Most of you have probably heard about encrypted DNS (DNS-over-HTTPS or DoH, and DNS-over-TLS or DoT) and have noticed that several of the major browser vendors have rolled out support for these newer protocols. You may have even thought, “Hey, that sounds like a great way to help ensure the privacy of computer users.” And we would agree: encrypted DNS does provide a convenient way for computer users to mask the names and IP addresses of the hosts they are looking up, and can also help prevent tampering with those mappings in transit. Although encrypted DNS comes with some severe limitations—for example, when that same computer user actually goes to VISIT the site they just looked up, the IP address is still revealed—it still does help elevate the overall level of privacy for users at home.
But what about at the office? Some of you may have heard about or even read the NSA report on this topic, and might be wondering if the NSA’s advice (which essentially boils down to: don’t use encrypted DNS) applies to you. Maybe you don’t even run your own DNS server, so why would you care? Well, we’ll try to answer that question in this blog post.
First, we just need to describe quickly how DNS is intended to work. With normal DNS, the responsibility for resolving a hostname to an IP address is offloaded from the application level to the operating system level. This means that all the app needs to know how to do is to ask the OS, “What does this name resolve to?” and all the details of resolution—which DNS resolvers to use, what to do if an answer isn’t found, etc.—are the OS’s problem. Imagine if you had to configure each app separately to specify a DNS resolver! The OS can also cache results, so that if many apps are trying to visit the same sites, the process is accelerated.
Well, when folks decided to start encrypting DNS traffic, I guess the operating system vendors were a little too slow—so the browsers went ahead and did it themselves. This now means that the major browsers can be configured to circumvent the normal OS-driven DNS resolution, and will reach out on their own to an encrypted DNS provider to resolve addresses. This also means the browser needs to handle that configuration, fallback, caching, and all the other aspects of DNS resolution. It would seem the browsers are now unnecessarily taking on this complexity, but in the absence of OS support perhaps this makes sense.
But there’s another problem: many companies that provide security for devices owned and operated by the company rely on protecting DNS as a first line of defense. VIPRE’s Endpoint Security provides this type of security right out of the box: if an application attempts to look up a hostname, that hostname (and its associated IP) is first checked against a cloud-hosted repository of every known bad website in existence, data that is kept accurate up to the minute. With VIPRE’s solution, this check takes place right on the endpoint, by intercepting the OS’s DNS query and potentially blocking it if the host is indeed malicious. But VIPRE is not alone in this: many other vendors provide protected DNS services that companies rely on to keep their users safe.
When a browser is configured to use encrypted DNS, however, this type of protection breaks down: the encrypted DNS query, by its very nature, CANNOT be intercepted or observed by VIPRE or any other protected DNS service. This waters down the security provided by such products and can expose users to malicious content. Not only that, but the privacy benefits the user might think they are getting are really illusory in an office environment; encrypted DNS is useful to hide what sites you are visiting from your ISP, but unless the user is really worried about their employer snooping on them, it doesn’t provide that benefit at the office.
It is for this exact reason the NSA recommends that businesses that provide any sort of DNS service, including something like VIPRE’s DNS Protection, should disable encrypted DNS (which can be done via Group Policies for most browsers) and block access to known encrypted DNS providers for systems inside the company network. Doing so should improve the overall level of protection for the organization, and should not impact the privacy of any employees in any way they didn’t agree to in their employment contract. VIPRE agrees with this strategy, and recommends that all business customers discourage the use of encrypted DNS within the company.
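To make the two ideas above concrete (the endpoint-level interception of the OS’s DNS query described a few paragraphs up, and the resolver-side policy of refusing lookups for known encrypted DNS providers recommended here), the following Python is an added illustration written for this post. It is not VIPRE’s code and does not use VIPRE’s data: the MALICIOUS_HOSTS set is a constructed stand-in for a cloud-hosted reputation feed, the DoH provider names are the public hostnames of the Google, Cloudflare and Quad9 resolvers, and use-application-dns.net is the canary domain Firefox looks up before enabling DoH by default. The code parses a plaintext DNS query in wire format, applies the policy, and synthesizes the answer the filter would return.

```python
"""Model of an endpoint DNS filter sitting on the OS resolver path.

Added example for illustration; blocklists and queries are constructed.
"""
import struct
from typing import Optional, Tuple

# Constructed sample blocklist (stand-in for an up-to-the-minute reputation feed).
MALICIOUS_HOSTS = {"malware.example", "phish.example"}

# Public hostnames of well-known DoH/DoT providers. Refusing to resolve them stops a
# browser from bootstrapping its own encrypted resolver by name (see caveat below).
DOH_PROVIDER_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Firefox canary domain: an NXDOMAIN answer signals "do not enable DoH by default here".
CANARY_DOMAIN = "use-application-dns.net"

NOERROR, NXDOMAIN, REFUSED = 0, 3, 5


def build_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a DNS query in RFC 1035 wire format: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_question(packet: bytes) -> Tuple[int, str, int, bytes]:
    """Return (txid, qname, qtype, raw question bytes) from a wire-format query."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, parts = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a query name")
        parts.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question type/class")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(parts), qtype, packet[12:pos + 4]


def _in_zone(name: str, zones) -> bool:
    """True if name equals, or is a subdomain of, any entry in zones."""
    return any(name == z or name.endswith("." + z) for z in zones)


def verdict(qname: str) -> str:
    """Policy decision for one looked-up name."""
    if qname == CANARY_DOMAIN:
        return "canary"
    if _in_zone(qname, DOH_PROVIDER_HOSTS):
        return "block-doh-bootstrap"
    if _in_zone(qname, MALICIOUS_HOSTS):
        return "block-malicious"
    return "pass"


def build_response(query: bytes, rcode: int) -> bytes:
    """Synthesize an answer-less response with the given RCODE, echoing the question."""
    txid, _qname, _qtype, question = parse_question(query)
    flags = 0x8180 | (rcode & 0xF)  # QR=1, RD=1, RA=1, RCODE in the low nibble
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question


def response_rcode(response: bytes) -> int:
    """Extract the RCODE from a response header (useful for checking the filter's answer)."""
    return struct.unpack("!H", response[2:4])[0] & 0xF


def filter_query(query: bytes) -> Tuple[str, Optional[bytes]]:
    """Intercept a plaintext query: return (verdict, synthesized response or None).

    None means the query is allowed through to the real upstream resolver.
    """
    _txid, qname, _qtype, _question = parse_question(query)
    decision = verdict(qname)
    if decision == "pass":
        return decision, None
    # Canary and DoH-provider names get NXDOMAIN (the signal Firefox looks for);
    # known-bad hosts are refused outright.
    rcode = REFUSED if decision == "block-malicious" else NXDOMAIN
    return decision, build_response(query, rcode)


if __name__ == "__main__":
    for name in ("www.example.com", "malware.example", "dns.google", CANARY_DOMAIN):
        decision, resp = filter_query(build_query(name))
        print(f"{name:28} -> {decision}"
              + (f" (rcode {response_rcode(resp)})" if resp else " (forwarded)"))
```

In a real deployment this logic sits where the endpoint agent sees UDP/TCP port 53 traffic leaving the OS stub resolver; the point of the post is that a browser speaking DoH to port 443 never passes through it, which is why the policy also refuses the provider hostnames and the canary. Two caveats a practitioner would want: the canary only suppresses Firefox’s default-on rollout and does not override a user who explicitly enabled DoH, and a browser with a provider’s bootstrap IP baked in can reach it without ever resolving the hostname, so the NSA’s advice to block the providers’ IP ranges at the network edge is needed alongside the name-based refusal shown here.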
P.S. If a user enables encrypted DNS in their browser, does this mean they are no longer protected against malicious websites? Thankfully, no; the DNS Protection aspect is just the first layer of security. Even after the website is resolved, all its content will be inspected by VIPRE’s browser plugins, which will block known bad hosts and URLs, and look for common exploits in the actual web page and associated scripts. And even beyond that, if a page starts behaving badly, VIPRE’s Advanced Active Protection will observe the malicious behavior and block the process. All that being said, it’s even better to just block the malicious site before it even loads.
By David Corlette