DoH, applied across the entire system, helps ensure privacy over DNS requests while maintaining control and visibility into network activity.
While the proliferation of encrypted DNS is being driven by consumer privacy, businesses will want to take notice. Encrypted DNS–also known as DNS over HTTPS, or DoH–obscures internet traffic from bad actors. But it also has the potential to decrease visibility for IT admins whose responsibility it is to manage DNS requests for their organizations. So, what’s the solution? Strangely, DoH.
As previously mentioned, DoH is now the default for Mozilla Firefox. It’s also available in Google Chrome and other Chromium-based browsers. This is a win for consumers, who have newfound control over who can see where they’re going on the internet.
However, by surrendering control over DNS requests to the browser, IT administrators lose the ability to apply filtering to DNS requests. Encrypted DNS that skirts the operating system eliminates the visibility that IT admins need to ensure security for internet traffic on their networks. It also prevents the business from being able to run threat intelligence against DNS requests and identify dynamic malware that could circumvent consumer DoH implementations. This leads to gaps in security that businesses can’t afford.
Staying Ahead of the Curve
There is a way to ensure privacy over DNS requests while maintaining control and visibility into network activity. The solution is to apply DoH across the entire system, not just browser activity. By wresting control over DNS requests from the browser, the agent can instruct Firefox not to engage its DoH feature. The same holds true for Chrome users running DoH. These requests are passed back through the operating system, where the DNS solution can manage them directly. This helps support both filtering and visibility.
An advanced agent will manage DNS requests on the device securely through DoH so the requests go directly to the server with no other entity having visibility into them. At the same time, the agent can apply threat intelligence to ensure requests aren’t resolving to malicious destinations. Admins have visibility into all DNS requests, and the requests are encrypted.
When the agent detects a prohibited resource, it returns the IP address of a block page. So, if there’s a virus on the system and it’s trying to access a command and control server to deliver a malicious payload, it won’t be able to. It also prevents botnets from being able to connect since they also leverage DNS. For any process that requests something from the internet, if it doesn’t get the resource that it’s requesting, it’s not going to be able to act on it.
Privacy Plus Security
The novel coronavirus didn’t start the mobile workforce phenomenon, but it certainly has accelerated it. The traditional perimeter firewall with all systems and devices living behind it no longer exists. Modern networks extend to wherever users connect to the internet. This includes the router someone bought from a kid down the street, as well as the home network that was set up by a consulting company 10 years ago and hasn’t been patched or updated since.
When people open a browser on their home network and go to their favorites, they’re not expecting to get phished. But if they’re resolving to an alternative IP address because DNS is not being managed, is broken or is being redirected, they may be exposed to phishing sites. Enter encrypted DNS as another layer of protection within your cyber resilience portfolio. It starts working against a higher percentage of threats when you stack it with other layers, reducing the likelihood of being infected. It also addresses a blind spot that allows exploits to go undetected.
Privacy is the main driver for DoH adoption by consumers, while business agendas are generally driven by security. As a business, controlling DNS requests allows you to protect both the business and the user. If you don’t have that control and visibility, the user is potentially more exposed. And, if you don’t apply threat intelligence and filtering to DNS requests, a user can more easily click on malware or land on a phishing site.
Jonathan Barnett is a Product Manager for Webroot’s business network solutions. With 20 years’ experience as a Network Engineer and MSP, Jonathan has a deep understanding of both the technical and business challenges of the SMB and MSP market. Jonathan currently leads Webroot’s DNS Protection solution, which he has helped guide and shape since its release in 2017.
This guest blog is part of a Channel Futures sponsorship.