Plain Old Unencrypted DNS

Most of the readers of this blog will already be familiar with DNS systems and how they work but let me just refresh your memory.  And for readers who are unfamiliar with DNS, this will give you a very brief overview of DNS and what it does.

DNS stands for Domain Name System, and at its most basic definition, is a system that allows applications and devices to talk across networks.  It takes a recognizable domain name and translates it to an IP (Internet Protocol) address that computer systems use to communicate with each other, so that us humans can easily get to where we want to go on our network, or more importantly, on the Internet.  Most of this is invisible to the normal user, but it’s a very important set of protocols that everyone of us uses each and every day.

In normal circumstances, the DNS protocol works across TCP or UDP port 53, sending a plethora of information UNENCRYPTED across the internet or your internal network.  This information can include what website you are visiting or what servers you are accessing, names of computers, IP addresses, email systems you’re using and outgoing email destinations, and what software you’re using.  Again, all of this information sent via your normal plain vanilla DNS request is UNENCRYTPED, and that can, and does, pose legitimate privacy problems as well as provide useful information to hackers and potential computer system attacks.

For example, your ISP (Internet Service Provider) probably already logs and monitors all of your DNS traffic routed through them, essentially mining where you go and what you do, what systems you access, and where you are accessing these systems from.  They can then, and do, sell this information, at their discretion, to companies that use this data for targeted ad campaigns and marketing purposes (among other things).  Foreign governments can use DNS as a mechanism to monitor their populace and take action against individuals or groups that they consider to be dissident.

All of this because the current DNS protocol that we use every day is UNENCRYPTED.  The bottom line here is that unencrypted DNS allows virtually no privacy and is a very active attack vector for hackers. But it also means that monitoring and filtering of DNS traffic from a corporate standpoint is going to be a much more difficult proposition to manage and handle.

Encrypted DNS

To solve the privacy concerns mentioned above, there has been a push to start using encrypted DNS protocols, especially across the internet.  This has led to research and standardization of “modern” DNS transport protocols, such as DNS over TLS (DoT) and DNS over HTTPS (DoH).  Both provide a confidential and encrypted way to send DNS queries across the internet or even your internal company network, so that data miners or attackers cannot glean the information they so desire.  DoT works by creating an encrypted TLS tunnel via TCP port 853.  DoH works by wrapping the DNS request in an already secure HTTPS request using TCP port 443.

Though not available in most mainstream operating systems (the exception being Android 9 Pie), companies such as Google and Firefox have been experimenting with the encrypted DNS protocols, and there are 3rd party companies that already supply DNS encryption if you wish to sign up for their services.

Software developers are increasingly building DNS resolution into their own products, thus bypassing system specified DNS parameters.  Google is experimenting using the DoH protocol in Chrome.  Officially, testing in Chrome is to begin with Chrome v78, scheduled for release in late October 2019.  Google has also made DoH encrypted DNS available for use with their public DNS system (8.8.8.8).  Firefox is almost ready to turn on, by default, DoH encryption that sends all of Firefox’s DNS requests to Cloudflare, one of the 3rd party companies already providing DNS encryption services.

From a security standpoint, using encrypted DNS decreases man-in-the middle attacks via DNS spoofing and prevents DNS hijacking and DNS poisoning.  This is all great from a security and privacy perspective, but it also presents some major problems from a corporate standpoint.

What This Means to the Corporate Environment

Encrypted DNS is coming into the mainstream, and in some cases, is already here.  While this may be fine with a user who is concerned about their internet privacy or defense against hackers, it is especially concerning to the corporate IT environment.

Inspection and visibility of DNS traffic is going to decrease over time, and it is important that the corporate IT team be aware of these coming changes.  Corporate web traffic filtering policies will become less effective.  For example, web filtering in your company may no longer work, as it may key in on these unencrypted DNS requests and block undesirable web traffic at that level.  Reports on internet usage may no longer display the desired information.  Centralized monitoring of web traffic trends and usage may no longer work.  Corporate security mechanisms can become compromised by becoming ineffective.  InfoSec needs to be aware of these coming changes and come up with a proactive plan of action.

Recommendations

  1. Organizations should decide on their preferred DNS resolvers, both internally and externally, and create policy and process around this to provide the desired outcomes.
  2. If an organization is concerned their ISP is mining DNS traffic, they should consider using a 3rd party DNS resolver that provides encrypted DNS services. These 3rd party DNS resolvers can still see your traffic, as they have to be able to decrypt the traffic to act upon it, but at least you know who has your data and you can ask what they are doing with this data.
  3. Consider enabling and using these encrypted DNS policies for increased security and privacy, once they are available, to mitigate system attacks.
  4. Determine how implementing encrypted DNS will affect monitoring and filtering in your current corporate environment.
  5. Accept or mitigate risks on your networks for unmanaged devices, such as visitor or private devices.
  6. Understand how your current DNS works and flows. Identify and understand which applications are in your environment that may use alternative DNS resolvers (such as Chrome and FireFox).  Turn these services off in the software if you are concerned that they may be affecting monitoring or filtering in the corporate environment.

In Conclusion

Encrypted DNS provides some great advantages, such as increased security and individual privacy, but in a corporate environment it also carries large concerns regarding monitoring of corporate resources and traffic, as well as decreased visibility in the environment.  It’s time for businesses to prepare for the coming of encrypted DNS and to get a handle on it before it is too late.  As of now, there is still time to prepare, but that window is very quickly closing!

References

  1. https://english.ncsc.nl/publications/factsheets/2019/oktober/2/factsheet-dns-monitoring-will-get-harder
  2. https://www.infosecurity-magazine.com/opinions/the-pros-and-cons-of-dns-encryption/
  3. https://www.eff.org/deeplinks/2019/09/encrypted-dns-could-help-close-biggest-privacy-gap-internet-why-are-some-groups
  4. https://www.zdnet.com/article/google-to-run-dns-over-https-doh-experiment-in-chrome/