Share this
What The NSA’s Advice on Encrypted DNS Really Tells Us
by Peter Lowe on Feb 5, 2021 12:00:00 AM
The NSA has recently released advice on the adoption of encrypted DNS in enterprise environments.
Encrypted DNS: The NSA’s opinion on DoH
While the title of this blog implies it deals with encrypted DNS in general (and there's a brief mention of DNS-over-TLS (DoT)), the advice mainly deals with the use of DNS-over-HTTPS (DoH).
It's a fairly concise document—for a government organization, 7 pages is almost a press release—so I'll leave it up to you to read the whole thing. But there are some interesting points made in there about DoH that might not be obvious if you're not so familiar with the topic.
Their list of issues with DoH is a pretty good summary of concerns:
- A false sense of security
- Bypassing DNS monitoring and protections
- Concerns for internal network configurations and information
- Exploitation of upstream DNS traffic
The most important concern for our customers is the second here: bypassing DNS monitoring and protections.
The way that DoH is implemented—or in the process of being implemented—right now is all over the place: At the operating system level, at the application level, sometimes upgraded automatically, sometimes not, and the prevention or signaling mechanisms are in no way standardized. Since DoH works by tunneling DNS traffic over HTTPS, it makes it non-trivial to detect and block.
The upshot is that if you have, let's say, an excellent DNS filtering provider in place, a real concern is that DoH is going to bypass the great value and top notch protection (ahem) you're paying for.
The NSA and third party resolvers
The headline most news sites have gone with focuses on a key takeaway: "Only use the enterprise DNS resolver and disable all others". What they're saying here is not that all external DNS resolvers are bad—just that you should control what goes in and out of your network.
For our customers, this effectively means sticking with the local relay (which would be the enterprise resolver in this instance) to funnel DNS requests through to our servers.
It's an interesting piece of advice from an organization famous for its desire to inspect all network traffic. There's a whole discussion of whether or not their motivations are mostly self-serving or not, but the recommendation is basically solid.
For DNSFilter customers, the best way to prevent DoH from being used is to block the Proxy & Filter Avoidance category. This stops any initial communication to DoH servers from taking place. For example, Firefox will be unable to contact a valid DoH server to start using it if the DoH server itself is blocked. Ultimately there's no real way to block a really determined actor from hiding their traffic, but this is an effective way of stopping the automatic use of DoH.
I think the real significance of this article is the fact that the NSA has released it at all. There's nothing really new in the document, and most people following the topic will be aware of the issues and blocking strategies discussed. But for a huge three-letter agency to put this out there, it signals a public acceptance that there are definite issues to be addressed with DoH as it stands.
My hope is that this acknowledgement will give a bit of a kick to some of the bigger players in the space. We need a proper DNS discovery protocol and mechanism for disabling it—or really, for enabling it, as it really shouldn't be automatically enabled.
And perhaps this might encourage companies to listen to the people who have already been voicing their concerns over DoH. They’ve been banging their drums about opt-in by default, lack of a discovery mechanism, and even the potentially negative impact on international policies. So far though, most of these issues have effectively been steamrolled over.
But that's a whole other blog post on its own.
For further reading on the downsides of DoH, check out my previous article.
Don't miss our upcoming webinar on February 17 all about DoH and DoT.
Share this
Categories
- Featured (265)
- Protective DNS (22)
- IT (15)
- IndyCar (9)
- Content Filtering (8)
- Cybersecurity Brief (7)
- IT Challenges (7)
- Public Wi-Fi (7)
- AI (6)
- Deep Dive (6)
- Malware (4)
- Roaming Client (4)
- Team (4)
- Compare (3)
- MSP (3)
- Phishing (3)
- Tech (3)
- Anycast (2)
- Events (2)
- Machine Learning (2)
- Ransomware (2)
- Tech Stack (2)
- Secure Web Gateway (1)
Earlier this month I joined Mikey Pruitt, our Global Partner Evangelist, on the DNSFilter podcast dnsUNFILTERED to discuss my 2025 cybersecurity predictions. We had a lot of fun and covered all of the points I’ll outline here, but I wanted to go deeper. My 30 years of cybersecurity experience have given me a strong sense of where we’re heading as an industry—the shift to the cloud in many ways is a precursor in the adoption of AI and the future...
Most businesses only think about DNS security after an attack has already occurred. By then, the damage is done - downtime, lost revenue, compromised data, and a tarnished reputation. In an environment where cyber threats are constantly evolving, a reactive approach to DNS security simply isn’t enough.
Customer experience is the secret sauce that sets successful Managed Service Providers (MSPs) apart from the rest. In a market teeming with competition, you need to offer more than the best technology or the lowest prices. It's about how clients feel when they interact with your services. A stellar customer experience can transform a one-time client into a loyal advocate, while a poor one can send them running to your competitors. According to a ...