NSA warns against using DoH inside enterprise networks

The NSA urges companies to host their own DoH resolvers and avoid sending DNS traffic to third-parties.
Written by Catalin Cimpanu, Contributor
dns-over-https DoH
Image: ZDNet

The US National Security Agency has published today a guide on the benefits and risks of encrypted DNS protocols, such as DNS-over-HTTPS (DoH), which have become widely used over the past two years.

The US cybersecurity agency warns that while technologies like DoH can encrypt and hide user DNS queries from network observers, they also have downsides when used inside corporate networks.

Also: Best VPNs • Best security keys

"DoH is not a panacea," the NSA said in a security advisory [PDF] published today, claiming that the use of the protocol gives companies a false sense of security, echoing many of the arguments presented in a ZDNet feature on DoH in October 2019.

The NSA said that DoH does not fully prevent threat actors from seeing a user's traffic and that when deployed inside networks, it can be used to bypass many security tools that rely on sniffing classic (plaintext) DNS traffic to detect threats.

Furthermore, the NSA argues that many of today's DoH-capable DNS resolver servers are also externally hosted, outside of the company's control and ability to audit.

NSA: Use your own DoH resolvers, not from third-parties

The NSA urges companies to avoid using encrypted DNS technologies inside their own networks, or at least use a DoH-capable DNS resolver server that is hosted internally and under their control.

Moreover, the NSA argues that this same advice should also be applied to classic DNS servers, not just encrypted/DoH ones.

"NSA recommends that an enterprise network's DNS traffic, encrypted or not, be sent only to the designated enterprise DNS resolver," the agency said.

"This ensures proper use of essential enterprise security controls, facilitates access to local network resources, and protects internal network information.

"All other DNS resolvers should be disabled and blocked," the security agency said.

CISA issued a similar warning last year

But the NSA is not alone in its cry for caution about encrypted DNS, such as DoH, but also its counterpart, DoT (DNS-over-TLS).

In April last year, the Cybersecurity and Infrastructure Security Agency also issued a directive asking all US federal agencies to disable DoH and DoT inside their networks due to security risks.

CISA told agencies to wait until its engineers would be able to provide an official government-hosted DoH/DoT resolver, which would mitigate any threats of sending government DoH/DoT traffic to third-party DNS providers.

The NSA advisory also comes after Iranian cyberspies have been seen using DoH to exfiltrate data from hacked networks without getting detected.

Further, free tools released on GitHub have also made it trivial to hijack encrypted DoH connections to hide stolen data and bypass classic DNS-based defensive software.

Editorial standards