DNS encryption in the enterprise

Encryption and privacy don’t equal security. In fact, in the case of DNS in a corporate environment, it can do more harm than good.

Apr 15th, 2020

In this last post in our security series, we take a quick look at DNS encryption and privacy. As we pointed out in the first post, encryption and privacy don’t equal security. In fact, in the case of DNS in a corporate environment, it can do more harm than good.

But what is encrypted DNS?

Why is DNS encryption important?

DNS was originally designed in 1983. That was <checks calendar> a long time ago. Nobody could’ve foreseen the internet, or just how critical and ubiquitous it would become.

Thus, DNS was designed with an open philosophy. DNS queries and responses are sent in cleartext because the fundamental idea of DNS is to be open and accessible to everyone. But this creates several problems in today’s world.

For one, the mission-critical role DNS plays makes it a prime target for exploitation, and its open nature makes it an obvious choice for man-in-the-middle attacks. DNSSEC, which we covered last time, addresses some of these issues — but doesn’t change the fact that DNS data is transmitted in the open.

In the age of near-constant surveillance, and where personal data is being sold to advertisers (if you’re lucky) and malicious elements (if you’re not), encryption is generally a good idea. Private information, such as what websites one visits, should remain private.

And so encrypting DNS became a prominent effort. The two main approaches that are talked about (and debated) today are DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). Internet companies like Mozilla and Google are advocating mostly for DoH, while prominent developers (such as Paul Vixie) argue for DoT.

We do not want to take sides in the debate, nor do we want to go into too much detail with either approach here either. If you’d like to learn more, we have posts for DoT and DoH to serve as a starting point.

What we do want to talk about here is the impact of encrypted DNS on environments other than the open internet. Meaning: corporate networks.

Encrypted DNS in the enterprise

While DNS encryption, in whatever form, makes a great deal of sense on the open internet, it creates security problems on corporate networks.

Corporate networks are not designed to be private for the user. They’re not intended for personal use, but as an instrument of business activity. They tend to be closely monitored and regulated, especially in sectors like military defense or government. Therefore, encrypting DNS traffic is, at best, a hindrance, and at worst, a security issue.

Encrypting DNS means the network operator cannot see the DNS data sent and received. Both DoT and DoH create end-to-end encryption between client and resolver. If there’s a successful attack through DNS (such as cache poisoning), the source of the vulnerability cannot be readily determined.

Also, both DoT and DoH are relatively new technologies. They have not been tested nearly enough to reveal possible shortcomings. DoT is (in)famous for breaking split-horizon DNS (something many enterprise networks utilize) and can introduce SNI (Server Name Indication) leaks. DoH doesn’t have as much direct impact, but because adoption is limited, corporate DNS traffic is centralized to a select few (so far) resolvers like Cloudflare or Google.

All in all, DNS encryption creates blind spots in corporate network security. It obscures visibility, or removes it almost completely, and sidesteps efforts to maintain reliable audits.
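One way a network operator can regain part of that visibility is to scan flow records for encrypted or bypassing DNS. The following is an added example, not code from this post: it flags DoT by its dedicated port, DoH by connections to a maintained list of public resolver addresses, and cleartext DNS sent to anything other than the corporate resolver. The flow records, the corporate resolver address and the DoH address list are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed flow records (src_ip, dst_ip, dst_port, proto); a NetFlow/IPFIX
# export from the enterprise edge would carry the same fields.
FLOWS = [
    ("10.1.2.10", "10.0.0.53", 53, "udp"),       # normal: corporate resolver
    ("10.1.2.10", "93.184.216.34", 443, "tcp"),  # ordinary HTTPS, not DNS
    ("10.1.2.11", "1.1.1.1", 853, "tcp"),        # DoT to a public resolver
    ("10.1.2.12", "8.8.8.8", 443, "tcp"),        # HTTPS to a catalogued DoH endpoint
    ("10.1.2.12", "8.8.4.4", 443, "tcp"),
    ("10.1.2.13", "9.9.9.9", 53, "udp"),         # cleartext DNS bypassing the resolver
]

# Assumption: the sanctioned internal resolver(s) for this network.
CORPORATE_RESOLVERS = {"10.0.0.53"}
# Assumption: public DoH endpoints the defender has catalogued. DoH to an
# address missing from this list is indistinguishable from any other HTTPS flow.
KNOWN_DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}


def classify_flow(src, dst, port, proto):
    """Return a finding label for one flow, or None if it is unremarkable."""
    if port == 853 and proto == "tcp":
        return "dot"          # DNS-over-TLS uses a dedicated port
    if port == 443 and dst in KNOWN_DOH_RESOLVERS:
        return "doh"          # only the peer address gives DoH away
    if port == 53 and dst not in CORPORATE_RESOLVERS:
        return "dns-bypass"   # cleartext DNS to an unsanctioned resolver
    return None


def find_resolver_bypass(flows):
    """Map each client address to the set of finding labels observed for it."""
    findings = defaultdict(set)
    for src, dst, port, proto in flows:
        label = classify_flow(src, dst, port, proto)
        if label:
            findings[src].add(label)
    return dict(findings)


if __name__ == "__main__":
    for client, labels in sorted(find_resolver_bypass(FLOWS).items()):
        print(client, sorted(labels))
```

The DoH check only works as well as the resolver list is maintained, which is exactly the blind spot described above: a DoH session to an unlisted endpoint looks like any other HTTPS connection.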

Encrypted DNS, on the other hand, can also mitigate security concerns. Attackers have fewer vectors to utilize. Corporate network operators need to carefully strike a balance between the protection that encryption can afford and the vulnerabilities it can introduce.

Securing your networks for the future

This concludes our quick adventure into DNS security. We'll come back to these topics again and again, as technology always moves forward, and the needs of our readers and customers always refine what we talk about here.

Do you have a security question you need answered? Or a topic you'd like to know more about? Let us know, we're always listening. Find us on Facebook, Twitter, or LinkedIn.

Coming up: DynDNS is retiring its dynamic DNS, webhop, DNSSEC, and zone transfer services on May 31st, 2020. We'll be showing you how to migrate your DNS data from Dyn to any provider of your choice. Stay tuned!