Overcoming Security Challenges With Better DoT/DoH Policies
November 10, 2020
Partners should focus on enabling customers to encrypt last-mile DNS communications
There has been a big debate over how best to implement DNS privacy with two relatively new technologies, DNS over TLS (DoT) and DNS over HTTPS (DoH). Both are designed to address the "last mile" security problem: queries between a DNS client and its local resolver have traditionally travelled in the clear. Partners are trying to provide a more secure path for organizations as they increasingly come to depend on one of those technologies, DoH.
DoT and DoH Present New Challenges
Learn from this solution note what new DNS privacy innovations mean for your organization. It also describes the best practices Infoblox recommends for maintaining enterprise control over DNS services and optimizing users' browsing experiences moving forward.
First, a brief primer. DNS over HTTPS (DoH, RFC 8484) is an IETF protocol that carries DNS queries inside HTTPS, giving the client both encryption and server authentication; it is backed by the Mozilla Foundation and the Chromium project. Its sibling, DNS over TLS (DoT, RFC 7858), runs on a dedicated port, 853, so a network operator can see and filter it by port alone. DoH instead shares TCP port 443 with all other HTTPS traffic, which is its main operational problem: it cannot be identified or blocked by port, only by the resolver it talks to. Many of the big public recursive DNS providers, including Google Public DNS, Cloudflare, and Quad9, now support DoH as part of their service.
Late last year, Mozilla and Chromium shipped DoH support in the Firefox and Chrome browsers, respectively. Although some countries in Europe have asked that DoH not be enabled by default, users in many parts of the world may soon be able to configure their browsers to send DNS requests to these trusted recursive resolvers. (Firefox already enables DoH by default for users in the United States.)
If uncontrolled, DoH increases exposure to data exfiltration and malware proliferation. Cybercriminals routinely use DNS as a covert channel: to exfiltrate sensitive information and to carry command-and-control (C&C) traffic between infected devices and their operators.
A DoH request is encrypted, so the queried name is invisible to anyone on the path, including security tooling that relies on passive DNS monitoring to block requests to known malicious domains. Security teams typically stop these attacks by applying threat intelligence on the internal DNS infrastructure, combined with analytics based on artificial intelligence and machine learning. A client that speaks DoH directly to an external resolver never touches that infrastructure, so every DNS-based filter the enterprise relies on is bypassed.
Here are a couple of recent examples. In mid-2019, several outlets reported malware strains that took advantage of DoH. One strain, named Godlua, operated as a DDoS bot. According to outlets such as ZDNet, it used DoH to retrieve the TXT record of a domain name in which the URL of its C&C server was stored for later communications.
In late December 2019, Infoblox’s own Cyber Intelligence Unit published its first report on a malware strain that uses DoH to resolve C&C domains. PsiXBot, an information stealer that also enrols compromised systems in its botnet, was being delivered by the Spelevo exploit kit and resolved the domain names of its C&C servers through Google’s DoH service. Notably, the campaign used malicious advertisements (malvertisements) placed on legitimate websites to send user browsers to the malicious domain hosting the exploit.
To close this gap, Infoblox recommends that companies block DoH traffic between internal IP addresses and external DNS servers, forcing endpoints to use the company’s IT-managed DNS infrastructure so that its security policies are enforced.
Closing the DNS Security Gaps With BloxOne™ Threat Defense
BloxOne™ Threat Defense, a hybrid foundational security solution from Infoblox that uses DNS as the first line of defense, blocks resolution to DoH domains and facilitates a graceful fallback to existing internal DNS. This helps prevent DoH misuse and mitigates risk.
BloxOne™ Threat Defense includes the following features to help manage DoH:
● Policy threat intelligence feeds for DoH, which let the organization decide which DNS access method its clients use and keep DoH from bypassing DNS-based threat detection. A feed of canary domains is provided for this purpose: when the internal resolver answers a browser’s canary lookup negatively, the browser falls back gracefully to the organization’s managed DNS without interrupting user activity.
● A DoH-Policy feed of known DoH IPs and DoH domains, added to Threat Intelligence Data Exchange (TIDE), Infoblox’s threat intelligence aggregation and distribution platform; other security tools, such as next-generation firewalls (NGFWs), can consume it to block DoH traffic to external servers.
● Ability to review DoH-related domains and IPs within Dossier, Infoblox’s threat investigation tool.
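The canary-domain fallback described in the list above, shown as an added example written for this page (it is not Infoblox product code and not an Infoblox feed): a small Python script that builds a DNS Response Policy Zone (RPZ) answering NXDOMAIN for the canary domain and for public DoH resolver hostnames, plus a function that simulates how a resolver applies that zone to a query. Assumptions not taken from the page: the canary domain is Firefox’s use-application-dns.net, the DoH hostnames are a hand-picked sample rather than a maintained feed, and the zone name rpz.example is invented.

```python
"""Response Policy Zone (RPZ) that makes browser DoH fall back to internal DNS.

Added example for this page; not Infoblox product code or an Infoblox feed.
Assumptions (not from the page):
  * Canary domain: Firefox's use-application-dns.net. An NXDOMAIN answer
    from the network's resolver tells Firefox not to enable DoH there.
  * DOH_DOMAINS is a hand-picked sample of public DoH resolver hostnames;
    a deployment would consume a maintained feed instead.
  * RPZ encoding per the RPZ draft (Vixie/Schryver): an owner name in the
    policy zone with "CNAME ." means "answer NXDOMAIN"; a "*.name" owner
    covers every subdomain. Trigger names are relative to the zone $ORIGIN.
"""
from typing import Iterable, List, Set, Tuple

CANARY_DOMAINS = ["use-application-dns.net"]
DOH_DOMAINS = [
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
]


def rpz_records(names: Iterable[str]) -> List[str]:
    """Emit an NXDOMAIN rule for each name and one for all of its subdomains."""
    out: List[str] = []
    for name in names:
        name = name.rstrip(".").lower()
        out.append(f"{name} CNAME .")
        out.append(f"*.{name} CNAME .")
    return out


def build_rpz_zone(zone: str, serial: int,
                   canary: Iterable[str], doh: Iterable[str]) -> str:
    """Return a complete RPZ zone file as text (the zone name is invented)."""
    header = [
        f"$ORIGIN {zone}.",
        "$TTL 60",
        f"@ SOA localhost. hostmaster.{zone}. {serial} 3600 600 604800 60",
        "@ NS localhost.",
    ]
    body = ["; canary domains: NXDOMAIN tells the browser DoH is not allowed here"]
    body += rpz_records(canary)
    body += ["; public DoH resolvers: deny the bootstrap lookup of the resolver's name"]
    body += rpz_records(doh)
    return "\n".join(header + body) + "\n"


def _parse_rules(zone_text: str) -> Tuple[Set[str], Set[str]]:
    """Collect exact and wildcard NXDOMAIN triggers from the zone text."""
    exact: Set[str] = set()
    wild: Set[str] = set()
    for line in zone_text.splitlines():
        if not line or line.startswith((";", "$", "@")):
            continue
        owner, rtype, target = line.split()
        if rtype != "CNAME" or target != ".":
            continue
        if owner.startswith("*."):
            wild.add(owner[2:])
        else:
            exact.add(owner)
    return exact, wild


def rpz_policy(qname: str, zone_text: str) -> str:
    """Simulate the resolver: 'NXDOMAIN' if the zone matches qname, else 'PASS'."""
    exact, wild = _parse_rules(zone_text)
    q = qname.rstrip(".").lower()
    if q in exact:
        return "NXDOMAIN"
    labels = q.split(".")
    # A wildcard owner "*.dns.google" matches any name under dns.google.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in wild:
            return "NXDOMAIN"
    return "PASS"


if __name__ == "__main__":
    zone_text = build_rpz_zone("rpz.example", 2020111001, CANARY_DOMAINS, DOH_DOMAINS)
    print(zone_text)
    for name in ("use-application-dns.net", "mozilla.cloudflare-dns.com",
                 "api.dns.google", "www.example.com"):
        print(f"{name:30} -> {rpz_policy(name, zone_text)}")
```

Blocking the resolver hostnames stops a browser that bootstraps DoH by name; a client configured with the resolver’s IP address never asks the internal DNS at all, which is why the page pairs this DNS-layer control with blocking the known DoH IPs at the firewall.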
DoH isn’t a bad thing; it is a new protocol that changes how DNS is delivered. DNS has behaved the same way for years, and any change to a foundational protocol like this creates ripples.
DoH is a new and evolving privacy option that addresses DNS’s long-standing last-mile security problem, but control remains essential: anything that circumvents the enterprise’s DNS infrastructure also circumvents its DNS security policy. Enterprises that aren’t yet prepared to adopt DoH should take steps now to keep control of their DNS and head off unforeseen issues.
An excellent step to take now is to block direct DoH traffic between internal IP addresses and DNS servers on the Internet. This maintains control by ensuring that end users still use the enterprise’s own DNS infrastructure and remain subject to its DNS policies. For long-term protection, however, partners need to focus on solutions that let customers encrypt last-mile DNS communications between their endpoints and the enterprise’s DNS servers, regardless of which protocol the endpoint supports.
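The blocking step recommended here and earlier in the article (the paragraph that follows the PsiXBot example), shown as an added example that is not Infoblox code: a Python script that screens constructed flow records for internal hosts talking DoH directly to well-known public resolvers (and DoT, which is recognisable by its dedicated port) and emits the matching iptables egress rules. Assumed, not from the page: the resolver address list, the RFC 1918 internal ranges, the invented internal resolver 10.0.0.53, and the sample flow records.

```python
"""Detect and block direct DoH from internal hosts to public resolvers.

Added example for this page; not Infoblox code and not the DoH-Policy feed.
Assumptions (not from the page):
  * DOH_RESOLVER_IPS is a small hand-maintained set of well-known public
    resolver addresses; a deployment would load it from a feed instead.
  * INTERNAL_NETS are the RFC 1918 ranges; INTERNAL_RESOLVER is invented.
  * SAMPLE_FLOWS are constructed records in a simple
    "ts src:port > dst:port proto" form, not real captures.
  * DoT (RFC 7858) uses dedicated TCP port 853, so it is matched by port.
"""
import ipaddress
from typing import Dict, List, Tuple

DOH_RESOLVER_IPS = {
    "8.8.8.8", "8.8.4.4",          # Google Public DNS
    "1.1.1.1", "1.0.0.1",          # Cloudflare
    "9.9.9.9", "149.112.112.112",  # Quad9
}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_RESOLVER = "10.0.0.53"

# Constructed sample flows (not real captures).
SAMPLE_FLOWS = """\
2020-11-10T09:12:03Z 10.1.2.3:51234 > 8.8.8.8:443 tcp
2020-11-10T09:12:04Z 10.1.2.3:51235 > 10.0.0.53:53 udp
2020-11-10T09:12:05Z 192.168.4.7:44010 > 1.1.1.1:443 tcp
2020-11-10T09:12:06Z 10.1.2.9:44011 > 198.51.100.20:443 tcp
2020-11-10T09:12:07Z 203.0.113.5:40000 > 9.9.9.9:443 tcp
2020-11-10T09:12:08Z 172.16.9.1:40001 > 9.9.9.9:853 tcp
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> Dict[str, object]:
    ts, src, _, dst, proto = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "src": src_ip, "sport": int(sport),
            "dst": dst_ip, "dport": int(dport), "proto": proto}


def classify(flow: Dict[str, object]) -> str:
    """Label one flow from the point of view of an egress DNS policy."""
    if not is_internal(str(flow["src"])):
        return "other"                  # not an internal client; out of scope
    if flow["dst"] == INTERNAL_RESOLVER and flow["dport"] == 53:
        return "internal-dns"           # the path DNS security policy can see
    if flow["dst"] in DOH_RESOLVER_IPS and flow["dport"] == 443:
        return "doh-direct"             # encrypted DNS bypassing internal DNS
    if flow["dport"] == 853 and flow["proto"] == "tcp" \
            and not is_internal(str(flow["dst"])):
        return "dot-direct"             # DoT to any external server
    return "other"                      # ordinary traffic, including plain HTTPS


def find_bypass(flow_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (ts, src, dst, label) for every flow that bypasses internal DNS."""
    hits = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        label = classify(f)
        if label in ("doh-direct", "dot-direct"):
            hits.append((str(f["ts"]), str(f["src"]), str(f["dst"]), label))
    return hits


def egress_rules(doh_ips, nets, internal_resolver: str) -> List[str]:
    """iptables rules rejecting direct DoH (TCP and UDP/443, the latter for
    HTTP/3) from each internal range, plus one rule per range that rejects
    DoT to anything except the internal resolver."""
    rules = []
    for net in nets:
        for ip in sorted(doh_ips, key=ipaddress.ip_address):
            for proto in ("tcp", "udp"):
                rules.append(f"iptables -A FORWARD -s {net} -d {ip} "
                             f"-p {proto} --dport 443 -j REJECT")
        rules.append(f"iptables -A FORWARD -s {net} ! -d {internal_resolver} "
                     f"-p tcp --dport 853 -j REJECT")
    return rules


if __name__ == "__main__":
    for hit in find_bypass(SAMPLE_FLOWS):
        print(*hit)
    print("\n".join(egress_rules(DOH_RESOLVER_IPS, INTERNAL_NETS, INTERNAL_RESOLVER)))
```

The IP match only catches resolvers you already know about; a DoH server on any other host is indistinguishable from ordinary HTTPS on port 443, which is exactly the article’s point about the shared port. That is why this network-layer block belongs alongside a DNS-layer control on the internal resolver and a maintained feed of DoH endpoints rather than a static list.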
David Ayers, product marketing manager at Infoblox, is a business technology and marketing specialist based in Virginia who has sold, built, and messaged mission-critical cloud and hosted solutions in an evolving industry. With a unique blend of product management, product marketing, and sales experience, Ayers led product marketing activities for healthcare, public-sector clouds, embedded governance, risk, and compliance at Virtustream (a Dell Technologies business) before joining Infoblox. He’s also worked at Verizon, Terremark, SunGard Availability Services, Sun Microsystems, Digex, and Symantec.
