In the ever-evolving landscape of cyber security, adapting and innovating are paramount. Yet, some advancements, while promising, can inadvertently introduce vulnerabilities. A notable instance of this is the emergence of DNS over HTTPS (DoH) and its associated cyber security risks in enterprise environments. Initially designed to bolster user privacy and security, DoH, when exploited by malicious actors, can significantly undermine the security posture of an enterprise.

DNS? DoH? What is it all about?
Think of the internet as a vast city, and every website is a building within it. How do you find the exact location (IP address) of your desired website (like ‘google.com’)? You consult the digital directory known as the Domain Name System (DNS).
At its core, DNS is a system that translates human-friendly domain names into IP addresses, which computers use to identify each other on the network. Instead of remembering a complex sequence of numbers like 2a00:1450:400c:0c00:0000:0000:0000:0065, we remember ‘google.com’ and DNS does the heavy lifting.
Traditional DNS queries are akin to sending a postcard—open for anyone to intercept and read where you’re heading on the internet. Moreover, the enterprise or the Internet Service Provider usually runs the resolver that turns names into addresses, and can therefore log every query you make. DNS over HTTPS (DoH) changes this: it seals your ‘postcard’ in an encrypted envelope, making it far harder for onlookers to see which sites you visit. To do so, DoH carries DNS queries over HTTPS, the same protocol that protects ordinary web traffic.
DoH: The Phantom Menace to Enterprise Cyber Security
At its core, DNS over HTTPS (DoH) is designed to improve privacy and security for web users. By encrypting DNS queries within regular HTTPS traffic, it can make one’s online actions more private and secure from eavesdroppers. In a world where online privacy is becoming a cherished commodity, DoH seems like a step in the right direction. But for enterprises, this same encryption presents challenges that can’t be ignored.
Traditional network security controls have long depended on watching DNS traffic. By inspecting plaintext queries, enterprises have been able to spot requests for suspicious domains, block access to known-harmful sites, and detect malware talking to command-and-control servers. DoH hides exactly these queries inside encrypted HTTPS sessions, making them invisible to conventional monitoring tools. What used to be a transparent stream of data becomes opaque, and security tools can no longer easily tell ordinary web traffic from potentially harmful DNS requests, which is what amplifies the DoH cyber security risks in enterprise environments.
Data exfiltration
One of the gravest risks posed by DoH is silent data exfiltration. In a world of increasing cyber espionage, the value of corporate data has never been higher. Intellectual property, financial data, customer information, and strategic plans are gold for cybercriminals.
With DoH, malicious actors have the capability to stealthily siphon off data. They achieve this by embedding it within encrypted HTTPS traffic, allowing the data extraction to merge seamlessly with standard web traffic. Consequently, this integration makes detection exceptionally challenging, as the malicious activities are cloaked under the guise of normal internet usage.
Malware communication
Just as humans rely on communication, so too do malware and their controllers. Command-and-control servers dictate the actions of malware, from collecting data to launching further attacks. Traditionally, these communications were a weak link, detectable through DNS traffic analysis.
Enter DoH, and the landscape shifts in the cybercriminals’ favour. Malware can now talk to its controller discreetly, with its signals encrypted and camouflaged inside ordinary web traffic. This makes identifying and neutralizing the malware markedly harder, giving it more time to do damage or spread across the enterprise network.
Navigating DoH in Enterprise: The Good and The Risky
Another challenge with DoH is distinguishing between legitimate and malicious use. Not every instance of DoH usage is nefarious. Many modern web browsers have started adopting DoH to improve user privacy. This means that an enterprise might see a surge in DoH traffic simply because of a browser update.
However, amidst this surge, a cybercriminal could be leveraging DoH for malicious purposes. Distinguishing between the two becomes a complex task, requiring advanced cybersecurity solutions and a shift in traditional threat detection approaches.
Bots and Backdoors
One of the primary concerns with DoH in an enterprise setting is its potential exploitation by bots and backdoors. These malicious entities can leverage DoH to establish covert channels, evade traditional DNS-based detection mechanisms, and even exfiltrate sensitive data.
The Undeniable Risk of DoH in Enterprise Security
While DNS over HTTPS (DoH) undeniably enhances privacy for individual users, in the context of DoH cybersecurity risks in enterprise environments, this encrypted domain name resolution method poses a formidable challenge. The veil of privacy it introduces, while beneficial in some contexts, can also be exploited, embodying a double-edged sword for businesses. This prompts a closer examination of the specific cyber security risks associated with the advent of DoH in enterprise settings.
1. Loss of Visibility and the DoH Challenge
The most immediate risk of DoH is the loss of visibility into DNS traffic, a critical component of many security monitoring systems.
Traditional DNS monitoring can detect threats, anomalies, and potential data breaches by analyzing unencrypted DNS queries. With DoH, these queries become indistinguishable from regular HTTPS traffic. Enterprises will find it harder to distinguish between genuine traffic, benign DoH requests, and malicious DoH queries. This blurring complicates threat analysis immensely.
2. The Ineffectiveness of Security Tools Against DoH
Many security tools rely on the transparency of DNS traffic to function effectively.
Firewalls that use domain-based rules to block malicious domains become less effective because they can’t see the actual DNS queries when DoH is used. Tools designed to detect data breaches by monitoring DNS queries for large or suspicious data transfers might miss exfiltration attempts hidden within DoH.
3. Stealthy malware activities
DoH provides a near-perfect conduit for malware to communicate with its command-and-control servers.
Malware and botnets can exploit DoH to clandestinely receive commands or funnel data out, bypassing the traditional DNS-based detection mechanisms. This freedom to communicate via DoH allows malware to evolve in response to defensive measures, download updates, or propagate across the network, thereby extending its presence and amplifying its effects.
4. Under-the-Radar Data Exfiltration via DoH
With DoH, data exfiltration is seamless and almost undetectable.
Sensitive information can be covertly extracted, seamlessly merging with regular web traffic and thereby diminishing the likelihood of prompt detection and response. Given the inherent trust in the HTTPS protocol, this trust can unfortunately be manipulated by malicious actors to smuggle data out undetected and unimpeded.
5. Increased incident response time
In the unfortunate event of a breach or cyber incident, DoH can increase the time taken to identify, understand, and respond to the threat.
The encryption of DNS queries means that detecting unusual or malicious activity can take longer, thereby affording adversaries more opportunity to inflict damage or exfiltrate data. Moreover, without access to transparent DNS data, investigating the origins, scope, and techniques of an attack becomes a more formidable challenge, obstructing prompt resolution and the implementation of effective preventative measures for future security.
6. Misallocation of resources
The presence of DoH can lead to enterprises misallocating their security resources.
Security systems might flag benign DoH traffic as suspicious due to its encrypted nature, leading to unnecessary investigations. With the flood of potential threats due to the inability to discern DoH traffic, security teams might become overburdened, missing out on genuine threats.
7. Policy enforcement challenges
Enterprises often have policies to restrict access to specific websites or services for various reasons, including productivity, bandwidth management, and security.
With the advent of DoH, users gain the ability to circumvent established restrictions, thereby accessing content that has been blocked and possibly introducing security vulnerabilities. Furthermore, in industries subject to strict regulations, the diminished visibility into DNS queries could result in non-compliance with industry standards, potentially incurring penalties or eroding trust.
Mitigating DoH Cyber Security Risks in Enterprise: A Proactive Approach
While DoH poses considerable challenges to the enterprise cyber security landscape, not all hope is lost. Several strategies can be employed to counteract the risks presented by DoH. Let’s delve into these potential solutions.
1. Endpoint DoH control
One of the most straightforward approaches is to disable DoH functionality on all managed enterprise endpoints. Most modern browsers and operating systems that support DoH offer configuration settings to turn it off.
2. Leveraging Deep Packet Inspection (DPI) to Mitigate DoH Threats
By implementing deep packet inspection, enterprises can decrypt and inspect HTTPS traffic, identifying and blocking DoH requests.
NB: while effective, this method might raise privacy concerns, especially if implemented without clear communication to employees about the nature and purpose of such monitoring.
3. Network-level DoH detection
Instead of relying solely on the content of network traffic, enterprises can employ tools that detect anomalies in behaviour patterns. For instance, a sudden spike in HTTPS traffic to a previously unknown domain might be a red flag. This can be combined with real-time threat intelligence feeds to enhance the detection of malicious DoH traffic.
4. External DoH blocking
Although DoH can bypass traditional DNS filters, these filters can still be useful. By maintaining an updated blocklist of known DoH providers and regularly reviewing and adjusting this list, enterprises can mitigate the risk posed by external DoH servers.
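Added example, not part of the original post: a small Python script that applies the resolver blocklist from point 4 together with the behavioural rule from point 3 to constructed proxy log lines. The log format, the resolver list and the thresholds are assumptions; the /dns-query path and the application/dns-message media type are the ones RFC 8484 defines.

```python
import re
from collections import Counter

# Constructed proxy log sample (not real traffic). One record per line:
# epoch src_ip dst_ip sni method path content_type resp_bytes
SAMPLE_LOG = """\
1700000001 10.0.0.5 104.16.248.249 cloudflare-dns.com POST /dns-query application/dns-message 63
1700000002 10.0.0.5 104.16.248.249 cloudflare-dns.com POST /dns-query application/dns-message 71
1700000003 10.0.0.7 93.184.216.34 www.example.com GET / text/html 1270
1700000004 10.0.0.9 203.0.113.10 cdn.example.net GET /dns-query?dns=AAABAAABAAA application/dns-message 55
1700000005 10.0.0.9 203.0.113.10 cdn.example.net GET /dns-query?dns=AAABAAABAAB application/dns-message 58
1700000006 10.0.0.9 203.0.113.10 cdn.example.net GET /dns-query?dns=AAABAAABAAC application/dns-message 61
1700000007 10.0.0.7 93.184.216.34 www.example.com GET /logo.png image/png 8042
"""

# Assumed blocklist of well-known public DoH endpoints (point 4); a real list is larger and maintained.
DOH_RESOLVERS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
DOH_MEDIA_TYPE = "application/dns-message"   # media type defined by RFC 8484
DOH_PATH = re.compile(r"^/dns-query(\?|$)")  # conventional RFC 8484 endpoint path
SMALL_RESPONSE = 512   # bytes: DNS answers are tiny, most web objects are not (assumed threshold)
BURST_THRESHOLD = 3    # small responses from one client to one host before we flag (assumed)

def parse(line):
    ts, src, dst, sni, method, path, ctype, size = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "sni": sni,
            "method": method, "path": path, "ctype": ctype, "size": int(size)}

def classify(rec):
    """Return a reason string if one record looks like DoH, else None."""
    if rec["sni"] in DOH_RESOLVERS:
        return "known-doh-resolver"   # visible in the TLS handshake, no decryption needed
    if rec["ctype"] == DOH_MEDIA_TYPE or DOH_PATH.match(rec["path"]):
        return "rfc8484-markers"      # only observable with TLS inspection (point 2)
    return None

def detect(log_text):
    """Apply the per-record rules plus a behavioural burst rule (point 3); return sorted findings."""
    records = [parse(l) for l in log_text.splitlines() if l.strip()]
    findings = set()
    for r in records:
        reason = classify(r)
        if reason:
            findings.add((r["src"], r["sni"], reason))
    # Behavioural rule: many small responses from one client to one host looks like resolution, not browsing
    bursts = Counter((r["src"], r["sni"]) for r in records if r["size"] <= SMALL_RESPONSE)
    for (src, sni), n in bursts.items():
        if n >= BURST_THRESHOLD:
            findings.add((src, sni, "small-response-burst"))
    return sorted(findings)
```

Running detect(SAMPLE_LOG) flags the client using a listed resolver, and flags the client using an unlisted host both by the RFC 8484 markers and by its burst of small responses; the SNI rule needs no decryption, whereas the path and content-type rule only works where the proxy already performs the TLS inspection described in point 2.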
5. Employee training & awareness
A significant number of risks can be addressed through user education. By informing employees about the dangers and consequences associated with DoH, as well as clarifying the company’s position and policies on the matter, organizations can strengthen their first line of defense.
Encourage employees to use enterprise-approved browsers and configurations. Offering tools and plugins that prioritize security can also steer employees away from potentially harmful alternatives.
6. Strategic threat hunting
Instead of waiting for threats to manifest, employ cybersecurity professionals to actively hunt for signs of compromise. Regularly searching the enterprise environment for indicators of DoH abuse can uncover hidden threats.
Further reading
Understanding DoH Challenges: A Necessary Step in Improving Network Privacy & Security | CSO Online
DNS-over-HTTPS causes more problems than it solves, experts say | ZDNET
NSA – Adopting Encrypted DNS in Enterprise Environments
Conclusion
In addressing the evolving DoH cyber security risks in enterprise environments, it’s crucial for traditional network security measures to adapt. Historically, these measures have leaned on monitoring DNS traffic to identify suspicious domain requests, block harmful websites, and detect malware communication. Yet, DoH conceals these queries within encrypted traffic, rendering them invisible to standard monitoring tools. What used to be a transparent stream of data now becomes opaque, challenging cyber security tools to distinguish between benign web traffic and potentially malicious DNS requests, thus highlighting the significance of vigilance against DoH cybersecurity risks in enterprises.
Worried about the potential pitfalls of DNS over HTTPS within your organisation? Our team of experts is ready to guide you through understanding these challenges and crafting effective strategies to safeguard your network. Let us help you navigate the complexities of DoH, ensuring your enterprise remains secure without compromising on efficiency. Reach out to us, and together, we’ll fortify your defences against the hidden threats of encrypted DNS queries.