
NSA issues guidance on encrypted DNS usage

The US National Security Agency warns enterprises not to use third-party DNS resolvers

The National Security Agency (NSA) has issued guidance for enterprises whose users encrypt their Domain Name System (DNS) requests. It advises administrators to block external DNS providers that support DNS over HTTPS (DoH), a standard for encrypting DNS queries, unless the enterprise has explicitly authorised them.

DoH encrypts requests made using the DNS protocol, which resolves domain names to IP addresses so browsers and other software know where to connect. DNS requests are traditionally sent unencrypted, meaning anyone able to observe a network connection, such as on a public Wi-Fi hotspot, could monitor a user's browsing habits or tamper with the responses to redirect them elsewhere.

DoH encrypts those requests using the same HTTPS protocol that websites use to encrypt and authenticate browser sessions, shutting out on-path snoopers. However, the NSA warns that it can provide a false sense of security.

For example, DoH protects only the DNS lookup itself, not the connection that follows it. A snooper can still see the IP addresses a user connects to, and usually the hostname too, since the server name is sent unencrypted at the start of most TLS handshakes, and can infer browsing habits from those.

The agency also points out that the resolver at the other end must decrypt the request in order to answer it, so DoH hides queries from observers on the path, not from whoever operates the resolver.

There is another danger in sending queries directly to external resolvers that support DoH, the advisory says: doing so bypasses whatever protections the enterprise's own DNS resolver enforces, such as filtering of known-malicious domains and the logging that security teams rely on for visibility.

The NSA therefore recommends that enterprises block unauthorised external DoH resolvers and, if they want DoH at all, enable it only on their own enterprise DNS resolver, which clients should use exclusively. Where an enterprise already breaks and inspects TLS traffic, it can use that capability to identify and block DoH requests to unauthorised resolvers.
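The controls above can be expressed as detection logic. The following is an added example (not the NSA's or the article's code) that runs over constructed connection summaries and flags DNS traffic that bypasses the enterprise resolver: plaintext DNS to any other address, DNS over TLS on its conventional port 853, HTTPS to addresses on a deny list of public DoH resolvers, and, for connections that passed through TLS break-and-inspect, requests carrying the RFC 8484 media type. The resolver address 10.0.0.53, the internal range and the deny list are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not code from the NSA advisory or the article.
# Assumptions: the enterprise resolver is 10.0.0.53, clients live in
# 10.0.0.0/8, and the deny list of public DoH resolvers is illustrative;
# in production it must be maintained from a current feed.
ENTERPRISE_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
KNOWN_PUBLIC_DOH = {ipaddress.ip_address(a) for a in (
    "1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112",
)}
DOH_MEDIA_TYPE = "application/dns-message"  # mandated by RFC 8484
DOT_PORT = 853                               # RFC 7858 DNS over TLS


@dataclass(frozen=True)
class Flow:
    """One connection summary. The HTTP fields are only populated for
    connections that passed through TLS break-and-inspect."""
    src: str
    dst: str
    proto: str        # "udp" or "tcp"
    dport: int
    http_path: str = ""
    content_type: str = ""


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def classify(flow: Flow) -> Optional[str]:
    """Return a reason if the flow is DNS traffic that bypasses the
    enterprise resolver, or None if it is allowed."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if not is_internal(src):
        return None  # only police our own clients
    if dst in ENTERPRISE_RESOLVERS:
        return None  # plaintext, DoT or DoH to the sanctioned resolver is fine
    if flow.dport == 53:
        return "plaintext DNS to non-enterprise resolver"
    if flow.proto == "tcp" and flow.dport == DOT_PORT:
        return "DNS over TLS to external resolver"
    if flow.proto == "tcp" and flow.dport == 443:
        if dst in KNOWN_PUBLIC_DOH:
            return "HTTPS to known public DoH resolver"
        # Only visible with break-and-inspect. The media type is mandated by
        # RFC 8484; "/dns-query" is merely the conventional path.
        if (flow.content_type.lower().startswith(DOH_MEDIA_TYPE)
                or flow.http_path.startswith("/dns-query")):
            return "DoH identified by TLS inspection"
    return None


def find_bypasses(flows) -> List[Tuple[Flow, str]]:
    hits = []
    for f in flows:
        reason = classify(f)
        if reason:
            hits.append((f, reason))
    return hits


# Constructed sample flows (external addresses from RFC 5737 test ranges
# where they are not meant to be real resolvers).
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "10.0.0.53", "udp", 53),                                  # allowed
    Flow("10.1.2.3", "10.0.0.53", "tcp", 443, "/dns-query", DOH_MEDIA_TYPE),  # enterprise DoH
    Flow("10.1.2.4", "8.8.8.8", "udp", 53),                                    # plaintext bypass
    Flow("10.1.2.5", "9.9.9.9", "tcp", 853),                                   # DoT bypass
    Flow("10.1.2.6", "1.1.1.1", "tcp", 443),                                   # DoH, deny-listed IP
    Flow("10.1.2.7", "203.0.113.9", "tcp", 443, "/dns-query", DOH_MEDIA_TYPE), # DoH, unknown IP
    Flow("10.1.2.8", "203.0.113.10", "tcp", 443),                              # ordinary HTTPS
    Flow("198.51.100.7", "8.8.8.8", "udp", 53),                                # not our client
]

if __name__ == "__main__":
    for flow, reason in find_bypasses(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

The inspection rule catches the case the IP deny list cannot: a DoH resolver nobody has listed yet, which is exactly the gap the NSA's break-and-inspect suggestion is meant to close. Hits of that kind should feed back into the deny list. Browser policy is the complementary control; Firefox, for example, turns off its default DoH when the network's resolver answers NXDOMAIN for the canary domain use-application-dns.net, and both Firefox and Chromium-based browsers expose DoH settings through enterprise policy.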

DoH is likely to gain further traction as browser vendors add support. Mozilla enabled DoH by default for US users of Firefox in February 2020, and Microsoft has also tested support in Windows 10.

Last May, the Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) reminded federal CIOs that they were legally required to use its EINSTEIN network security system for resolving DNS queries, even though it did not yet support encrypted requests. CISA later issued a request for information last year to explore upgrading its DNS resolver to support encryption.

DoH isn't the only option for encrypting DNS. DNS over TLS (DoT) wraps DNS queries directly in a Transport Layer Security connection, conventionally on TCP port 853, rather than inside HTTPS.

Oblivious DoH (ODoH), a proposal from Cloudflare, Apple and Fastly, aims to improve privacy by placing a proxy between the client and the resolver: the proxy sees the client's IP address but not the encrypted query, and the resolver sees the query but not who sent it.

The NSA noted that its guidance does not address DNS over TLS or ODoH.

The NSA guidance also did not mention dnscrypt-proxy, a client for the DNSCrypt protocol originally developed at OpenDNS. Its Anonymized DNSCrypt mode relays queries through an intermediate server so that the resolver does not see the client's address, achieving a similar outcome to ODoH.
