Understanding DoH Challenges: A Necessary Step in Improving Network Privacy & Security

Before 1983, finding a resource on the burgeoning collection of networks and computers that would become the internet meant either having to know the IP address or having to reference a manually maintained host file.

DNS, or Domain Name System, was created to provide a better way, one in which users could type in a friendly host name rather than an IP. DNS not only met this need but has also scaled incredibly well — now supporting over 330 million domains. Genius as the solution may be, the original design was not perfect, and privacy and security were left for subsequent revisions. Now 38 years later, it needs to evolve.

In considering what DNS provides, the flaws in privacy become very apparent. If any given individual were to look at their DNS requests, a story unfolds: when they got up in the morning; which websites they visited; collaboration tools used while at work; and even what IoT devices they have set up.

Growing privacy concerns among consumers and businesses alike have prompted change, and DNS has looked to HTTPS to provide its much-needed privacy revamp. DNS over HTTPS (DoH) is just that: DNS encapsulated by HTTPS. DoH offers incredible potential in allowing DNS to be reliably encrypted just like all other HTTPS traffic.

However, privacy often comes at the cost of security, and with DoH there are potential consequences. Organizations must be prepared, both to leverage the advantages and to avoid possible pitfalls.

Recognizing the Pros and Cons of DoH

Before digging into the issues presented by DoH, let’s recognize the protocol’s strengths. It provides DNS in the same way users already trust when navigating the internet — such as connecting to a banking website or completing an online transaction. It verifies the server is the one that was requested and securely communicates so that the traffic cannot be intercepted or corrupted. Further, DoH leverages port 443, making DNS resolution secure and reliable.

Earlier this year the National Security Agency (NSA) issued recommendations for securely adopting encrypted DNS, recognizing both the growing interest in securely protecting DNS and also the difficulties that may present in controlling it. DoH is hard to control because IT teams or admins can no longer just inspect DNS traffic or shut off port 53 to undesirable servers.

Now DoH allows DNS resolution to happen privately over port 443. This means DNS resolution is not solely under the purview of the OS as applications can now independently and directly obtain resolution whenever the internet is available. This may appear to be a win for the user, but important information about threats — as well as the ability to add protection through filtering — is lost.

Additionally, when applications make their own rogue DNS requests, not only do IT teams lose visibility, but also control as the DNS configuration on their system is not being honored. This can lead to incorrect DNS resolution causing intranet lookup failures. It can even be a mechanism for data exfiltration — all courtesy of this new encrypted pathway.

Staying in Control of DNS

The NSA recommends that all DNS traffic be sent only to a designated resolver and that all other resolvers should be disabled or blocked. This might sound simple enough, but the challenge lies in complying with this advice as DNS traffic is now encrypted over the same port as HTTPS. As port 443 traffic makes up the majority of internet interactions, it can’t simply be blocked, so other actions must be taken to meet NSA’s recommendations.  

One option is to deploy a firewall that can inspect HTTPS traffic. Unfortunately, this is generally expensive and requires a powerful device as the firewall is inserting itself into the traffic, decrypting and then re-encrypting to do so. Also, many websites balk at this behavior and thus do not work smoothly. Further, this option only protects devices behind the firewall and, given the hybrid environment we live in these days, would only have limited effectiveness.

How about VPNs? They have the potential to effectively pull users behind the firewall when remote. However, VPNs can also add complexity and cost, and can be detrimental to performance. Although VPNs are encouraged for the many remote workers connecting to corporate networks, they are used inconsistently by users. Companies are actively moving away from VPNs as many of their needed resources are now available in the cloud.

Another possibility is to control access to DoH providers. If we could identify and stop DoH connections, then applications would be forced to use the local system for DNS resolution. The challenge with this is having timely and contextual intelligence while also being able to apply it to any system on any network.

Blending DoH with Security

What we need is a way to take advantage of the strengths of DoH, while avoiding the pitfalls. The right solution uses the encryption and stability provided by DoH, while ensuring the only defined DNS resolvers are available. This must be done without losing visibility to the requests, be that echoing them to a SIEM or logging them for reporting.

Looking for a Solution

Fortunately, DoH has been in the wings for some time and tools are becoming available to help. Currently, the number of applications taking advantage of DoH are still few and primarily relegated to browsers like Mozilla Firefox and Google Chrome. This is changing as other applications begin to see the benefits and more DoH providers spring up.

Given the outlook for DoH, organizations will need to invest in DNS solutions that simplify how to manage DoH, while providing the needed visibility and intelligence that would otherwise be lost.

For more information, download the whitepaper “Make DoH Work for You.”