Dark Reading is part of the Informa Tech Division of Informa PLC


Vulnerabilities / Threats

10:00 AM
Jamie Brim

A Security Practitioner's Guide to Encrypted DNS

Best practices for a shifting visibility landscape.

The Domain Name System, or DNS, is the Internet's directory service. It points you where you want to go, mapping human-readable names like darkreading.com to the machine-routable IP addresses that packets are actually delivered to.

The original DNS protocol, however, provides neither confidentiality nor integrity. Queries and responses travel in cleartext and unauthenticated, so an attacker with network access can read your queries to profile your activity, or forge responses to send you somewhere you don't want to go, such as a phishing page or an exploit kit. (DNSSEC addresses the forgery problem with signed records, but it does nothing to hide the queries themselves.) The security community has made several attempts to encrypt DNS traffic; the latest, and the ones now shipping in mainstream browsers and operating systems, are DNS over TLS (DoT, RFC 7858) and DNS over HTTPS (DoH, RFC 8484).


Adversaries depend on DNS like everyone else. Rather than hard-coding IP addresses for their command-and-control infrastructure, they register purpose-specific domains so they can repoint traffic to new servers as infrastructure gets burned or blocked. Because of this, security teams want to inspect DNS traffic for threat-intelligence matches, log it, and "sinkhole" malicious domains by rewriting the responses for incident response. From the protocol's point of view, those are exactly the on-path observation and response tampering that encrypted DNS is designed to defeat.

As encrypted DNS rolls out to end users, the usual incident-response toolkit stops working for any user whose DNS traffic is encrypted end to end from their device to an external resolver. Security teams are left with a choice: block all encrypted DNS, which strips the protection encryption was meant to provide, or let it through and accept unmonitored, uncontrolled name resolution flowing across their networks. Blocking it also creates tension between end users, who see encrypted DNS as a privacy feature, and the security team that disabled it.

With DoT, standard DNS messages are carried directly inside a TLS session on TCP port 853. Because that port is dedicated to DNS, security teams can identify DoT sessions to public resolvers immediately and block them if they need to, with the user/security tension described above. Adversaries may run "off-port" DoT servers, but those stand out as TLS connections on ports where no TLS is expected. With DoH, the same DNS messages are wrapped in HTTPS requests and sent to a resolver on port 443, the same port as all other web traffic. Sessions to public DoH resolvers can usually be identified by the hostname the client sends in the TLS handshake (the Server Name Indication, which is still cleartext unless Encrypted Client Hello is in use), but DoH is just another form of HTTPS: a private resolver on an unremarkable hostname blends into the enormous volume of HTTPS crossing a typical network and cannot be picked out without TLS inspection.
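The following is an added example, not code from the article, showing what the two transports actually carry. It builds a standard DNS query in wire format and then applies the DoT framing (a two-byte length prefix, as for DNS over TCP) and the two DoH encodings (a base64url `dns=` query parameter on a GET, or the raw message as a POST body with the `application/dns-message` content type). Knowing this layout is what lets you recognise a DoH request when you do see the plaintext, for example in a TLS-inspecting proxy log. The resolver hostname is an assumed placeholder and nothing here touches the network.

```python
"""Added example (not from the article): the wire format carried by DoT and DoH."""
import base64
import struct

DOH_RESOLVER = "doh.example"   # assumed hostname for the example, not a real resolver
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode 'darkreading.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """12-byte DNS header plus one question. RFC 8484 recommends txid 0 for DoH
    so identical queries produce identical, cacheable URLs."""
    flags = 0x0100                                   # RD: recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def dot_frame(msg: bytes) -> bytes:
    """DoT (RFC 7858): same framing as DNS over TCP, 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_request(msg: bytes, host: str = DOH_RESOLVER) -> str:
    """DoH GET (RFC 8484): base64url without '=' padding in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return (f"GET /dns-query?dns={b64} HTTP/1.1\r\n"
            f"Host: {host}\r\nAccept: application/dns-message\r\n\r\n")


def doh_post_request(msg: bytes, host: str = DOH_RESOLVER) -> bytes:
    """DoH POST: the raw wire-format message is the HTTP body."""
    head = (f"POST /dns-query HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: application/dns-message\r\n"
            f"Content-Length: {len(msg)}\r\n\r\n").encode("ascii")
    return head + msg


def decode_doh_param(param: str) -> bytes:
    """Reverse the ?dns= encoding by restoring the stripped padding."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def parse_question(msg: bytes) -> tuple:
    """Decode the first question (name, qtype) from a wire-format message."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        ln = msg[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:          # compression pointers never appear in a question we built
            raise ValueError("unexpected compression pointer")
        labels.append(msg[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return ".".join(labels), qtype


if __name__ == "__main__":
    q = build_query("darkreading.com")
    print("DoT length prefix:", dot_frame(q)[:2].hex())
    print(doh_get_request(q).splitlines()[0])
    print("decoded question:", parse_question(q))
```

The GET form is what shows up as a `?dns=` parameter in proxy logs; the POST form is identified only by its content type, so a logging proxy that records `Content-Type` will catch it while one that records URLs alone will not.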

Adversaries have always used encrypted traffic to hide in plain sight, and DoH is just the latest example: A Kaspersky malware analyst recently identified that the Iranian hacker group Oilrig (aka APT34) used DoH as an exfiltration channel, moving stolen data out of victim networks inside what looked like ordinary HTTPS to avoid detection.

Steps to Take
So, as a network defender and/or IT leader, what can you do? One approach is to block end users from establishing end-to-end encrypted DNS sessions with external resolvers (outbound port 853, plus the known public DoH endpoints) and to configure your endpoints to use internal resolvers. You can even run an internal DoH resolver for endpoints to use, and have it, in turn, use encrypted DNS to secure its own communications with external resolvers. This keeps visibility and response capability with your security team, while still protecting your users' DNS traffic from eavesdropping or tampering on the wire, both inside the network and on its way out.

A number of companies are developing tools that detect DoH sessions to public encrypted resolvers. In the near future, we expect to see solutions that flag private encrypted resolvers as well. With these capabilities, teams can monitor traffic for suspicious activity more effectively: If you find sessions to encrypted DNS servers you don't recognise, take a closer look to determine whether they are legitimate.
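As an added example of the detection logic the two preceding paragraphs call for (it is not the article's code, nor any vendor's product), the script below triages connection metadata of the kind a network sensor already produces: port 853 TLS flags DoT, TLS on 443 whose Server Name Indication matches a watch list of public resolvers flags DoH, TLS on an unexpected port flags the "unknown TLS" case, and plaintext DNS to anything other than the sanctioned internal resolver flags a policy bypass. The record shape is Zeek-like but assumed, the sample records are constructed rather than captured, and the internal resolver address, the sanctioned internal DoH hostname and the public-resolver watch list are all assumptions for the example.

```python
"""Added example (not from the article): triage of encrypted-DNS traffic from
connection metadata. Record fields, addresses and hostnames are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed policy: the only sanctioned plaintext resolver is the internal one.
INTERNAL_RESOLVERS = {"10.0.0.53"}
# Assumed internal DoH front end (the "internal DoH resolver" the article suggests).
SANCTIONED_DOH_SNI = {"doh.corp.example"}
# Illustrative watch list of public DoH/DoT endpoints; a real deployment
# would maintain this from threat intelligence and vendor feeds.
PUBLIC_ENCRYPTED_DNS_SNI = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}


@dataclass(frozen=True)
class Conn:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str           # "tcp" or "udp"
    service: str         # Zeek-style: "dns", "ssl", "http", "-" when unknown
    sni: str = "-"       # TLS server_name from the handshake, "-" if absent


def classify(c: Conn) -> Optional[str]:
    """Return a finding label, or None when the connection is unremarkable."""
    # Plaintext DNS that bypasses the internal resolver: a policy violation,
    # and eavesdroppable, which is the problem encrypted DNS set out to fix.
    if c.dport == 53 and c.dst not in INTERNAL_RESOLVERS:
        return "plaintext-dns-bypass"
    # DoT uses a dedicated port (853), so it is trivially identifiable.
    if c.dport == 853 and c.service == "ssl":
        return "dot-external"
    if c.dport == 443 and c.service == "ssl":
        if c.sni in SANCTIONED_DOH_SNI:
            return None                          # our own DoH front end
        if c.sni in PUBLIC_ENCRYPTED_DNS_SNI:
            return "doh-public-resolver"
        if c.sni == "-":
            # No SNI (or Encrypted Client Hello): DoH cannot be told apart
            # from other HTTPS here, so this is only a lead, not a verdict.
            return "https-no-sni"
        return None   # ordinary HTTPS; DoH to a private resolver is invisible here
    # TLS on a port that is neither 443 nor 853: the article's "unknown TLS"
    if c.service == "ssl":
        return "tls-nonstandard-port"
    return None


def triage(conns: List[Conn]) -> Dict[str, List[Conn]]:
    """Group connections by finding label, dropping the unremarkable ones."""
    out: Dict[str, List[Conn]] = {}
    for c in conns:
        label = classify(c)
        if label:
            out.setdefault(label, []).append(c)
    return out


# Constructed sample records (documentation-range addresses, not captured traffic).
SAMPLE = [
    Conn(1.0, "10.1.2.10", "10.0.0.53", 53, "udp", "dns"),
    Conn(2.0, "10.1.2.11", "192.0.2.53", 53, "udp", "dns"),
    Conn(3.0, "10.1.2.12", "192.0.2.9", 853, "tcp", "ssl", "dns.quad9.net"),
    Conn(4.0, "10.1.2.13", "198.51.100.1", 443, "tcp", "ssl", "cloudflare-dns.com"),
    Conn(5.0, "10.1.2.13", "10.0.0.80", 443, "tcp", "ssl", "doh.corp.example"),
    Conn(6.0, "10.1.2.14", "203.0.113.7", 443, "tcp", "ssl", "-"),
    Conn(7.0, "10.1.2.15", "198.51.100.9", 8443, "tcp", "ssl", "-"),
    Conn(8.0, "10.1.2.16", "198.51.100.2", 443, "tcp", "ssl", "www.example.com"),
]

if __name__ == "__main__":
    for label, hits in sorted(triage(SAMPLE).items()):
        for c in hits:
            print(f"{label:22} {c.src} -> {c.dst}:{c.dport} sni={c.sni}")
```

The `https-no-sni` and `tls-nonstandard-port` labels are deliberately leads rather than alerts: they are where an off-port DoT server or a DoH resolver behind Encrypted Client Hello would land, and they need the volume, timing and peer-reputation context the metadata alone does not give.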

Jamie Brim's first computer was a Tandy 1000. He studied Computer Science and Economics at Brown before dropping out junior year to pursue a startup. Several years and broken dreams later, Jamie spent the next 10 years building out infrastructure and security for companies ...
