NSA issues guidance on encrypted DNS usage

The logo of the National Security Agency in front of the US flag
(Image credit: Shutterstock)

The National Security Agency (NSA) has issued guidance for enterprises whose users encrypt their Domain Name System (DNS) requests. It’s advised administrators to block external DNS providers supporting a key encryption standard called DNS over HTTPS (DoH).

DoH encrypts requests made using the DNS protocol, which resolves web addresses to IP addresses, so browsers and other software know where to find them. DNS requests are traditionally unencrypted, meaning anyone snooping on a network connection, like a public Wi-Fi hotspot, could monitor someone's browsing habits and hijack their destinations.

DoH encrypts those requests using the same HTTPS protocol that websites use to encrypt and verify browser sessions, blocking snoopers. However, the NSA warns it can provide a false sense of security.

For example, it only encrypts the initial request, not the traffic sent afterward, meaning a snooper could still detect the IP addresses a victim is visiting and infer their browsing habits that way.

The agency also warns that the DNS resolver, which serves the DNS request, still decrypts the request to fulfill it.

There’s another danger in using external DNS resolvers that support DoH, the advisory says. Querying them directly bypasses any protections an enterprise DNS resolver has in place, such as filtering malicious websites.

The NSA suggests companies block unauthorized external DoH resolvers and only use their enterprise DNS resolvers when supporting DoH. It also recommends breaking and inspecting any traffic encrypted using TLS to block unauthorized DoH requests.

DoH is likely to gain more traction thanks to increased support from browser vendors. Mozilla launched default DoH support for US users in February 2020, and Microsoft has also tested support using its Windows 10 client.

Last May, the Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) warned federal CIOs that they were legally bound to use its internal EINSTEIN network security system for resolving DNS queries, even though it didn’t yet support encrypted requests. However, CISA issued a request for information last year to explore an upgrade to its DNS resolver, which would support DNS encryption.

DoH isn't the only DNS encryption option available. Another, called DNS over TLS, uses the Transport Layer Security mechanism to encrypt DNS requests.

Oblivious DoH (ODoH), another standard proposed by CloudFlare and Apple, would improve security by introducing a proxy between the client and the resolver to obfuscate request traffic.

The NSA noted that it didn’t address DNS over TLS or ODoH in its guidance.

The NSA guidance failed to mention another technology, dnscrypt-proxy. Dnscrypt-proxy is based on the OpenDNS-developed dnscrypt encryption technology, which achieves similar outcomes to ODoH.

Danny Bradbury has been a print journalist specialising in technology since 1989 and a freelance writer since 1994. He has written for national publications on both sides of the Atlantic and has won awards for his investigative cybersecurity journalism work and his arts and culture writing. Danny writes about many different technology issues for audiences ranging from consumers through to software developers and CIOs. He also ghostwrites articles for many C-suite business executives in the technology sector and has worked as a presenter for multiple webinars and podcasts.