- As the internet transitions toward encrypted DNS, the National Security Agency (NSA) is warning businesses to route DNS only through enterprise-grade resolvers, rather than the third-party public resolvers, many of which are freely available, according to NSA guidance released Thursday.
- DNS translates domain names to IP addresses, but those transactions have traditionally been sent in the clear. DNS over HTTPS (DoH) is a privacy upgrade for web traffic: it encrypts the "last mile" between a client and its DNS resolver and authenticates the resolver, preventing "eavesdropping and manipulation of DNS traffic," according to the NSA.
- Though the technology has its merits, the NSA cautions enterprises using DoH "will lose some of the control needed to govern DNS usage within their networks unless they allow only their chosen DoH resolver to be used."
The whole point of using DoH is to prevent a threat actor from intercepting, manipulating and snooping on the traffic between a client and its DNS resolver, the NSA said. With traditional DNS, the request and its response travel in plaintext.
In its warning, the NSA is making a distinction between enterprise-grade and consumer-friendly DoH offerings. Public DoH resolvers are freely available, and some add protections of their own, such as blocking known malicious sites and "family-oriented filters."
The NSA's concern is governance. Unless only the enterprise's chosen resolver is used, businesses lose some of the control needed to govern DNS usage on their networks, because a client that sends its queries to an outside DoH resolver bypasses the enterprise resolver's logging, filtering and internal name resolution.
By using enterprise-grade DNS security controls, businesses can "properly leverage essential enterprise cybersecurity defenses, facilitate access to local network resources and protect internal network information," the NSA said.
The guidance from the NSA is for businesses to use only a designated enterprise-grade DNS resolver and to block all others. The NSA frames this as a tradeoff: "the loss of enterprise security controls outweighs the protections offered by DoH, so NSA recommends that enterprises disable encrypted DNS within their network and continue to use only the enterprise DNS service."
The goal is for an enterprise to ensure DNS queries are sent only to the enterprise DNS resolver, disabling DoH in the web browsers, applications and operating systems that support it. Some browsers cooperate with this: according to the NSA, Firefox and Chrome automatically disable DoH when they detect that an enterprise policy is in place.
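The enforcement side of that guidance (block every resolver except the enterprise one) is only half the job; the other half is noticing when a client still gets around it. The script below is an added example and is not code from the article or from the NSA guidance. It audits constructed outbound-flow records and constructed resolver query-log lines for three bypass patterns: plaintext DNS to a foreign resolver, DNS over TLS to a foreign resolver, and HTTPS to a known public DoH endpoint. The enterprise resolver address `10.0.0.53`, the `Flow` record shape, the log-line format and the short list of public DoH endpoints are all assumptions for illustration; a real deployment would feed it from its own firewall/NetFlow export and resolver logs and maintain the endpoint list from its own intelligence feed.

```python
"""Audit for DNS and DoH traffic that bypasses the enterprise resolver.

Added example, not code from the article or the NSA guidance. The resolver
address, the DoH endpoint list and all sample records are constructed.
"""
from dataclasses import dataclass
import ipaddress
import re

# Assumption: the enterprise's designated resolver. Anything sent to it on
# 53, 853 or 443 is "allowed"; any other DNS/DoT/DoH destination is a bypass.
ENTERPRISE_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}

# Illustrative subset of public DoH endpoints, not an exhaustive list.
PUBLIC_DOH_HOSTS = {
    "dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.quad9.net",
}
PUBLIC_DOH_IPS = {
    ipaddress.ip_address(a) for a in ("8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9")
}


@dataclass(frozen=True)
class Flow:
    """One outbound connection as a firewall/NetFlow sensor would record it."""
    src: str
    dst: str
    dport: int
    proto: str          # "udp" or "tcp"
    sni: str = ""       # TLS Server Name Indication if observed, else ""


def classify(flow: Flow) -> str:
    """Return 'allowed', 'unrelated', or a bypass category for one flow."""
    dst = ipaddress.ip_address(flow.dst)
    if dst in ENTERPRISE_RESOLVERS:
        return "allowed"
    if flow.dport == 53:
        return "plaintext-dns-bypass"       # classic DNS to a foreign resolver
    if flow.dport == 853:
        return "dot-bypass"                 # DNS over TLS to a foreign resolver
    if flow.dport == 443 and (flow.sni.lower() in PUBLIC_DOH_HOSTS or dst in PUBLIC_DOH_IPS):
        return "doh-bypass"                 # HTTPS to a known public DoH endpoint
    return "unrelated"


def audit(flows):
    """Return (flow, category) for every flow that is neither allowed nor unrelated."""
    return [(f, c) for f in flows if (c := classify(f)) not in ("allowed", "unrelated")]


# A DoH client normally has to resolve its DoH endpoint's hostname with ordinary
# DNS first, so the enterprise resolver's own query log gives a second signal.
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)")


def doh_bootstrap_clients(log_lines):
    """Return {client: sorted DoH hostnames} for clients that looked up known DoH endpoints."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname in PUBLIC_DOH_HOSTS:
            hits.setdefault(m.group("client"), set()).add(qname)
    return {c: sorted(h) for c, h in hits.items()}


# Constructed sample data.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "10.0.0.53", 53, "udp"),                        # normal enterprise DNS
    Flow("10.1.2.3", "8.8.8.8", 53, "udp"),                          # stray plaintext DNS
    Flow("10.1.2.4", "1.1.1.1", 443, "tcp", "cloudflare-dns.com"),   # browser DoH
    Flow("10.1.2.5", "9.9.9.9", 853, "tcp"),                         # DNS over TLS
    Flow("10.1.2.6", "93.184.216.34", 443, "tcp", "example.com"),    # ordinary web traffic
]
SAMPLE_RESOLVER_LOG = [
    "2021-01-14T10:02:03Z client=10.1.2.4 qname=cloudflare-dns.com. qtype=A",
    "2021-01-14T10:02:04Z client=10.1.2.4 qname=www.example.com. qtype=A",
    "2021-01-14T10:02:05Z client=10.1.2.7 qname=dns.google. qtype=AAAA",
]

if __name__ == "__main__":
    for flow, category in audit(SAMPLE_FLOWS):
        print(f"{category:22} {flow.src} -> {flow.dst}:{flow.dport} sni={flow.sni or '-'}")
    print("DoH bootstrap lookups:", doh_bootstrap_clients(SAMPLE_RESOLVER_LOG))
```

The flow check catches traffic that already escaped; the resolver-log check catches a client preparing to escape, since it has to ask the enterprise resolver where `dns.google` or `cloudflare-dns.com` lives before it can speak DoH to it. Both only work if egress is actually restricted: outbound 53 and 853 should be permitted from the enterprise resolver alone, and the browser side should be pinned by policy rather than left to defaults (Firefox's enterprise `DNSOverHTTPS` policy with `Enabled` false and `Locked` true; Chrome's `DnsOverHttpsMode` set to `off`). Note that the SNI-based match misses a DoH endpoint hosted on a shared CDN address with no distinctive name, which is why the endpoint list needs IPs as well as hostnames and needs to be kept current.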