NSA Offers Guidance on Adopting Encrypted DNS
Agency Describes How DoH Can Help Prevent Eavesdropping
The U.S. National Security Agency has released guidance on how organizations can adopt encrypted domain name system protocols to prevent eavesdropping and manipulation of DNS traffic. Although the agency's report is geared toward the military and defense contractors, its recommendations can be adopted in all sectors.
Using DNS over HTTPS, or DoH, in enterprise environments encrypts DNS queries and helps hide them from third parties who might attempt to eavesdrop on or manipulate network traffic, the NSA says.
"DNS translates domain names in URLs into IP addresses, making the internet easier to navigate," the NSA notes. "However, it has become a popular attack vector for malicious cyber actors. DNS shares its requests and responses in plaintext, which can be easily viewed by unauthorized third parties."
The NSA guidance notes that DoH can protect the privacy of DNS requests and the integrity of responses. Enterprises, however, should permit DoH only to the resolver they have designated, whether that is their own enterprise resolver or a trusted external provider they have explicitly approved, and not to whichever resolver an application picks on its own (see: Brace for DNS Spoofing: Cache Poisoning Flaws Discovered).
"These essential protective DNS controls can prevent numerous threat techniques used for initial access, command-and-control and exfiltration, such as phishing links to malicious domains, connections using dynamic name resolution and commands hidden in DNS traffic," the NSA notes. "Even if not formally adopted by the enterprise, newer browsers and other software may try to use encrypted DNS anyway and bypass the enterprise’s traditional DNS-based defenses."
DNS is one of the core technologies that internet users rely on every day. "That it has been sent over the network unencrypted all this time creates significant risks to businesses and individuals," says Nick Sullivan, head of research at Cloudflare. "These recommendations highlight this risk and encourage the adoption of encrypted DNS within the enterprise context. That's a positive step to making the internet more secure."
In conventional DNS architectures, when a client submits a DNS query, it first goes to the enterprise recursive DNS resolver. This is often assigned through the Dynamic Host Configuration Protocol, or DHCP, according to the NSA.
"The enterprise DNS resolver will either return the answered query from its cache or forward the query through the enterprise gateway to the external authoritative DNS servers," the NSA explains. "The DNS response will return through the enterprise gateway, to the enterprise DNS resolver, and then finally to the client. During this exchange, both the enterprise DNS resolver and the enterprise gateway can see the plaintext query and response and log it for analysis or block it if it seems malicious or violates enterprise policies."
DoH encrypts DNS requests, which prevents eavesdropping and manipulation of DNS traffic, according to the NSA. While good for ensuring privacy in home and small-business networks, DoH can present risks to enterprise networks if it isn't correctly implemented.
DoH protects DNS traffic only on the hop between a client and its DNS resolver. Because that traffic is encrypted and is carried on port 443 alongside ordinary HTTPS traffic to websites, an attacker watching the network has difficulty telling which packets carry DNS requests or responses, let alone which domains and IP addresses were requested.
"The responses from the DNS resolver are also authenticated and protected from unauthorized modification," the NSA notes. "In contrast, traditional DNS transactions occur in plaintext on a port that is exclusively used for DNS, so cyber threat actors can easily read and modify the traditional DNS traffic."
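To make concrete what "blends in with other HTTPS traffic" means, the following added example (written for this article, not code from the NSA guidance) builds a DNS query in wire format, encodes it the way a DoH client sends it in the URL of a GET or the body of a POST (RFC 8484), and parses a constructed response the way a resolver or a monitoring tool would. Nothing is sent over the network; the resolver URL and the response bytes are placeholders, and the only thing on the wire that distinguishes this from any other HTTPS request is the `application/dns-message` media type inside the TLS session.

```python
"""Build, encode and decode DNS-over-HTTPS (RFC 8484) messages without touching the network."""
import base64
import struct
import urllib.request

A_RECORD = 1   # QTYPE A
CLASS_IN = 1


def build_dns_query(name: str, qtype: int = A_RECORD) -> bytes:
    """Wire-format DNS query (RFC 1035 section 4.1). Transaction ID is 0, as RFC 8484
    section 4.1 recommends for DoH so identical queries map to identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # flags: RD set; QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_path(query: bytes, path: str = "/dns-query") -> str:
    """Client side: base64url with padding stripped, in the 'dns' query parameter (RFC 8484 section 6)."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{path}?dns={encoded}"


def decode_doh_param(path: str) -> bytes:
    """Resolver side: recover the wire-format query from a DoH GET path."""
    encoded = path.split("dns=", 1)[1].split("&", 1)[0]
    encoded += "=" * (-len(encoded) % 4)   # restore the stripped padding
    return base64.urlsafe_b64decode(encoded)


def doh_post_request(resolver_url: str, query: bytes) -> urllib.request.Request:
    """POST form: the raw wire-format message is the body, tagged with the DoH media type.
    Built but not sent; resolver_url is a placeholder. To send: urllib.request.urlopen(req)."""
    return urllib.request.Request(
        resolver_url, data=query, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Read a possibly compressed name (RFC 1035 section 4.1.4); return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier copy of the name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_answers(msg: bytes) -> list[tuple[str, int, str]]:
    """Return (name, ttl, ipv4) for every A record in the answer section of a DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qdcount):                 # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == A_RECORD and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


# Constructed response a resolver might return for the query below (not captured traffic):
# ID 0, flags 0x8180 (QR, RD, RA), one question, one answer whose name is a compression
# pointer (0xC00C) back to the question, TTL 300, address 192.0.2.1 (TEST-NET-1).
CONSTRUCTED_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", A_RECORD, CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_dns_query("example.com")
    print(doh_get_path(q))                              # what a web-server log of the resolver shows
    print(doh_post_request("https://doh.example.net/dns-query", q).get_full_url())
    print(parse_a_answers(CONSTRUCTED_RESPONSE))
```

The practical point for defenders: once this request is inside TLS, a gateway that only inspects port 53 sees nothing, and a gateway that inspects port 443 sees one more POST to one more HTTPS host. Identifying DoH therefore rests on knowing which hosts are resolvers (by name or IP), not on the shape of the packets.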
Potential drawbacks to using DoH, the NSA says, include bypassing the usual enterprise DNS monitoring and protections; causing network misconfigurations, for example when an external resolver is asked for internal host names that only the enterprise resolver can answer; and leaving upstream DNS traffic exploitable, because DoH protects only the hop from the client to the resolver, while the resolver's own queries to authoritative servers travel as they always did.
Plus, individual client applications may enable DoH on their own, using external resolvers of their choosing, which routes their queries around the enterprise resolver and the protections attached to it.
In May, the U.S. Cybersecurity and Infrastructure Security Agency released a memo reminding federal agencies to use only approved DNS resolution services to ensure the security of network traffic (see: CISA Urges Federal Agencies to Use Approved DNS Service).
The NSA recommends that home, mobile and teleworking users without enterprise DNS control protection use DoH to protect the confidentiality and integrity of DNS traffic.
Several reputable DNS resolvers that provide additional protections are available to the public for free, the agency adds.
"If protective DNS capabilities are provided by an external source, then encrypted DNS should be allowed for that specific resolver and all others should be blocked," the agency notes.
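What "allowed for that specific resolver and all others should be blocked" looks like as a checkable policy is shown by the following added example, written for this article rather than taken from the NSA guidance. It classifies egress flow records against an "only the designated resolver" rule: plaintext DNS is allowed only to the enterprise resolver, DNS over TLS (port 853) and DoH (port 443) only to the one approved protective DNS service, and HTTPS to hostnames or addresses on a block list of public encrypted resolvers is refused. Every resolver name and address, the flow-record format and the sample records are constructed placeholders; a real deployment would take the resolver list from a maintained feed.

```python
"""Check egress flow records against an 'only the approved resolver' DNS policy."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import Optional

# --- Policy inputs: all hypothetical, substitute your own ---
ENTERPRISE_RESOLVERS = {ip_address("10.0.0.53")}            # internal recursive resolver
# The single external protective DNS service the enterprise has chosen (placeholder name/IP).
# Encrypted DNS is allowed to it and to nothing else.
APPROVED_ENCRYPTED = {"sni": "pdns.protective.example", "ip": ip_address("198.51.100.10")}
# Public DoH/DoT endpoints to block. Constructed placeholders; production lists come from a
# maintained feed of known resolver hostnames and addresses.
KNOWN_PUBLIC_ENCRYPTED = {
    "doh.publicresolver.example": ip_address("203.0.113.5"),
    "dns.anotherresolver.example": ip_address("203.0.113.9"),
}
KNOWN_PUBLIC_IPS = set(KNOWN_PUBLIC_ENCRYPTED.values())


@dataclass
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str            # "udp" or "tcp"
    dport: int
    sni: Optional[str]    # TLS server name, if the sensor extracted one


def parse_flow(line: str) -> Flow:
    """Parse 'src,dst,proto,dport,sni' where sni may be '-'. Constructed format, not a real sensor's."""
    src, dst, proto, dport, sni = [f.strip() for f in line.split(",")]
    return Flow(ip_address(src), ip_address(dst), proto.lower(), int(dport),
                None if sni == "-" else sni.lower())


def _is_approved(flow: Flow) -> bool:
    return flow.sni == APPROVED_ENCRYPTED["sni"] or flow.dst == APPROVED_ENCRYPTED["ip"]


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return ('allow' | 'block', reason) for one flow."""
    if flow.dport == 53:                                   # classic plaintext DNS
        if flow.dst in ENTERPRISE_RESOLVERS:
            return "allow", "plaintext DNS to the enterprise resolver"
        return "block", "plaintext DNS bypassing the enterprise resolver"
    if flow.dport == 853 and flow.proto == "tcp":          # DNS over TLS
        if _is_approved(flow):
            return "allow", "DoT to the approved protective resolver"
        return "block", "DoT to an unapproved resolver"
    if flow.dport == 443 and flow.proto == "tcp":          # DoH hides inside ordinary HTTPS
        if _is_approved(flow):
            return "allow", "DoH to the approved protective resolver"
        if flow.sni in KNOWN_PUBLIC_ENCRYPTED or flow.dst in KNOWN_PUBLIC_IPS:
            return "block", "DoH to a known public resolver"
        # Limitation: DoH to a resolver not on the list is indistinguishable from web traffic here.
        return "allow", "HTTPS not matching any listed resolver"
    return "allow", "not DNS-related"


def audit(lines) -> list[tuple[str, str, str]]:
    """Classify each non-empty record; returns (record, verdict, reason)."""
    return [(line, *evaluate(parse_flow(line))) for line in lines if line.strip()]


# Constructed sample records (not captured traffic).
SAMPLE_FLOWS = [
    "10.1.2.3,10.0.0.53,udp,53,-",                                # normal: enterprise resolver
    "10.1.2.3,203.0.113.77,udp,53,-",                             # app talking to an outside resolver
    "10.1.2.3,198.51.100.10,tcp,853,pdns.protective.example",     # DoT to the approved service
    "10.1.2.3,203.0.113.5,tcp,443,doh.publicresolver.example",    # browser DoH to a public resolver
    "10.1.2.3,203.0.113.9,tcp,443,-",                             # same, but no SNI: caught by IP
    "10.1.2.3,198.51.100.10,tcp,443,pdns.protective.example",     # DoH to the approved service
    "10.1.2.3,192.0.2.80,tcp,443,www.example.com",                # ordinary web browsing
]

if __name__ == "__main__":
    for record, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5}  {record:60}  {reason}")
```

Two caveats a practitioner should carry over from the NSA's drawbacks list: the 443 branch can only block resolvers it knows about, so the block list needs upkeep, and when the sensor sees no server name (an IP-literal URL, or encrypted ClientHello) the destination address is the only remaining handle. Browsers that auto-enable DoH add a further lever outside this script: Firefox, for instance, first resolves the canary domain use-application-dns.net through the system resolver and keeps DoH off by default if the enterprise resolver answers NXDOMAIN.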