Key drivers for the shift to public DNS resolvers
The European Union Agency for Cybersecurity (ENISA) analyses the security pros and cons of using public DNS resolvers.
A core part of the internet is the Domain Name System (DNS) mechanism. All computers, internet browsers and other applications use DNS resolvers to translate the human readable website names to machine readable IP addresses of computers.
Traditionally, these DNS resolvers are provided by the telecom provider, as part of the internet access connection. However, customers are increasingly turning away from private DNS resolvers and going for large cloud-based public DNS resolvers instead.
What are the security concerns driving customers to public DNS resolvers?
Better security and privacy are identified as key drivers for this shift to public DNS resolvers.
The public DNS resolvers typically support the newest DNS protocols, which encrypt DNS queries for instance. Some public DNS resolvers also offer additional security and protection features such as the blocking of malicious domains.
On the contrary, traditional private DNS resolvers use older protocols, and do not encrypt DNS queries, which translates into risks for the end-user.
Blocking of content by private DNS resolvers and service outages by the private DNS resolvers are other important reasons why consumers make the configuration change. An outage or a website block can lead consumers to temporarily configure their computer to use a public DNS resolver.
Outcome of the security analysis
ENISA assesses the shift in the DNS resolution market toward public DNS resolution and assesses the cybersecurity impact.
Additional encryption is an example of those clear security benefits driving the change in consumers’ behaviour. On the other hand, security and privacy concerns remain. For instance, enterprise network security controls do not always work when computers use public DNS resolution with encrypted DNS queries.
Although encryption is an improvement in general, it is important to underline that even with encrypted DNS resolution like DNS over HTTPS, computers still send a lot of unencrypted information over the network. Such information can then be used to track the websites visited. An example of this would be the IP addresses of the website or the domain name in the Transport Layer Security (TLS).
Other concerns also relate to dependencies, resilience and the lack of diversification. Well established and well known DNS resolvers are few and those most widely used resolvers are enjoy a dominant market position.
Implementation of the NIS Directive
The objective of this report is to help national authorities in the EU Member States supervise this part of the DNS resolution market. Supervision of DNS is required under Article 14 of the Network and Information Security (NIS) Directive. ENISA supports the NIS cooperation group in developing technical cybersecurity guidelines and in the cybersecurity analysis of new technologies, as this is the case of the report published on DNS resolution.
The EU’s Cybersecurity Strategy, published at the end of 2020, also addresses the topic of public DNS resolution. DNS4EU is a European Commission initiative that aims to offer an alternative to the public DNS resolvers currently dominating the market. The objective of DNS4EU is to implement the latest security and privacy standards and thus ensure a high level of security for customers and end-users.