Users type in web addresses and URLs to reach the websites they’re looking for, but computers and servers don’t speak in domain names like we do. The solution that bridges the gap between users and their network devices is the domain name system (DNS), a networking translator that translates human inputs, or domain names, into IP addresses that network technology can read and use to direct the user.
DNS is used across internet service providers (ISPs) and can be accessed by anyone, but encrypted DNS is growing as a privacy and security solution for enterprise networks that want to obscure user information and queries.
Using DNS Encryption in Enterprise Networks
- What is DNS Encryption?
- How Does DNS Encryption Work?
- The Pros and Cons of DNS Encryption
- What Network Administrators Need to Know
The DNS process occurs when a DNS client, or the user’s device, sends a domain query to a DNS resolver, which scours other servers across the internet to find the IP address that corresponds with that domain name. With traditional DNS, anyone with server access can see the plaintext of an unencrypted domain query as it passes to and from the resolver. This viewability of search terms doesn’t pose a problem in most scenarios, but in enterprise networks, exposed DNS information can do anything from violating the privacy of an employee’s searches to exposing the hypersensitive searches of an executive team (i.e., searches related to a merger or acquisition). The idea behind DNS encryption is to privatize these queries so that no one can maliciously intercept and/or modify the contents of a DNS query.
DNS encryption always occurs via transport layer security, but the two primary methods, DNS over TLS (DoT) and DNS over HTTPS (DoH), differ in their approaches and intended goals.
DNS over Transport Layer Security, or DoT, is the original approach to DNS encryption that focuses on certifying the resolver. Through this approach, the server/resolver hosts a digitally signed certificate that a client can read to verify if it is communicating with the correct resolver. This step in DoT makes it less likely for an impersonator to steal a user’s query information, which is also known as DNS hijacking.
DoT also encrypts the actual contents of each query by embedding them into a secure TLS channel. Before a client’s query can reach a server resolver, the two devices must exchange TLS information, stating that they both agree to follow stated TLS protocols. The client will then receive the server certificate and cross-check it against a local list of approved servers or use other methods to determine the authenticity of the resolver.
TLS can be added onto new ports over time. This gives network administrators some flexibility in building up DoT opportunities. However, it can also pose a problem with existing security infrastructure. A company’s firewall might block the secure DoT query if it attempts to pass through a new port that it doesn’t recognize. If this happens often, it can frustrate your users and cause them to bypass via unencrypted DNS use. There’s also a concern for some users because all encrypted DNS packets pass through Port 853. This means that even though outside users and devices can’t necessarily identify the contents of a query, they can determine that it is a DNS packet, and possibly figure out the search term as a result.
DNS over HTTPS (DoH) was developed in 2018 as a web-based alternative to DoT. The idea behind DoH is to streamline all queries and data packets into the HTTPS stream with all other encrypted web traffic. With this method, individual queries are not encrypted; instead, they all pass through an encrypted tunnel between the client and the server.
With the DoH approach, all queries are formatted the same way, so viewers cannot distinguish between a DNS packet and another portion of HTTPS traffic. This is a relief to users who value their search privacy, but it can be frustrating for network administrators who need to monitor the safety of searches on their network. Malware has been known to travel over HTTPS in many cases, so there’s also the concern that DoH could introduce additional strands of malware and breaches to an enterprise network.
More on Server Security: Establishing Server Security Best Practices
Across both main types of DNS encryption, there are several benefits and drawbacks to consider before implementing either method.
The Pros of DNS Encryption
- DNS encryption acts as a preventive measure against malware and phishing attacks, as well as user errors and typos. This can help to protect against common DNS attacks and hijacking.
- DNS encryption enforces user privacy for your network users, giving them trust in the organization and enabling highly sensitive search queries to be conducted safely.
The Cons of DNS Encryption
- Passive monitoring software and many other types of network security software cannot as easily run through DNS encryption. These tools exist to build up your security infrastructure, but in many cases, they cannot see or stop malware or ransomware passing through DNS encryption.
- Especially with the DoH option, network administrators have less visibility and control over what happens on network devices and programs. Whether it’s a mistake by an employee or malicious intent by a hacker, DNS encryption limits your security team’s abilities to spot security concerns.
More on Encryption: End-to-End Encryption: Important Pros and Cons
DNS encryption is a great way to privatize and protect search queries within your enterprise network, but network administrators need to know a few things about DoT and DoH before they enable these encryption approaches.
DoT tends to prioritize higher levels of security, while DoH is known for emphasizing higher levels of user privacy. Neither one is “right” or “wrong,” but your organization will want to establish additional privacy and security measures to support the solution you choose so that your network isn’t left unnecessarily vulnerable. Here are a few steps that you can take to ensure greater privacy and security across your network:
- Install and use your own protocols or proxies to make DoH more secure.
- Use DNS logging on network devices to increase network visibility.
- Establish and follow a zero trust policy across your network.
- Talk to security vendors and managed service providers who have experience working with and around DNS encryption.
If you’re looking for a private network communications alternative to DNS encryption, many networks instead choose a virtual private network (VPNs). However, while VPNs have a few security advantages over DNS encryption, DNS encryption is the better choice for enterprise networks that are searching for a lower cost and easier to configure solution.
More on VPNs: Understanding VPNs: The Pros and Cons of IPsec and SSL