Understanding and Managing New DNS Privacy Challenges

Infoblox

David Ayers, Senior Product Marketing Manager, Infoblox

Securing your DNS infrastructure has never been more critical: over 90 percent of malware incidents and more than half of all ransomware and data theft attacks rely on the DNS vector. The original DNS design over 30 years ago did not take security into account, as queries were generally sent unencrypted. Besides monitoring the IP address that users were visiting, any party between the browser and the resolver can discover which websites users sought–even if the content delivered from the website is encrypted. DNS queries can also be hijacked or spoofed, diverting users from intended to malicious websites.

DoT and DoH to the Rescue

Two recent and evolving technologies designed to improve DNS privacy are making significant headway. Leading technology companies, including browser organizations and computer hardware and software vendors, have announced go-live plans for introducing DNS privacy in their respective applications and operating systems.

Both technologies work by encrypting the DNS communication between your operating system's (or individual application's) stub resolver and your recursive DNS resolver.

• DNS over TLS (Transport Layer Security), aka "DoT," uses the common Transmission Control Protocol (TCP) to layer over TLS encryption and authentication between a DNS client and a DNS server. Functioning at the operating system level, it communicates over TCP port 853.
• DNS over HTTPS, aka "DoH," leverages the security protocol extension HTTPS to provide encryption and authentication between a DNS client and server.

Enterprise and Service Provider Impacts

While these new DNS privacy initiatives are necessary, they can inadvertently bypass enterprise DNS solutions to some extent – exposing enterprises to unexpected risks, break mission-critical applications, slow browser performance, and hurt subscriber/user experiences.

DoH uses explicitly the same TCP port (443) that all HTTPS traffic uses, potentially hampering and DoH-related DNS troubleshooting because of the inability to distinguish DoH-based DNS requests from regular HTTPS requests. Organizations employing DNS monitoring to block DNS requests to known malicious domains may not see these requests. Hence, malicious traffic may go undetected.

Also, DoH operates at the application layer rather than the operating system, introducing browser and app traffic to bypass enterprise DNS controls. This could hamper the support team's ability to maintain network performance, security, scale, and reliability that enterprises demand from DNS. How will support agents handle situations where applications running on user equipment might behave differently from a web browser or an application running on the user equipment OS?

Infoblox Solutions

Infoblox maintains that circumventing internal DNS infrastructure is against best practices. Organizations can take steps now to reduce the risks these technologies pose. An excellent place to start is by blocking direct DNS traffic—including DoT and DoH—between internal IP addresses and DNS servers on the Internet. Additionally:

• BloxOne^™ Threat Defense blocks resolution to DoH domains and facilitates a graceful fallback to existing internal DNS.
• Support for DoT and DoH will also be added to an upcoming NIOS release. This capability will enable customers to encrypt last-mile DNS communications between their endpoints and DNS servers regardless of which protocol the endpoint supports.