Adopting Encrypted DNS in Enterprise Environments
Internet usage requires the translation of domain names to Internet Protocol (IP) addresses using the Domain Name System (DNS). DNS works by matching the domain names of websites to their correct IP addresses. In the past, these DNS lookups were sent unencrypted, which left them susceptible to eavesdropping and tampering.
With the establishment of Hypertext Transfer Protocol over Transport Layer Security (HTTPS), DNS requests can now be encrypted to provide privacy, integrity, and "last mile" source authentication for DNS transactions between a client and its DNS resolver. This has led to the development and use of DNS over HTTPS, usually referred to as DoH.
When a client has DoH enabled and configured to use a DoH resolver not designated by the enterprise, the DoH traffic is sent to the enterprise gateway as HTTPS-encrypted traffic over port 443, bypassing the enterprise DNS resolver entirely. The request then goes to the client-selected DoH resolver, which either returns the response or forwards the query to the authoritative servers to resolve it. The answer returns from the DoH resolver through the enterprise gateway back to the client over port 443. Because the transaction between the client and the DoH resolver is encrypted, the enterprise gateway usually cannot inspect the plaintext request and response.
Despite the security advantages of using DoH, it also raises several issues for enterprises, among them:
- Exposure of internal network configurations and information.
- Exploitation of upstream DNS traffic.
- Bypass of DNS monitoring and protections.
- A false sense of security.
These issues usually arise when individual client applications enable DoH using external resolvers.
To address these issues:
- Use only the enterprise DNS resolver and disable all others.
- Block unauthorized DoH resolvers and traffic.
- Utilize host and device DNS logs.
- Consider a VPN for additional privacy protection.
- Validate DNSSEC and use protective DNS capabilities.
- Implement DoH on the enterprise DNS service to gain both the benefits of DoH and best-practice DNS protections.
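To make the "block unauthorized DoH resolvers" and "utilize DNS logs" items concrete, here is an added example (not from the original post) that scans constructed proxy log lines for port 443 connections that look like DoH to a resolver the enterprise did not designate. The enterprise DoH hostname, the log format and the sample lines are assumptions made for the example; the public resolver hostnames are real, well-known DoH endpoints.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: the enterprise runs its own DoH endpoint at this hostname.
ENTERPRISE_DOH = {"doh.corp.example"}
# Well-known public DoH hostnames; extend this set from your own threat intelligence.
KNOWN_PUBLIC_DOH = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Constructed log format (not a real vendor format): one TLS/HTTP connection per line.
# path/ctype are present only when the proxy performs TLS inspection; sni is visible without it.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) sni=(?P<sni>\S*) port=(?P<port>\d+)"
    r"(?: path=(?P<path>\S*))?(?: ctype=(?P<ctype>\S*))?$"
)

@dataclass
class Finding:
    client: str
    sni: str
    reason: str

def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the line looks like DoH to a resolver the enterprise did not designate."""
    m = LOG_RE.match(line.strip())
    if not m or m["port"] != "443":
        return None  # malformed line or not HTTPS
    sni, path, ctype = m["sni"], m["path"] or "", m["ctype"] or ""
    if sni in ENTERPRISE_DOH:
        return None  # sanctioned: the enterprise resolver keeps logging and protective DNS
    if sni in KNOWN_PUBLIC_DOH:
        return Finding(m["client"], sni, "known public DoH resolver")
    # RFC 8484 markers (/dns-query path, application/dns-message body); need TLS inspection to see.
    if path.startswith("/dns-query") or ctype == "application/dns-message":
        return Finding(m["client"], sni, "RFC 8484 DoH request pattern")
    return None

def scan(lines):
    """Run classify() over a log and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines for the example.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z client=10.0.0.5 sni=dns.google port=443 path=/dns-query ctype=application/dns-message",
    "2024-01-01T10:00:01Z client=10.0.0.6 sni=doh.corp.example port=443 path=/dns-query ctype=application/dns-message",
    "2024-01-01T10:00:02Z client=10.0.0.7 sni=www.example.com port=443 path=/index.html ctype=text/html",
    "2024-01-01T10:00:03Z client=10.0.0.8 sni=resolver.unknown-example.net port=443 path=/dns-query?dns=AAAB",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.client} -> {f.sni}: {f.reason}")
```

Without TLS inspection only the SNI-based rule fires, and Encrypted Client Hello hides even that, which is why the post's advice to enforce the enterprise resolver on hosts matters more than network-only blocking.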
Techcess CyberSecurity Group
6110 Clarkson Lane
Houston, Texas 77055