NSA issues guidance on encrypted DNS usage

The US National Security Agency warns enterprises not to use third-party DNS resolvers

The logo of the National Security Agency in front of the US flag

The National Security Agency (NSA) has issued guidance for enterprises whose users encrypt their Domain Name System (DNS) requests. It’s advised administrators to block external DNS providers supporting a key encryption standard called DNS over HTTPS (DoH).

DoH encrypts requests made using the DNS protocol, which resolves web addresses to IP addresses, so browsers and other software know where to find them. DNS requests are traditionally unencrypted, meaning anyone snooping on a network connection, like a public Wi-Fi hotspot, could monitor someone's browsing habits and hijack their destinations.

DoH encrypts those requests using the same HTTPS protocol that websites use to encrypt and verify browser sessions, blocking snoopers. However, the NSA warns it can provide a false sense of security. 

For example, it only encrypts the initial request, not the traffic sent afterward, meaning a snooper could still detect the IP addresses a victim is visiting and infer their browsing habits that way. 

The agency also warns that the DNS resolver, which serves the DNS request, still decrypts the request to fulfill it.

There’s another danger in using external DNS resolvers that support DoH, the advisory says. Querying them directly bypasses any protections an enterprise DNS resolver has in place, such as filtering malicious websites.

The NSA suggests companies block unauthorized external DoH resolvers and only use their enterprise DNS resolvers when supporting DoH. It also recommends breaking and inspecting any traffic encrypted using TLS to block unauthorized DoH requests.

DoH is likely to gain more traction thanks to increased support from browser vendors. Mozilla launched default DoH support for US users in February 2020, and Microsoft has also tested support using its Windows 10 client.

Last May, the Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) warned federal CIOs that they were legally bound to use its internal EINSTEIN network security system for resolving DNS queries, even though it didn’t yet support encrypted requests. However, CISA issued a request for information last year to explore an upgrade to its DNS resolver, which would support DNS encryption.

DoH isn't the only DNS encryption option available. Another, called DNS over TLS, uses the Transport Layer Security mechanism to encrypt DNS requests. 

Oblivious DoH (ODoH), another standard proposed by CloudFlare and Apple, would improve security by introducing a proxy between the client and the resolver to obfuscate request traffic. 

The NSA noted that it didn’t address DNS over TLS or ODoH in its guidance. 

The NSA guidance failed to mention another technology, dnscrypt-proxy. Dnscrypt-proxy is based on the OpenDNS-developed dnscrypt encryption technology, which achieves similar outcomes to ODoH.

Featured Resources

How to be an MSP: Seven steps to success

Building your business from the ground up

Download now

The smart buyer’s guide to flash

Find out whether flash storage is right for your business

Download now

How MSPs build outperforming sales teams

The definitive guide to sales

Download now

The business guide to ransomware

Everything you need to know to keep your company afloat

Download now

Recommended

JEDI contract's future becomes murky after AWS court win
Policy & legislation

JEDI contract's future becomes murky after AWS court win

11 May 2021
Tech giants lobby US to fund chip production
Hardware

Tech giants lobby US to fund chip production

11 May 2021
Most comments in FCC net neutrality consultation were reportedly fake
Policy & legislation

Most comments in FCC net neutrality consultation were reportedly fake

7 May 2021
Defense Dept. expands vulnerability disclosure program to all publicly accessible defense systems
ethical hacking

Defense Dept. expands vulnerability disclosure program to all publicly accessible defense systems

5 May 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

30 Apr 2021