Encrypted DNS, Episode II: Attack of the DoH Clones

Our encrypted DNS webinar, the follow-up to the previous event, has been outstandingly successful. Here's a small taste and link to the recording.

Aug 21st, 2020

Our encrypted DNS webinar, the follow-up to the previous event, has been outstandingly successful. Many thanks to all who registered and joined!

The canary in the DNS mines

To give you a taste of what’s been discussed, let’s talk about canary domains.

Encrypted DNS is an optional deployment, and its adoption has been slow. Not surprisingly, of course, since privacy for DNS queries can often present security concerns for corporate networks. The balancing act between privacy and security (and security by privacy) is delicate. But how do network services know when to use encrypted DNS, and when to fall back to Do53? (Do53 is DNS over port 53, the standard, unencrypted DNS protocol. Because more acronyms were needed in our space.)

Back in the day, miners used birds, canaries most notably, to check for dangerous buildups of carbon monoxide and other gases in the tunnels. These gases, being odorless, posed a threat to human life, but by observing the birds, workers could ascertain whether they were safe. If the canaries fainted or died, the miners knew there was trouble. (Birds have more rapid breathing and a higher metabolism than humans.)

Thankfully this practice ended in the mid-80s, but the concept has lived on. In DNS, a ‘canary domain’ is a domain that the DNS server will try to resolve: if the lookup succeeds, encrypted DNS can be used, but if it fails with a known error response, the server knows it should fall back to unencrypted Do53.
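As an added example (not from the webinar or the original post), here is the canary heuristic as a stub resolver would apply it to the raw Do53 answer: NXDOMAIN or an empty answer means "stay on Do53", anything else leaves encrypted DNS enabled. The canary name is a constructed placeholder, and treating a transport failure as "no signal" is an assumption of this example.

```python
import struct
from typing import Optional, Tuple

# DNS header RCODE values (RFC 1035); NXDOMAIN is the known canary opt-out answer
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3

# Constructed placeholder; a real client uses its vendor's published canary name
CANARY_DOMAIN = "canary.example.net"


def parse_header(msg: bytes) -> Tuple[int, int]:
    """Return (rcode, ancount) from the 12-byte DNS message header."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return flags & 0x000F, ancount


def canary_allows_encrypted_dns(response: Optional[bytes]) -> bool:
    """Apply the canary heuristic to the Do53 response for CANARY_DOMAIN.

    NXDOMAIN, or NOERROR with no answer records, is the network's "fall back
    to Do53" signal. A transport failure (None) carries no signal, so
    encrypted DNS stays enabled (assumption: the canary is an opt-out).
    """
    if response is None:
        return True
    rcode, ancount = parse_header(response)
    if rcode == RCODE_NXDOMAIN:
        return False
    return not (rcode == RCODE_NOERROR and ancount == 0)


def choose_transport(response: Optional[bytes]) -> str:
    return "DoH" if canary_allows_encrypted_dns(response) else "Do53"


def build_response(rcode: int, answers: int) -> bytes:
    """Constructed test response: header, the canary question, `answers` A records."""
    flags = 0x8180 | rcode  # QR=1 (response), RD=1, RA=1, RCODE in low 4 bits
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, answers, 0, 0)
    for label in CANARY_DOMAIN.split("."):
        msg += bytes([len(label)]) + label.encode()
    msg += b"\x00" + struct.pack("!HH", 1, 1)  # root terminator, QTYPE=A, QCLASS=IN
    for _ in range(answers):
        # name pointer to offset 12 (question name), type A, class IN, TTL 300,
        # RDLENGTH 4, address 192.0.2.1 (TEST-NET-1, documentation range)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return msg
```

Feeding `build_response(RCODE_NXDOMAIN, 0)` to `choose_transport` yields "Do53", while a NOERROR answer with one A record yields "DoH".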

Learn more about encrypted DNS

Much more was said in our hour-long webinar, and given the tremendous interest, we decided to open it up to the world.

Visit our webinar page to register your details, watch the video recording, and get useful resources about encrypted DNS.