Introduction

Increasing usage of encrypted DNS services in applications and operating systems can leave unexpected security gaps in network architecture. The purpose of this guide is to help our customers address these gaps by using Infoblox Encrypted DNS, Advanced DNS Protection, and BloxOne® Threat Defense features in combination with their traditional security solutions.

Why make changes to DNS protocol?

The concept of openness has been a fundamental feature of the Internet since its inception. Although users transmit sensitive information such as credit card numbers, email and passwords between their web browsers and websites using the secure HTTPS protocol, initial requests for Internet addresses and subsequent responses for website locations are transmitted in plain text. As a result, DNS has traditionally suffered from what we describe as a “last mile” security problem. Communications between a DNS client and its local DNS server are almost always unencrypted, and therefore subject to spoofing, interception, hijacking, and more problems. Improvements have been made to incorporate greater end-to-end security. DNS Security Extensions added authentication and data integrity checking to DNS, but the last leg of communication to the web browser was still open to spoofing.

Introducing DoH and DoT

Working groups within the Internet Engineering Task Force (IETF) have approved two standards to address these issues. Both work by encrypting the DNS communication between your operating system’s stub resolver and your recursive DNS resolver. One is known as DNS over TLS (Transport Layer Security) or “DoT,” and the other as DNS over HTTPS or “DoH.” Both technologies provide data privacy and authentication by encrypting communications between DNS clients and servers. However, in doing so, each can point clients at external DNS resolvers, allowing client devices to reach DNS services outside of your control and exposing the enterprise to potential security risk.

DNS over TLS (DoT)

DoT is an IETF standard that carries DNS over the Transmission Control Protocol (TCP), layered on TLS for encryption and authentication between a DNS client and a DNS server. Functioning at the operating system level, it communicates over TCP port 853, the well-known port dedicated to DNS over TLS, and network administrators are very familiar with it. DoT traffic is encrypted, but its use of a dedicated, well-understood port makes it easier for network administrators to monitor and control encrypted DNS when it appears. DoT is also a mature standard backed by traditional players in the DNS industry.

DNS over HTTPS (DoH)

Backed by the Mozilla Foundation and the Chromium Projects, DoH is the other IETF security protocol that addresses DNS client and DNS server communication security. It carries DNS queries inside HTTPS to provide encryption and authentication between a DNS client and server. A potential problem with DoH is that it uses the same TCP port (443) that all HTTPS traffic uses. As a result, troubleshooting DoH-related DNS issues can be challenging because DoH-based DNS requests cannot be distinguished from regular HTTPS requests. For example, if a network administrator is employing DNS monitoring to block DNS requests to known malicious domains, he or she would not see those particular requests inside HTTPS. Hence, that malicious traffic would go undetected. In addition, DoH operates at the application layer rather than in the operating system, which introduces the potential for browser traffic to bypass enterprise DNS controls. The circumvention of DNS controls could hamper the support team’s ability to maintain the levels of network performance, security, scale, and reliability that enterprises demand from DNS.

DoT and DoH Enterprise Challenges

For more information, please refer to this Solution Note: Solving Unintended Challenges with DoT and DoH

and this Blog Post: Keeping up with DoT, DoH and HTTP/3 Changes to Your Network

Recommended Best Practices

We recommend a multi-stage approach to mitigate the threat from unauthorized DNS services.

  • Block access to unauthorized DNS servers using Infoblox threat intelligence and ADP.

  • Use Infoblox Encrypted DNS to offer and secure DoT and DoH traffic to your users.

  • Leverage Group Policies or MDMs to push configuration for web browsers, directing them to Infoblox DoT or DoH servers for DNS resolution.
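The first step, blocking resolvers that are not the enterprise's own, depends on telling authorized DoT/DoH endpoints apart from unauthorized ones in network telemetry. The following is an added example (not Infoblox code) showing that classification over constructed flow records; the resolver address, the external DoH host name and the flow record fields are all assumptions. It also shows the page's caveat: a DoH flow on port 443 is only recognizable when a sensor exposes the TLS server name or the HTTP path, otherwise it looks like ordinary HTTPS.

```python
from dataclasses import dataclass

# Placeholder: the enterprise's authorized Infoblox DNS / DoT / DoH endpoint.
AUTHORIZED_RESOLVERS = {"10.0.0.53"}
# Constructed: host name of a public DoH resolver that policy says to block.
KNOWN_DOH_HOSTS = {"doh.example-resolver.net"}


@dataclass
class Flow:
    """One connection as a sensor might report it (constructed format)."""
    src: str
    dst: str
    dport: int
    sni: str = ""   # TLS server name, if the sensor extracted it
    path: str = ""  # HTTP request path, only visible when TLS is inspected


def classify(flow: Flow) -> str:
    """Return a verdict for a single flow."""
    if flow.dst in AUTHORIZED_RESOLVERS:
        return "allowed"                      # enterprise resolver, any transport
    if flow.dport == 53:
        return "unauthorized-dns"             # classic plain-text DNS elsewhere
    if flow.dport == 853:
        return "unauthorized-dot"             # DoT is visible by its dedicated port
    if flow.dport == 443:
        # DoH shares 443 with all HTTPS; only recognizable with SNI or path context.
        if flow.sni in KNOWN_DOH_HOSTS or flow.path.startswith("/dns-query"):
            return "unauthorized-doh"
        return "https"                        # indistinguishable from web traffic
    return "other"


def audit(flows: list[Flow]) -> list[tuple[str, str, str]]:
    """List (src, dst, verdict) for flows that bypass the authorized resolvers."""
    findings = []
    for f in flows:
        verdict = classify(f)
        if verdict.startswith("unauthorized-"):
            findings.append((f.src, f.dst, verdict))
    return findings


# Constructed sample telemetry (documentation address ranges).
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "10.0.0.53", 853),                                 # Infoblox DoT
    Flow("10.1.1.6", "198.51.100.9", 853),                              # external DoT
    Flow("10.1.1.7", "203.0.113.20", 443, sni="doh.example-resolver.net"),
    Flow("10.1.1.8", "203.0.113.30", 443, sni="www.example.com"),       # plain HTTPS
    Flow("10.1.1.9", "192.0.2.1", 53),                                  # external DNS
]
```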
