Empowering Global Enterprise Business Cloud Service and Security Management

Adopting DoH/DoT Service for Endpoint Security

This month we continue the discussion of the Domain Name System (DNS). For the end user, this internet directory-lookup protocol is good, bad, and downright ugly at times. The issue at hand is how best to optimize DNS while considering all of its facets, especially endpoint security.

DNSSEC Only Protects Servers

Although a majority of DNS servers on the internet are now DNSSEC (DNS Security Extensions) compliant, and communications between DNS servers are verified using mutual certificate authentication and secured inside a TLS-encrypted communications tunnel, DNSSEC does not extend its security protections to the user's endpoint.

The economics of protecting the infrastructure (servers) outweigh the need to protect the end users by some degree. The implication is that the Internet Service Provider is hardened while eavesdropping on endpoint communication is still an open issue. While this has created business opportunities for a patchwork of satellite software vendors providing antivirus and cyberattack protection to end users, let's face it, it was a raw deal to begin with. The inherent issue is that DNS security does not extend to the client.

So You Are Being Watched!

Most Internet users don't know that even if a website is encrypted, that still doesn't keep the DNS resolver from knowing the identity of every site you visit. This means the internet service provider behind every WiFi network you've connected to, and your mobile network provider, has a list of every site you've visited while using them.

Because end-user activity can be traced, we are good at stopping cyber attacks launched against the users we protect. At the same time, DNS can be used as a tool of censorship against many of the groups we protect. While we're good at stopping cyber attacks, if a consumer's DNS gets blocked there has been nothing we could do to help.

The DoH/DoT Solutions

We need to break the DNS resolver's ability to link queries to client IP addresses. Fortunately, client (endpoint) DNS security options are available now. The growing adoption of the IETF-standardized DNS encryption protocols, DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT), is helping to stop onlookers and third parties from eavesdropping on end users.

The DoH proxy uses NAT/PAT to change the source IP address of the requesting endpoint, then forwards the still-encrypted query payload to the DoH resolver. As long as the DoH proxy and the DoH resolver are operated by separate entities, the privacy of the queries themselves remains protected. DoH also benefits from TLS encryption and is natively supported in many operating systems, including Android, iOS, macOS, and Linux.

DNS over TLS (DoT) encrypts the DNS query transaction using TLS. This creates a modified and secured DNS protocol that operates over TCP port 853. In traditional DNS, TCP port 53 is used for DNS server-to-server communications, typically referred to as zone transfers, while UDP port 53 is used for DNS queries. Both protocols prevent queries from being intercepted, redirected, or modified between the client and the resolver. Client support for DoT and DoH is growing, having been implemented in recent versions of Firefox and iOS.
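To make the DoH/DoT mechanics above concrete, here is an added example (not from this article) that builds the standard DNS wire-format query both protocols carry, shows the DoT length-prefixed framing and the DoH GET URL form, and parses a constructed response; the resolver host name, query ID, and response bytes are assumptions made up for the example, and nothing touches the network.

```python
# Added example (not from the article): the RFC 1035 wire-format message that
# DoT (TLS, TCP 853) and DoH (HTTPS, RFC 8484) carry; all values are constructed.
import base64
import struct

DOH_PATH = "/dns-query"   # RFC 8484 path used by many resolvers (assumed)
TYPE_A, CLASS_IN = 1, 1

def build_query(name, qid=0x1234):
    """Standard recursive A query in wire format (header + question)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", TYPE_A, CLASS_IN)

def dot_frame(msg):
    """DoT: 2-byte big-endian length prefix, then the message, inside TLS."""
    return struct.pack("!H", len(msg)) + msg

def doh_get_url(msg, host):
    """DoH GET form: unpadded base64url of the message in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode()
    return f"https://{host}{DOH_PATH}?dns={b64}"

def _skip_name(buf, off):
    """Advance past a name; a compression pointer (top bits 11) ends it."""
    while buf[off] and buf[off] & 0xC0 != 0xC0:
        off += buf[off] + 1
    return off + (2 if buf[off] & 0xC0 == 0xC0 else 1)

def parse_first_a(resp):
    """Return (query id, first A record as dotted quad, or None if absent)."""
    qid, _flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):                       # question: name + type + class
        off = _skip_name(resp, off) + 4
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            return qid, ".".join(str(b) for b in resp[off:off + 4])
        off += rdlen
    return qid, None

# Constructed answer to build_query("example.com"): one A record, 192.0.2.1
# (TEST-NET-1); the owner name is a pointer (0xC00C) to the question name.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + build_query("example.com")[12:] + b"\xc0\x0c"
                   + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1]))
```

The only difference a network observer sees between the two transports is the outer port and framing; the query name itself is inside TLS in both cases, which is exactly what plain UDP/53 does not provide.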

We must achieve uniform deployment of DoH/DoT service among all internet service providers to avoid a single point of failure where private DNS resolvers can still link all queries to client IP addresses.

Conclusion

Armed with this knowledge, you can change things for the better. Deploying DoH/DoT service is only a start; DNS filtering will further help protect you from targeted ads and unwanted propagandized information from special-interest groups that eat up your otherwise productive time and talents.