Dark Reading is part of the Informa Tech Division of Informa PLC



Jamie Brim

A Security Practitioner's Guide to Encrypted DNS

Best practices for a shifting visibility landscape.

The Domain Name System, or DNS, is the Internet's directory system. It points you where you want to go, mapping human-readable names like darkreading.com to machine-routable addresses such as

The original DNS protocol, however, is fundamentally insecure. Among other issues, the cleartext nature of the DNS protocol means that attackers with network access can intercept DNS queries to spy on your activity or forge responses to send you to a site where you don't want to go, such as a phishing page or an exploit kit. The security community has made a few efforts to encrypt DNS traffic to address this issue, the latest of which are DNS over HTTPS (DoH) and DNS over TLS (DoT).


Adversaries use DNS like everyone else. Rather than hardcoding IP addresses for their command-and-control infrastructure, they often register purpose-specific domains so they can redirect traffic as it suits their needs. Because of this, security teams want to monitor DNS traffic for threat intelligence hits, log it, and "sinkhole" domains (rewrite responses) for incident response purposes — the very behaviors that encrypted DNS is designed to prevent.

As encrypted DNS rolls out to end users, security teams' usual toolkits for incident response will no longer work for users encrypting their DNS traffic end to end. Security teams are left with the choice of blocking all encrypted DNS (which removes the protections from encryption) or letting it pass and allowing unmonitored and uncontrolled DNS traffic to flow through their networks. Blocking traffic can cause tension between end users and security team members.

With DoT, DNS queries and answers are conducted directly using Transport Layer Security (TLS). Because public DNS over TLS resolvers use a distinct port (853), security teams can quickly identify them and block them if necessary, potentially leading to end user/security team tension as mentioned above. Adversaries may run "off-port" DoT servers, but these may be suspicious as they will appear as unknown TLS connections. With DoH, DNS queries are wrapped in HTTPS requests and sent to DoH resolvers running on port 443. Public resolvers can be identified by hostnames present in the TLS exchange, but DoH is just another form of HTTPS, so it can blend in with the enormous volume of other HTTPS traffic traversing a typical network.

Adversaries have always used encrypted traffic to hide in plain sight, and DoH is just the latest example: A Kaspersky malware analyst recently identified that an Iranian hacker group named Oilrig (aka APT34) weaponized DoH to silently exfiltrate data from networks in order to avoid detection while moving the stolen data.

Steps to Take
So, as a network defender and/or IT leader, what can you do? One approach is to block end users from establishing end-to-end encrypted DNS traffic with external resolvers, and configure your endpoints to use internal resolvers. You can even provide an internal DoH resolver for endpoints to use, and have those resolvers, in turn, use encrypted DNS to secure their own communications with external resolvers. This will provide visibility and response capability to your security team, while still protecting your users' DNS traffic from eavesdropping or tampering.
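An internal resolver of the kind described here (endpoints talk to it, it logs and can rewrite answers, and it uses encrypted DNS upstream) can be built with Unbound. The configuration below is an added example, not from the article; the address range, file paths, the sinkholed domain and the choice of Quad9 as the upstream are placeholder assumptions. The `forward-tls-upstream` and `tls-cert-bundle` options make the resolver authenticate and encrypt its own upstream queries; `local-zone ... redirect` with `local-data` is Unbound's mechanism for rewriting responses.

```conf
# Internal resolver for an office network (added example; placeholder values).
server:
    # Plain DNS on 53, DoT on 853 and DoH on 443 for endpoints.
    interface: 0.0.0.0
    interface: 0.0.0.0@853
    interface: 0.0.0.0@443
    tls-port: 853
    https-port: 443
    tls-service-key: "/etc/unbound/resolver.key"   # placeholder path
    tls-service-pem: "/etc/unbound/resolver.pem"   # placeholder path
    access-control: 10.0.0.0/8 allow               # placeholder office range

    # Keep query logging so the security team retains visibility.
    log-queries: yes
    logfile: "/var/log/unbound.log"

    # Sinkhole a domain by rewriting its answer (constructed IoC).
    local-zone: "malicious.example." redirect
    local-data: "malicious.example. A 10.0.0.250"

    # CA bundle used to verify the upstream DoT server's certificate.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Send everything upstream over DoT, authenticating the server name.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
```

With this in place, the remaining step from the text is egress policy: permit outbound 853/443 to DNS resolvers only from this host, so endpoints cannot bypass it with their own DoT or DoH settings.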

A number of companies are developing tools that enable teams to detect DoH traffic going to public encrypted resolvers. In the near future, we expect to see solutions that detect private encrypted resolvers as well. With these capabilities, teams can monitor traffic for suspicious activity more effectively: If you find traffic to unknown encrypted DNS servers, you may want to take a closer look to determine whether it's legitimate.
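The identification rules described above (DoT on port 853, public DoH resolvers recognized by the server name in the TLS exchange, and "off-port" TLS connections that deserve a closer look) can be expressed as a small triage script over connection records. The following is an added example, not code from the article or its author: it parses constructed log lines in a simple key=value format, classifies each flow, and groups destinations by category. The resolver hostnames, the internal resolver address 10.0.0.53, and the log format are assumptions for the illustration; a real deployment would feed it from a flow or TLS log and maintain the resolver list from a vendor or threat-intel feed.

```python
"""Triage connection records for encrypted-DNS use (added example, not from the article)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of public resolver server names seen in the TLS ClientHello.
# A production list would be larger and maintained from an external feed.
KNOWN_PUBLIC_DOH_SNI = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}

# Internal resolver(s) the organization operates (placeholder address).
INTERNAL_RESOLVERS = {"10.0.0.53"}


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    tls: bool            # a TLS handshake was observed on this connection
    sni: Optional[str]   # server name from the ClientHello, if any


def classify(flow: Flow) -> str:
    """Apply the article's observations in order of confidence.

    - traffic to the internal resolver is expected;
    - TLS to port 853 on an external host is DoT, easy to spot by port;
    - TLS to 443 with a known public resolver name is DoH to a public resolver;
    - TLS on a port that is neither 443 nor 853 is an unknown TLS connection
      that may be an off-port DoT server and merits review;
    - anything else is indistinguishable from ordinary HTTPS with these rules.
    """
    if flow.dst_ip in INTERNAL_RESOLVERS:
        return "internal-resolver"
    if flow.tls and flow.dst_port == 853:
        return "dot-external"
    if flow.tls and flow.dst_port == 443 and flow.sni in KNOWN_PUBLIC_DOH_SNI:
        return "doh-public"
    if flow.tls and flow.dst_port not in (443, 853):
        return "tls-offport-review"
    return "other"


def parse_line(line: str) -> Flow:
    """Parse one constructed 'key=value ...' record; '-' means no SNI."""
    fields = dict(token.split("=", 1) for token in line.split())
    sni = fields.get("sni", "-")
    return Flow(
        src_ip=fields["src"],
        dst_ip=fields["dst"],
        dst_port=int(fields["dport"]),
        tls=fields.get("tls", "0") == "1",
        sni=None if sni == "-" else sni,
    )


def triage(log_text: str) -> Dict[str, List[str]]:
    """Group destination addresses by category for a block of log lines."""
    result: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_line(line)
        result.setdefault(classify(flow), []).append(flow.dst_ip)
    return result


# Constructed sample records (documentation/TEST-NET addresses, not real traffic).
SAMPLE_LOG = """\
src=10.1.1.5 dst=10.0.0.53 dport=53 tls=0 sni=-
src=10.1.1.6 dst=9.9.9.9 dport=853 tls=1 sni=dns.quad9.net
src=10.1.1.7 dst=1.1.1.1 dport=443 tls=1 sni=cloudflare-dns.com
src=10.1.1.8 dst=203.0.113.7 dport=8443 tls=1 sni=-
src=10.1.1.9 dst=198.51.100.2 dport=443 tls=1 sni=www.example.com
"""

if __name__ == "__main__":
    for category, destinations in sorted(triage(SAMPLE_LOG).items()):
        print(f"{category:22s} {', '.join(destinations)}")
```

The last sample line is the important caveat: a DoH server with an unfamiliar hostname on port 443 lands in "other" alongside every other HTTPS connection, which is exactly the blind spot the article describes and the reason internal resolvers plus egress policy, rather than detection alone, are the recommended approach.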

Jamie Brim's first computer was a Tandy 1000. He studied Computer Science and Economics at Brown before dropping out junior year to pursue a startup. Several years and broken dreams later, Jamie spent the next 10 years building out infrastructure and security for companies ...
