How Encrypted DNS Protects Organizations

Encrypted DNS enhances security, mitigates DNS spoofing attacks, and protects online privacy. Learn about the two main forms of Encrypted DNS, DNS-over-HTTPS (DoH) and  DNS-over-TLS (DoT).

DNS queries translate human-readable domain names (like www.example.com) into IP addresses that computers use to communicate with each other. Hackers have abused DNS (Domain Name System) in many different ways such as swapping out an organization's legitimate global DNS records for malicious ones, causing internet users or even an organization's own employees to be redirected to attacker controlled websites. Some other ways attackers abuse DNS include using it for Distributed Denial of Service (DDoS) attacks against publicly accessible DNS servers, and even leveraging the fact that many firewalls inherently trust DNS traffic to smuggle data out of the network, known as DNS tunneling. 

DNS spoofing attacks (aka Cache Poisoning) are common when attackers have a man-in-the-middle (MiTM) position on a victim. In DNS spoofing attacks, the attacker simply replaces the IP address of the victim's DNS request, causing them to visit a malicious website instead of the legitimate site. In this article we will look at how encrypted DNS protocols prevent these otherwise trivial forms of DNS attack and also protect users' privacy online.

More About DNS Spoofing Attacks

Man-in-the-Middle (MiTM) based DNS attacks, also commonly referred to as DNS hijacking, DNS spoofing, or DNS redirection, are a type of cyber threat that intercepts and manipulates the communication between a user and the internet. These attacks can have far-reaching consequences for both individuals and organizations. 

The attack starts when the attacker abuses unencrypted DNS to redirect the victim to a website they control. If an attacker has access to a stolen or forged SSL/TLS certificate from a compromised certificate authority, DNS spoofing attacks can render the browser URL bar's security indicator useless by displaying a verified connection to a website that is actually controlled by an attacker. Not only can this allow the attacker to phish credentials to critical resources, but they can also directly launch attacks against the user's web-browser trying to exploit a zero-day vulnerability. 

You need to be sure that your DNS request is resolving accurately. Services can monitor the DNS records to detect when they have been modified without authorization, but encrypting DNS traffic is a much stronger way to protect yourself from DNS spoofing attacks.  

What is Encrypted DNS And How Does It Protect You?

Encrypted DNS is a cybersecurity feature designed to enhance online privacy and security.  DNS spoofing attacks are only possible because the DNS protocol does not inherently offer authentication or encryption allowing an attacker free reign to modify the contents of DNS request packets. This exposes users to various security risks, including eavesdropping, data interception, and MiTM attacks.

Encrypted DNS addresses these concerns by encrypting the query data between the user's device and the DNS server including some form of authentication to ensure the DNS request is being fulfilled by a trusted service, not a malicious hacker. This ensures that only the intended recipient, usually a secure DNS resolver, can decrypt and process the DNS query. The key benefits include:

• Privacy Protection: Prevents third parties from viewing your DNS queries, thereby safeguarding your browsing history from ISPs, network administrators, nation-states, and any other potential eavesdroppers with network access.

• Security Enhancement: Reduces the risk of DNS hijacking and spoofing attacks, as encrypted queries are protected from MiTM manipulation and redirection.

Types of Encrypted DNS

There are two primary types of encrypted DNS protocols DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT). Both protocols provide encryption and validation, ensuring that DNS requests and responses are secure and authentic, but they differ in implementation and how they blend with other internet traffic.

• DNS-over-HTTPS (DoH): Integrates uses HTTPS to deliver DNS requests, leveraging the SSL/TLS encryption and authentication of HTTPS to secure DNS queries. DoH uses the same port as regular HTTPS traffic (port 443). SSL/TLS potentially supports mutual authentication between the client and DNS server; however, in typical DoH implementations, only the server (DNS resolver) is authenticated by the client (user's device making the DNS resolution request). The server presents a typical X.509 certificate to prove its identity, and the client verifies this certificate against known trusted certificate authorities (CAs).

• DNS-over-TLS (DoT): Encrypts DNS queries using the Transport Layer Security (TLS) protocol, but without using HTTP. DoT operates on its own port (port 853), differentiating it from regular HTTPS traffic. DNS-over-TLS (DoT) also uses TLS for encrypting DNS traffic. Similar to DoH, the standard implementation of DoT typically involves the client authenticating the server via TLS certificates. 

Conclusion

In summary, Encrypted DNS is a critical cybersecurity measure that shields organizations from DNS attacks and ensures online privacy. Encrypting DNS queries, prevents unauthorized access and manipulation, which is crucial for mitigating DNS spoofing and hijacking. DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) are the primary encrypted DNS protocols, each offering robust security and privacy features while differing in their implementation and integration with internet traffic. These protocols are essential for maintaining the integrity of DNS requests and safeguarding against the vulnerabilities inherent in unencrypted DNS.