August 21, 2020
It’s always DNS. Where have I heard that before?
While there are plenty of changes proposed for the future of how we should enhance and secure DNS further, today I will focus on the path Chrome is taking (and Firefox as well). DNS over HTTPS.
DNS normally works on port 53 over UDP, and while it has seen its fair share of man-in-the-middle attacks and malicious redirects, it is also largely the foundation of how our content filters operate: they filter queries and identify network traffic by name. DNS over HTTPS (or DoH for short) tries to address those security concerns by performing domain name resolution remotely and encrypting the tunnel between you, the user, and the remote server providing that service. This sounds good, so what’s the concern?
First, we look at the concern in the education world: how would we implement content filtering? The protocol by design does not allow for monitoring and modifying results, so we naturally cannot use it natively. In fact, most content filters recommend blocking this protocol to force the browser to fall back to traditional DNS. While this is possible via the admin console (and the default is to disable this)
Security is not a one setting problem.
We often have to set safeguards that account for the edge case, such as a policy that did not apply or an unmanaged device on our network. We would normally block unauthorized DNS traffic at the firewall level. While it is possible to control traditional DNS this way with most network firewall devices, blocking DNS over HTTPS would require a next-generation firewall capable of fingerprinting the traffic in order to block it.
In 2019 a denial-of-service worm used DoH to mask connections to its command server, abusing the fact that the connection was not visible to the ISP or enterprise. While trusted traffic would have no issue going through encrypted channels, this is a pretty scary attack using a relatively young protocol, and it shows why visibility into DNS requests is so important.
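The two points above, unauthorized DNS leaving the network and DoH hiding in ordinary HTTPS, are exactly what a firewall or flow log can be checked for. The following is an added example, not code from the original post or from Amplified IT: it scans constructed flow-log lines and flags plain DNS to any resolver other than the sanctioned internal one, DNS over TLS on port 853, and TLS sessions whose server name (SNI) is a well-known public DoH endpoint. The log format, the resolver address 10.0.0.53 and the 203.0.113.x destinations are all constructed for the example; the DoH hostname list is illustrative and would in practice come from your content-filter vendor.

```python
"""Flag DNS egress that bypasses the sanctioned resolver, plus DoT and DoH
sessions, from firewall flow-log lines. All inputs here are constructed."""
import re
from dataclasses import dataclass

# Sanctioned internal resolver (constructed address for this example).
APPROVED_RESOLVERS = {"10.0.0.53"}

# Hostnames of widely used public DoH endpoints. Illustrative list; a real
# deployment would maintain it from the content-filter vendor's feed (assumption).
KNOWN_DOH_HOSTS = {
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
}

# Constructed log format:
#   <timestamp> src=<ip> dst=<ip> proto=<udp|tcp> dport=<port> [sni=<server name>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+)(?: sni=(?P<sni>\S+))?$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    reason: str


def classify(line: str):
    """Return a Finding for a line that indicates unmanaged name resolution, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skip rather than guess
    dport = int(m["dport"])
    dst = m["dst"]
    sni = m["sni"]
    if dport == 53 and dst not in APPROVED_RESOLVERS:
        return Finding(m["ts"], m["src"], dst, "plain DNS to unapproved resolver")
    if dport == 853:
        # DoT uses a dedicated port, so it is visible without any fingerprinting.
        return Finding(m["ts"], m["src"], dst, "DNS over TLS (port 853) without opt-in")
    if dport == 443 and sni in KNOWN_DOH_HOSTS:
        # DoH looks like any other HTTPS session; the server name is the only hint here.
        return Finding(m["ts"], m["src"], dst, f"DNS over HTTPS to {sni}")
    return None


def scan(lines):
    """Classify every line and return only the findings."""
    return [f for f in (classify(line) for line in lines) if f is not None]


# Constructed sample log: one sanctioned lookup, one unapproved resolver,
# one DoT session, one DoH session, and one ordinary web visit.
SAMPLE_LOG = [
    "2020-08-21T09:00:01 src=10.1.2.3 dst=10.0.0.53 proto=udp dport=53",
    "2020-08-21T09:00:02 src=10.1.2.4 dst=203.0.113.53 proto=udp dport=53",
    "2020-08-21T09:00:03 src=10.1.2.5 dst=203.0.113.10 proto=tcp dport=853",
    "2020-08-21T09:00:04 src=10.1.2.6 dst=203.0.113.20 proto=tcp dport=443 sni=mozilla.cloudflare-dns.com",
    "2020-08-21T09:00:05 src=10.1.2.7 dst=203.0.113.30 proto=tcp dport=443 sni=www.example.org",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.ts} {finding.src} -> {finding.dst}: {finding.reason}")
```

The SNI match is a heuristic: it only works where the firewall exports the server name from the TLS handshake and the client sends it in the clear, and it misses DoH servers that are not on the list. That is the visibility gap the post is describing, and it is why the firewall-level block is a backstop for the admin console setting rather than a replacement for it.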
Performance-wise, in broad theory this should be faster than traditional DNS, but in practice it is still not up to par. ISPs often introduce a caching layer close to each location and have reported that the average hit rate for these caches is around 90%. We also have a limited number of providers who can offer DoH, which can add latency where queries may previously have been answered by a nearby, load-balanced resolver. While there are more items that can be addressed, it’s important to understand that in the enterprise and education world, DoH is not ready for prime time.
DNS over TLS (or DoT for short) is a protocol that is also proposed and available today, and it offers a significant advantage over DNS over HTTPS: it provides the same encryption capabilities but uses its own dedicated port, 853, rather than blending in with ordinary web traffic, which allows it to be more easily managed on your network. Because traffic on port 853 has to be explicitly allowed, for most organizations it requires an active opt-in instead of being on by default.
The takeaway: Secure DNS over HTTPS in the admin console (under User and Browser settings in Chrome Management) should be set to disabled, which is the default. If you are able to block DoH traffic at the firewall, consider doing so, and continue to monitor industry trends so you can reevaluate in the future. It may also be worth reaching out to your content filtering provider and getting their input on how they plan to deal with this growing trend.
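For devices that are not enrolled in the admin console, the same setting can be enforced directly with Chrome's `DnsOverHttpsMode` policy. The fragment below is an added example, not configuration from the original post or from Amplified IT; it assumes a Linux machine where Chrome reads managed policy from a JSON file under /etc/opt/chrome/policies/managed/ (on Windows or macOS the same policy name is set through the registry or a configuration profile). The value `"off"` keeps the browser on traditional DNS; the other values, `"automatic"` (DoH where the resolver supports it, falling back to plain DNS) and `"secure"` (DoH only, no fallback), are the ones to watch for on unmanaged profiles.

```json
{
  "DnsOverHttpsMode": "off"
}
```

Chrome's internal page chrome://policy shows whether the policy was picked up, which is a quick way to confirm on a single device that the setting actually applied before relying on the firewall as the backstop.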
If you have questions, our Support team is here to help.
Google for Education Consultant
About the Author:
Andrew Giggey has been a G Suite for Education Consultant for Amplified IT since 2018. Prior to joining Amplified IT, Andrew spent time working for school districts as a Network and Systems Administrator. His hobby is having hobbies, and he has tried just about everything. Utilizing his tinkering and computer science knowledge, Andrew is constantly working to discover things hiding in plain sight and to help inform the community of uncovered issues. Andrew continues to try to find unique problems that school districts face and to find them the best possible solution.