infoblox suggests working with UE software and hardware makers in the following areas:
- DoT support in UE operating systems according to RFC 7858 and RFC 8094. Thus far, the only OS-level implementations of DoT are in systemd-resolved and Android 9.
- DoT support in UE profiles, per RFC 8310. This requirement should be extended to network equipment vendors via DHCP or other device profiles. When this is enacted, it should override any user-based settings for DoT or DoH while the device is on the SP’s network and not connected to outside WiFi or other alternate connectivity.
- Allow blocking of unapproved DoH/DoT applications as a part of the carrier profile.
- These requirements should be a part of the service provider’s UE certification process and should be addressed before a new UE is allowed on the network.
- Special attention should be given to IoT device makers. IoT devices can have extended lives and be the most susceptible to attack and misuse.
Recommendations for Regulators
Infoblox recommends regulators work with the service providers and their vendors to ensure adoption of DNS over TLS. Unlike with enterprises, it is not often feasible or realistic to block access to known cloud DNS providers. What can be done is to actively support standards that are beneficial to the citizens under your oversight. Direct influence of the user and network equipment makers doing business in your territory is critical. Regulators should directly support the adoption of standards favorable to the privacy of your citizens, that are supportable by your service providers, and don’t prevent the service provider from blocking access to illegal or malicious content. In some cases, it may be appropriate to block specific cloud DNS services at the territory level. Infoblox recommendations for enterprises cover the specifics of that here.
Summary
The last-mile problems with DNS exist even on service provider networks. Cloud-based DNS competitors pushing DoH adoption present many concerns. Direct DoT adoption by service providers with the support of local regulations is the best response.
