Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 16 submissions in the queue.

The NSA Warns Enterprises to Beware of Third-Party DNS Resolvers

posted by Fnord666 on Saturday January 16 2021, @04:51AM   Printer-friendly
from the don't-talk-to-strangers dept.

Arthur T Knackerbracket has processed the following story:

DNS over HTTPS is a new protocol that protects domain-lookup traffic from eavesdropping and manipulation by malicious parties. Rather than an end-user device communicating with a DNS server over a plaintext channel—as DNS has done for more than three decades—DoH, as DNS over HTTPS is known, encrypts requests and responses using the same encryption websites rely on to send and receive HTTPS traffic.

Using DoH or a similar protocol known as DoT—short for DNS over TLS—is a no brainer in 2021, since DNS traffic can be every bit as sensitive as any other data sent over the Internet. On Thursday, however, the National Security Agency said in some cases Fortune 500 companies, large government agencies, and other enterprise users are better off not using it. The reason: the same encryption that thwarts malicious third parties can hamper engineers’ efforts to secure their networks.

“DoH provides the benefit of encrypted DNS transactions, but it can also bring issues to enterprises, including a false sense of security, bypassing of DNS monitoring and protections, concerns for internal network configurations and information, and exploitation of upstream DNS traffic,” NSA officials wrote in published recommendations. “In some cases, individual client applications may enable DoH using external resolvers, causing some of these issues automatically.”

[...] The answer, Thursday’s recommendations said, are for enterprises wanting DoH to rely on their own DoH-enabled resolvers, which besides decrypting the request and returning an answer also provide inspection, logging, and other protections.

The recommendations go on to say that enterprises should configure network security devices to block all known external DoH servers. Blocking outgoing DoT traffic is more straightforward, since it always travels on port 853, which enterprises can block wholesale. That option isn’t available for curbing outgoing DoH traffic because it uses port 443, which can’t be blocked.

Original Submission

 
This discussion has been archived. No new comments can be posted.
The NSA Warns Enterprises to Beware of Third-Party DNS Resolvers | Log In/Create an Account | Top | 28 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by unauthorized on Monday January 18 2021, @07:52AM

    by unauthorized (3776) on Monday January 18 2021, @07:52AM (#1101920)

    The "someone" is the person forming the DNS request. Whenever an application is directed to communicate with a DNS server on the behest of a user, an implicit DNS message is created. That message contains a statement of intent by the user and therefore a piece of information authored by a sentient being sent to a specific recipient. The response from the DNS server is user-generated data, which you're also not supposed to read without explicit permission.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2