NSA warns against using DoH inside enterprise networks
Quote: The US National Security Agency has published today a guide on the benefits and risks of encrypted DNS protocols, such as DNS-over-HTTPS (DoH), which have become widely used over the past two years.

The US cybersecurity agency warns that while technologies like DoH can encrypt and hide user DNS queries from network observers, they also have downsides when used inside corporate networks.
"DoH is not a panacea," the NSA said in a security advisory [PDF] published today, claiming that the use of the protocol gives companies a false sense of security, echoing many of the arguments presented in a ZDNet feature on DoH in October 2019.
The NSA said that DoH does not fully prevent threat actors from seeing a user's traffic and that when deployed inside networks, it can be used to bypass many security tools that rely on sniffing classic (plaintext) DNS traffic to detect threats.
Furthermore, the NSA argues that many of today's DoH-capable DNS resolver servers are also externally hosted, outside of the company's control and ability to audit.
NSA: USE YOUR OWN DOH RESOLVERS, NOT FROM THIRD-PARTIES
The NSA urges companies to avoid using encrypted DNS technologies inside their own networks, or at least use a DoH-capable DNS resolver server that is hosted internally and under their control.
Moreover, the NSA argues that this same advice should also be applied to classic DNS servers, not just encrypted/DoH ones.
"NSA recommends that an enterprise network's DNS traffic, encrypted or not, be sent only to the designated enterprise DNS resolver," the agency said.
"This ensures proper use of essential enterprise security controls, facilitates access to local network resources, and protects internal network information.
"All other DNS resolvers should be disabled and blocked," the security agency said.

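The advisory's rule quoted above (DNS traffic, encrypted or not, goes only to the designated enterprise resolver; everything else is blocked) is easy to turn into a check over egress flow logs. The script below is an added example, not code from the ZDNet article or the NSA advisory. It assumes a constructed enterprise resolver address (10.0.0.53), a constructed catalogue of public DoH endpoints (IPs and hostnames the enterprise has decided are not its own resolver), and a constructed flow-log format with src/dst/proto/dport/sni fields; real values would come from the organisation's own inventory and logging pipeline.

```python
"""Flag DNS traffic that bypasses the designated enterprise resolver.

Added example, not from the article or the advisory. It applies the rule
"send DNS, plaintext or encrypted, only to the enterprise resolver" to a
few constructed flow-log lines and also emits the matching block rules.
All addresses, hostnames and log lines below are made-up sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

# Constructed policy values (assumptions for this example, not from the page).
ENTERPRISE_RESOLVER = ip_address("10.0.0.53")
# Public DoH endpoints the enterprise has catalogued (constructed list).
DOH_ENDPOINT_HOSTS = ("doh.example-resolver.test", "dns.example-cloud.test")
DOH_ENDPOINT_IPS = {ip_address("192.0.2.10"), ip_address("198.51.100.20")}


@dataclass
class Flow:
    src: object   # ipaddress object
    dst: object   # ipaddress object
    proto: str    # "udp" or "tcp"
    dport: int
    sni: str      # TLS server name if the sensor saw one, else ""


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line: 'src=... dst=... proto=... dport=... sni=...'."""
    fields = dict(part.split("=", 1) for part in line.split())
    sni = fields.get("sni", "-")
    return Flow(
        src=ip_address(fields["src"]),
        dst=ip_address(fields["dst"]),
        proto=fields["proto"].lower(),
        dport=int(fields["dport"]),
        sni="" if sni == "-" else sni.lower(),
    )


def _is_doh_endpoint(flow: Flow) -> bool:
    """True if the HTTPS destination is a catalogued public DoH endpoint."""
    if flow.dst in DOH_ENDPOINT_IPS:
        return True
    return any(flow.sni == h or flow.sni.endswith("." + h) for h in DOH_ENDPOINT_HOSTS)


def classify(flow: Flow) -> Optional[str]:
    """Return a finding label, or None when the flow complies with the policy."""
    # The designated resolver may serve plaintext DNS, DoT (853) or DoH (443).
    if flow.dst == ENTERPRISE_RESOLVER and flow.dport in (53, 853, 443):
        return None
    if flow.dport == 53:
        return "plaintext-dns-to-unauthorized-resolver"
    if flow.dport == 853:
        return "dns-over-tls-to-unauthorized-resolver"
    # DoH shares port 443 with ordinary web traffic, so a port rule alone
    # cannot block it; the endpoint catalogue is what separates it out.
    if flow.dport == 443 and _is_doh_endpoint(flow):
        return "doh-to-external-resolver"
    return None


def audit(lines: List[str]) -> List[Tuple[str, str, int, str]]:
    """Run every log line through the policy and return the violations."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        label = classify(flow)
        if label:
            findings.append((str(flow.src), str(flow.dst), flow.dport, label))
    return findings


def block_rules() -> List[str]:
    """nftables-style rules for the port-based half of the policy (constructed)."""
    r = str(ENTERPRISE_RESOLVER)
    return [
        f"ip daddr {r} udp dport 53 accept",
        f"ip daddr {r} tcp dport {{ 53, 853 }} accept",
        "udp dport 53 drop",
        "tcp dport { 53, 853 } drop",
    ]


# Constructed sample flows, not real traffic.
SAMPLE_FLOWS = [
    "src=10.1.2.3 dst=10.0.0.53 proto=udp dport=53 sni=-",
    "src=10.1.2.3 dst=203.0.113.9 proto=udp dport=53 sni=-",
    "src=10.1.2.4 dst=192.0.2.10 proto=tcp dport=443 sni=doh.example-resolver.test",
    "src=10.1.2.5 dst=203.0.113.44 proto=tcp dport=443 sni=www.example.com",
    "src=10.1.2.6 dst=203.0.113.9 proto=tcp dport=853 sni=-",
    "src=10.1.2.7 dst=10.0.0.53 proto=tcp dport=443 sni=dns.corp.example",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
    print("\n".join(block_rules()))
```

The port-53/853 part of the policy is enforceable at the firewall, which is what block_rules() expresses; the DoH part is not, because it rides on 443 alongside normal HTTPS, so the script treats it as a detection problem keyed on a maintained endpoint list (destination IPs plus TLS SNI). That split is the practical consequence of the advisory's point that DoH can slip past controls that only watch plaintext DNS.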