NSA issues guidance on encrypted DNS usage

The US National Security Agency warns enterprises not to use third-party DNS resolvers

The logo of the National Security Agency in front of the US flag

The National Security Agency (NSA) has issued guidance for enterprises whose users encrypt their Domain Name System (DNS) requests. It’s advised administrators to block external DNS providers supporting a key encryption standard called DNS over HTTPS (DoH).

DoH encrypts requests made using the DNS protocol, which resolves web addresses to IP addresses, so browsers and other software know where to find them. DNS requests are traditionally unencrypted, meaning anyone snooping on a network connection, like a public Wi-Fi hotspot, could monitor someone's browsing habits and hijack their destinations.

DoH encrypts those requests using the same HTTPS protocol that websites use to encrypt and verify browser sessions, blocking snoopers. However, the NSA warns it can provide a false sense of security. 

For example, it only encrypts the initial request, not the traffic sent afterward, meaning a snooper could still detect the IP addresses a victim is visiting and infer their browsing habits that way. 

The agency also warns that the DNS resolver, which serves the DNS request, still decrypts the request to fulfill it.

There’s another danger in using external DNS resolvers that support DoH, the advisory says. Querying them directly bypasses any protections an enterprise DNS resolver has in place, such as filtering malicious websites.

The NSA suggests companies block unauthorized external DoH resolvers and only use their enterprise DNS resolvers when supporting DoH. It also recommends breaking and inspecting any traffic encrypted using TLS to block unauthorized DoH requests.

DoH is likely to gain more traction thanks to increased support from browser vendors. Mozilla launched default DoH support for US users in February 2020, and Microsoft has also tested support using its Windows 10 client.

Last May, the Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) warned federal CIOs that they were legally bound to use its internal EINSTEIN network security system for resolving DNS queries, even though it didn’t yet support encrypted requests. However, CISA issued a request for information last year to explore an upgrade to its DNS resolver, which would support DNS encryption.

DoH isn't the only DNS encryption option available. Another, called DNS over TLS, uses the Transport Layer Security mechanism to encrypt DNS requests. 

Oblivious DoH (ODoH), another standard proposed by CloudFlare and Apple, would improve security by introducing a proxy between the client and the resolver to obfuscate request traffic. 

The NSA noted that it didn’t address DNS over TLS or ODoH in its guidance. 

The NSA guidance failed to mention another technology, dnscrypt-proxy. Dnscrypt-proxy is based on the OpenDNS-developed dnscrypt encryption technology, which achieves similar outcomes to ODoH.

Featured Resources

How to scale your organisation in the cloud

How to overcome common scaling challenges and choose the right scalable cloud service

Download now

The people factor: A critical ingredient for intelligent communications

How to improve communication within your business

Download now

Future of video conferencing

Optimising video conferencing features to achieve business goals

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Recommended

Lawmakers signal changes for big tech in antitrust hearings
Policy & legislation

Lawmakers signal changes for big tech in antitrust hearings

26 Feb 2021
CISA warns of ongoing Accellion File Transfer Appliance attacks
hacking

CISA warns of ongoing Accellion File Transfer Appliance attacks

25 Feb 2021
President Biden and Senator Schumer ready semiconductor supply chain initiatives
Hardware

President Biden and Senator Schumer ready semiconductor supply chain initiatives

24 Feb 2021
Biden pledges to address the growing chip shortage crisis
Hardware

Biden pledges to address the growing chip shortage crisis

12 Feb 2021

Most Popular

How to connect one, two or more monitors to your laptop
Laptops

How to connect one, two or more monitors to your laptop

25 Feb 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

26 Feb 2021
Ransomware operators are exploiting VMware ESXi flaws
ransomware

Ransomware operators are exploiting VMware ESXi flaws

1 Mar 2021