Should DNS Over HTTPS Be Banned?
Guest blog by Andrew Wertkin, CTO, BlueCat
DNS over HTTPS (DoH) is something I get asked about by senior IT and cybersecurity executives at BlueCat’s customers. They want to know how they can secure their organizations in the face of DoH, and what it means for the inherent structure of the internet.
Let’s start at the top
DoH is simply DNS, but carried inside the encrypted HTTPS protocol, so the queries and answers can't be easily viewed in transit. It is an IETF Proposed Standard, published as RFC 8484.
For reference, the domain name system (DNS) has historically been an unencrypted protocol. Its purpose was, and still is, to let a client request the resolution of a domain name and, depending on the type of request, receive either an IP address or another simple answer.
The public DNS is a decentralized authoritative directory for the internet. DNS resolvers provide the engine that traverses the DNS and returns the correct answer to the client. DNS and other critical decentralized protocols like BGP are a core reason the internet has scaled globally. DNS, however, is susceptible to eavesdropping and modification, and its vulnerabilities have been exploited.
In most cases today, DNS queries are sent to the DNS resolvers of a client’s internet service provider (ISP), or to the ones configured on Wi-Fi hotspots. ISPs have leveraged DNS as a key control point for their network health. They have also used it to do things like monetize misspelled domain names to deliver ads, and generally to track usage. The protocol has also been leveraged by governments for tracking and censorship, often by applying pressure on ISPs to meet requirements that enable this.
To corporations, which also run private DNS for internal compute, the openness of DNS allows for network control and policy enforcement. For example, the traditional DNS protocol has allowed organizations to see, and subsequently block or redirect, requests to look up domains perceived as bad (e.g., those associated with malware or with content deemed not suitable for the workplace). Controlling DNS provides part of the means both to optimize what’s considered good network utilization and to protect against what’s considered bad.
With DoH, that goes away for queries to the public DNS.
Aside: there are other means to encrypt DNS. For instance, DNSCrypt and DNSCurve can be used to encrypt the DNS communication between the client and the DNS resolver, and between the DNS resolver and the DNS authority, respectively. These protocols are not IETF standards and were not widely adopted. DNS over TLS (DoT) has emerged more recently; it secures the DNS communication over a dedicated port, so the traffic can still be identified as DNS (RFC 7858). DoH, by contrast, does not reveal that it is DNS at all: it presents no differently than any other HTTPS traffic.
For Consumers, DoH Offers Privacy?
A DNS query contains a few key pieces of data: the originating IP address of the device or local router, and the domain name of requested resources.
It follows that if we saw a bunch of DNS queries issued from a specific IP address, there is a great deal we could learn about the user behind that address: what online activity they [try to] perform, what information they [try to] access, etc. It’s easy to understand why ISPs and advertisers love DNS data. It’s an easy way to gather data about users.
Using DoH, however, consumer DNS queries become hidden from their ISP. DoH removes the ability of anything between the originating client and the DoH resolver to see the unencrypted data. Sure, the public DoH resolvers are now the recipients of the DNS data (after all, somebody out there has to resolve your query), but some of them state that they do not use, or even store, personally identifiable data the way ISPs historically have.
Here’s the catch: DNS is certainly not the only thing standing between a user and privacy; it’s just been the easiest thing for ISPs, governments, and corporations to use until now. If someone wants privacy, they need to either be an expert user who takes great care, or simply stop using the internet.
For Enterprises, DoH Hurts Security
Inside most enterprises, there is a private scope to DNS as well. This is the DNS necessary to access compute in the corporate data centers, authenticate, or simply, to print. Devices on the network normally have direct access to this private DNS.
To deliver a query to the public DNS, however, devices on the corporate network must typically go through a specific corporate DNS resolver. Direct access to the public DNS is blocked by simple firewall rules, for the reason that controlling DNS resolution flow from inside an enterprise is valuable from the perspective of both network health and security posture.
Why is it important to monitor DNS data originating from within your organization?
The vast majority of bad things that may compromise a device require DNS in order to connect with the back-end services that provide command and control and other functions. That’s why DNS is an extremely efficient signal and control point for nefarious activity. The closer an information-collecting resolver is to the client, the richer that signal becomes. DoH mutes this signal entirely.
When I look at the DNS data streaming directly off of any device (that is, at the first hop, also known as the edge of the network), I can make some pretty reliable assumptions. Based on query patterns, I can distinguish what is characteristic of a VOIP phone, a printer, an employee laptop, or a Point-Of-Sale (POS) machine.
Furthermore, I can correlate IP addresses and device lists to confirm that the thing I see acting like an employee laptop is actually an employee laptop, and not an infected purpose-built device like a POS machine.
How can an organization protect itself?
Certainly, organizations can attempt to identify and/or block DoH traffic. For example, they can act to block initial traffic to well-known DoH public resolvers (the fact that there are so few of them at the moment makes this a manageable process).
Where TLS inspection is already part of their security architecture, organizations can also decrypt traffic to identify additional DoH servers to block, and continue to deploy pattern-based detection.
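As an added illustration of the two controls just described (it is not code from the original post or from BlueCat), the script below runs over constructed corporate-resolver and perimeter flow logs and flags two things a defender can act on: HTTPS connections to well-known public DoH endpoints, and hosts that are busy over HTTPS yet never ask the corporate resolver for anything, which is the "muted signal" the article warns about. The log formats, the 10.0.5.0/24 clients and the documentation-range destinations are assumptions; the endpoint list is a starter set that a real deployment must keep current.

```python
from collections import Counter, defaultdict

# Starter list of well-known public DoH endpoints (IP -> hostname); keep it current in production.
KNOWN_DOH_IPS = {"1.1.1.1": "cloudflare-dns.com", "8.8.8.8": "dns.google", "9.9.9.9": "dns.quad9.net"}
KNOWN_DOH_NAMES = set(KNOWN_DOH_IPS.values())

def find_doh_suspects(dns_log, flow_log, min_tls=3):
    """Return {client: [reasons]} from a corporate-resolver log ('<ts> <client> <qtype> <qname>')
    and a perimeter flow log ('<ts> <src> <dst> <dport> <sni|->'), one record per line."""
    queries = Counter(line.split()[1] for line in dns_log.splitlines() if line.strip())
    reasons, tls_count = defaultdict(list), Counter()
    for line in flow_log.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport, sni = line.split()
        if dport != "443":
            continue                              # only HTTPS can carry DoH
        tls_count[src] += 1
        # Signal 1: direct contact with a known public DoH endpoint, by destination IP or TLS SNI.
        if dst in KNOWN_DOH_IPS or sni in KNOWN_DOH_NAMES:
            label = sni if sni != "-" else KNOWN_DOH_IPS.get(dst, "?")
            reasons[src].append(f"TLS to known DoH resolver {dst} ({label})")
    # Signal 2: a busy HTTPS client that never asked the corporate resolver for anything;
    # its lookups are happening somewhere we cannot see (DoH, or hard-coded addresses).
    for src, n in tls_count.items():
        if n >= min_tls and queries[src] == 0:
            reasons[src].append(f"{n} HTTPS connections but no queries via corporate resolver")
    return dict(reasons)

# Constructed sample logs (RFC 5737 documentation addresses), not real traffic.
DNS_LOG = """\
2020-01-15T09:00:01 10.0.5.21 A intranet.corp.example
2020-01-15T09:00:02 10.0.5.21 A www.example.com
2020-01-15T09:00:03 10.0.5.40 A printer.corp.example
"""
FLOW_LOG = """\
2020-01-15T09:00:02 10.0.5.21 198.51.100.20 443 www.example.com
2020-01-15T09:00:05 10.0.5.77 1.1.1.1 443 cloudflare-dns.com
2020-01-15T09:00:06 10.0.5.77 203.0.113.10 443 -
2020-01-15T09:00:07 10.0.5.77 203.0.113.11 443 -
2020-01-15T09:00:08 10.0.5.77 203.0.113.12 443 -
2020-01-15T09:00:09 10.0.5.40 198.51.100.5 443 -
"""

if __name__ == "__main__":
    for host, why in find_doh_suspects(DNS_LOG, FLOW_LOG).items():
        print(host, "->", "; ".join(why))
```

On the sample data only 10.0.5.77 is flagged, on both counts; the second signal is the one that keeps working once the endpoint list falls behind.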
Note that organizations are not only threatened by the occasional user who purposely resolves using DoH to hide his or her activity. Some browsers may automatically send queries to DoH providers, bypassing the client’s operating system and its settings altogether, without an explicit request to do so. In the best light, the browser developers are acting to provide a safer user experience by removing things that can be compromised outside of their control, like DNS. Cynically, I believe this behaviour is part of a data land grab between DoH providers and ISPs in which users (and thus, organizations) are getting caught. Even if the public DoH resolvers aren’t storing long-term logs, they will benefit enormously from the flood of DNS traffic.
Aside: DoH also isn’t the only blocker to visibility. As ESNI becomes widely adopted, the plaintext Server Name Indication in HTTPS traffic won’t be available for inspection, either. For sure, standards that exist to ensure privacy will strain the enterprise’s ability to ensure network performance and security.
For the internet overall, DoH is risky
DNS is very difficult to bring down on a global scale because it’s so decentralized.
DoH, however, is only provided by a small number of DNS resolver services, like Cloudflare or Google. Widespread use of DoH can thus end up centralizing DNS a bit. Take a minute to consider the repercussions of that.
Should DoH Be Banned?
It’s too late for that.
I am a proponent of privacy by design, in my personal life. However, there are more complete ways to accomplish this than DoH, and true privacy requires more than DoH.
Also, in settings like the workplace, the privacy I want in my personal life comes at a cost of security and network health. I have no expectation of privacy at the office and I want corporations to have the tools necessary to assure their health.
I am lucky to have lived in countries that generally allow free access to information. Most cynically, I am also wary of for-profit corporate enterprises running land grabs for user data under the guise of providing privacy, even if their policies state that they aren’t retaining personally identifiable information. Ok, maybe that was too cynical.
What I can say is, I’d like to see the browser vendors and service providers work closely with corporate enterprises to ensure that policy can be sensibly applied.
Download your FREE copy of Canadian Cybersecurity 2020: https://secure.e-ventcentral.com/event.registry/CanadianCybersecurity2020/