DNS, AKA Domain Name System, is the internet wide service that translates hostnames such as www.cyberonsecurity.no into an IP address. It was developed because it’s much easier to remember a domain name than an IP address.
Back in 1983, when DNS had just been invented, DNS requests and responses were sent over the internet in clear text, and they still are. Now, with so much at stake on the internet, there is an additional need to encrypt DNS traffic. Because, as the DNS requests are sent in plain text, attackers in the middle can sniff the traffic and know what you’re into.
Unlike other protocols such as HTTP and FTP, DNS never got a security upgrade that prompted widespread adoption. Instead, one of the most important features of our modern internet has used the same level of encryption for the last 35 years.
pros and cons of doh
The new standard released by the IETF enables DNS protocol to be enabled over HTTPS connections (the more secure form of HTTP). DNS over HTTPS (abbreviated as DoH) is an internet security protocol which communicates domain name server information in an encrypted way over HTTPS connections as a layer of security.
Pros to Early Adoption of DNS over HTTPS (DoH):
- You get to test out how DoH will integrate with your networks ahead of time and fix any potential issues before the DoH protocol becomes default.
- If implemented right, you can gain more data security and better privacy across your organization.
- You get to test out the compatibility of DNS over HTTPS with your DNS traffic filter.
- Your feedback may help all software parties involved better their products, to your benefit.
Cons to Early Adoption of DNS over HTTPS:
- If your system admin(s) are not experienced with DoH and similar security protocols, this can end up in blocked queries, false-positive security flags and so on.
- If your DNS traffic filtering solution is not able to integrate with DoH, this can render it ineffective.
Even though DoH prevents the ISP from viewing a user’s DNS requests, DNS is not the only protocol involved in web browsing. There are still countless other data points that ISPs could track to know where a user is going.
In the enterprise sector, most of the system administrators use local DNS servers and DNS-based software to filter and monitor local traffic to prevent users from accessing non-work-related sites and malware domains. DoH traffic will bypass these filters and render them essentially useless.
Another problem is that DoH centralizes the DNS traffic to a few DNS resolvers. “Centralized DoH is currently a privacy net negative since anyone that could see your metadata can still see your metadata when DNS is moved to a third party,” APNIC said. “Additionally, that third party then gets a complete log per device of all DNS queries, in a way that can even be tracked across IP addresses.
“Encrypting DNS is good, but if this could be done without involving additional parties, that would be better,” APNIC added.
Enterprises will need to invest in new ways of monitoring and filtering traffic, as the era of DNS-based systems seems to be coming to an end. Like any IT innovation, DNS over HTTPS can pose a few challenges at first, until everyone gets aligned with it. But once DoH becomes the standard, the benefits of it will greatly outweigh the difficulties it poses in the beginning.