In contrast to the NSA’s Recommendations, Heimdal™ Is Confident about the Use of DNS
Quote:

Why DNS-over-HTTPS (DoH) Is Actually a Good Idea. Best Practices for Securing Your Organization’s DNS.

A few days ago, the United States’ National Security Agency (NSA) released a report meant to sound the alarm for organizations who are relying on DNS-over-HTTPS (DoH) as their basic DNS security strategy. While the NSA concedes that there are benefits to enabling DoH, they warn that there are also plenty of risks that are typically overlooked.

We politely disagree. As DNS security experts at the forefront of innovations achieved in the field for the past few years, Heimdal™ product engineers have always been aware of the limitations of DoH, but that did not stop us from finding ways to safely integrate it into our threat prevention solutions. Precisely because we are aware that DoH is not enough to guarantee cyber-safety by itself, and that it can create some compatibility issues with basic DNS security solutions that are centered around traditional DNS, our innovations addressed it directly.

The cybersecurity solutions we have for DNS, HTTP, and HTTPS layers have been built with issues such as the ones potentially caused by DoH in mind. So we know firsthand that DoH is not an obstacle to DNS security if the creators of your DNS security suite know what they are doing.
Here’s what the NSA says about DoH, in a nutshell, and what we have to say about it.

What the NSA Says about Using (Solely) DoH

The main risk of DNS-over-HTTPS, according to the latest NSA report, is that it promotes a false sense of security to organizations that adopt it, thinking it is enough to secure their DNS.

“DoH is not a panacea”, the NSA report states.

Furthermore, it’s not just that organizations believe they are more secure when implementing DNS-over-HTTPS and forgo other protection layers that should be mandatory for securing their DNS traffic. DoH isn’t just not very effective as a defense on its own, but can also actively lower the other defenses of the organization in question.

When DoH is deployed inside company networks, it can be used by malicious third parties to bypass many of the built-in security tools that rely on sniffing out classic (plaintext) DNS traffic to detect potential threats. Moreover, many DNS resolvers that function on DoH protocols are externally hosting their servers, taking them outside the enterprise’s ability to audit and control them.

The NSA recommends that companies not hand over their DNS traffic to externally-hosted resolvers and instead make sure their DoH-capable resolver is internally hosted and under their control. So, adopting simple DoH as an enterprise security strategy for your DNS is an exceptionally bad approach.

You can read the full NSA report here: Adopting Encrypted DNS in Enterprise Environments.

Why Indeed DNS over HTTPS (DoH) Is Limited

We agree that DoH can be limited and is not a Holy Grail of DNS security when used by itself.

But we are way more optimistic than the NSA in regards to finding a place for DoH in the DNS security architecture of the future. In fact, we believe that DoH, when approached correctly, is a must-have component of a solid DNS security strategy.

DNS-over-HTTPS can have many advantages when you approach it correctly. It’s definitely more secure, in principle, than the default previous internet protocols. It can even be construed as a possible replacement for VPNs.

While the traditional DNS protocol shared its requests and responses in plain text, easily attackable by malicious third parties, DNS-over-HTTPS communicates those in an encrypted form, making it harder for attackers to use DNS for breaches.

Simply by adopting DoH, your connection is already benefitting from an unprecedented default level of privacy and data protection. Since it came out, DoH was poised to be the new golden standard for DNS communications. In theory.

Unfortunately, just because this new encryption standard for DNS connections was issued, that doesn’t mean malicious activity didn’t also evolve to new heights. DoH makes it harder for attackers to target your organization, but it doesn’t make it impossible.

But, as the NSA also warns, many corporate decision-makers who are not exactly cybersecurity experts believe that adopting DoH is enough to keep any possible intrusion at bay. The true danger of DoH lies precisely in this false sense of security associated with its adoption.

Here is what the NSA report says, and in this regard, we do agree with them:

“While DoH can help protect the privacy of DNS requests and the integrity of responses, enterprises that use DoH will lose some of the control needed to govern DNS usage within their networks unless they allow only their designated DoH resolver to be used. These essential protective DNS controls can prevent numerous threat techniques used for initial access, command and control, and exfiltration, such as phishing links to malicious domains, connections using dynamic name resolution, and commands hidden in DNS traffic”, says the NSA report.

Potential Risks in Relying on DoH Alone as a Source of DNS Security

We understand where the NSA report is coming from. Because DoH is still safer than traditional, unencrypted DNS (HTTP requests), many DoH adopters falsely feel safe. That is the actual source of the risk: the incorrect assumption that just by adopting DoH, you are now safe. We agree that relying on DoH alone is risky, though we still consider it better than no DoH and no other DNS security measure at all.

Here are some of the significant cybersecurity risks derived from relying solely on DNS-over-HTTPS as a DNS security strategy within an organization.
...
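As an added illustration (not code from the article, from Heimdal, or from the NSA), here is a policy check over constructed proxy log lines that implements the control the quoted NSA passage describes: DoH requests are recognized by their application/dns-message content type or their dns= query parameter, and are permitted only when the destination is the organization's designated resolver. The hostnames, the log format and the designated resolver name are assumptions.

```python
"""Allow DoH only to the designated enterprise resolver; flag everything else.

Constructed example. Assumes a proxy log with four space-separated fields:
client IP, HTTP method, full URL, request Content-Type ('-' when absent).
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Assumed internal DoH resolver (placeholder hostname, not from the article).
DESIGNATED_DOH = {"doh.corp.example"}

# Constructed log lines: one in-policy DoH POST, one DoH POST to an outside
# resolver, one DoH GET (RFC 8484 style dns= parameter) to an outside
# resolver, and one ordinary HTTPS page fetch.
SAMPLE_LOG = [
    "10.0.0.5 POST https://doh.corp.example/dns-query application/dns-message",
    "10.0.0.7 POST https://dns.example.net/dns-query application/dns-message",
    "10.0.0.9 GET https://resolver.example.org/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB -",
    "10.0.0.5 GET https://www.example.com/index.html text/html",
]


@dataclass
class Verdict:
    client: str
    host: str
    is_doh: bool
    allowed: bool


def looks_like_doh(method: str, url: str, content_type: str) -> bool:
    """RFC 8484 DoH: POST with application/dns-message, or GET with ?dns=."""
    if content_type == "application/dns-message":
        return True
    return method == "GET" and "dns" in parse_qs(urlsplit(url).query)


def evaluate(line: str) -> Verdict:
    client, method, url, ctype = line.split()
    host = urlsplit(url).hostname or ""
    doh = looks_like_doh(method, url, ctype)
    # Non-DoH traffic is out of scope here; DoH must go to the designated resolver.
    return Verdict(client, host, doh, (not doh) or host in DESIGNATED_DOH)


def audit(lines: list[str]) -> list[Verdict]:
    return [evaluate(line) for line in lines]


def violations(lines: list[str]) -> list[Verdict]:
    """Clients that reached a DoH resolver the enterprise does not control."""
    return [v for v in audit(lines) if v.is_doh and not v.allowed]
```

This check only sees method, URL and content type when the proxy terminates TLS; without that, the destination hostname is the only field available, and the same allowlist decision has to be made on it alone.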