Infoblox, the leader in Secure Cloud-Managed Network Services, announced enterprise best practices on DNS over TLS (also known as DoT) and DNS over HTTPS (DoH).
These DoT/DoH guidelines are based on Infoblox’s longtime commitment to providing customers with DDI services that enable them to easily and effectively secure their own DNS communications.
The DNS traffic problem
“DNS was not originally designed with security in mind and for this reason has traditionally suffered from what is known as the ‘last mile’ problem,” said Cricket Liu, Chief DNS Architect at Infoblox. “Communications between a DNS client and server are not usually encrypted, leaving users vulnerable to spoofing, interception and other types of attack.”
DoT and DoH were developed to help network users overcome this last mile problem and provide security for DNS traffic. Both standards secure DNS traffic by carrying it inside an encrypted transport. However, in doing so, they can also be used to bypass internal DNS controls and send DNS traffic to external resolvers. This is especially true for DoH, since it travels over HTTPS.
“The last mile challenge has been an issue with DNS for a long time,” added Liu. “Developments like DoT and DoH are valuable efforts to address this problem, but when they are used to bypass a company’s internal DNS infrastructure or evade their security controls, a host of new challenges emerge for IT managers.”
DoT and DoH risks
These protocols can be used to access DNS services outside of corporate control, and can expose the entire organization to security risks, slow browser performance and adversely affect the user’s experience. In some cases, browser and application vendors even choose to opt users into these services without corporate consent. More than 90% of malware incidents and more than half of all ransomware and data theft attacks use DNS infrastructure. When internal DNS is bypassed, these threats go undetected.
DoH in particular can be problematic since it uses the same TCP port (443) as all HTTPS traffic, making it indistinguishable from regular HTTPS requests (for example, when surfing the web). As a result, it can be difficult to troubleshoot DoH-related DNS issues or maintain levels of network performance, security, scale and reliability that organizations need from DNS. It also introduces a covert channel for malware.
For example, recent versions of PsiXBot malware use DoH to encrypt malicious communications, allowing them to hide in normal HTTPS traffic and install malware that can steal data or add a victim to a botnet.
“While these new DNS privacy initiatives are necessary and valuable, network administrators and security teams must be aware of the risks that the DoT and DoH approaches raise,” said Liu.
To combat this, Infoblox recommends that companies block DoH traffic between internal IP addresses and external DNS servers, forcing employees to use their company’s IT-managed DNS infrastructure and ensuring that security policies are enforced.
BloxOne Threat Defense, a hybrid foundational security solution from Infoblox that uses DNS as the first line of defense, blocks resolution to DoH domains and facilitates a graceful fallback to existing internal DNS. This helps prevent DoH misuse and mitigates risk.
BloxOne Threat Defense includes the following features to help manage DoH:
- Policy threat intelligence feeds for DoH, which give administrators control over the DNS access method endpoints use, so that threats can still be detected and mitigated, by disabling DoH through security policy. A threat intelligence feed containing canary domains is available to achieve this. Browsers will gracefully fall back to the organization’s managed DNS without interrupting user activity.
- DoH-Policy feed for known DoH IPs and DoH domains added to Threat Intelligence Data Exchange, Infoblox’s threat intelligence aggregation and distribution platform, which can then be used by other security tools like NGFWs to block DoH traffic to external servers.
- Ability to review DoH-related domains and IPs within Dossier, Infoblox’s threat investigation tool.
These capabilities are available for all BloxOne Threat Defense subscription levels.
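As an added illustration (not Infoblox’s code or feed data), the following Python sketch shows the two controls the feature list describes: a resolver policy that answers a canary domain with NXDOMAIN so the browser disables DoH and falls back to managed DNS, and a block on resolving known DoH resolver hostnames, applied to a few constructed query-log lines. The DoH hostnames and the canary domain (Mozilla’s use-application-dns.net) are assumed sample values, not taken from the release.

```python
"""Simulate the DoH controls described above: refuse to resolve known DoH
resolver hostnames, and answer a canary domain with NXDOMAIN so browsers
fall back to the managed internal DNS.  Constructed example, not a product."""
from dataclasses import dataclass

# Constructed sample feed of DoH resolver hostnames (not Infoblox's feed).
DOH_RESOLVER_FEED = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
# Canary domain assumed here: Mozilla's use-application-dns.net. An NXDOMAIN
# answer tells Firefox that this network wants DoH disabled.
CANARY_DOMAINS = {"use-application-dns.net"}

@dataclass
class Decision:
    qname: str
    action: str   # "NXDOMAIN", "BLOCK" or "RESOLVE"
    reason: str

def _matches(qname: str, domains: set) -> bool:
    labels = qname.rstrip(".").lower().split(".")
    # Match the name itself or any parent, e.g. mozilla.cloudflare-dns.com
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def policy_decision(qname: str) -> Decision:
    if _matches(qname, CANARY_DOMAINS):
        return Decision(qname, "NXDOMAIN", "canary: browser disables DoH")
    if _matches(qname, DOH_RESOLVER_FEED):
        return Decision(qname, "BLOCK", "known DoH resolver in policy feed")
    return Decision(qname, "RESOLVE", "normal query via managed DNS")

# Constructed sample query log of the internal resolver: client, qname, qtype
SAMPLE_LOG = """\
10.0.0.12 use-application-dns.net A
10.0.0.12 mozilla.cloudflare-dns.com A
10.0.0.25 dns.google HTTPS
10.0.0.31 intranet.example.com A
"""

def apply_policy(log_text: str) -> dict:
    """Return {client: [qnames]} for clients that tried to reach a DoH
    resolver by name; this is the visibility internal DNS otherwise loses."""
    flagged = {}
    for line in log_text.splitlines():
        client, qname, _qtype = line.split()
        if policy_decision(qname).action == "BLOCK":
            flagged.setdefault(client, []).append(qname)
    return flagged
```

Blocking resolution only catches clients that look up the DoH resolver by name; a client configured with a resolver IP address needs the IP-based feed pushed to the firewall, as the next item describes.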
Support for DoT and DoH will also be added to an upcoming NIOS release. This capability will enable customers to encrypt last-mile DNS communications between their endpoints and DNS servers regardless of which protocol the endpoint supports.
Infoblox is committed to helping customers maintain the network performance, security, scale, and reliability that modern enterprise networks demand. While solving the “last mile” problem is important and worthwhile, the company also recognizes that it is important for IT managers to maintain visibility and control over their DNS traffic. Infoblox will continue developing solutions to help IT managers and network administrators address these challenges in the future.