On October 31, our Chief Strategy Officer, Andrew Wertkin, and Farsight Security CEO and Internet pioneer, Paul Vixie, joined forces to discuss where they see DNS going. In the “DNS over HTTPS and Beyond” webinar, they cover the power of DNS, the challenges businesses face today, and the controversial DNS over HTTPS (and what it means for enterprises).
Here are three takeaways from the insight-packed webinar.
1. Do not outsource your recursive server.
Paul is a massive advocate for bringing recursive name servers inside your network. And not just for corporate networks but personal home networks too. Why is that? He highlights the control and visibility that’s surrendered when your recursive server sits outside your network perimeter. (For more best practices, check out our DNS Infrastructure Deployment guide)
An internal recursive server allows network operators to enforce local policies, cache query results, and most importantly, gather and analyze data from the network in a centralized manner. This is also referred to as telemetry analysis. Being the ‘first hop’ onto a network is advantageous, but only when it’s internal.
It’s a beneficial point of control for you then it is also beneficial to bad actors. When the recursive server is left in the hands of others, it allows for third party monitoring. Even if your company isn’t a target, your Internet service provider (ISP) may be. That means your traffic can be visible to others. This also makes your network vulnerable to “various types of DNS cache poisoning attacks,” such as spoofing IP addresses or altering DNS records.
Plus, Paul points out that, “there are too many ways to run this inside, and keep control, and have the power of your own fate in your own hands.”
Most quotable moment: “I never miss an opportunity to tell people, run your own recursive name server. I think if I had gotten run over by a truck, that’s probably what my family would have chiseled onto my gravestone, to run your own recursive name server.” – Paul Vixie
Jump straight to the discussion at 20:43.
2. DoH creates a new class of exfiltration risks
DNS over HTTPS, or DoH, has sparked many discussions lately. One major argument this proposed IETF standard (RFC 8484) has created is that DoH greatly compromises security for enterprises. Paul supports this claim too.
When DNS traffic goes through the HTTPS port, it becomes completely indistinguishable from web traffic, or as Paul said, “paints us all with the same brush.” It is this lack of visibility where the trouble happens. Consider a CISO who wants to use DNS as a strategy to protect their network. Or consider a network team who need to block or sinkhole traffic. With DoH, that’s not possible.
Since DoH changes the security perimeter and controls that were once possible with conventional DNS, this a potential vulnerability that bad actors can exploit. Paul’s biggest concern is “every botnet from now on is going to be coded to use DoH.” That will cause headaches for everyone in a company’s IT organization.
Most quotable moment: “What we’ve done here is to create a new class of exfiltration risk that we can expect every intruder whether hardware, software or [meetware 00:56:41] is going to be using “ – Paul Vixie
Jump straight to the discussion at 46:58.
3. Businesses will need to digitally strip search everyone before leaving the building
From the takeaway above, we know that DoH presents major challenges for security. Enterprises cannot afford to ignore these new vulnerabilities. But, as Paul described, the security protocols to supplement DoH will need to be invasive in order to be sufficiently secure, which he does not support.
To address the lack of visibility, all HTTPS traffic will need to be forced through a proxy server. Paul explained that the proxy’s purpose is “basically strip searching everybody as they try and leave the building in digital terms” in order to ensure all traffic complies with corporate policy. It’s an invasive measure compared to most standards.
An argument for DoH is the privacy it offers by encrypting DNS traffic. In an enterprise context, however, DoH in practice may eliminate user privacy. Current standards or policies focus on blocking unauthorized access, which means only ‘bad’ user activity is often flagged. Since DoH encrypts all DNS traffic, network operators may need to decrypt and analyze all traffic to determine what is safe for their network and what’s not.
While the general public will certainly benefit from the anonymity that comes with DoH, it’s a challenge for businesses. This has the potential to shift corporate culture towards a surveillance-centered approach, whether businesses or their employees want it or not.
Most quotable moment: “That’s not going to be possible once the world is using TLS 1.3 with encrypted SNIs and that means it’s going to have to be an explicit proxy, probably socks. Or it could be an HTTPS proxy and you’re going to have to force all of your outbound HTTPS traffic through an explicit proxy. Basically strip searching everybody as they try and leave the building in digital terms just to make sure that you are in compliance with corporate policy.” – Paul Vixie
Jump straight to the discussion at 54:12.
Critical conversations on critical infrastructure
Find out how your peers are managing their networks through profound change. Watch this series of live interactive discussions with IT pros & join the debate in Slack.
BlueCat’s DDI Adaptive Plugins and Applications help IT teams better leverage ServiceNow, Ansible, Microsoft, and more
A growing suite of Adaptive Plugins and Applications will help automate existing BlueCat capabilities along with adjacent customer technologies.
BlueCat Overlay for Microsoft
With BlueCat Overlay for Microsoft, get visibility into Microsoft DNS and DHCP servers by relaying information back to your BlueCat Address Manager server.
With the ServiceNow Adaptive Plug-in, enable self-service IT requests with automated fulfillment, such as hostname and IP address provisioning.
Discovery & Visibility
Discover cloud resources to integrate into the BlueCat platform, get updates in near-real-time, and automatically build DNS records and new target domains.