DNS over HTTPS’ threat to enterprise security

DNS over HTTPS (DoH) is here, regardless who likes it or not. Unfortunately, a majority of guidance surrounding DoH is centered around individual consumer perspectives. For enterprise security leaders looking to manage the risks of DoH, that hasn’t been entirely helpful.

To clarify the impacts of DoH on enterprise networks and how to manage them, I recently spoke with Chairman and CEO of Farsight Security, Paul Vixie. Below is a summary of the main points we covered.

In the year since the Internet Engineering Task Force (IETF) first published it as a standard, its impact on security and network operations has rightly been the subject of debate and discussion.

Despite this, a number of browser vendors have already rolled out support for DoH, including Chrome and Firefox. Their official goal? To add privacy to internet communications. Microsoft has also announced DoH support in its Windows operating system, though in a different way than the browsers.

Remember, DoH encrypts communication between the client and a DoH server. Because of this, it can prevent attackers from performing man-in-the-middle attacks and eavesdropping on traffic. It also makes DNS queries invisible to ISPs, which has been a major draw for individual consumers.

From the vantage point of enterprise security professionals and IT administrators, however, DoH creates significant challenges to network operations and security. Below are a few of the biggest ones.

DoH blinds DNS security tools

DNS is a highly valuable signal to cybersecurity operations. Enterprises leverage DNS for visibility and control over what happens on their networks. For example, passive DNS monitoring and threat detection offer security teams another chance to catch security threats that would otherwise evade their traditional tools. With DNS data, it’s possible to detect behavior like DNS tunneling, or communication between compromised hosts and command and control servers (C&Cs).

However, with DoH, DNS traffic can’t be distinguished from other HTTPS traffic. The data that used to be accessible for DNS-based monitoring and policy control now simply passes through port 443, encrypted.

Malware authors are already taking advantage of this new blindness – for example, the Godlua malware was observed using the DoH protocol earlier this year. Building on the danger of DNS blindness, malware can also now configure a compromised system to change its DoH resolver without detection. It can then communicate with a nefariously-controlled DoH server with little risk of its DNS queries being intercepted by security teams.

DoH cripples split DNS

Enterprises operating a split DNS implementation may find that applications set up for DoH will not resolve internal names. In some cases, this can corrupt access to services that depend on those names.

At the same time, an enterprise using split DNS will also be leaking internal domain names by sending them to a centralized public DoH server.

How to protect against DoH

Visibility into DNS traffic provides priceless insights into security and performance. Given that DoH can bypass many of the DNS-based security controls that protect enterprises today, security and network operations teams should treat it with caution.

Consider prohibiting applications on corporate devices from configuring DoH servers. Certain browsers have already rolled out DoH support, and while the functionality of resolving to DoH servers can be disabled, organizations may want to consider disallowing those browsers altogether. This is in case individual users try to reconfigure their browsers to point to DoH servers.

Similarly, outbound traffic to DoH resolvers can also be blocked, though that type of blacklist will have to be continuously maintained. Lists of DoH resolvers are publicly available on the web on GitHub and elsewhere.

Given the criticality of DNS, enterprise network operations and security teams need to move slowly and carefully when it comes to DoH.

Don't miss