The US National Security Agency has advised organizations to avoid third-party resolvers and employ only their designated DNS resolvers for DNS traffic in order to protect internal networks. The warning comes in the form of a guide describing the benefits and risks of encrypted DNS protocols, such as DNS-over-HTTPS (DoH).
“The enterprise resolver should support encrypted DNS requests, such as DoH, for local privacy and integrity protections, but all other encrypted DNS resolvers should be disabled and blocked. However, if the enterprise DNS resolver does not support DoH, the enterprise DNS resolver should still be used and all encrypted DNS should be disabled and blocked until encrypted DNS capabilities can be fully integrated into the enterprise DNS infrastructure,” the agency said.
“DoH is not a panacea. DoH does not guarantee protection from cyber threat actors and their ability to see where a client is going on the web. DoH is specifically designed to encrypt only the DNS transaction between the client and resolver, not any other traffic that happens after the query is satisfied. While this allows clients to privately obtain an IP address based on a domain name, there are other ways cyber threat actors can determine information without reading the DNS request directly, such as monitoring the connection a client makes after the DNS request,” the advisory warned.
According to the NSA, DNS over HTTPS (DoH) can be exploited by malicious actors if it is not properly deployed within an enterprise. The enterprise DNS resolver may be either an enterprise-operated DNS server or an externally hosted service.
While DoH protects DNS traffic between a client and a DNS resolver from unauthorized access, it can also bring issues to enterprises, including a false sense of security, bypassing of DNS monitoring and protections, concerns for internal network configurations and information, and exploitation of upstream DNS traffic.
The NSA recommends that enterprise network administrators disable and block all DNS services other than their organizations' designated ones, block unauthorized DoH resolvers and traffic, make use of host and device DNS logs, consider a VPN for additional privacy protection, validate DNSSEC, and use protective DNS capabilities.
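One way to act on the "utilize host and device DNS logs" and "block unauthorized DoH resolvers" recommendations is to audit flow logs for DNS traffic that does not terminate at the designated enterprise resolver. The following is an added example, not code from the NSA guide; it assumes a constructed flow-log format, a constructed enterprise resolver address, and a constructed administrator-maintained list of public DoH endpoints.

```python
import re
from dataclasses import dataclass

# Assumed: the organization's designated resolver (constructed address).
ENTERPRISE_RESOLVERS = {"192.0.2.53"}
# Assumed: administrator-maintained list of public DoH endpoints to block
# (constructed values, not a real resolver list).
KNOWN_DOH_IPS = {"203.0.113.1"}
KNOWN_DOH_NAMES = {"doh.resolver.example"}
# Constructed flow-log format: "<src> <dst> <dst_port> <udp|tcp> [sni=<name>]"
FLOW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(udp|tcp)(?:\s+sni=(\S+))?$")


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    reason: str


def classify_flow(line):
    """Return a Finding if the flow is DNS that bypasses the enterprise resolver."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None  # unparsable line: skipped rather than reported as clean
    src, dst, port, proto, sni = m.groups()
    port = int(port)
    if port == 53 and dst not in ENTERPRISE_RESOLVERS:
        return Finding(src, dst, "plaintext DNS to non-enterprise resolver")
    if port == 853 and dst not in ENTERPRISE_RESOLVERS:
        # DNS-over-TLS has its own port, so it is identifiable by port alone.
        return Finding(src, dst, "DNS-over-TLS to non-enterprise resolver")
    if port == 443 and proto == "tcp" and (dst in KNOWN_DOH_IPS or sni in KNOWN_DOH_NAMES):
        # DoH shares 443 with ordinary HTTPS; only a known-resolver list
        # (matched by IP or TLS SNI) separates it from web traffic.
        return Finding(src, dst, "DoH to unauthorized resolver")
    return None


def audit(lines):
    """Run classify_flow over every log line and collect the findings."""
    return [f for f in map(classify_flow, lines) if f is not None]


# Constructed sample log: compliant query, rogue plaintext query,
# DoH session to a listed public resolver, ordinary HTTPS session.
SAMPLE_LOG = [
    "10.0.0.5 192.0.2.53 53 udp",
    "10.0.0.7 198.51.100.9 53 udp",
    "10.0.0.7 203.0.113.1 443 tcp sni=doh.resolver.example",
    "10.0.0.8 198.51.100.20 443 tcp sni=www.example.com",
]
```

Because DoH is indistinguishable from other HTTPS without a resolver list or SNI, this check only catches DoH to endpoints the administrator has already listed, which is why the guide pairs it with blocking rather than relying on detection alone.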