Arthur T Knackerbracket has processed the following story:
DNS over HTTPS is a new protocol that protects domain-lookup traffic from eavesdropping and manipulation by malicious parties. Rather than an end-user device communicating with a DNS server over a plaintext channel—as DNS has done for more than three decades—DoH, as DNS over HTTPS is known, encrypts requests and responses using the same encryption websites rely on to send and receive HTTPS traffic.
Using DoH or a similar protocol known as DoT—short for DNS over TLS—is a no brainer in 2021, since DNS traffic can be every bit as sensitive as any other data sent over the Internet. On Thursday, however, the National Security Agency said in some cases Fortune 500 companies, large government agencies, and other enterprise users are better off not using it. The reason: the same encryption that thwarts malicious third parties can hamper engineers’ efforts to secure their networks.
“DoH provides the benefit of encrypted DNS transactions, but it can also bring issues to enterprises, including a false sense of security, bypassing of DNS monitoring and protections, concerns for internal network configurations and information, and exploitation of upstream DNS traffic,” NSA officials wrote in published recommendations. “In some cases, individual client applications may enable DoH using external resolvers, causing some of these issues automatically.”
[...] The answer, Thursday’s recommendations said, is for enterprises wanting DoH to rely on their own DoH-enabled resolvers, which besides decrypting the request and returning an answer also provide inspection, logging, and other protections.
The recommendations go on to say that enterprises should configure network security devices to block all known external DoH servers. Blocking outgoing DoT traffic is more straightforward, since it always travels on port 853, which enterprises can block wholesale. That option isn’t available for curbing outgoing DoH traffic because it uses port 443, which can’t be blocked.
(Score: 5, Insightful) by unauthorized on Saturday January 16 2021, @05:17AM (18 children)
Encryption is bad because the user is in control over their traffic and the powers that be cannot spy or regulate it as easily as unmasked traffic.
In other words, encryption works and we need to rely less on predefined ports as that is a known attack vector for censorious authoritarian dirtbags. Good to know, thanks NSA.
(Score: 1, Funny) by Anonymous Coward on Saturday January 16 2021, @06:43AM (2 children)
If it saves one life, banning encryption is worth it, and if you disagree you're a right wing terrorist.
(Score: 1, Insightful) by Anonymous Coward on Saturday January 16 2021, @07:51AM (1 child)
(Score: 1, Informative) by Anonymous Coward on Saturday January 16 2021, @09:13AM
Cost-benefit analyses are for Republicans.
(Score: 5, Insightful) by maxwell demon on Saturday January 16 2021, @09:10AM (11 children)
In a company, it is reasonable for the company to want to be in control of the destinations of traffic from their network. If you want to connect to sites which you don't want the company to know about, just do it from home, or use your phone's internet connection instead of the company network.
Now if ISPs start to block traffic to resolvers other than their own, that would be a different matter, but that's not what the summary is talking about.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by hash14 on Saturday January 16 2021, @03:46PM
I'm not saying whether I'm in favour of DoH/DoT or not. But I do think that solutions like this have always been precarious because of how they depended on DNS being unencrypted when there was no guarantee that it would be beyond the "well, it has always been done that way" rationale. I suppose you could always argue of course that it was the best solution when there were no real good ones, but that's how these situations always end up.
In fact, given how much ISPs love interfering with DNS requests (for multiple decades!), I'm frankly surprised that it took so long for this technology to be established.
(Score: 3, Informative) by unauthorized on Saturday January 16 2021, @03:54PM (9 children)
You can already control outgoing traffic via blocking network addresses. Personally I don't think anyone who provides "internet access" should be able to block IP addresses, but that's a whole 'nother debate.
DNS traffic however is private communication and not something you have any right to look into. Just because you've been tasked to deliver packets that doesn't make it okay to read people's messages.
If you're providing an internet service to a user you're an ISP.
(Score: 4, Insightful) by fakefuck39 on Saturday January 16 2021, @05:59PM
But no one is talking about the ISP here. They're talking about a laptop given to you and owned by the company, and your "ISP" is your employer. It's their property, it's their laptop, they can install a keylogger on it if they want.
DNS traffic, or any traffic, on a private company's network is not a "private communication" - they have full right to read any packet, and even install a certificate on their computers' root store to decrypt the traffic to and from their computer.
The company is not "tasked to deliver packets." You are tasked with a job, and anything related to that job, on company equipment, belongs to the company, not to you.
>If you're providing an internet service to a user you're an ISP
Why, because you said so? The company is providing limited, filtered, and monitored internet service, for company business. If you don't like the job, don't take the job.
(Score: 2) by maxwell demon on Saturday January 16 2021, @08:26PM (5 children)
Your employer isn't providing an internet service to you, it is providing you with the means of doing the work you are paid to do, which in modern times usually includes access to the internet. But that access is provided to enable you to do your work, not as a service for you to use however you please.
If you let your friend look up something on the internet using your computer on your home network, are you then also an internet provider for your friend, and have to allow him to do anything he wants on the internet from your computer and network?
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by unauthorized on Saturday January 16 2021, @08:50PM (4 children)
Of course not. You can stop your friend from using your computer at any point; however, if your friend was to message someone without your consent, that doesn't entitle you to later use his cached login in order to read the contents of his communications. You can close the app, delete the app, ban your friend from using your computer or even from entering your residence, but you cannot read his messages. If someone authors a message and seals it from your eyes, you are not allowed to look in even if they did it using your property and by violating the terms under which you provided them that property. You don't get automatic retroactive rights to every message authored with your tools whenever someone abuses your goodwill.
(Score: 2) by maxwell demon on Saturday January 16 2021, @10:10PM (3 children)
It is news to me that you can use DNS requests to read messages. Are you sure you're not confusing things here?
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by unauthorized on Sunday January 17 2021, @08:26AM (2 children)
No, I'm not. The contents of the DNS request is a message, even if the message is just "hey what's the IP address of hostname X".
(Score: 2) by maxwell demon on Sunday January 17 2021, @06:58PM (1 child)
And the DNS server in your mind is someone? I don't know in which world you live, but in my world, DNS servers tend not to be sentient.
Your attempt to retrofit an “actually intended” interpretation to your prior writing is far too obvious to be successful.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by unauthorized on Monday January 18 2021, @07:52AM
The "someone" is the person forming the DNS request. Whenever an application is directed to communicate with a DNS server on the behest of a user, an implicit DNS message is created. That message contains a statement of intent by the user and therefore a piece of information authored by a sentient being sent to a specific recipient. The response from the DNS server is user-generated data, which you're also not supposed to read without explicit permission.
(Score: 2, Insightful) by Anonymous Coward on Saturday January 16 2021, @09:23PM (1 child)
Except that with the CDN plague, domains Evil and Good could both be served from IPs A and B. So if you disallow A & B, you are unable to contact both domains. Or worse, you disallow all used by Good, but not all used by Evil (now also using C & D, eg), so crap still gets thru.
The issue with DoH is serious, and not just for companies but also home networks. The only safe way will be if everything, including HTTPS and thus the DoH requests, gets thru your systems so you can firewall as you please (PiHole, eg), instead of things sneaking out by other means. But hey, webshitheads only understand HTTP(S), so they never thought about fixing DNS safety and privacy for once. And as the DoH is concentrated in a few services (FF defaults to Cloudflare, IIRC), you start to wonder if the intentions are malicious under a fake "this is safer" facade. They can promise all they want about not storing personal data, but the IP metadata will be known to them and be another part in their data collection.
(Score: 1, Touché) by Anonymous Coward on Sunday January 17 2021, @10:31AM
"Start to wonder"?
I can't imagine how some people haven't already realized this by now, but whatever effect is responsible seems unlikely to end just now and let them wake up.
(Score: 5, Informative) by Anonymous Coward on Saturday January 16 2021, @10:38AM
The problem there is, while I agree with the sentiment of what you're saying, they do have a point. For my network, *I* am that 'censorious authoritarian dirtbag'. I get asked to do a job, block certain shit, so I do, and it's my network, my rules, and I don't appreciate the likes of Google et al trying to bypass my blocks.
My current DNS setup is that all DNS traffic on my network is transparently redirected to my server, and requests are handled by a copy of dnsmasq, which, in turn, hands over requests to dnscache which talks to external DNS.
Dnsmasq is set up as the primary nameserver for all my .internal hosts, and, more importantly, runs the shitlist, a whole bunch of hosts and domains which it will resolve to various 127.0.0.X numbers depending on the class of shit they peddle and serve these addresses to my internal hosts rather than their real IP numbers.
So, this works quite happily, has done for a while, all sorts of shit is blocked from getting to my internal boxes...visitors remark on how 'advert free' their browsing has suddenly become etc. etc.
Now despite getting the address of the local DNS set from DHCP, for reasons best known to 'the usual suspects' certain of their applications still try to resolve host names using 8.8.8.8 and pals directly, trying to bypass the DHCP-set resolver, almost as if they had routines which detected interference in their adslinging and tracking and tried rerouting around it. Nice try, and one which would work on a network without any blocking and redirecting going on.
Then, as they started rolling out DoH, the fun and games really started. As a matter of policy, I block as many of the well-known DoH servers out there as possible (there are a couple of handy lists online) at the firewall, and configured the browsers not to use DoH in the vain hope that they would honour the setting. The funniest outcome of that, so far, has been a copy of Opera on a Linux box bleating on about how it can't resolve a host name, just after it tries resolving the host name and gets a 127.0.0.X IP number back from dnsmasq, and how it now wants DoH switched on to resolve the issue. So, the bastards are detecting the blocking and are trying to get around it by bleating DoH bullshit at the users in the hope that they'll persuade me to allow it (hah!), no doubt after surreptitiously switching on DoH to see if they can try getting around it and finding they can't (must set up a test to confirm/deny that).
Mobile phones are currently the biggest PITA, by the looks of it they now default to using DoH, and only when that fails, do they drop to using DNS, which would explain why I keep getting complaints about it taking several attempts to resolve some website names on the phones, but when I check the DNS logs, they only indicate one (successfully answered) query from the device for the relevant host name.
I don't trust the NSA/GCHQ/FSB/whoever; fine, they don't trust me, they don't trust *anybody*, they're professional paranoid bastards, it's their job to be so, but just because I don't trust them it doesn't mean that I should start trusting the likes of Google, Cloudflare and the rest of them. They're not altruists; besides, they're also within the NSA's purview anyway, nice big piles of lovely aggregated and identifiable user data...
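The per-class 127.0.0.X sinkhole the commenter describes, as an added example (not the commenter's actual dnsmasq setup): a longest-suffix policy lookup so subdomains of a listed domain are caught, an exemption for the local .internal zone, the equivalent dnsmasq `address=` directives, and a reverse lookup for reading the logs. All domain names and the class table are constructed placeholders.

```python
# Constructed sample policy: each class of unwanted traffic gets its own
# loopback address, so a 127.0.0.X answer in the logs tells you *why* a
# name was sunk. None of these names is a real blocklist entry.
SINKHOLE_BY_CLASS = {
    "ads": "127.0.0.2",
    "tracking": "127.0.0.3",
    "doh": "127.0.0.4",        # public DoH resolvers, kept from resolving at all
}
BLOCKED_DOMAINS = {            # domain -> class; subdomains inherit the class
    "ads.example": "ads",
    "telemetry.example.org": "tracking",
    "doh.example.net": "doh",
}
LOCAL_ZONE = ".internal"       # answered authoritatively, never sunk


def sinkhole_for(qname):
    """Return the 127.0.0.X address to answer for qname, or None to forward
    the query upstream. Walks the name from longest to shortest suffix, so
    'cdn.ads.example' matches 'ads.example' but 'notads.example' does not
    (suffix match is on whole labels, not on raw string endings)."""
    name = qname.rstrip(".").lower()
    if name.endswith(LOCAL_ZONE):
        return None
    labels = name.split(".")
    for i in range(len(labels)):
        cls = BLOCKED_DOMAINS.get(".".join(labels[i:]))
        if cls is not None:
            return SINKHOLE_BY_CLASS[cls]
    return None


def dnsmasq_lines():
    """Render the policy as dnsmasq 'address=/domain/ip' directives; dnsmasq
    applies such a directive to the domain and every subdomain of it."""
    return sorted("address=/%s/%s" % (d, SINKHOLE_BY_CLASS[c])
                  for d, c in BLOCKED_DOMAINS.items())


def sink_class(answer_ip):
    """Reverse lookup for log review: which class does a 127.0.0.X answer mean?"""
    for cls, addr in SINKHOLE_BY_CLASS.items():
        if addr == answer_ip:
            return cls
    return None
```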
(Score: 0) by Anonymous Coward on Saturday January 16 2021, @12:13PM
Perhaps IPv6 should have included more ports instead of having the same number of ports as IPv4?
(Score: 2) by isostatic on Sunday January 17 2021, @02:57PM
I want to be in control of the traffic in my house because
1) I trust my network far more than I trust my devices (printer, tv dongles, phones, etc).
2) I don't want to reconfigure my devices I do trust when I go to another network.
DoH is an attack on that control
(Score: 4, Interesting) by dltaylor on Saturday January 16 2021, @07:53AM (5 children)
I've run a local DNS on my home network for decades (not ready to spend the configuration time, just yet, to switch it over to HTTPS or TLS), because I make enough requests that it's just more responsive, plus I can have all of my LAN devices accessible by name.
I'm quite surprised that this is not standard practice in all IT departments. A few dozen, or hundred, PCs making DNS requests is more wasted bandwidth than I could ever justify. It's a trivial part of DHCP to provide the servers' addresses, and the "cookbook" for setting up load-sharing and redundancy is so old I think it may be printed on parchment.
(Score: 5, Interesting) by maxwell demon on Saturday January 16 2021, @09:16AM (4 children)
I guess it is standard practice. But it doesn't help if some end user software ignores the OS-wide DNS settings and decides to connect to whatever the software provider decided.
If you are not aware of that, it may even increase your risk, namely if you configured your OS to use a resolver you trust, but the software decides to ignore that and use a compromised resolver instead (remember, the encryption only protects the transport, not the end point).
The Tao of math: The numbers you can count are not the real numbers.
(Score: 3, Interesting) by Anonymous Coward on Saturday January 16 2021, @10:28AM (3 children)
We already block all traffic without a matching DNS request and the DNS requests themselves are monitored for various things. It has already caught a number of things that got through other layers and the various security groups and agencies love the live reports. As expected, it fully neutered the DoH resolvers in testing as well, even without blacklisting the addresses themselves.
(Score: 0) by Anonymous Coward on Saturday January 16 2021, @06:29PM (1 child)
This is quite interesting to me and I would like to hear more about how you are doing this please. I am not a professional network engineer so this is beyond my knowledge right now.
(Score: 0) by Anonymous Coward on Monday January 18 2021, @02:14AM
I'll try to keep it simple and keep in mind I'm describing the outgoing only. Basically we have a blocklist of IPs that are blocked no matter what, a passlist of IPs allowed if the other requirements are met for transit independent of DNS requests, and then all other addresses not in those two which are default deny unless it is in the state table. Then the DNS server feeds data of the results of resolution mappings, this is transformed into a native firewall object, and that mapping added to the firewall atomically until it expires or other conditions are met. That is a rough picture that leaves out a lot but should give you the basic idea.
(Score: 2) by dltaylor on Sunday January 17 2021, @03:48AM
It sounds like there should be a firewall rule for outgoing connection requests something like "if the address is not in my well-controlled DNS cache, drop the request". If the addresses of the DoH and DoT servers are not cached then the requests should already have been dropped, but if one of the server addresses does get cached, I think it will also require port matching. The tricky bit is if the rogue servers (which I consider them all to be) have some sort of REST-style so that their "normal" HTTPS ports are serving DoH/DoT based on the additional info in the initial request.
Does that sound about right?
Seems to me I need to build my own DoH/DoT server(s) on a test LAN and try to make application code get through to them despite an intervening firewall.
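The DNS-gated egress design the Anonymous Coward outlines (blocklist, passlist, default deny, resolver answers turned into expiring firewall objects) together with dltaylor's proposed "not in my DNS cache, drop it" rule, as an added example written for this thread rather than anyone's real firewall. The addresses, the known-DoH name and the TTLs are constructed placeholders; a production version would be driven by the resolver's answer log rather than direct calls.

```python
import time

# Constructed sample policy (TEST-NET addresses), not any commenter's setup.
BLOCKLIST = {"192.0.2.10"}             # denied no matter what
PASSLIST = {"198.51.100.5"}            # allowed with no DNS mapping (e.g. NTP)
KNOWN_DOH_NAMES = {"doh.example.net"}  # external DoH resolvers: never learned
DOT_PORT = 853                         # DNS over TLS always uses port 853


class DnsGatedEgress:
    """Default-deny egress gate: a destination is reachable only while the
    enterprise resolver has recently answered a query for it and that answer's
    TTL has not expired. A client that reaches for an address it never asked
    the resolver about (a hard-coded DoH endpoint, say) finds no mapping."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so TTL expiry is testable
        self._mappings = {}      # dst ip -> (query name, expiry timestamp)

    def learn_answer(self, qname, ip, ttl):
        """Resolver feed: turn one A/AAAA answer into a firewall object.
        Returns False when the name is a known DoH resolver, which is logged
        but deliberately never opens the firewall (dltaylor's 'cached server
        address' concern)."""
        qname = qname.rstrip(".").lower()
        if qname in KNOWN_DOH_NAMES:
            return False
        self._mappings[ip] = (qname, self._now() + ttl)
        return True

    def decide(self, dst_ip, dst_port):
        """Return (verdict, reason) for a new outbound flow, first packet only;
        established flows are assumed to be handled by the state table."""
        if dst_ip in BLOCKLIST:
            return "deny", "blocklist"
        if dst_port == DOT_PORT:
            return "deny", "dot-port-853"   # DoT can be blocked wholesale by port
        if dst_ip in PASSLIST:
            return "allow", "passlist"
        entry = self._mappings.get(dst_ip)
        if entry is None:
            return "deny", "no-dns-mapping"
        qname, expiry = entry
        if self._now() >= expiry:
            del self._mappings[dst_ip]      # TTL ran out: object is withdrawn
            return "deny", "dns-mapping-expired"
        return "allow", "resolved:" + qname
```

The gap dltaylor points at remains visible here: a DoH server that is not on the known-names list and that a client resolved through the enterprise resolver is allowed on port 443 like any other HTTPS destination, so the name list (or inspection at the resolver) is what closes it, not the port.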
(Score: 1, Interesting) by Anonymous Coward on Sunday January 17 2021, @02:38AM (1 child)
Couldn't you just run a non-authoritative DNS server on your enterprise network that uses DoH to communicate with the other DNS servers? Then you'd still have encrypted DNS but you could also easily see what DNS queries were being made and by whom in your logs. Maybe I'm missing something...
(Score: 3, Insightful) by isostatic on Sunday January 17 2021, @02:51PM
The problem with DoH is that it's set at an application level and hard coded.
I as a network operator can't suggest what DNS server to use to a device connecting to my network
I as a network operator and device owner can't intercept traffic from a device I own but don't control
I as an OS operator now have to set DoH on 500 different applications, and change them all depending on what network I'm on
I as an IoT developer now can use easy to use DoH libraries to reduce the control the person buying my device has and don't need to build my own proprietary obscurifier to bypass things like piholes
DoH removes the power from the owners and gives it to the developers.
(Score: 2) by Username on Sunday January 17 2021, @11:01AM
The whole SSL DNS thing was a creation of mozilla and google as a means to ensure revenue by bypassing any kind of ad or tracking blockers. I blocked mozilla's dns bullshit which I call "ad tunnels."