The Domain Name System, or DNS, is the Internet's directory system. It points you where you want to go, mapping human-readable names like darkreading.com to machine-routable addresses such as 22.214.171.124.
The original DNS protocol, however, is fundamentally insecure. Among other issues, the cleartext nature of the DNS protocol means that attackers with network access can intercept DNS queries to spy on your activity or forge responses to send you to a site where you don't want to go, such as a phishing page or an exploit kit. The security community has made a few efforts to encrypt DNS traffic to address this issue, the latest of which are DNS over HTTPS (DoH) and DNS over TLS (DoT).
Adversaries leverage the DNS system like everyone else. Instead of hardcoding IP addresses for their command-and-control infrastructure, they often leverage purpose-specific domains to allow them to shift traffic as it suits their needs. Because of this, teams often want to monitor DNS traffic for threat intelligence hits, log it, and "sinkhole" domains (rewrite responses) for incident response purposes — the very behaviors that encrypted DNS is intended to prevent.
As encrypted DNS rolls out to end users, security teams' usual toolkits for incident response will no longer work for users encrypting their DNS traffic end to end. Security teams are left with the choice of blocking all encrypted DNS (which removes the protections from encryption) or letting it pass and allowing unmonitored and uncontrolled DNS traffic to flow through their networks. Blocking traffic can cause tension between end users and security team members.
With DoT, DNS queries and answers are conducted directly using Transport Layer Security (TLS). Because public DNS over TLS resolvers use a distinct port (853), security teams can quickly identify them and block them if necessary, potentially leading to end user/security team tension as mentioned above. Adversaries may run "off-port" DoT servers, but these may be suspicious as they will appear as unknown TLS connections. With DoH, DNS queries are wrapped in HTTPS requests and sent to DoH resolvers running on port 443. Public resolvers can be identified by hostnames present in the TLS exchange, but DoH is just another form of HTTPS, so it can blend in with the enormous volume of other HTTPS traffic traversing a typical network.
Adversaries have always used encrypted traffic to hide in plain sight, and DoH is just the latest example: A Kaspersky malware analyst recently identified that an Iranian hacker group named Oilrig (aka APT34) weaponized DoH to silently exfiltrate data from networks in order to avoid detection while moving the stolen data.
Steps to Take
So, as a network defender and/or IT leader, what can you do? One approach is to block end users from establishing end-to-end encrypted DNS traffic with external resolvers, and configure your endpoints to use internal resolvers. You can even provide an internal DoH resolver for endpoints to use, and have those resolvers, in turn, use encrypted DNS to secure their own communications with external resolvers. This will provide visibility and response capability to your security team, while still protecting your users' DNS traffic from eavesdropping or tampering.
A number of companies are developing tools that enable teams to detect DoH traffic as it comes in from public encrypted resolvers. In the near future, we expect to see solutions that will detect private encrypted resolvers as well. With these capabilities, teams can more effectively monitor traffic for suspicious activity: If you find the traffic to unknown encrypted DNS servers, then you may want to take a closer look to determine whether it's legitimate.