Enabling DNS over HTTPS (DoH) with Thunder CFW
Encryption is the foundation for securing data on the internet. Encrypted HTTP (HTTPS) has one of the largest shares of traffic on the internet today and is now the de facto standard.
Domain Name Server (DNS) traffic, however, has been a clear-pass unencrypted channel on the internet. DNS, defined in the simplest terms, is used to resolve the address of an application on the internet. When the DNS traffic is unencrypted, it is vulnerable to manipulation and privacy exploitation via eavesdropping. Imagine driving an autonomous car and all your neighbors have visibility into and control over your destination.
What is DNS Over HTTPS?
DNS over HTTPS (DoH) enables additional layers of security for DNS traffic. It uses widely adopted technologies like HTTP and Transport Layer Security (TLS) to securely encrypt and transport DNS queries and to pass more control to the applications. DoH for Google Chrome is enabled, and Microsoft announced Windows 10 support in late 2019.
The challenge for service providers: retaining service offerings and compliance with DoH
Image source: Potential ISP Challenges with DNS over HTTPS
Adopting DNS over HTTPS (DoH) will allow service providers to continue offering critical cyber security services like malware detection, parental control, and compliance with law enforcement. A10 Networks has been collaborating with large service providers to develop and deploy a native DNS over HTTPS (DoH) capability, based on a proposed standard published as RFC 8484 by the Internet Engineering Task Force (IETF).
A10 Networks’ Thunder® CFW DoH capability provides:
- Investment Protection – DNS infrastructure is arguably the most critical component for operators. It is designed to handle a large volume of traffic and is often the target of ongoing attacks. The A10 Thunder CFW DoH capability is designed to protect the existing infrastructure investment for carriers and service providers. The existing DNS infrastructure solution components remain unchanged, and the secure connectivity and protocol translation are handled natively by Thunder CFW. Thunder CFW also includes multiple secure application services, including full ADC functionality, as part of the A10 Orion 5G Security Suite.
- Scale and Performance – The DoH encryption enabled by TLS (Transport Layer Security) further requires additional performance on the DNS infrastructure. A10 Thunder is designed for the scale and performance required for high-volume DoH traffic. The encrypted DNS queries can be handled at scale by using built-in advanced hardware acceleration capabilities for industry-leading performance in DNS queries per second (QPS) for DoH traffic.
- Security and Visibility – Thunder CFW provides secure application services to protect DNS infrastructure from multiple attack vectors, these are extended with the DoH capability. Organizations can combine multiple services as required. For example, DNS application firewall, DNS request and query-rate limiting, DNS flood protection, DNS caching and more to improve the security, availability and performance of DNS infrastructure.