DNS security and why it’s time for change
More and more of the traffic on the Internet today is encrypted. Yet, historically, a user’s domain name information has remained visible in domain name system queries. Below, we explore how domain name encryption can rectify this, explain why it is so important in today’s world, and describe some new and remaining challenges.
We all know what a domain name is. It’s that sequence of letters and symbols which appears in the address bar at the top of the browser window. Up until now, this information has largely been visible in queries sent to the domain name system (DNS), making it possible for anyone on the path to find out what content the user has requested. This increases the risk of on-path attacks and surveillance.
However, today, new domain name encryption technologies offer us the opportunity to change that.
The Internet, domains and domain name systems
Before we go into that, let’s begin by looking at the evolving nature of Internet traffic today.
Most Internet connections start with a query to the DNS, which maps domain names to the corresponding network addresses. One reason we use domain names is that we humans remember them much more easily than network addresses, which are essentially long sequences of numbers. Network addresses may also change over time if content is moved or served dynamically.
An increasing share of Internet traffic is encrypted and destined for a few large networks. The growing emphasis on protecting the privacy of individual users is also changing the security needs in the DNS space, making it important to also protect DNS queries so that they do not leak information about the services being accessed.
Historical challenges to DNS security
New technology allows the queries to be encrypted. However, privacy problems remain with DNS servers themselves, particularly when large numbers of users access the same DNS servers.
Earlier efforts in securing DNS focused on protecting the validity of the information received from DNS, not on keeping the queries confidential. As a result, domain name information has remained visible in DNS queries. Given that much of Internet traffic is encrypted and served by large content delivery networks, domain name information is in many cases the only cleartext indication of the specific service being accessed.
Domain names are also visible in the setup of an HTTPS connection, as part of the initial, unencrypted information sent in the Transport Layer Security (TLS) protocol.
The visibility of domain names in this manner is problematic: on an open Wi-Fi network, for instance, an attacker could build profiles of the services users access.
One way to overcome this is through encryption of the domain name information.
A look at domain name encryption
So how does this work?
Basically, the DNS queries can themselves be run inside an HTTPS connection if the DNS resolver supports the DNS-over-HTTPS (DoH) protocol. In addition, an extension of the TLS protocol that encrypts the domain name carried in the connection setup phase is under standardization.
These DNS encryption mechanisms are very effective for preventing on-path attacks and surveillance.
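As an added example (not code from the original post), this shows how the same DNS query bytes are wrapped in an HTTPS request the way the IETF DoH specification (RFC 8484) describes: either base64url-encoded in a GET parameter or sent as the body of a POST. The resolver URL and host are constructed placeholders.

```python
import base64
import struct

def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query. Classic DNS sends exactly these bytes in a cleartext UDP datagram.
    The ID is 0, which RFC 8484 recommends for DoH so that HTTP caches can reuse responses."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # id, flags (RD), qd/an/ns/ar counts
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qtype, qclass IN

def doh_get_url(resolver_url: str, query: bytes) -> str:
    """DoH GET form: base64url with padding removed, carried in the 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"

def decode_doh_get(url: str) -> bytes:
    """Recover the DNS message from a DoH GET URL (restoring the stripped padding)."""
    param = url.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

def doh_post_request(host: str, path: str, query: bytes) -> bytes:
    """DoH POST form: the raw DNS message is the body, typed application/dns-message.
    Over a real connection this whole request travels inside TLS, so the name is hidden."""
    head = (
        f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
        f"Content-Type: application/dns-message\r\nAccept: application/dns-message\r\n"
        f"Content-Length: {len(query)}\r\n\r\n"
    )
    return head.encode("ascii") + query

def qname_from_query(query: bytes) -> str:
    """Read the queried name back out of a wire-format message (what a plaintext observer sees)."""
    labels, pos = [], 12
    while query[pos]:
        n = query[pos]
        labels.append(query[pos + 1 : pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)
```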
Challenges on the journey ahead
The approach of hiding domain name information from the network is not entirely without problems as we need to solve things like access to local names in corporate networks or finding the closest local servers for websites. But we believe these issues can be solved.
While communications security can protect us against outside parties – such as criminals on Wi-Fi networks – it does not protect against malicious or corrupted endpoints that may misuse personal data or not handle it with sufficient care.
For instance, a DNS resolver may be subject to commercial or accidental leaks of user data, and it may also be subject to surveillance activities. Sharing personally identifiable information with a potentially untrusted third party remains a problem even when the communication is encrypted, because encryption only restricts access to the one party at the other end of the channel.
We must reduce the number of centralized services
Recently, an even more worrying development in the DNS space relates to who performs the DNS queries and where the answers come from.
While traditionally it is the network provider who offers DNS resolution, there are now also a number of content providers that offer public-facing, global DNS resolvers. These resolvers provide a highly reliable service to their users, but it is also important to be aware that they represent another potential attack target and another source of data.
With the intention of supporting encryption of DNS, some browsers have started sending DNS queries by default to global DNS services that offer DNS-over-HTTPS support. This encapsulates DNS queries in HTTPS as an encrypted channel, a much-needed update to the original DNS protocols.
But selecting DNS services by default contributes to the trend in which an increasing share of Internet DNS resolution is performed by a small number of entities. The more such central services are used, the higher the impact if any one of them were to fail. This may lead to a failure to deliver the name resolution service, potentially blocking web access for some users and even critical services, or to data leaks about users’ trails of DNS queries.
One precondition for reducing the need for centralized services is to ensure that encrypted and high-quality DNS query mechanisms are broadly available and easily discoverable. The role of operator networks in providing these services is important.
What happens next?
DNS encryption can improve DNS security and user privacy significantly. However, this is still not enough. As an industry, we also need to ensure that all user data which is exposed to any third parties is handled appropriately. As such, DNS resolver services should be treated as security sensitive services.
Operators will also play an important role. There is a risk that the deployment model of encrypted DNS services will increase centralization on the Internet. The role of operators in providing DNS services over DoH will continue to be important in maintaining the Internet as a distributed system. We recommend the use of multiple reliable resolver services and recommend against turning the DNS into a centralized service.
Read the IETF’s protocol for sending DNS queries and getting DNS responses over HTTPS.
Learn more about the Internet Threat Model (model-t) Program.
Find out how we can improve the privacy of name resolution through adaptive DNS.