While the proliferation of encrypted DNS is being driven by
consumer privacy, businesses will want to take notice. Encrypted DNS – also
known as DNS over HTTPS, or DoH – obscures internet traffic from bad actors. But
it also has the potential to decrease visibility for IT admins whose
responsibility it is to manage DNS requests for their organizations. So, what’s
the solution? Strangely, DoH.
As previously mentioned, DoH is now the default for Mozilla Firefox. It’s also
available in Google Chrome and other Chromium-based browsers. This is a win for
consumers, who have newfound control over who can see where they’re going on
However, by surrendering control over DNS requests to the
browser, IT administrators lose the ability to apply filtering to DNS requests.
Encrypted DNS that skirts the operating system eliminates the visibility that
IT admins need to ensure security for internet traffic on their networks. It
also prevents the business from being able to run threat intelligence against
DNS requests and identify dynamic malware that could circumvent consumer DoH
implementations. This leads to gaps in security that businesses can’t afford.
Staying ahead of the curve
There is a way to ensure privacy for DNS requests while
maintaining control of and visibility into network activity. The solution is to apply
DoH across the entire system, not just to browser activity. An endpoint agent wrests control
of DNS requests back from the browser: it can instruct Firefox not to engage its
DoH feature, and the same holds true for Chrome users running DoH. Those requests are
passed back through the operating system, where the DNS solution can manage
them directly, which supports both filtering and visibility.
An advanced agent
will manage DNS requests on the device securely through DoH, so the requests go directly
to the resolver with no other entity having visibility into them. At the same
time, the agent can apply threat intelligence
to ensure requests aren’t resolving to malicious destinations. Admins have
visibility into all DNS requests, and the requests are encrypted in transit.
When the agent detects a prohibited resource, it returns the
IP address of a block page. So, if there’s a virus on the system and it’s
trying to access a command and control server to deliver a malicious payload,
it won’t be able to. It also prevents botnets from being able to connect since
they also leverage DNS. For any process that requests something from the
internet, if it doesn’t get the resource that it’s requesting, it’s not going
to be able to act on it.
Privacy plus security
The novel coronavirus didn’t start the mobile workforce phenomenon,
but it certainly has accelerated it. The traditional perimeter firewall with
all systems and devices living behind it no longer exists. Modern networks
extend to wherever users connect to the internet. This includes the router someone
bought from a kid down the street, and the home network that was set up by a
consulting company 10 years ago and hasn’t been patched or updated since.
When someone on their home network opens a browser and goes
to their favorites, they’re not expecting to get phished. But if they’re resolving
to an alternative IP address because DNS is not being managed, is broken or is being
redirected, they may be exposed to phishing sites. Enter encrypted DNS as another
layer of protection within your cyber resilience portfolio. It starts working
against a higher percentage of threats when you stack it with other layers, reducing
the likelihood of being infected. It also addresses a blind spot that allows exploits
to go undetected.
Privacy is the main driver for DoH adoption by consumers,
while business agendas are generally driven by security. As a business, controlling
DNS requests allows you to protect both the business and the user. If you don’t
have that control and visibility, the user is potentially more exposed. And, if
you don’t apply threat intelligence and filtering to DNS requests, a user can more
easily click on malware or land on a phishing site.
To learn more about encrypted DNS read