Mozilla and Google have scheduled the implementation of the DNS-over-HTTPS protocol in their respective browsers: Firefox is already rolling out the feature, and Chrome is scheduled to roll it out later this year.

Normal DNS queries are sent in plaintext from a given application to the DNS server, using resolver settings on the local operating system that are usually received from the network provider. The DNS-over-HTTPS (DoH) protocol changes all of this: it encrypts the DNS queries, disguises them as regular HTTPS traffic and sends them to special DoH-capable DNS servers, which resolve the query and return the answer to the user in encrypted form.
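To make the mechanism described above concrete, here is an added example (not code from the article) of how a DoH client carries an ordinary wire-format DNS query inside an HTTPS request and reads the answer back, following the DoH wire format (RFC 8484, `application/dns-message`). The resolver URL is a placeholder and the response bytes are constructed by hand, so nothing touches the network.

```python
# Added example: wrapping a plain DNS query in a DoH request (RFC 8484) and parsing the
# wire-format answer. The resolver URL is a placeholder; SAMPLE_RESPONSE is constructed.
import base64
import struct

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a recursive DNS query (QTYPE 1 = A record) in plain DNS wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS = IN

def doh_get_url(resolver_url: str, query: bytes) -> str:
    """DoH GET form: the wire-format query travels as unpadded base64url in 'dns='."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode()
    return f"{resolver_url}?dns={encoded}"

def _skip_name(data: bytes, pos: int) -> int:
    """Advance past a domain name, which may end in a 2-byte compression pointer."""
    while True:
        length = data[pos]
        if length & 0xC0 == 0xC0:
            return pos + 2
        if length == 0:
            return pos + 1
        pos += length + 1

def parse_response(data: bytes):
    """Return (txid, rcode, [A-record IPs]) from a wire-format DNS answer."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    pos = 12
    for _ in range(qdcount):               # skip the echoed question section
        pos = _skip_name(data, pos) + 4    # + QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(data, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in data[pos:pos + 4]))
        pos += rdlen
    return txid, flags & 0x000F, addrs

# Constructed answer: txid 0, NOERROR, one A record 192.0.2.10 with a compressed name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)
```

Because the query only appears as a `dns=` parameter of an HTTPS GET (or as the body of a POST), a network device that inspects plaintext port-53 DNS sees nothing of it, which is the point the article makes about filtering.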

The experts think DoH isn't foolproof in ensuring users' privacy: DoH doesn't actually prevent ISPs from tracking a user, and it weakens enterprise cyber-security setups, which in turn helps criminals. Because DoH centralizes DNS traffic on a few DoH resolvers, there is also the question of its impact on the DNS ecosystem itself, with the decentralized network of servers giving way to a newly created layer of DoH resolvers that sits on top of the existing DNS layer.

The main point against DoH is its impact on enterprises. System administrators use local DNS servers or DNS-based software to monitor local traffic, prevent users from accessing non-office-related sites and block malware domains. DoH creates a mechanism that overrides these centrally imposed DNS settings, letting employees use DoH to bypass any DNS-based traffic filtering solution, effectively separating DoH from the operating system's regular settings.

Thus, IT administrators will need to keep an eye on the DNS settings across the various operating systems to prevent DNS hijack attacks; with hundreds of apps running their own unique DoH settings, this will be a herculean task for the administrators.

Additionally, if DoH is widely deployed, it will become easy for employees to bypass enterprise filters to access blocked content, including traffic to the malware domains that are blocked within the enterprise.

The security researchers do understand the need to protect DNS queries from snoopers, and have recommended DNSSEC and DNS-over-TLS (DoT), a protocol similar to DoH that encrypts the DNS connection rather than hiding the traffic within HTTPS.

Though DoT has its own disadvantages, the researchers believe it would cause far fewer problems, and that all ISPs deploying DoT would significantly help ensure better privacy and security while preserving decentralization. They also advise companies to look at alternative methods of blocking outgoing traffic that don't rely only on DNS data.

Why Do Cybersecurity Experts Oppose the DNS-over-HTTPS Protocol?