
DOH! —

The NSA warns enterprises to beware of third-party DNS resolvers
Yes, plaintext DNS is insane, but encrypting it has its own tradeoffs.
DAN GOODIN - 1/15/2021, 9:58 AM

DNS over HTTPS is a new protocol that protects domain-lookup traffic from eavesdropping and
manipulation by malicious parties. Rather than an end-user device communicating with a DNS server
over a plaintext channel—as DNS has done for more than three decades—DoH, as DNS over HTTPS is
known, encrypts requests and responses using the same encryption websites rely on to send and
receive HTTPS traffic.

Using DoH or a similar protocol known as DoT—short for DNS over TLS—is a no-brainer in 2021, since
DNS traffic can be every bit as sensitive as any other data sent over the Internet. On Thursday,
however, the National Security Agency said that in some cases Fortune 500 companies, large government
agencies, and other enterprise users are better off not using it. The reason: the same encryption that
thwarts malicious third parties can hamper engineers’ efforts to secure their networks.

“DoH provides the benefit of encrypted DNS transactions, but it can also bring issues to enterprises,
including a false sense of security, bypassing of DNS monitoring and protections, concerns for
internal network configurations and information, and exploitation of upstream DNS traffic,” NSA
officials wrote in published recommendations. “In some cases, individual client applications may
enable DoH using external resolvers, causing some of these issues automatically.”

DNS refresher
More about the potential pitfalls of DoH later. First, a quick refresher on how the DNS—short for
domain name system—works.

When people send emails, browse a website, or do just about anything else on the Internet, their
devices need a way to translate a domain name into the numerical IP address that servers use to locate
other servers. For this, the devices send a domain lookup request to a DNS resolver, which is a server
or group of servers that typically belong to the ISP or enterprise organization the user is connected
to.

If the DNS resolver already knows the IP address for the requested domain, it will immediately send it
back to the end user. If not, the resolver forwards the request to an external DNS server and waits for
a response. Once the DNS resolver has the answer, it sends the corresponding IP address to the
client device.

The image below shows a setup that’s typical in many enterprise networks:
[Diagram, credit NSA: a typical enterprise DNS setup]
Astonishingly, this process is by default unencrypted. That means that anyone who happens to have
the ability to monitor the connection between an organization’s end users and the DNS resolver—say,
a malicious insider or a hacker who already has a toehold in the network—can build a comprehensive
log of every site and IP address these people connect to. More worrying still, this malicious party
might also be able to send users to malicious sites by replacing a domain’s correct IP address with a
malicious one.

A double-edged sword
DoH and DoT were created to fix all of this. Just as transport layer security encryption authenticates
Web traffic and hides it from prying eyes, DoH and DoT do the same thing for DNS traffic. For now,
DoH and DoT are add-on protections that require extra work on the part of end users or the
administrators who serve them.

The easiest way for people to get these protections now is to configure their operating system (for
instance Windows 10 or macOS), browser (such as Firefox or Chrome), or another app that supports
either DoH or DoT.

Thursday’s recommendations from the NSA warn that these types of setups can put enterprises at
risk—particularly when the protection involves DoH. The reason: device-enabled DoH bypasses
network defenses such as DNS inspection, which monitors domain lookups and IP address responses
for signs of malicious activity. Instead of the traffic passing through the enterprise’s fortified DNS
resolver, DoH configured on the end-user device bundles the packets in an encrypted envelope and
sends them to an off-premises DoH resolver.

NSA officials wrote:

Many organizations use enterprise DNS resolvers or specific external DNS providers as a key
element in the overall network security architecture. These protective DNS services may filter
domains and IP addresses based on known malicious domains, restricted content
categories, reputation information, typosquatting protections, advanced analysis, DNS
Security Extensions (DNSSEC) validation, or other reasons. When DoH is used with external
DoH resolvers and the enterprise DNS service is bypassed, the organization’s devices can
lose these important defenses. This also prevents local-level DNS caching and the
performance improvements it can bring.

Malware can also leverage DoH to perform DNS lookups that bypass enterprise DNS
resolvers and network monitoring tools, often for command and control or exfiltration
purposes.

There are other risks as well. For instance, when an end-user device with DoH enabled tries to
connect to a domain inside the enterprise network, it will first send a DNS query to the external DoH
resolver. Even if the request eventually fails over to the enterprise DNS resolver, it can still divulge
internal network information in the process. What’s more, funneling lookups for internal domains to
an outside resolver can create network performance problems.

The image immediately below shows how DoH with an external resolver can completely bypass the
enterprise DNS resolver and the many security defenses it may provide.
[Diagram, credit NSA: DoH with an external resolver bypassing the enterprise DNS resolver]

Bring your own DoH


The answer, Thursday’s recommendations said, is for enterprises wanting DoH to rely on their own
DoH-enabled resolvers, which besides decrypting the request and returning an answer also provide
inspection, logging, and other protections.

The recommendations go on to say that enterprises should configure network security devices to
block all known external DoH servers. Blocking outgoing DoT traffic is more straightforward, since it
always travels on port 853, which enterprises can block wholesale. That option isn’t available for
curbing outgoing DoH traffic because it uses port 443, which can’t be blocked.
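As an added example (not from the article or the NSA guidance), the following Python sketch applies the blocking logic above to constructed flow and proxy records: DoT is identified by TCP port 853 alone, while DoH on port 443 can only be spotted at a TLS-inspecting proxy by resolver hostname, by the RFC 8484 media type, or by a decodable DNS query in the URL. The resolver blocklist names are hypothetical placeholders.

```python
import re
from base64 import urlsafe_b64decode

# Constructed, hypothetical blocklist of external DoH resolver hostnames (operator-maintained).
EXTERNAL_DOH_RESOLVERS = {"doh.resolver-a.example", "dns.resolver-b.example"}
# RFC 8484: DoH uses media type application/dns-message; GET carries the base64url query in "dns".
DOH_MEDIA_TYPE = "application/dns-message"
DOH_GET_PARAM = re.compile(r"[?&]dns=([A-Za-z0-9_-]+)")

def is_dns_message(b64url):
    """Decode unpadded base64url and sanity-check the 12-byte DNS header (QDCOUNT >= 1)."""
    try:
        raw = urlsafe_b64decode(b64url + "=" * (-len(b64url) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) >= 12 and int.from_bytes(raw[4:6], "big") >= 1

def classify_http(host, path, ctype):
    """Classify a proxied HTTPS transaction; DoH shares port 443, so the port alone says nothing."""
    if host in EXTERNAL_DOH_RESOLVERS:
        return "doh-known-resolver"
    if ctype == DOH_MEDIA_TYPE:
        return "doh-media-type"
    m = DOH_GET_PARAM.search(path)
    if m and is_dns_message(m.group(1)):
        return "doh-get-wire-format"
    return None

def scan(lines):
    """Return (source, verdict) for each log line that looks like encrypted DNS leaving the network."""
    findings = []
    for line in lines:
        kind, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kind == "flow":  # DoT always rides TCP 853, so the port alone identifies it
            verdict = "dot" if kv["proto"] == "tcp" and int(kv["dport"]) == 853 else None
        else:
            verdict = classify_http(kv["host"], kv["path"], kv.get("ctype", ""))
        if verdict:
            findings.append((kv["src"] if kind == "flow" else kv["host"], verdict))
    return findings

# Constructed sample records (not real traffic): flow logs and TLS-inspecting proxy logs.
LOG_LINES = [
    "flow proto=tcp src=10.0.0.5 dst=203.0.113.9 dport=853",
    "flow proto=tcp src=10.0.0.5 dst=203.0.113.10 dport=443",
    "http host=doh.resolver-a.example path=/dns-query ctype=application/dns-message",
    "http host=intranet.corp.example path=/index.html ctype=text/html",
    "http host=cdn.example path=/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE ctype=",
]
```

The flow to port 443 produces no verdict at all: without proxy visibility, DoH is indistinguishable from ordinary HTTPS, which is the gap the NSA's recommended in-house DoH resolver closes.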

The image below shows the recommended enterprise setup.

[Diagram, credit NSA: the recommended enterprise DoH setup]

DoH from external resolvers is fine for people connecting from home or small offices, Thursday’s
recommendations said. I’d go a step further and say that it’s nothing short of crazy for people to use
unencrypted DNS in 2021, after all the revelations over the past decade.

For enterprises, things are more nuanced.

Promoted Comments
arsreader808 / Smack-Fu Master, in training / et Subscriptor

The few sentences at the end sum it up pretty nicely: for home users, especially the ones on
snooping ISPs, this is a no-brainer (maybe switch the resolver to not Google if you don't
want to just replace ISP snooping with ad-giant snooping), but for enterprises, this sucks
hard.
Especially now with BYOD getting more popular, blocking this kind of traffic and forcing
clients to use internal DNS resolvers, as well as enforcing checks on DNS traffic, becomes
much harder.
We are currently blocking the DoH MIME types on the web proxy and have a block list for
known DoH resolvers on the firewall, but man, this feels like a fragile 'solution'.
FF at least allows you to return a DNS response to disable DoH, but this is crap too, as an
ISP could do exactly the same...

However, we could view this as a trial run to come up with new solutions/ideas around
security in enterprise settings with regard to devices you do not fully control. Once 5G takes
off, most devices will no longer just follow one controllable network path but will likely
always have a backup option to circumvent network policy enforcement.


simplepurple / Ars Centurion / et Subscriptor

I block DoH on my network as much as I can, and force DNS and DoT to use my local
resolver.

I also do DoT to an outside DNS provider, but to be honest I'm not convinced that there's
much value in doing so. Outside parties like your ISP can still see what IP addresses you're
going to, and there are many other ways of figuring out what you or your users are doing.

When IPv6 eventually replaces IPv4 I expect there to be less name-based hosting, so an IP
address might be more likely to identify a single site.

Deep down, I do feel that it's a good idea to use DoT. (I don't feel that DoH is a good idea in
most cases.) However, is the use of encrypted DNS just "security theater" like many people's
use of VPN services is?

There aren't any silver bullets in security, and you have to do the hard stuff to protect
yourself or your organization, not just the easy stuff. Turning on DoT or DoH is an easy step,
but it may not help you if you neglect the hard steps.

Encrypted DNS is a good first step, but it has to be done together with a lot of other stuff.
You also have to remember that, with the current technology, you may just be shipping off
your privacy to someone else. Then you have to ask if you trust this person or organization.

It's similar to the VPN services that are so popular (and lucrative for the providers). Yes,
you're blocking some portion of your traffic from view by your ISP. You're exposing it to your
VPN provider though, and thus just passing the security football down the line a bit.

A lot of this stuff, including encrypted DNS and VPN services, may not do you an awful lot of
good if a nation-state or law enforcement is interested in you. I don't really worry about
that kind of thing, but it's something that people should keep in mind so they don't get a
false sense of security.

That false sense of security is then central to what I'm saying. Don't just jump on a few
things you can do and then get a false sense of security. If you're a whistleblower or an
activist in an area with a repressive government, you're going to need more than encrypted
DNS or a VPN.
