NSA: DNS-over-HTTPS "no panacea". NCSC: Handy if *we* run it, though.

DoH can "bring issues to enterprises, including a false sense of security" says NSA.

The US's National Security Agency (NSA) this week warned that use of DNS-over-HTTPS (or "DoH" -- which sends the domain name you typed over an encrypted HTTPS connection rather than in plain text, typically to a third-party DNS resolver like Cloudflare or Google rather than your flailing ISP) may mean organisations "lose important defences", adding that DoH is "no panacea" for online privacy and data protection.

"DoH provides the benefit of encrypted DNS transactions, but it can also bring issues to enterprises, including a false sense of security, bypassing of DNS monitoring and protections, concerns for internal network configurations and information, and exploitation of upstream DNS traffic", the NSA wrote January 14, warning that use of DoH in the enterprise may undermine the use of network monitoring tools deployed to "inspect DNS traffic and look for indications of anomalous activity."


A worry appears to be the move by browsers like Mozilla Firefox to deploy DoH by default in the US. (Users can choose between Cloudflare’s 1.1.1.1 and the NextDNS service. Mozilla says it is giving organisations the option of blocking DoH use by staff via a so-called “canary domain”; tidily explained here). Chrome, meanwhile, has said that it will make DoH its default setting where existing DNS resolvers offer the service. (Most ISPs do not, although BT is among those to have started experimenting.)

The NSA added -- seemingly pointing to such examples -- that "in some cases, individual client applications may enable DoH using external resolvers, causing some of these issues automatically". (With workforces now largely remote, this can cause growing issues for corporate IT teams, particularly those using passive network-based detection for malware domains, data loss prevention, or other metrics.)
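As an added illustration of the monitoring gap the NSA describes (this is my example, not code from the advisory or from The Stack), the following Python sketch runs over two constructed logs, one of answers handed out by the corporate resolver and one of outbound connections, and flags hosts whose traffic looks like encrypted DNS or whose HTTPS destinations never came out of the corporate resolver. The log formats and sample rows are constructed; the resolver addresses and hostnames are the public ones Cloudflare, Google and NextDNS publish for their services.

```python
"""Spot clients that sidestep the corporate resolver with DoH or DoT.

Added example, not from the NSA advisory. Log layouts and rows are constructed.
"""
import csv
import io
from typing import Dict, List, Set, Tuple

# Public resolvers that offer encrypted DNS (addresses/hostnames as published
# by the providers; Cloudflare and NextDNS are the ones named in the article).
KNOWN_DOH_RESOLVERS: Dict[str, str] = {
    "1.1.1.1": "Cloudflare", "1.0.0.1": "Cloudflare",
    "8.8.8.8": "Google", "8.8.4.4": "Google",
}
KNOWN_DOH_HOSTNAMES: Set[str] = {"cloudflare-dns.com", "dns.google", "dns.nextdns.io"}
DOT_PORT = 853  # DNS-over-TLS also hides queries from a passive DNS sensor

# Constructed sample: answers the corporate resolver returned to each client.
DNS_LOG = """\
ts,client,query,answer
1610640001,10.0.0.5,intranet.corp.example,10.1.2.3
1610640002,10.0.0.5,www.example.com,93.184.216.34
"""

# Constructed sample: outbound connections seen at the egress point.
CONN_LOG = """\
ts,client,dst_ip,dst_port,sni
1610640003,10.0.0.5,93.184.216.34,443,www.example.com
1610640010,10.0.0.7,1.1.1.1,443,cloudflare-dns.com
1610640011,10.0.0.7,203.0.113.50,443,update.cdn.example
1610640012,10.0.0.7,1.1.1.1,853,
"""


def parse_log(text: str) -> List[dict]:
    """Read a CSV log with a header row into dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def build_resolution_index(dns_rows: List[dict]) -> Dict[Tuple[str, str], int]:
    """Earliest time each (client, answer IP) pair was issued by our resolver."""
    index: Dict[Tuple[str, str], int] = {}
    for r in dns_rows:
        key = (r["client"], r["answer"])
        ts = int(r["ts"])
        index[key] = min(ts, index.get(key, ts))
    return index


def detect_bypass(dns_text: str, conn_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, dst_ip, reason_code) for connections that suggest
    the client is resolving names somewhere other than the corporate resolver."""
    resolved = build_resolution_index(parse_log(dns_text))
    findings: List[Tuple[str, str, str]] = []
    for c in parse_log(conn_text):
        client, ip, port, sni = c["client"], c["dst_ip"], int(c["dst_port"]), c["sni"]
        ts = int(c["ts"])
        if port == DOT_PORT:
            findings.append((client, ip, "dot_port"))
            continue
        if port != 443:
            continue
        if ip in KNOWN_DOH_RESOLVERS or sni in KNOWN_DOH_HOSTNAMES:
            findings.append((client, ip, "known_doh_resolver"))
            continue
        seen = resolved.get((client, ip))
        if seen is None or seen > ts:
            # Our resolver never handed this address to this client, so the name
            # was resolved elsewhere (DoH, a hardcoded IP, or an answer cached
            # before capture started: expect some false positives from CDNs).
            findings.append((client, ip, "unresolved_destination"))
    return findings


if __name__ == "__main__":
    for client, ip, reason in detect_bypass(DNS_LOG, CONN_LOG):
        print(f"{client} -> {ip}: {reason}")
```

In the sample, 10.0.0.5 is left alone because its HTTPS destination was answered by the corporate resolver moments earlier, while 10.0.0.7 is flagged three times: a TLS session to Cloudflare's DoH endpoint, a port 853 session, and an HTTPS destination that no corporate DNS answer explains. The third rule is the noisy one and is best treated as a lead for investigation rather than an alert on its own.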

NCSC: "So how about if...?"

The NSA statement came the same week that on this side of the pond, the UK's National Cyber Security Centre (NCSC) -- the enterprise-friendly shop front of NSA counterpart GCHQ -- noted that it had deployed DNS-over-HTTPS to underpin its new "PDNS Digital Roaming service".

The NCSC launched its Protective Domain Name Service (PDNS) in 2017. It's essentially NCSC-backed DNS resolution for the public sector that blocks malicious websites to -- as the NCSC puts it -- "hamper the use of DNS [or just bad domains] for malware distribution and operation."

With public sector workers now largely remote and outside corporate networks, it can be harder to track what they're looking up and downloading. The NCSC -- along with Nominet -- has now rolled out what it describes as a "small application for Windows 10" -- PDNS Digital Roaming -- which "extends the benefits of our protection by detecting when a device is outside of its enterprise network and redirecting DNS traffic to PDNS, using the encrypted DNS over HTTPS (DoH) protocol."

(Don't call it the Great Firewall of the UK: It's optional and only for the public sector, 'k? Read more about it here.)

"Devices are authenticated using client certificates. Again, see our knowledge base for more information on creating, distributing and managing PDNS Digital Roaming client certificates, at scale. PDNS Digital Roaming has been designed to be compatible with existing content filtering solutions, but we encourage testing", the NCSC notes.
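To make the NCSC's description concrete, here is an added example (mine, not NCSC or Nominet code) of what a roaming client does at the protocol level: it builds an RFC 8484 DNS-over-HTTPS query, presents a device client certificate during the TLS handshake, and parses the wire-format answer. The endpoint hostname, certificate paths and the internal beacon name are placeholders, and the beacon heuristic for deciding that a device has left the enterprise network is my assumption about how such agents commonly work, not a description of PDNS Digital Roaming's own method.

```python
"""RFC 8484 DoH client with mutual-TLS device authentication.

Added example, not NCSC/Nominet code. DOH_HOST, the cert paths and
BEACON_NAME are placeholders; the beacon check is an assumed heuristic.
"""
import http.client
import socket
import ssl
import struct
from typing import Callable, Dict, List, Tuple

DOH_HOST = "pdns-doh.example"              # placeholder for the PDNS DoH endpoint
DOH_PATH = "/dns-query"                    # standard RFC 8484 path
CLIENT_CERT = "/etc/pdns/device-cert.pem"  # placeholder device certificate
CLIENT_KEY = "/etc/pdns/device-key.pem"    # placeholder private key
BEACON_NAME = "nls.corp.example"           # placeholder internal-only name


def encode_name(name: str) -> bytes:
    """Encode a hostname as length-prefixed DNS labels (RFC 1035 3.1)."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query with one question; ID 0 as RFC 8484 suggests for caching."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def read_name(buf: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels: List[str] = []
    end = None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(buf: bytes) -> Dict[str, object]:
    """Return the RCODE and any A-record answers from a wire-format response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(buf, off)
        off += 4                                  # qtype + qclass
    answers: List[str] = []
    for _ in range(an):
        _, off = read_name(buf, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"rcode": flags & 0x000F, "answers": answers}


def device_is_off_network(resolve: Callable[[str], str] = socket.gethostbyname) -> bool:
    """Assumed heuristic: an internal-only beacon name resolves on the
    enterprise network and fails everywhere else."""
    try:
        resolve(BEACON_NAME)
        return False
    except OSError:
        return True


def resolve_over_doh(name: str, host: str = DOH_HOST) -> Dict[str, object]:
    """POST a DoH query, authenticating with the device certificate (mutual TLS)."""
    ctx = ssl.create_default_context()            # verifies the resolver's certificate
    ctx.load_cert_chain(certfile=CLIENT_CERT, keyfile=CLIENT_KEY)
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=5)
    conn.request("POST", DOH_PATH, body=build_query(name),
                 headers={"Content-Type": "application/dns-message",
                          "Accept": "application/dns-message"})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    ctype = (resp.getheader("Content-Type") or "").split(";")[0]
    if resp.status != 200 or ctype != "application/dns-message":
        raise RuntimeError(f"unexpected DoH reply: {resp.status} {ctype}")
    return parse_response(data)


if __name__ == "__main__":
    if device_is_off_network():
        print(resolve_over_doh("www.example.com"))
    else:
        print("on enterprise network; leave DNS on the corporate resolver")
```

The server side only completes the handshake if the presented certificate chains to the CA it trusts for devices, which is what makes the per-device certificate distribution the NCSC mentions the real operational work; the client code itself is a few lines. The encoding and parsing functions are pure and can be exercised offline; `resolve_over_doh` needs a reachable endpoint and a real certificate pair.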

Want to comment on Mozilla's public consultation on DoH? It's extended the deadline of the comment period to January 20 2021.

See also: Mimecast certs compromised by “sophisticated threat actor”