As you may have read in some of our recent blogs or even on the web, there has been a big debate over how to best implement DNS privacy between two relatively new technologies designed to address “last mile” security problems stemming from the fact that communications between DNS clients and their local DNS servers are almost always unencrypted and therefore subject to spoofing and other attacks. Let’s talk about one of these technologies: DoH.
First, a brief primer—DNS over HTTPS (DoH) has been backed by the Mozilla Foundation and the Chromium project. It is a new IETF security protocol that leverages HTTPS to provide encryption and authentication between a DNS client and server. One of the potential problems with DoH is that it uses the same TCP port (443) that all other HTTPS traffic uses. Many of the big public recursive DNS providers, including Google DNS, Cloudflare, and Quad9, now support DoH as part of their DNS service. Mozilla and Chromium late last year implemented DoH in the Firefox and Chrome browsers respectively, and although some countries within Europe have requested that DoH not be enabled by default, in many parts of the world users may soon have the ability to configure their browsers to transmit DNS requests to these trusted recursive resolvers (note that Mozilla users can already utilize DoH now within the United States).
If uncontrolled, DoH has the potential to increase exposure to data exfiltration and malware proliferation. Cybercriminals often use DNS as a backdoor to obtain and export trade-sensitive information and to spread malware through command and control (C&C) communications with devices. The DoH DNS request is encrypted and, therefore, invisible to third parties, including cybersecurity software that may rely on passive DNS monitoring to block requests to known malicious domains. Typically, security teams can stop these attacks effectively by using threat intelligence on internal DNS infrastructure, combined with analytics based on artificial intelligence and machine learning. Since DoH bypasses these DNS security measures, there is new potential for enterprises to become exposed to the threats that these and other DNS-based filters would otherwise block.
Here are a few recent examples. In mid-2019, it was reported on various outlets that malware strains had been released that were taking advantage of the DoH protocol. Named Godlua, the malware was working as a DDoS bot. According to outlets such as ZDNet, DoH was the vehicle used to retrieve the TXT record of a domain name where the URL of the C&C server was being stored for later communications. Then late in December 2019, Infoblox’s own Cyber Intelligence Unit created its first report about a malware strain that uses DoH to resolve C&C domains. Here, a threat actor was using Google’s DoH service to resolve the domain name of its C&C servers to later deliver PsiXBot via the Spelevo exploit kit—stealing information and adding systems to its botnet. What is interesting is that the campaign used malicious advertisements (malvertisements) that were placed on legitimate websites to direct user browsers to the malicious domain hosting the exploit.
You might be asking yourself—is he trying to say that DoH is a bad thing? Not at all, but this is a new protocol that presents a different spin on things. DNS has behaved in the same way for years, and any changes to foundational protocols such as this always create ripples. DoH is a new and evolving privacy option that helps solve DNS’s longstanding last-mile security problem, but the concept of control remains essential. Anything that circumvents your DNS infrastructure is a bad idea. If you are not prepared to address DoH at this time, you should take some steps to maintain control of your DNS to mitigate any unforeseen issues. An excellent step to take now is to block direct DoH traffic between internal IP addresses and DNS servers on the internet. This will help you maintain control by ensuring that end-users still use your DNS infrastructure and are subject to IT DNS policies.
Also, we announced in late February enhancements to BloxOne™ Threat Defense, our hybrid foundational security solution that uses DNS as the first line of defense. BloxOne™ Threat Defense can now block resolution of DoH domains and facilitate a graceful fallback to existing internal DNS—which helps prevent DoH misuse and mitigates risk. In addition to the threat intelligence policy feeds for DoH, we added a DoH-Policy feed of known DoH IPs and DoH domains to the Threat Intelligence Data Exchange. From our threat intelligence aggregation and distribution platform, this feed can then be used by other security tools such as NGFWs to block DoH traffic to external servers.
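To make the two controls above concrete (spotting clients that try to bootstrap DoH through your resolvers, and blocking resolution of DoH domains so browsers fall back to internal DNS), here is an added example that is not part of this post and not Infoblox or BloxOne code. It assumes BIND-style query log lines and uses a small constructed list of provider DoH hostnames in place of a real DoH-Policy feed.

```python
"""Detect DNS queries for DoH resolver hostnames in BIND-style query logs and
emit RPZ records that return NXDOMAIN for them, so DoH clients fall back."""
import re
from typing import Iterable, List, Set, Tuple

# Constructed stand-in for a DoH-Policy feed (assumption: a real deployment
# would load this list from the threat intelligence platform).
DOH_DOMAINS: Set[str] = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Matches the client IP, queried name and type in a BIND query log line.
QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+ .*?query: (?P<name>\S+) IN (?P<type>\S+)"
)


def is_doh_name(name: str, blocked: Set[str] = DOH_DOMAINS) -> bool:
    """True if name is a listed DoH domain or one of its subdomains.
    A suffix match on the whole label avoids false hits such as
    'cloudflare-dns.com.evil.example'."""
    n = name.rstrip(".").lower()
    return any(n == d or n.endswith("." + d) for d in blocked)


def find_doh_queries(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, queried_name) for every query that targets a DoH domain."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and is_doh_name(m.group("name")):
            hits.append((m.group("ip"), m.group("name").rstrip(".").lower()))
    return hits


def rpz_records(blocked: Set[str] = DOH_DOMAINS) -> List[str]:
    """RPZ zone records: 'CNAME .' is the RPZ action for NXDOMAIN, applied to
    each DoH domain and a wildcard for its subdomains."""
    out: List[str] = []
    for d in sorted(blocked):
        out.append(f"{d} CNAME .")
        out.append(f"*.{d} CNAME .")
    return out


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "10-Mar-2020 09:12:01.123 client 10.1.2.3#51234 (dns.google): query: dns.google IN A + (10.0.0.53)",
    "10-Mar-2020 09:12:02.456 client 10.1.2.4#40001 (www.example.com): query: www.example.com IN A + (10.0.0.53)",
    "10-Mar-2020 09:12:03.789 client 10.1.2.7#51300 (mozilla.cloudflare-dns.com): query: mozilla.cloudflare-dns.com IN AAAA + (10.0.0.53)",
    "10-Mar-2020 09:12:04.000 client 10.1.2.9#50000 (cloudflare-dns.com.evil.example): query: cloudflare-dns.com.evil.example IN A + (10.0.0.53)",
]

if __name__ == "__main__":
    for ip, name in find_doh_queries(SAMPLE_LOG):
        print(f"DoH bootstrap attempt from {ip}: {name}")
    print("\n".join(rpz_records()))
```

The query-log matches give you the internal hosts to follow up on, while the RPZ records are what you would load into a response policy zone on the internal resolver; direct connections to DoH IPs on port 443 still need the firewall rule described above.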
You can also educate yourself about Infoblox’s best practices on other Infoblox Community blog posts to learn about these evolving technologies and Infoblox solutions.