DoH!

Iain Westwood

DoH, or DNS over HTTPS to be precise, has featured in mainstream media in recent weeks. Both Mozilla and Google have confirmed that their Firefox and Chrome browsers will be implementing DoH by default, but what exactly is it, and why does it have ISPs worried?

To recap, DNS (the Domain Name System) translates a human-readable hostname such as www.activereach.net into the underlying IP address your computer needs in order to connect to the server and receive content. Your computer sends the requested hostname to a DNS resolver (usually one supplied by your ISP or network), which looks up the answer and replies with the server's IP address.

Is DNS A Security Risk?

As we mentioned in a previous blog, DNS has had its fair share of security-related problems, but a properly secured DNS service (one that refuses to resolve known-malicious domains rather than blindly answering every query) can complement traditional security technologies and help keep malware and ransomware at bay.

So Where’s The Problem?

The main concern is actually one of privacy: client DNS queries and server responses are sent in plaintext, traditionally over UDP or TCP port 53. Anyone with a packet sniffer in the network path between the client and the DNS resolver can capture the packets and read exactly which hostnames are being requested, and, because nothing authenticates the reply either, can also tamper with the answer.

This mirrors the concerns earlier this decade about the HTTP protocol, which is also unencrypted. Those concerns led directly to the founding of the Let's Encrypt project, through which website operators can obtain free TLS (SSL) certificates to secure their servers; this has massively increased the use of certificates and improved web privacy.

Knowledge of the content of a DNS query can be valuable information. Advertisers could use it to understand which sites users are connecting to and target adverts accordingly, which is arguably one reason an advertising company such as Google offers a public DNS resolver service. ISPs can also use unencrypted DNS queries to implement web blocking, rewriting the response so that the user is redirected to a different website or to a block page.

By implementing DNS over HTTPS in the browser, DNS transactions are carried inside an ordinary TLS connection to port 443, so the queries and replies can be neither snooped on nor altered in transit; an observer on the path sees only HTTPS traffic to the DoH resolver. The trade-off is that the DoH resolver operator (Cloudflare, in Firefox's default configuration) now sees every query instead of your ISP, so the trust is moved rather than removed. This has ISPs worried, and the ISPA (Internet Service Providers Association) recently criticised Mozilla because it believes DoH will interfere with the UK's web-blocking system designed to filter access to copyrighted material.

So What Do We Need To Do?

The privacy benefits of implementing DoH are clear, but implementation isn't straightforward yet: at the moment each browser has to be configured manually to enable the feature (in Firefox through the network.trr.mode and network.trr.uri preferences in about:config), which does not scale across a fleet of desktops. Browser-level DoH also bypasses whatever DNS-based filtering your own organisation relies on, so check which resolver your browsers are actually using; Firefox will stand down its DoH default if the network's resolver returns NXDOMAIN for the canary domain use-application-dns.net. Fortunately, security solutions such as Cisco Umbrella have DNS privacy baked in to help remove that headache.

To find out how activereach can help with DNS security please contact us or call us on 0845 625 9025.