Sunday, January 19, 2020

BLOG POST 5 – Protecting DNS Queries



One of the latest trends in network security, and in protecting the integrity of transmissions, is DNS over HTTPS, or DoH for short.  The DNS (Domain Name System) translates human-readable names such as www.bellevue.edu into the IP addresses that computers actually connect to, which is what makes browsing the internet by name possible.

Since its introduction in the 1980s, DNS has been largely unprotected: queries and responses travel in cleartext, with no encryption and no authentication of the resolver.  DNS is subject to two significant areas of risk: tracking and spoofing (Clark, 2018).  With spoofing, someone on the path between the system making the query (i.e. the user entering a URL such as www.bellevue.edu or google.com) and the resolver can alter the response.  This is typically known as DNS spoofing: redirecting a name to a different (false) IP address, and therefore to a different website.  Which resolver answers the query matters here, and the resolver is not something most people know how to control; while changing it is an option, most people use whatever the network hands them.  Since the transmission to the DNS server is unencrypted, someone watching the network traffic can learn which sites the user is requesting and track their activity.  This becomes a user-privacy problem, since many organizations will pay top dollar for this kind of browsing history.  A third concern is that the resolver operator itself, often the Internet Service Provider (ISP), can log user activity and sell it on the open market.

DNS over HTTPS encrypts DNS queries in transit as they pass through the many network hops between the client and the resolver.  Think of it as an encrypted tunnel from the host system to one destination, the DoH resolver: the query is wrapped in HTTPS (TLS on port 443) and looks like ordinary web traffic to anyone in between.  This stops the ISP and anyone else on the path from reading the requests and selling them, and because the client validates the resolver's TLS certificate, it prevents an on-path attacker from spoofing responses and ensures that the resolver the client trusts is the one answering.  The caveat is that DoH protects only the hop between client and resolver; it does not prove the resolver's own upstream lookups were correct (that is what DNSSEC validation is for), and it does not stop the resolver operator from logging queries, so the choice of resolver becomes the trust decision.  Firefox, for example, has selected Cloudflare as its trusted resolver.  The browser someone uses therefore needs to be capable of DNS over HTTPS, which Mozilla Firefox and Chrome currently are.
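To make the protocol concrete, here is an added example (written for this post, not code from Mozilla, Cloudflare or any of the cited sources) that builds a DNS query in the wire format DoH carries, encodes it the way RFC 8484 specifies for a GET request, and parses a constructed A-record response.  The resolver URL is a placeholder and the response bytes are constructed by hand rather than captured; the real Cloudflare and Google endpoints, https://cloudflare-dns.com/dns-query and https://dns.google/dns-query, accept exactly this encoding.

```python
"""DNS wire format as carried by DNS over HTTPS (RFC 1035 messages, RFC 8484 transport).

Added example for this post; not code from Mozilla, Cloudflare or the cited sources.
"""
import base64
import struct

# Placeholder resolver URL (assumption). Real endpoints that accept this encoding
# include https://cloudflare-dns.com/dns-query and https://dns.google/dns-query.
RESOLVER_URL = "https://doh-resolver.example/dns-query"

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode 'www.bellevue.edu' as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """12-byte header plus one question. RFC 8484 suggests transaction ID 0 so that
    identical queries produce identical, cacheable URLs."""
    flags = 0x0100  # RD=1: recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: the raw message, base64url without '=' padding, in ?dns=."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a name, handling a compression pointer (0xC0xx)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer occupies 2 bytes and ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_a_records(msg: bytes) -> list:
    """Return the IPv4 addresses from the answer section of a DNS response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


# Constructed response (not captured from a real resolver): QR=1, RD=1, RA=1, RCODE=0,
# the question echoed back, and one A record whose name is a pointer to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("www.bellevue.edu")
    + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c"
    + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
    + bytes([192, 0, 2, 10])  # TEST-NET-1 address, chosen for the example
)

if __name__ == "__main__":
    query = build_query("www.bellevue.edu")
    print(doh_get_url(RESOLVER_URL, query))
    print(parse_a_records(SAMPLE_RESPONSE))  # ['192.0.2.10']
```

The query bytes are the same ones a classic resolver sees on UDP port 53; the only thing DoH changes is that they travel inside an HTTPS request, so a GET for www.example.com with transaction ID 0 produces the same `?dns=` value RFC 8484 shows in its own example.  The parser deliberately raises on a non-zero RCODE rather than returning an empty list, so a spoofed or failing answer is visible instead of silently looking like "no records".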

DoH isn't without controversy.  Internet Service Provider (ISP) Comcast has lobbied the government to restrict DoH, arguing that Google and Mozilla would centralize all DNS resolution on their own chosen resolvers rather than the ISPs' (Hoffman, 2019).  A paper from the SANS Institute indicates that DoH can weaken an organization's cybersecurity posture, because it prevents the network defense team from inspecting DNS requests on the wire, and warns that "the unmitigated usage of encrypted DNS, particularly DNS over HTTPS, could allow attackers and insiders to bypass organizational controls" (Hjelm, 2019).
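The detection problem the SANS paper raises can be approached from connection logs alone: DoH is HTTPS, so a DoH client's queries never reach the internal resolver and instead show up as TLS sessions to a public resolver's hostname.  The following is an added example, not code from the paper or from any vendor, that scores constructed flow records (not real traffic) on two heuristics: TLS to a hostname on a short, assumed list of well-known public DoH endpoints, and TLS activity from a host that never queries the assumed internal resolver at 10.0.0.53.

```python
"""Flag hosts whose name resolution appears to bypass the internal resolver via DoH.

Added example for this post; not code from the SANS paper or any vendor.
"""
from collections import defaultdict

# Assumed address of the organization's own resolver (every host should use it).
INTERNAL_RESOLVER = "10.0.0.53"

# A short, assumed starting list of well-known public DoH endpoint hostnames
# as they appear in the TLS SNI. Extend it with the resolvers you care about.
KNOWN_DOH_SNI = {
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",  # Firefox's default trusted resolver
    "dns.google",
    "dns.quad9.net",
}

# Constructed flow records, not captured traffic:
# (src_ip, dst_ip, dst_port, protocol, tls_sni or None)
FLOWS = [
    ("10.1.1.10", "10.0.0.53", 53, "udp", None),                              # normal host
    ("10.1.1.10", "203.0.113.20", 443, "tcp", "www.bellevue.edu"),
    ("10.1.1.11", "203.0.113.5", 443, "tcp", "mozilla.cloudflare-dns.com"),   # DoH, no port 53
    ("10.1.1.11", "203.0.113.20", 443, "tcp", "www.bellevue.edu"),
    ("10.1.1.12", "203.0.113.30", 443, "tcp", "updates.example"),             # web, no internal DNS
    ("10.1.1.13", "10.0.0.53", 53, "tcp", None),                              # uses both
    ("10.1.1.13", "203.0.113.6", 443, "tcp", "cloudflare-dns.com"),
]


def find_doh_hosts(flows, known_sni=KNOWN_DOH_SNI, resolver=INTERNAL_RESOLVER):
    """Return {src_ip: [reasons]} for hosts matching either heuristic:
    1. a TLS session whose SNI is a known public DoH endpoint;
    2. TLS activity from a host that never queried the internal resolver on port 53."""
    per_host = defaultdict(lambda: {"used_internal_dns": False, "tls": 0, "doh_sni": set()})
    for src, dst, port, _proto, sni in flows:
        host = per_host[src]
        if port == 53 and dst == resolver:
            host["used_internal_dns"] = True
        elif port == 443:
            host["tls"] += 1
            if sni:
                name = sni.lower().rstrip(".")
                if name in known_sni:
                    host["doh_sni"].add(name)
    findings = {}
    for src, host in sorted(per_host.items()):
        reasons = []
        if host["doh_sni"]:
            reasons.append("TLS to known DoH endpoint: " + ", ".join(sorted(host["doh_sni"])))
        if host["tls"] and not host["used_internal_dns"]:
            reasons.append("TLS traffic but no queries to the internal resolver")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in find_doh_hosts(FLOWS).items():
        print(src, "->", "; ".join(reasons))
```

The second heuristic is deliberately noisy: a host that only connects to IP literals, or one whose lookups were cached before the log window began, will also trip it, so treat it as a lead to correlate with the first rather than as an alert on its own.  The first heuristic depends on the SNI being visible; once clients encrypt the ClientHello, the resolvers' IP addresses and the organization's egress policy (blocking or proxying port 443 to known resolvers) are what remain.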

DoH also bypasses DNS-based blacklists put in place by security organizations and network teams, since a client that sends its queries to an outside resolver over HTTPS never consults the internal one.  This type of encryption is also getting a bad name from federal law-enforcement organizations (FBI, etc.) that are unable to sniff the traffic of suspected criminals, which will lead to the same standoff they are having now over decrypting cell phones with vendors who refuse to comply (with good reason).  In 2017 the president signed legislation repealing the FCC's ISP privacy rules, which had restricted ISPs from tracking customers' internet activity (https://threatpost.com/trump-signs-repeal-of-isp-privacy-rules/124767/).  This appears to be another win for big-business lobbyists who make money from user and location data as well as network traffic and then sell it to third-party data aggregators and marketers.  It is yet another reason to encrypt DNS queries and to use a trusted VPN for all internet activity.

Whether DoH is widely adopted or not, unencrypted DNS requests have been one of the largest unmitigated vulnerabilities on the internet for decades.  Researchers and vendors are also deploying DNS over TLS, or DoT (https://www.infoblox.com/glossary/dns-over-tls-dot/), which wraps the same DNS messages in a TLS connection on its own dedicated port (853) rather than inside HTTPS, along with other ways of protecting DNS queries.  There are two operating modes for DoT, Strict Mode and Opportunistic Privacy Mode (Saez, 2019).  In strict mode the client establishes a TLS connection and authenticates the resolver using a PKIX certificate that must match the resolver's configured domain name; if that authentication fails, the client refuses to send the query at all rather than fall back to cleartext.  In opportunistic privacy mode the client tries TLS first but, if the connection or authentication fails, falls back to classic unencrypted DNS on UDP or TCP port 53.  Strict mode is safer because it fails closed after a failed authentication.  The trade-off is that it can break name resolution entirely on networks where the configured resolver is unreachable or cannot be authenticated, for instance behind a captive portal or where port 853 is blocked.

As with all other conversations about encryption, there needs to be a careful balance between security and privacy, and a frank discussion of how much government oversight of its own citizens is ethical.


Resources:
Clark, L. (May 2018). A Cartoon Intro to DNS over HTTPS. Mozilla Hacks. Retrieved January 19, 2020, from https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/
Hjelm, D. (September 2019). A New Needle and Haystack: Detecting DNS over HTTPS Usage. SANS Reading Room. Retrieved January 19, 2020, from https://www.sans.org/reading-room/whitepapers/dns/paper/39160
Hoffman, C. (November 2019). How DNS Over HTTPS (DoH) Will Boost Privacy Online. How-To Geek. Retrieved January 19, 2020, from https://www.howtogeek.com/448629/how-dns-over-https-doh-will-boost-privacy-online/
Saez, I. (July 2019). Protect your DNS requests with DNS over TLS. INCIBE-CERT. Retrieved January 19, 2020, from https://www.incibe-cert.es/en/blog/protect-your-dns-requests-dns-over-tls

Monday, January 13, 2020

CYBR 650 - Blog 4 - NIST SP 800-137A DRAFT Released


BLOG 4 – NIST SP 800-137A DRAFT – Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment

The most significant change from the DoD Information Assurance Certification and Accreditation Process (DIACAP) to the Risk Management Framework (RMF) is the ability to keep a system continuously authorized once an Information Security Continuous Monitoring (ISCM) strategy has been successfully implemented.  Approved in RMF Step 2, the ISCM strategy describes how the system owner intends to continuously implement, monitor and test the security controls approved by the authorizing official (AO).  Demonstrating this successfully should allow for ongoing authorization of the system, with the expectation that all security-relevant changes have been addressed and a current snapshot of the system is always available to auditors for testing and evaluation.
The National Institute of Standards and Technology (NIST) has created Special Publication 800-137A to help agencies meet the requirements of the Federal Information Security Modernization Act of 2014 (FISMA) by describing an approach for evaluating whether an ISCM program is operating as its approved strategy intends.  This publication should not be confused with NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, which details how organizations should develop an ISCM strategy.  Instead, 800-137A details how the assessment of the ISCM program should be done to provide "organizational leadership with information on the effectiveness and completeness of the organization's ISCM program, to include review of ISCM strategies, policies, procedures, operations, and analysis of continuous monitoring data" (NIST, 2020).
From a high level, NIST SP 800-137A performs five distinct functions:
1. Offers guidance on the development of an ISCM program assessment process for all organizational risk management levels as defined in NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View.
2. Describes how an ISCM program assessment relates to important security concepts and processes, such as the NIST Risk Management Framework (RMF), organization-wide risk management levels, organizational governance, metrics applicable to ISCM, and ongoing authorization.
3. Describes the properties of an effective ISCM program assessment.
4. Presents a set of ISCM program assessment criteria, with references to the sources from which the criteria are derived, that can be adopted by an organization and used for ISCM program assessments or as a starting point for further development of an organization's own assessment criteria.
5. Defines a way to conduct ISCM program assessments by using assessment procedures, defined in the companion document containing the ISCM Program Assessment Element Catalog, designed to produce a repeatable assessment process.
(NIST, 2020)

The assessment of the ISCM program helps determine its maturity, its effectiveness and, consequently, the health of the cybersecurity program.  The publication builds on the six-step ISCM process defined in SP 800-137:
1. Define ISCM Strategy
2. Establish ISCM Program
3. Implement ISCM Program
4. Analyze ISCM Data and Report Findings
5. Respond to ISCM Findings
6. Review and Update ISCM Program and Strategy
(NIST, 2020)

The assessment process outlined in this document rates how well each of these steps has been implemented, in order to determine whether there is residual organizational risk not being addressed by the security controls reviewed during ISCM implementation.
Based on the criteria specified above, the publication draws on a variety of sources to evaluate a program's ISCM strategy.  These sources include NIST publications, OMB circulars, FISMA 2014, executive directives and even "practitioner experience based on collective professional experience in ISCM, security engineering, network security, systems engineering and information technology" (NIST, 2020).
The publication then walks the reader through the more subjective parts of an evaluation: judgment values, evaluation criteria, assessment elements, evidence gathering and analysis, and even when to decide that a judgment is Not Applicable.  The document concludes with instructions on reporting assessment results so that they convey residual program risk and how the assessment was performed.  The report is directed to program management, while the document's main audience is the information security personnel who perform the assessment.
This document provides great value to information security leadership and to authorizing officials by baselining expectations for how ISCM should be implemented at the organization, mission/business process and system levels.  While very detailed, it does a great job of laying out a structured approach to evaluating an ISCM program with both objective benchmarks and subjective input, giving the organization a realistic picture of the effectiveness of its ISCM strategy.

References:

National Institute of Standards and Technology. (January 2020). Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment (Draft NIST SP 800-137A). Retrieved January 13, 2020, from https://csrc.nist.gov/publications/detail/sp/800-137a/draft