Upcoming Web Browser Changes May Put Your Company At Risk
Constant changes to the internet mean standards must be updated or created as needed. The primary organization responsible for forging internet standards is the Internet Engineering Task Force (IETF). Recently, the IETF approved two new methods for encrypting DNS traffic to improve the privacy and security of DNS lookups: DNS over HTTPS (DoH) and DNS over TLS (DoT).
Why should you care?
Both DoH and DoT may be able to bypass the technologies you currently use to accomplish some of your organization's security and compliance goals.
How might your company’s security be at risk?
At this time, most DNS traffic is sent in a well-understood, unencrypted form. Many organizations use DNS filtering methods and services to perform basic web content filtering and security. This DNS filtering depends on the known and unencrypted nature of DNS traffic. In addition, many firewalls and Unified Threat Management (UTM) devices have the capability to perform reputation lookups on the hostnames carried in DNS queries. Based on the gathered information, firewalls are able to approve or block traffic based on the reputation of IP addresses and hostnames. These methods, amongst others, have been incredibly helpful in improving the security and productivity postures of organizations.
While both DoH and DoT encrypt DNS queries, DoH is the more concerning of the two. DoH uses TCP port 443. This TCP port is the standard port for encrypted web browsing, making web filtering services incapable of separating DoH queries from other encrypted web browsing. DoT, on the other hand, uses a dedicated and relatively unused TCP port, 853. This means we can easily block TCP port 853 at the perimeter if we want to prevent DoT, with little or no collateral damage. DoH is another story: most, if not all, users at an organization require secure web browsing (HTTPS), so blocking that traffic at the perimeter is next to impossible.
Developers are beginning to build DoH functionality directly into their applications, which has the capability of bypassing the DNS settings configured by your I.T. department. While many of your usual applications probably don't have this functionality yet, some very important ones already do. Both the Chrome and Firefox web browsers are in the process of deploying DoH. What does this mean? Both of these web browsers have the potential to bypass your I.T.-designated DNS servers and query their preferred resolvers directly. As this traffic is both encrypted and bypassing your internal DNS infrastructure, it is not subject to the policies and protections your organization has put into place. This includes your DNS-based content and security services and some reputation-based firewall and UTM protections.
Why did the IETF create these new standards?
Currently, standard DNS lookups are not encrypted. Because they are unencrypted, your DNS lookups can be seen by others as they traverse multiple servers. This means that ISPs, governments, or even people on the same public WiFi as you can see which websites or services you are using. In addition, threat actors can manipulate DNS traffic to deliberately send you wrong answers, known as "DNS hijacking". By encrypting DNS traffic, DoH and DoT make that kind of surveillance and manipulation much more difficult. Unfortunately, the same features of DoH and DoT that are great for end-user privacy may also complicate enterprise security by hiding information used by some common web filtering and security solutions.
What can you do?
Thankfully, it appears both the Chrome and Firefox browsers will have configuration options to disable DoH (see links below for Firefox). In addition, you can utilize egress firewall rules to block well known DoH providers (link to a list of providers below). You can also utilize an egress firewall policy to block TCP port 853 traffic to prevent DoT. And if you haven't already, you may want to consider blocking standard egress DNS queries (TCP and UDP port 53) from anything but your trusted internal DNS infrastructure, such as your domain controllers, firewall/UTM, or DNS filtering proxies.
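The three perimeter controls described above (block TCP 853 for DoT, block known DoH provider addresses on 443, and allow port 53 egress only from trusted internal resolvers) expressed as an nftables ruleset for a Linux gateway. This is an added example, not part of the original post; the resolver and DoH provider addresses are constructed placeholders in documentation ranges and must be replaced with your own inventory and a maintained provider list.

```shell
#!/bin/sh
# Added example: generate an nftables egress policy for DNS control at the perimeter.
# Addresses are constructed placeholders (RFC 5737 ranges); override via environment.
TRUSTED_RESOLVERS="${TRUSTED_RESOLVERS:-192.0.2.10, 192.0.2.11}"   # internal DCs / DNS filtering proxies
DOH_PROVIDERS="${DOH_PROVIDERS:-198.51.100.53, 203.0.113.53}"      # known public DoH resolver IPs

# Print the ruleset. Load on the gateway with: dns_egress_ruleset | nft -f -
dns_egress_ruleset() {
    cat <<EOF
table inet dns_egress {
    set trusted_resolvers { type ipv4_addr; elements = { ${TRUSTED_RESOLVERS} } }
    set doh_providers     { type ipv4_addr; elements = { ${DOH_PROVIDERS} } }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # DoT uses a dedicated port, so it can be blocked outright with little collateral damage
        tcp dport 853 counter drop comment "block DNS over TLS"

        # DoH shares 443 with ordinary HTTPS, so only known resolver addresses can be blocked
        ip daddr @doh_providers tcp dport 443 counter drop comment "block known DoH providers"

        # Plain DNS may leave the network only from the trusted internal resolvers
        ip saddr @trusted_resolvers udp dport 53 accept
        ip saddr @trusted_resolvers tcp dport 53 accept
        udp dport 53 counter drop comment "unauthorised egress DNS"
        tcp dport 53 counter drop comment "unauthorised egress DNS"
    }
}
EOF
}

# Self-check: returns 0 only if the generated ruleset carries all three controls.
dns_egress_ruleset_check() {
    rules=$(dns_egress_ruleset)
    echo "$rules" | grep -q 'tcp dport 853 counter drop' || return 1
    echo "$rules" | grep -q 'ip daddr @doh_providers tcp dport 443' || return 1
    echo "$rules" | grep -q 'udp dport 53 counter drop' || return 1
    return 0
}
```

Run `dns_egress_ruleset | nft -c -f -` to syntax-check the generated policy before loading it; the `counter` statements let you see in `nft list ruleset` how much DoT and stray port-53 traffic the rules are catching.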
Resources:
Disabling DoH on Firefox
https://support.mozilla.org/en-US/kb/firefox-dns-over-https
via GPO
https://support.mozilla.org/en-US/kb/customizing-firefox-using-group-policy-windows
via Canary Domain
https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
List of well known public DoH and DoT providers
https://en.wikipedia.org/wiki/Public_recursive_name_server
References:
Deckelmann, S. (2019, September 6). What's Next in Making Encrypted DNS-over-HTTPS the Default. Retrieved from https://blog.mozilla.org/futurereleases/2019/09/06/whats-next-in-making-dns-over-https-the-default/
Internet Engineering Task Force (2018, October). DNS Queries over HTTPS (DoH). Retrieved from https://tools.ietf.org/html/rfc8484