DNS encryption offers some advantages but also brings risks if left to third-party providers, according to the agency.
The US National Security Agency (NSA) has published a guide on the benefits and risks of encrypted DNS protocols, such as DNS-over-HTTPS (DoH), which have become widely used over the past few years.
The agency warns that while technologies like DoH encrypt DNS queries and hide them from network observers, they also have downsides when used inside corporate networks.
DoH is “not a panacea”
The NSA said that DoH does not fully prevent threat actors from seeing a user’s traffic: it encrypts the DNS query itself, not the connection that follows it. Moreover, if companies allow DoH inside their networks, attackers can use it to bypass many security tools that rely on inspecting plaintext DNS traffic to detect threats.
“DoH is not a panacea,” the NSA said, adding that the protocol can give companies a false sense of security.
The NSA also notes that many of today’s DoH-capable resolvers are hosted externally, which puts them outside the enterprise’s control and beyond its ability to audit.
“DoH provides the benefit of encrypted DNS transactions, but it can also bring issues to enterprises,” the agency warned. These include a false sense of security, bypassing of DNS monitoring and protections, concerns for internal network configurations and information, and exploitation of upstream DNS traffic.
“In some cases, individual client applications may enable DoH using external resolvers, causing some of these issues automatically.”
Enterprises should bring DNS services in-house
The NSA urges enterprises not to let devices on their networks use encrypted DNS with external resolvers. Where encrypted DNS is used, it should go to an internal DoH-capable resolver under the enterprise’s control.
“NSA recommends that an enterprise network’s DNS traffic, encrypted or not, be sent only to the designated enterprise DNS resolver,” the US intelligence agency said.
“This ensures proper use of essential enterprise security controls, facilitates access to local network resources, and protects internal network information.”
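The recommendation above translates directly into a network check: anything that looks like DNS, plaintext or encrypted, and is not headed for the designated enterprise resolver is a bypass. The following is an added Python example, not code from the NSA guidance or from this article, that applies that check to constructed connection records. The resolver address 10.0.0.53, the record format, the host addresses and the short list of public encrypted-DNS endpoints are assumptions made for illustration.

```python
"""Flag DNS traffic that bypasses the designated enterprise resolver.

Added example; not part of the NSA guidance. The record format and the
addresses below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumption: the enterprise's designated resolver. Traffic to it on any
# port (53, 853, or 443 for an in-house DoH/DoT endpoint) is expected.
ENTERPRISE_RESOLVERS = {"10.0.0.53"}

# Short illustrative list of public encrypted-DNS endpoints. A real
# deployment would use a maintained block list rather than this handful.
KNOWN_DOH_HOSTS = {
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
}
KNOWN_PUBLIC_RESOLVER_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str            # "udp" or "tcp"
    sni: Optional[str]    # TLS server name, if one was observed


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: 'src dst dport proto [sni]'."""
    fields = line.split()
    if len(fields) not in (4, 5):
        raise ValueError(f"malformed record: {line!r}")
    src, dst, dport, proto = fields[:4]
    sni = fields[4].lower() if len(fields) == 5 else None
    return Flow(src, dst, int(dport), proto.lower(), sni)


def classify(flow: Flow) -> Optional[str]:
    """Return a reason if the flow is DNS that skips the enterprise resolver,
    otherwise None."""
    if flow.dst in ENTERPRISE_RESOLVERS:
        return None                      # designated resolver: expected
    if flow.dport == 53:
        return "plaintext-dns-bypass"    # classic DNS to a foreign resolver
    if flow.dport == 853:
        return "dot-bypass"              # DNS-over-TLS to a foreign resolver
    if flow.dport == 443:
        # DoH looks like ordinary HTTPS (HTTP/2 over TCP or HTTP/3 over UDP);
        # the TLS server name or the destination address is the tell.
        if flow.sni in KNOWN_DOH_HOSTS or flow.dst in KNOWN_PUBLIC_RESOLVER_IPS:
            return "doh-bypass"
    return None


def find_bypasses(lines: Iterable[str]) -> List[Tuple[Flow, str]]:
    """Run classify() over records, skipping blanks and '#' comments."""
    hits: List[Tuple[Flow, str]] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            hits.append((flow, reason))
    return hits


# Constructed sample records; client and CDN hosts use documentation ranges.
SAMPLE_LOG = """\
# src            dst            dport proto sni
192.0.2.10       10.0.0.53      53    udp
192.0.2.10       8.8.8.8        53    udp
192.0.2.11       9.9.9.9        853   tcp
192.0.2.12       203.0.113.7    443   tcp   cloudflare-dns.com
192.0.2.12       8.8.8.8        443   tcp
192.0.2.13       203.0.113.9    443   tcp   www.example.com
192.0.2.13       10.0.0.53      443   tcp   dns.corp.example
"""

if __name__ == "__main__":
    for flow, reason in find_bypasses(SAMPLE_LOG.splitlines()):
        print(f"{reason:22} {flow.src} -> {flow.dst}:{flow.dport} sni={flow.sni}")
```

Two caveats follow from the design. Plaintext DNS and DoT are caught by port alone, but DoH is only distinguishable from other HTTPS by the server name or the destination address, so a client that reaches a DoH endpoint behind a shared CDN address with the server name hidden will slip past this check; that is why the guidance pairs detection with blocking known external resolvers and disabling DoH in clients. And the in-house resolver is deliberately exempt on every port, so an enterprise DoH endpoint such as the constructed dns.corp.example above is treated as expected traffic.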