How to Identify and Control DoH On Your Network

Along with bandwidth, privacy and security are the major concerns shared by everybody and everything on the Internet. Engaging in man-in-the-middle style attacks, today hackers from cyber criminal organizations, state sponsored or masse surveillance interception, can intercept clear-text DNS lookups, track and monitor users’ activities or interfere with commerce and undermine confidence in the platform. A new privacy-focused DNS resolution technique may resolve this vulnerability but introduces challenges for security professionals who are tasked to monitor and manage DNS traffic within their organizations.

DNS over HTTPS, a new protocol dubbed DoH, will encrypt domain lookups with the intent of boosting Internet privacy, performance, and security. With current DoH implementations, DNS resolution can be performed within an application, bypassing the DNS configuration of the operating systems and thus preventing any DNS based protections that an organization may have deployed. DoH is now embedded in Chrome and Firefox browsers, thus satisfying the client component, while Google and Cloudflare among others are providing the DNS servers (called DoH resolvers) that support it.

Will the protocol catch on? In its corner, tech giants and new players, along with non-governmental organizations are driving support, development and standardization. However, the DoH implementation is not without critics. ISPs have coined the term “hyper-centralization” to describe how access to DNS resources is shifting from their control into the hands of even fewer parties. Critics also express concern that DoH sidesteps DNS filtering services including parental controls, which are mandated in certain countries; plus it contravenes efficient security controls — at least for now.

Yet, from a practical standpoint, DoH has arrived (RFC 8484), and while its standardization is only at the beginning with new working groups being started at IETF, the question that security teams are facing now is how best to manage it.

DoH Security Check

Encryption may prove beneficial, but a) it does not equal security and b) the resulting hyper-centralization lookup model presents SecOps teams with another set of concerns such as monitoring DNS spoofing. Traditional DNS communication had been easily differentiated from encrypted HTTPS traffic. Now, DoH bypasses passive DNS monitoring techniques including enterprise firewalls that blocked requests to banned domains.

DoH could be used by malware to exfiltrate data. Two recent malware cases suggest the protocol isn’t impervious to novel attacks:

• A .NET based malware known as PsiXBot attacked Google DNS over HTTPS and installed a sexploitation-module
• Godlua, discovered by Netlabs, acts as a Linux DDoS bot, according to ZDNet.

There are other scenarios that may give SecOps a dash of heartburn. Managing internal name lookups may pose data leakage challenges for some large organizations. Public DoH resolvers are not able to parse internal domain name requests — leaving such information unprotected.

Managing DoH

If you allow or simply encounter DoH on your network — Symantec will help you track and control it. Failing to manage DoH may result in more malware infections or data leakage issues. Though Firefox allows a service to disable DoH, even a moderately savvy user can override that setting.

Visibility is the first step toward understanding DoH usage and controlling it. We have implemented a new web app on Symantec ProxySG and Advanced Secure Gateway (on premise) as well as the Web Security Service (WSS) that identifies DoH communications and associates it with an app name. The app reports on DoH usage, users and destinations, helping your team craft an audit as needed. You will be able to track DoH usage in Symantec Management Center on premise, WSS in the cloud, or with your own reporting tools.

What else would you ideally want to track? We’ll make it possible to identify additional details such as: User names; group names; source and destination IP addresses; URLs; threat risk levels; traffic volume, policy verdict (allowed or denied, etc.); among other things.

ProxySG DoH control options enable admins to allow or deny everyone — or provide only certain people with — access to DoH resolvers. More commonly, an organization may opt to specify a preferred DoH resolver, such as Cloudflare, Google or their own, internal DoH service.

For those seeking even more granular control, decrypting DOH, which requires a TLS 1.3 proxy, restores a variety of familiar control options, such as: 

• Allowing DoH, but handing off communication to the DNS proxy
• Applying DNS application layer policies such as a filter on the DNS layer
• Enable logging, reporting and forensic analysis

The DNS proxy will have your back . It is ready to handle communications such as identifying the IPv4 or IPv6 IP addresses for requested host and domain names — and perform category and threat risk level lookups. And if someone in your organization tries to connect to a known bad site, it could reply with NXDOMAIN, meaning the name cannot be resolved, or it could modify the response and point the user’s browser to a block page.

Safeguarding privacy and improving internet security are actions worthy of everyone’s time and interest. DoH may prove indispensable but in the near term, the first thing to do is build awareness of its use within your organization and simultaneously learn how to control it. Learn more about Symantec ProxySG & ASG and WSS.

* * * 

Many thanks to our team subject matter experts Arnaud Taddei and Bret Jordan for their valued contributions to this post.