The security landscape continues to change, and vendors are making choices in response to emerging threats in the global threat landscape. Recently, Mozilla decided that they would be rolling out a planned security feature for their popular Firefox web browser that would make DNS over HTTPS the default protocol for DNS traffic. Being a relatively new protocol, it is important to understand how it functions, and how it changes the way an enterprise network might have to approach the Firefox web browser in the future.
DNS over HTTPS is a new protocol designed to encrypt DNS traffic. It was developed as a push to mitigate pervasive monitoring techniques in response to global surveillance disclosures that occurred in the past decade, including those brought to light within our own government via the NSA. In response to those disclosures, the Internet Architectures Board of the Internet Engineering task force labeled “pervasive monitoring” as an attack that needed to be mitigated. This led to the requirement to protect DNS queries from surveillance between the local system (client) and the DNS resolver, which in turn led to the development of several protocols, including DNS over TLS (DoT) and DNS over HTTPS (DoH).
DoH is a spin on similar encryption methods previously used to secure HTTP traffic. Web traffic that was formerly Hypertext Transfer Protocol (HTTP, Port 80) in now (mostly) encrypted using Hyper Transfer Protocol Secure (HTTPS, Port 443) The added ‘s’ refers to the encrypted transport process, which utilizes TLS to encrypt the HTTP traffic. With DNS over HTTPS, the DNS queries would be sent over port 443 as well, making it impossible to distinguish between DoH and other HTTPS traffic, by design. This would have the intended consequence of obfuscating DNS inquiries.
These changes may seem good on a cursory glance. What could be wrong with more user privacy? Well, as we know, the most common cause of network breaches is generally end users themselves, and this type of obfuscation tends to break the security monitoring ability by forcing DNS resolving offsite. It effectively stops DNS monitoring security services because the organization will no longer be in control of the DNS resolver.
Moving back to Mozilla, they intend to use DoH to force DNS resolving using Cloudflare services. If you are a private individual and you want to use Firefox on your home laptop, this may be a solution wherein you know your traffic is private and unable to be monitored. For enterprise users, this is much more of a problem. Monitoring and active and passive threat detection using a multifaceted approach is very important in maintaining a good network security posture. By ‘breaking’ one aspect of this security posture, you allow windows for a threat actor to exploit your network. Businesses should also consider that potentially sensitive information (locations, security zones, function or role, etc.) could be leaked via internal DNS names that now are forced to resolve outside of an internal network. This would also interfere with current DNS-based services, including enterprise networks DNS-based website blocking (adult or inappropriate for work websites), anti-spam services, and mandated national ISP controls.
We have already seen potential use cases of DNS over HTTPS exploits in the wild. It is important to evaluate your network and determine if the current security protocols in place are equipped to deal with constantly evolving technology such as DNS over HTTPS. We are seeing the beginning of a conceptual split between the privacy-minded security controls and controls that focus on monitoring, and it will be important as a business to continue evaluating tools and software on a case-by-case basis.
About Security On-Demand
Security On-Demand is an industry pioneer and recognized innovator within the managed security space. We are leading the industry in threat detection through behavioral analytics and machine learning.