What is DNS-over-HTTPS?
DoH (IETF RFC8484) allows browswers to send DNS requests as normal-looking HTTPS traffic to special DoH-compatible DNS servers (called DoH resolvers). Bottom line, DoH hides DNS requests inside the normal deluge of HTTPS data. Currently, Firefox ships with support for relaying encrypted DoH requests via Cloudflare’s DoH resolver. However, users can change the setting to any DoH resolver of choice.
DNS-over-HTTPS the Default for Firefox
According to a recent blog post, Mozilla announced it will be rolling out DoH to US end-users in late September and making it the default resolution path for the browser.
“We plan to gradually roll out DoH in the USA starting in late September. Our plan is to start slowly enabling DoH for a small percentage of users while monitoring for any issues before enabling for a larger audience. If this goes well, we will let you know when we’re ready for 100% deployment. For the moment, we encourage enterprise administrators and parental control providers to check out our config documentation and get in touch with any questions.” Selena Deckelmann, Mozilla
How DNS-over-HTTPS works
The DNS-over-HTTPS protocol works by resolving a domain name from a URL and sending a query to a DNS server to learn the numerical IP address of the web server that hosts the target site. DoH queries a DoH-compatible DNS server (resolver) via an encrypted HTTPS connection on port 443, rather than plaintext on port 53.
Good for Personal Privacy, Increased Enterprise Security Risk
DoH is controversial because it will bypass local network security policies and controls. DoH advocates argue that it makes it harder to block or monitor DNS queries where secure and private access to the Internet is needed. However, DNS is a commonly used method for restricting access to the Internet, mitigating risky user behavior and detecting emerging DNS-based threats. When DoH support is enabled in Firefox, the browser will ignore DNS settings set by network administrators, and use the browser-set DoH resolver.
DoH Based Cyber Threats
Any solution that provide DNS traffic filtering solutions are impacted by the protocol which will act as a firewall bypassing mechanism. DoH will become a common staple in bypassing enterprise security controls. This was recently described by Proofpoint on their update of PsiXBot’s use of Google’s DNS over HTTPS Service and by Netlab’s analysis of the Godlua Backdoor. Unmitigated, users will also be able to change their browser settings to visit restricted websites not accessible before.
Mitigation of DoH Risk
Enterprise security and IT teams will have to use a combination of controls. Admins will have to restrict the ability to configure DoH servers in software and browsers in their control. Organizations will also have to restrict outbound traffic to public DNS resolvers and HTTPs servers that support DoH as listed in the sample below. In a future post, we’ll deep dive into specific examples how to detect and mitigate DoH threats.