DoH and DoT: What They Mean & Should You Care?

Jeremiah Johnson, Principal Network Engineer, October 22, 2019

 

With security and privacy at the forefront of everyone’s minds, from your home virtual assistant to your mobile phone data, internet browsing is no different. All the major browsers continually make changes to ensure your DNS requests remain encrypted.

How Are These Protocols Changing How Internet Traffic is Monitored?

Standard DNS is plain text that can be easily viewed by anyone running a network sniffer, ISP’s, and Big Data collection points. To discourage this, many internet browsers have begun to implement DoH (DNS over HTTPS), which is a relatively new protocol used to perform a DNS (Domain Name System) resolution and relies on HTTPS (443).

This new protocol ensures that DNS lookups are encrypted, which increases user privacy and security by preventing unauthorized parties from eavesdropping on your web traffic.

DoT (DNS over TLS​) is similar to DoH but depends on TLS (Transport Layer Security) instead of HTTPS. This approach works just like DoH but uses a different protocol and port. DoT currently uses TCP 853.

Firefox has already implemented the ability for users to modify their Network Settings to utilize DoH with a recent update.

Google’s Chrome will be pushing this same feature in version 78. The main difference between how the two browsers approach encryption is that Firefox requires a manual adjustment, whereas Chrome (most tech news outlets are reporting) will enable this setting by default. We assume since the Google DNS servers (8.8.8.8 and 8.8.4.4) publicly support DoH and DoT, Chrome will be relying on their own servers to support this new feature.

How Can DoH and DoT Weaken Your Cybersecurity Posture?

Most firewalls rely heavily on DNS queries for proper judgment of traffic flows, including Security Services and Content Filter matching. Standard port blocking won’t help because DoH uses standard HTTPS 443.

This is what happens when your browser requests a website without any advanced DNS settings:

User to Browser: I want www.google.com (Local to the PC)

Browser to DNS: What is www.google.com? (Passes through the firewall in plaintext)

DNS to Brower: 172.217.13.228 (Passes through the firewall in plaintext)

Browser to User: Here is www.google.com, Search away (Local to the PC)

Now, this is what that same search would look like if the browser was running DoH or DoT:

User to Browser: I want www.google.com (Local to the PC)

Browser to DNS: ******************************************* (Encrypted and unreadable by the firewall)

DNS to Browser: *******************************************(Encrypted and unreadable by the firewall)

Browser to User: Here is www.google.com, Search away (Local to the PC)

As you can see above, the browser to DNS and DNS to browser portions of the conversation are now encrypted, and the firewall loses the ability to make a proper judgment on the traffic.

For example, while running DoH or DoT, if a user requests www.espn.com (which is supposed to be blocked within your company content filter policy), the firewall won’t have the ability to “see” the DNS request, which renders your blocking technology ineffective.

While ESPN is a harmless site, less savory or even malicious sites will now also be able to slip through your firewall. If, for example, you are managing a K-12 school, you obviously want to make sure that your staff and students are not able to access sites that host adult or other inappropriate content. These new DoH and DoT protocols undermine your efforts to block inappropriate content because your firewall is now no longer able to see where users are going and could inadvertently let them access blocked content or sites that host malware.

In this scenario, DoH and DoT protocols have subverted one of your first defenses against malware and weakened your overall cybersecurity posture.

What’s Next?

Currently, all major firewall vendors are working hard to develop the best possible solution for managing encrypted DNS traffic. In the meantime, Cerdant has been testing and has developed a working solution to drop the DoH and DoT requests, forcing browsers to utilize their standard DNS protocols.

We believe that DoH and DoT definitely have a place in the cybersecurity realm but, if you are in charge of a company network and need to log, review, report, and make decisions about your network traffic, these protocols can hinder your ability to maintain control.

If you are interested in learning more about DoH or DoT, and how you can block it from your network, please reach out to us so we can discuss this further.