New DNS Transport Protocols will Complicate DNS Monitoring, Dutch NCSC Says

• NCSC says that increased adoption of new DNS transport protocols will make an organization’s security controls ineffective.
• The NCSC recommends organizations to decide on preferred (DNS) resolvers and configure them on devices under the administrative control in order to prevent the potential DNS risks.

What is the problem?

The Dutch National Cyber Security Center has published a factsheet explaining how new DNS transport protocols will make DNS monitoring harder.

• NCSC says that increased adoption of new DNS transport protocols, such as moving to DNS over TLS (DoT) and DNS over HTTPS (DoH), will make an organization’s security controls ineffective.
• This results in negative side effects such as exposing internal resource naming or break connectivity.
• These negative side effects make mitigation at a network level difficult, requiring mitigation at DNS infrastructure and individual devices.

Google and Mozilla’s DOH trials

Google and Mozilla are both running DNS over HTTPS (DoH) trials for their browsers.

• Google’s Chrome browser will upgrade to a provider's DoH server only if it present on a pre-defined whitelist, if not it will shortlist of fallback providers (i.e., Cleanbrowsing, Cloudflare, DNS.SB, Google, OpenDNS, Quad9).
• Mozilla’s experiment to enable DoH by default and to mandate Cloudflare's DoH server instead of a user’s existing DNS provider has already received criticism from network admins and Linux distro maintainers.

“Firefox is about to break DNS by enabling DNS-over-HTTP by default. Once that happens, the browser will ask Cloudflare over DNS for name resolution instead of whatever your sysadmin configures, leaking the names of all the websites you visit to Cloudflare,” Kristian Köhntopp, Senior scalability engineer tweeted.

Mitigations

The NCSC recommends organizations to decide on preferred (DNS) resolvers and configure them on devices under the administrative control

• To mitigate some of these DNS risks, network administrators are advised to decide which DNS resolver is preferred and configure them on all systems under administrative control.
• For devices not under their control, admins will have to mitigate the risks at network-level mitigation for some apps such as Mozilla's Firefox.

“To retain DNS monitoring as an effective measure, it is necessary to make changes to your own DNS infrastructure and endpoints. While centralized DNS monitoring on networks has been feasible up to this point, this centralized approach will continue to decrease in effectiveness over time,” NCSC said.