From a network security perspective, 2019 saw the emergence of two new security standards designed to make the internet safer for consumers and businesses alike. Scheduled for deployment in the first half of next year, these evolving standards, which focus on the Domain Name System (DNS) privacy, will indeed bolster security for many users. However, for enterprise organizations, each carries with it unintentional consequences that should be on every security team’s radar heading into 2020.
Why DNS Privacy and Why Now?
Securing the DNS has never been more critical. DNS is is an open protocol used in every internet connection. Unfortunately, its open nature has also made DNS has also become a leading pathway for malware, ransomware and data theft.
The two new DNS privacy standards are DNS over TLS (DoT) – TLS stands for Transport Layer Security, and DNS over HTTPS (DoH). Both standards address what’s known in security circles as DNS’s ‘last mile’ security problem. Communications between a DNS client and its local DNS server are almost always unencrypted and therefore subject to spoofing, hijacking and other threats. DoT and DoH strengthen the security of DNS by encrypting and authenticating DNS between a DNS client and a DNS server.
Key Trade-Offs in Deploying DoT and DoH
In many circumstances, the new DNS privacy protocols make it more difficult for DNS to be used for nefarious purposes. However, for enterprises that depend on maintaining internal control over DNS servers, the new protocols come with notable security trade-offs, particularly where their existing DNS security implementations are concerned.
Whether they are on a corporate network, guest Wi-Fi or a service provider network, users are often assisted by custom DNS solutions. These solutions are designed to help network administrators and security teams maintain visibility and control of DNS services, protect users from malicious actors, provide fast and reliable access to local services and automatically block content that users and network operators deem objectionable or suspicious. However, one of the trade-offs of the new DNS privacy protocols is that they can bypass these existing DNS solutions. That happens because in order to perform encryption, DoT and DoH point DNS traffic to external DNS resolvers managed by third parties, outside the control of internal DNS safeguards. As a result, DoT and DoH can potentially expose enterprises to unexpected risk, break mission-critical applications, slow browser performance and adversely affect user experiences.
Potential enterprise security challenges of DoT and DoH include:
- Bypassing of enterprise controls: DoH introduces the potential for hundreds of applications, each with its own unique resolution settings, to bypass existing DNS controls. Aside from complicating monitoring for such DNS exploits as DNS hijacking, DoH also has the potential to enable the bypassing of enterprise content filters, such as adult content, gaming, streaming and malware sites
- Exposure to data exfiltration and malware proliferation: Cyber-criminals use DNS as a backdoor to obtain and exfiltrate sensitive information and to spread malware through command and control (C&C) communications with devices. Security teams can stop these attacks effectively by using threat intelligence on internal DNS infrastructure combined with analytics based on artificial intelligence and machine learning. Yet, because DoH bypasses DNS security measures in place, enterprises remain exposed to these and other pervasive DNS-based threats
- Increased DNS server overhead/decreased DNS server performance: DoT and DoH increase the load each DNS query places on a DNS server, which can affect a user’s quality of experience. Traditional DNS is based on the User Datagram Protocol (UDP) and introduces minimal overhead. Both DoT and DoH run over the Transmission Control Protocol (TCP), which is more resource-intensive for a DNS server. Also, both DoT and DoH require the DNS server to decrypt the query and encrypt the response, further adding to the overhead on the DNS server. Administrators of DNS servers should expect to find that their servers can handle only a fraction of the DoH- and DoT-based query rate they could with traditional DNS queries
These evolving DNS privacy options are just beginning to unfold. Accordingly, enterprises should take steps now to reduce the risks these technologies pose. A good place to start is by blocking direct DNS traffic – including DoT and DoH – between internal IP addresses and DNS servers on the internet. This step will ensure that end users employ a company’s internal DNS infrastructure, allowing the IT organization to comprehensively apply its DNS resolution policy and troubleshoot problems.
Complete details on DNS security and the DoT and DoH standards are available in the DNS Security Resource Center on the Infoblox website. Finally, those interested in influencing how these new privacy options are configured and in promoting the proper adoption of encrypted DNS protocols can do so by joining the Encrypted DNS Deployment Initiative at encrypted-dns.org.
