Last week, we spoke about the ongoing battle for internet privacy with the rollout of the new DNS-over-HTTPS (DoH) protocol. DoH encrypts the DNS traffic between a browser and its DNS provider, so that when you type a URL into your browser, the lookup that resolves its hostname to an IP address is protected from eavesdropping and tampering along the way. Both Mozilla and Google have been moving forward with their plans to implement DoH more widely via their Firefox and Chrome browsers, in tandem with some notable DNS providers like Cloudflare and Google. Microsoft also recently announced plans to adopt DoH in future Windows 10 versions.
In one of the latest stages of this saga, Google has stepped forward to make some clarifications about how Google Chrome users’ privacy and security are actually affected by the implementation of DoH.
First, Google says that users of Chrome will not be forced to go through Google’s DNS, nor any other DoH-compliant DNS server. Thus, users remain free to choose their own DNS provider, even if that provider doesn’t support the DoH protocol. DNS pioneer and Farsight Security CEO Dr. Paul Vixie praised Google since this means that “Chrome is only speaking DoH to servers the user has already selected.” For Dr. Vixie, that’s one point for Google.
The second point that Dr. Vixie gives Google is for granting businesses and schools the ability to block any traffic in their network that attempts to connect to a DoH service. Since Google offers DoH over certain stable addresses, network administrators can block these addresses at the firewall level.
This greatly alleviates the security concerns that businesses should have over the loss of visibility into DNS requests made from their networks with the DoH protocol. Security operation centers (SOCs) require oversight and intelligence about DNS requests that could otherwise become easy conduits of malicious activity hidden behind DoH encryption.
In fact, ZDNet reported in July on the first malware – a Linux botnet called Godlua – ever seen to use the DoH protocol to hide its DNS traffic to perform a DDoS attack. Then BleepingComputer reported on a new sextortion module update to the PsiXBot malware allowing it to contact hardcoded command and control (C2) domains with DNS requests delivered via DoH.
For SOC teams that rely on global threat data feeds to help detect malicious activity, visibility right down to the DNS level is crucial. Businesses that leverage ESET Threat Intelligence (ETI) or other threat intel sources to gather as many indicators of compromise (IoCs) as possible certainly recognize that DNS-level visibility provides the intelligence their defense teams need to protect their corporate networks and thereby prevent financial losses.
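The two defender-side points above, that DoH endpoints can be recognized and blocked at the network edge, and that a SOC otherwise loses sight of the names being queried, can be made concrete. The following Python script is an added example written for this article; it is not code from the original post, from ESET or from Google. It takes constructed log entries of the kind a TLS-inspecting web proxy would record, flags requests that look like DoH using the indicators fixed by RFC 8484 (the `application/dns-message` media type, the conventional `/dns-query` path, and the base64url `dns=` parameter on GET requests), and, where the proxy has the decrypted request, recovers the queried name from the DNS wire-format message. The resolver hostnames in `FLAGGED_DOH_HOSTS` are placeholders, not the addresses Google publishes; an administrator would substitute the list their providers announce.

```python
"""Spot DNS-over-HTTPS requests in decrypting-proxy logs and recover the queried names.

Added example for illustration only. The log entries are constructed; the
flagged resolver hostnames are placeholders standing in for the stable DoH
endpoints a provider publishes.
"""
import base64
import struct
from urllib.parse import parse_qs, urlsplit

DOH_CONTENT_TYPE = "application/dns-message"  # media type defined by RFC 8484
DOH_PATH = "/dns-query"                        # path used by most public DoH resolvers

# Assumption: hostnames the administrator has chosen to flag or block.
# Placeholders only; the real list comes from the providers' published endpoints.
FLAGGED_DOH_HOSTS = {"doh.resolver-a.example", "doh.resolver-b.example"}


def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query in wire format (used here only to construct sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_question(msg):
    """Return (qname, qtype) for the first question in a DNS wire-format message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount == 0:
        raise ValueError("message carries no question")
    labels, off = [], 12
    while True:
        if off >= len(msg):
            raise ValueError("truncated QNAME")
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("compression pointer in question name")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    if off + 4 > len(msg):
        raise ValueError("truncated question section")
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return ".".join(labels), qtype


def b64url_decode(s):
    """RFC 8484 strips base64url padding; restore it before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def classify(entry):
    """Classify one proxy log entry: dict(method, url, content_type, body)."""
    u = urlsplit(entry["url"])
    indicators = []
    if u.hostname in FLAGGED_DOH_HOSTS:
        indicators.append("flagged resolver host")
    if entry.get("content_type") == DOH_CONTENT_TYPE:
        indicators.append("RFC 8484 media type")
    if u.path == DOH_PATH:
        indicators.append("/dns-query path")

    # Recover the question if the proxy saw the decrypted request.
    wire = None
    if entry["method"] == "GET":
        dns_param = parse_qs(u.query).get("dns")
        if dns_param:
            wire = b64url_decode(dns_param[0])
    elif entry["method"] == "POST":
        wire = entry.get("body")
    qname = qtype = None
    if wire:
        try:
            qname, qtype = parse_question(wire)
        except ValueError:
            pass  # not a DNS message; leave the name unrecovered
    return {"is_doh": bool(indicators), "indicators": indicators,
            "qname": qname, "qtype": qtype}


def scan(entries):
    return [classify(e) for e in entries]


# Constructed sample log entries: a DoH GET, a DoH POST, and ordinary web traffic.
SAMPLE_ENTRIES = [
    {"method": "GET",
     "url": "https://doh.resolver-a.example/dns-query?dns="
            + base64.urlsafe_b64encode(build_query("update.example.test", 1)).rstrip(b"=").decode(),
     "content_type": None, "body": None},
    {"method": "POST", "url": "https://doh.resolver-b.example/dns-query",
     "content_type": DOH_CONTENT_TYPE, "body": build_query("c2.example.test", 16)},
    {"method": "GET", "url": "https://www.example.test/index.html",
     "content_type": None, "body": None},
]

if __name__ == "__main__":
    for result in scan(SAMPLE_ENTRIES):
        print(result)
```

Only the first three checks are needed to decide whether a connection is DoH, which is why the blocking approach Dr. Vixie credits Google for works at the firewall without any decryption; recovering the name itself is only possible where the organization already terminates TLS at a proxy.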
[You can also read about Whalebone’s quality test of ETI’s IoC feeds here.]
Finally, Google clarified that users who opt to use DoH will still be able to apply any parental control features that their DNS providers offer. This is the case, for example, with CleanBrowsing, which will continue to offer the same feature set for content control in both its encrypted and unencrypted DNS resolution services.
Google’s efforts to step up the privacy and security of online users with DoH, while respecting their freedom of choice for an unencrypted DNS service, are exemplary. “I would like @mozilla to do DoH in firefox the way google is doing it in chrome; and i would like @cloudflare to announce a set of blockable IP addresses for their DoH servers, as google is doing,” tweeted Dr. Vixie. For more information on Dr. Vixie’s views on the importance of operating one’s own local DNS resolution servers, you can read his Dark Reading article, Benefits of DNS Service Locality.