Strengthening DNS Security with DNS over HTTPS (DoH)
The Domain Name System (DNS) is critical to the functioning of the internet. The protocol was created more than 30 years ago to replace the process of manually updating lists of servers (IP addresses) on the internet/Arpanet. DNS has become increasingly vulnerable to a host of malicious attacks on networks and subscribers. Over the years, the industry has responded to these growing concerns with several security enhancements — the most recently proposed standard is DNS over HTTPS (DoH).
What is the Domain Name System and How Does it Work?
Think of DNS as an address book that translates the IP address of every destination into a domain name that can be easily remembered. A DNS query is how every web session is initiated. If the query fails, users can’t get to the sites they’re attempting to access. Everyone has a stake in the proper functioning of DNS.
For service providers, the security, speed, and reliability of their service depends upon the proper execution of DNS queries. For enterprises, mission-critical operations and online commerce depend on the ability of customers and employees to find and access whatever they’re looking for. Everyday web surfers just want to get where their online browsing takes them — quickly and securely.
The Domain Name System was not Designed for Security
DNS was ratified as a standard internet protocol in 1983, when there was little concern about security and DNS attacks — that is, well before the appearance of the types of malicious cybercriminals we see today. The protocol has no built-in security or encryption and is transmitted in clear text that can be easily intercepted and spoofed to launch DNS attacks. As the disruption of DNS queries presents a single point of failure for network services and applications, DNS has become a common attack vector for cybercriminals.
A typical DNS query starts when a user, seeking to access a particular website, sends a DNS query via his or her device to the recursive DNS sever of a local ISP. The ISP then queries an authoritative DNS server to locate the IP address of the requested website. This entire process is transmitted, as noted, with little or no security. And, thus, the industry has recognized the need for a better way to secure the process of DNS resolution.
DNS over HTTPS: A New Way to Enhance DNS Security Solutions and User Privacy
Enter DNS over HTTPS (DoH), a recently drafted standard that changes how the DNS resolving process works. DoH only addresses the initial connection between a device and the local DNS resolver (i.e., the so-called “last mile”). It provides an option to encrypt the transmission of DNS queries, making them indistinguishable from HTTPS.
However, the rest of the query chain between the resolving DNS server and authoritative servers is not addressed. Rather, DoH focuses narrowly on DNS hijacking and the malicious activities derived from manipulating, redirecting, or impairing the queries that leave DNS resolution vulnerable to several types of DNS attacks.
How to mitigate these attack vulnerabilities is currently a hotly debated topic. Nevertheless, because of growing concerns about privacy and DNS security in today’s COVID-19-impacted, increasingly remote workforce, we believe that DoH will follow a pattern similar to that of HTTPS and see accelerated adoption by the industry. HTTPS was created in 1994 and formally specified in 2000. After the Edward Snowden leaks of highly classified intelligence in 2013, the use of HTTPS ramped up to where it is now with 80+ percent of web pages using the protocol.
At Stake: Who Gets to Resolve DNS Queries?
Initially proposed by the Internet Engineering Task Force (IETF) in late 2018, DNS over HTTPS (DoH) soon gave rise to a turf war. Traditionally, DNS has been resolved at the OS level, but initial DoH implementations from Mozilla and Google have been at the application level. That changes how DNS gets resolved and therefore who gets to resolve it.
For ISPs, DoH puts them at risk of being cut out of the resolution process by third-party DNS providers, where their subscribers can potentially be impacted. Many value-added services (e.g., parental controls and anti-malware) that subscribers pay for depend upon being able to see DNS queries. Additionally, service providers fear losing control of service quality as increased latency may result from using a different DNS resolver. Responses to law enforcement requests may also be impaired.
As for subscribers, they just want their communications to be secured and shielded from DNS attacks, and DoH does appear to address their long-standing concerns about malware, intrusions, data theft, and privacy.
A10’s DNS over HTTPS Solution
The DNS over HTTPS standard is still in draft form. It’s early in the process, but discussions are ongoing and the industry is responding rapidly. At A10 Networks, we believe that most operators will eventually offer DoH as an option. Accordingly, A10 has developed a DNS security solution using our carrier-grade Thunder® Convergent Firewall (CFW) that allows ISPs to do so without disrupting their existing DNS infrastructure or investments.
Our DNS security solution was recently selected by a tier-one operator in the Americas looking to ensure that it could continue to be meet its subscribers’ needs as the DNS standard evolves and protect against DNS attacks.
Tier-1 Cable Provider Protects Subscriber Privacy with Encrypted DNS at Scale
The solution helps the carrier ensure the continuity of its existing value-added services and maintain control of service quality. In addition, A10’s DNS over HTTPS solution helps cut costs and minimizes the impact to existing DNS infrastructures. Implemented in front of DNS servers, A10’s solution protects DNS investments while ensuring high performance and low latency. Read the case study to see how A10’s customer deployed a encrypted DNS protocol to protect its subscribers’ privacy and security.