The evolution of DNS to DoH: what it means for you and your business
While DNS has evolved significantly in the decades since it was originally conceived, its skeletal structure remains much the same. DNS, the Domain Name System, is the internet's protocol for translating the domain names humans understand (the host part of a URL, such as www.example.com) into the IP addresses that machines need in order to reach a server and load a website.
The problem is that this system was never designed with privacy or security in mind. Traditional DNS queries and responses travel in plain text over UDP or TCP port 53, handing an intrusive amount of information to whoever resolves or inspects them. That is typically an internet service provider (ISP), but it may be a government entity or some other actor on the path. In authoritarian countries, for example, governments may use DNS records to prosecute individuals for visiting sites with outlawed content. In the United States, this data is more likely to be monetized for its advertising value.
“The problem with DNS is it exposes what you’re doing,” says Webroot product manager and DNS expert Jonathan Barnett. “If I can log a user’s DNS requests, I can see when they work, when they don’t, how often they use Facebook, the Sonos Speakers and Google Nests on their network, all of that. From a privacy perspective, it shows what on the internet is associating with the user and their network.”
Additionally, plain DNS gives a client no way to authenticate the resolver a network hands it, which is usually whatever address the router advertises over DHCP. The lack of validation is especially problematic on home routers. Where business networks tend to be relatively secure, with patched, up-to-date and modern equipment, Barnett reminds us that "everyone's home router tends to be set up by someone's brother-in-law or an inexperienced ISP technician." An attacker who changes a router's DNS settings can silently redirect every device on that network to a resolver they control.
“If you bring a device onto this network and try to navigate to one of your favorite sites, you may never wind up where you intended,” warns Barnett.
In the age of COVID-19, the lack of DNS security is an even bigger problem for employers. With more of the workforce working from home than ever before, traditional defenses at the network perimeter no longer see much of the traffic they were built to protect.
“To maintain resilience,” says Barnett, “companies need to extend protection beyond the business network perimeter. One of the best ways to do that is through a DNS protection solution that ensures requests are resolved by a trusted resolver and not a potentially misconfigured home network.”
DoH: the second coming of DNS
In response to these concerns, DNS over HTTPS (DoH), standardized by the Internet Engineering Task Force as RFC 8484, encrypts DNS requests by carrying them inside ordinary HTTPS traffic, hiding their content from anyone on the path who might misuse it. The TLS encryption and certificate validation that DoH relies on are the same mechanisms banks, credit monitoring services, and other sites that handle sensitive information use to protect their traffic and prove their identity.
Effectively, DoH 'wraps' each DNS request in an HTTPS connection to the resolver. The certificate check confirms the client is talking to the intended, trusted DNS server, and the encryption prevents anyone on the path from reading or altering the queries and responses in transit. That is how DoH provides an authenticated, encrypted channel over which DNS requests can be carried.
“It makes sure no one is messing with a user by changing the results of a request before it’s returned,” Barnett explains.
In addition to improving privacy around device usage, DoH also blunts several DNS-layer attacks. These include DNS hijacking, in which attackers redirect DNS requests to servers they control in order to spy on or alter communications, and on-path spoofing of responses. DoH counters both because the client verifies the resolver's certificate and the traffic is encrypted, regardless of which resolver the local network tries to hand out. Note that this protects the hop between the client and its DoH resolver: the resolver itself must still be trusted to return honest answers, and authenticating the answers themselves is the job of DNSSEC rather than DoH.
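To make the 'wrapping' concrete, here is an added example (not code from the original post or from Webroot) of the RFC 8484 mechanics in Python: it builds a wire-format DNS query, encodes it into the DoH GET form, parses a response, and checks that the response actually answers the question that was sent. The resolver URL https://dnsserver.example.net/dns-query is the placeholder used in RFC 8484 itself, and the sample response bytes (answering with 192.0.2.1, a documentation address) are constructed so the example runs offline. Only `resolve_over_doh` touches the network, and it assumes the server accepts HTTP/1.1 from urllib; urllib's default TLS certificate verification is what authenticates the resolver.

```python
"""Minimal DNS-over-HTTPS (RFC 8484) client pieces, runnable offline.

Added example. The resolver URL is the RFC 8484 placeholder and the sample
response below is constructed (192.0.2.1 is documentation address space).
"""
import base64
import struct
import urllib.request

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name, qtype=QTYPE_A, txid=0):
    """Wire-format DNS query: RFC 1035 header plus one question.

    RFC 8484 recommends transaction ID 0 for GET so identical queries yield
    identical URLs that HTTP caches can serve.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(resolver_url, query):
    """RFC 8484 GET form: base64url-encoded message with '=' padding removed."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def _read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:  # the name ends right after the first pointer
                end = offset + 2
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end if end is not None else offset


def parse_response(msg):
    """Return (txid, rcode, question, answers); only A records are decoded."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    offset, question = 12, None
    for _ in range(qdcount):
        qname, offset = _read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        question = (qname, qtype, qclass)
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, "A", ".".join(str(b) for b in rdata), ttl))
    return txid, rcode, question, answers


def response_matches_query(query, response):
    """Stub-resolver check: the reply must echo our ID and question section.

    On plain port-53 DNS this is the main defence against injected replies;
    it costs nothing to keep over DoH as well.
    """
    _, _, q_question, _ = parse_response(query)
    r_txid, _, r_question, _ = parse_response(response)
    return r_txid == struct.unpack("!H", query[:2])[0] and r_question == q_question


def resolve_over_doh(name, resolver_url="https://dnsserver.example.net/dns-query"):
    """Live lookup (not exercised offline). urllib verifies the resolver's TLS
    certificate against the system trust store, which authenticates the
    resolver even when a hostile network advertises its own DNS server."""
    query = build_query(name)
    req = urllib.request.Request(doh_get_url(resolver_url, query),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        answer = resp.read()
    if not response_matches_query(query, answer):
        raise ValueError("DoH response does not match the query that was sent")
    return parse_response(answer)


# Constructed sample response to the www.example.com A query built above.
SAMPLE_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # id 0, QR|RD|RA, 1 question, 1 answer
    b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"      # question: www.example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04"  # name ptr->12, A, IN, TTL 3600, rdlen 4
    b"\xc0\x00\x02\x01"                                   # rdata 192.0.2.1 (constructed)
)

if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url("https://dnsserver.example.net/dns-query", q))
    print(response_matches_query(q, SAMPLE_RESPONSE), parse_response(SAMPLE_RESPONSE))
```

Run as a script, the first line printed is exactly the GET URL given in RFC 8484 section 4.1.1 (`?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB`), since that example is the same www.example.com A query with ID 0. The point of `response_matches_query` is that DoH moves the trust decision from "did this reply come from the right port-53 socket" to "did the TLS handshake validate the resolver's certificate"; the ID and question check stays as a cheap consistency guard in both worlds.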
While the domain name system has served the internet and its users well for decades, the time has come for a change.
“In their wildest dreams, the creators of DNS imagined the system might be able to accommodate up to 50 million domains. We’re at 330 million now. It’s amazing what they achieved,” says Barnett. “But DNS needs to evolve. It’s been a great tool, but it wasn’t designed with privacy or security as priorities. DoH represents the logical evolution of DNS.”
Moving toward a DoH-enabled future
Several major tech players, like Mozilla with its Firefox browser, have already made the leap to using DoH as the preferred method of resolving requests. That means the application resolves names itself, independent of the operating system's resolver, and IT admins lose control of and visibility into that browser's DNS requests unless they configure the browser explicitly (Firefox, for instance, honors an enterprise DNSOverHTTPS policy and backs off its default DoH rollout when the network's resolver returns NXDOMAIN for the canary domain use-application-dns.net).
Understandably, many companies are concerned about applications making DNS requests independently of the corporate resolver. Losing control over these requests can weaken security, because the business can no longer filter or inspect them.
As application creators strive for better privacy for their users and businesses look to improve security, a balance must be found. By controlling whether applications can enable DoH, the Webroot® DNS Protection agent is designed to retain control of DNS requests while also running each request through the Webroot® threat intelligence platform, thereby improving both privacy and security.
In its next release, expected in the coming month, Webroot DNS Protection will be fully compatible with the DoH protocol. Admins will be able to protect networks and roaming systems and ensure they receive a filtered, trusted DNS response from Webroot. That means peace of mind even when a user is connected to a network that has been compromised, thwarting attackers who have corrupted a router's DNS settings to redirect users to malicious addresses. This extra layer of DNS security can be a powerful resource for extending protection to work-from-home environments.