One of the more effective countermeasures to DNS spoofing attacks is the use of the DNS over HTTPS protocol (which is often abbreviated as DoH). As its name implies, DNS over HTTPS encrypts domain name resolution request and response traffic in the same way that the HTTPS protocol is used to encrypt normal Web traffic.
From a security standpoint, encrypting DNS traffic undoubtedly has its advantages. As previously mentioned, DNS over HTTPS protects against various DNS spoofing attacks, and is particularly effective against man-in-the-middle attacks. The technology also provides a degree of privacy, since it renders DNS queries and responses invisible to anyone who may be monitoring DNS traffic.
In spite of these benefits, however, enterprises are likely to find that DNS over HTTPS introduces more security challenges than it solves, at least for now. The privacy afforded by DNS over HTTPS is something of a double-edged sword. While encrypting DNS traffic may prevent unwanted snooping, it also creates security blind spots.
In the enterprise, DNS monitoring is commonly used as a defense against malicious activity. This can come into play in several different ways, but here is a really simple example: Suppose that a user attempts to access a popular website, but accidentally makes a typo when entering the site’s URL into the browser. Let’s also assume that someone with bad intent has registered the misspelled domain name (which is a very common practice) and linked it to a malicious website. When the user presses enter, the browser does not go directly to the malicious site. Because the domain name that is associated with the malicious site is unknown to the user’s device (meaning that it does not appear in the DNS resolver cache or the hosts file), the device has to perform a DNS query to resolve the domain to an IP address. Once the DNS query is complete, the user’s browser is directed to the malicious website.
Many organizations use DNS monitoring tools as a way of keeping users from accidentally accessing malicious sites in the way that I just described. The architecture varies a bit from one DNS monitoring tool to the next, but what generally happens is that when a user’s browser initiates a DNS query, that query is intercepted by the DNS monitoring tool. That tool might then compare the domain name against a database of domain names that are known to be malicious. If the user is found to be accessing a malicious domain name, then the tool will put a stop to the process altogether or might silently redirect the user to his or her intended destination.
Keep in mind that this is not the only way that DNS monitoring is used to help keep an organization secure. DNS monitoring can sometimes be used to detect an infected PC that is communicating with a command and control server. Some DNS security tools are also able to detect and prevent DNS tunneling attacks.
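The monitoring described above (blocklist matching, catching a typo'd domain and redirecting the user to the intended site, and spotting DNS tunneling) is easy to illustrate with cleartext query logs, which is exactly what a DNS-over-HTTPS deployment takes away from the monitoring tool. The following is an added example written for this article, not code from any DNS monitoring product. The log format, the blocklist, the list of protected domains and the log lines are all constructed; the registrable-domain extraction simply takes the last two labels, where a real tool would consult the public suffix list.

```python
import math
from collections import Counter, defaultdict

# Constructed sample data: not real threat intelligence.
BLOCKLIST = {"examp1e-login.test", "update-portal.test"}     # known-malicious domains
PROTECTED = {"example.com", "example-bank.com"}              # the organisation's own brands

# Constructed DNS query log: "<timestamp> <client> <qname> <qtype> <rcode>"
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 www.example.com A NOERROR
2024-01-01T10:00:02Z 10.0.0.5 www.exampel.com A NOERROR
2024-01-01T10:00:03Z 10.0.0.7 examp1e-login.test A NOERROR
2024-01-01T10:00:04Z 10.0.0.9 a8f3k2l9q0z7x4m1w6.t.tunnel.test TXT NOERROR
2024-01-01T10:00:05Z 10.0.0.9 b7e2j1k8p9y6w3n0v5.t.tunnel.test TXT NOERROR
2024-01-01T10:00:06Z 10.0.0.9 c6d1h0j7o8x5v2m9u4.t.tunnel.test TXT NOERROR
2024-01-01T10:00:07Z 10.0.0.5 mail.example.com MX NOERROR
"""


def parse_log(text):
    """Split the constructed log format into one record per query."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rcode = line.split()
        records.append({"ts": ts, "client": client, "qtype": qtype, "rcode": rcode,
                        "qname": qname.lower().rstrip(".")})
    return records


def registrable(qname):
    """Naive registrable domain: last two labels (assumption; real tools use the PSL)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def levenshtein(a, b):
    """Edit distance, used to detect typo'd versions of protected domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_target(qname, max_distance=2):
    """Return the protected domain this query most likely meant, or None."""
    reg = registrable(qname)
    if reg in PROTECTED:
        return None
    for good in PROTECTED:
        if levenshtein(reg, good) <= max_distance:
            return good
    return None


def shannon_entropy(s):
    """Bits per character; encoded tunnel payloads score far higher than hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_tunnel_label(label, min_len=16, min_entropy=3.5):
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def analyze(log_text, tunnel_threshold=3):
    """Produce block / redirect / alert decisions for a cleartext DNS query log."""
    alerts = []
    tunnel_counts = defaultdict(int)   # (client, parent domain) -> suspicious query count
    for r in parse_log(log_text):
        base = {"client": r["client"], "qname": r["qname"]}
        if r["qname"] in BLOCKLIST or registrable(r["qname"]) in BLOCKLIST:
            alerts.append({**base, "reason": "blocklist", "action": "block"})
            continue
        target = typosquat_target(r["qname"])
        if target:
            # The tool silently answers with the site the user intended to reach.
            alerts.append({**base, "reason": "typosquat", "action": "redirect", "target": target})
            continue
        # Tunneling: repeated high-entropy subdomain labels under one parent from one client.
        if any(looks_like_tunnel_label(lbl) for lbl in r["qname"].split(".")[:-2]):
            key = (r["client"], registrable(r["qname"]))
            tunnel_counts[key] += 1
            if tunnel_counts[key] == tunnel_threshold:
                alerts.append({**base, "reason": "tunneling", "action": "alert"})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a)
```

Every decision in `analyze` depends on seeing the query name in the clear; once clients resolve through DNS over HTTPS, the same monitoring point sees only TLS sessions to a resolver and none of these checks can run.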
If an organization were to implement DNS over HTTPS, it would lose its ability to perform security-oriented DNS monitoring. Current-generation security tools are unable to look inside the HTTPS packets for the purpose of monitoring name resolution requests.
Even if you aren’t concerned about the inability to monitor DNS over HTTPS traffic, it is important to recognize that the technology can also be abused by malware authors. In fact, the Godlua malware is already leveraging DNS over HTTPS. Godlua encapsulates its traffic streams inside of DNS over HTTPS as a way of evading detection. It has also been suggested that malware could instruct a compromised system to use a different DNS over HTTPS resolver. This would cause all of the machine’s name resolution requests to be handled by a malicious DNS server. And, because the name resolution traffic is encrypted, IT would be none the wiser.
For right now, it is probably best to avoid using DNS over HTTPS in the enterprise. Eventually, security vendors will likely introduce tools that can monitor encrypted DNS traffic. However, even if such tools become available, organizations will have to question whether DNS over HTTPS provides a sufficient benefit to justify its use.