Preventing DNS filtering bypass by Encrypted DNS (DoT, DoH, DoQ)

DNS over HTTPS (DoH) and other encrypted DNS protocols such as DNS over TLS (DoT) and DNS over QUIC (DoQ) enhance user privacy and security by encrypting DNS queries in transit, shielding them from eavesdropping, tampering, and censorship on untrusted networks. This prevents ISPs and local attackers from logging or manipulating domain resolutions, fostering a more trustworthy internet experience.

However, a key drawback is that the conventional deployment of encrypted DNS causes network defenders (such as enterprise admins or parental controls) to lose visibility into, and enforcement over, DNS traffic, undermining their ability to apply Protective DNS (PDNS) rules, block malicious domains, or monitor for threats.

The status-quo response to this problem is to attempt to block DoH services in order to regain the security control that PDNS provides, sacrificing the security value of DoH in the process. In some cases this is very hard to do, and stealthy malware goes to great lengths to avoid detection when using DoH as a C2 channel.

See CISA’s Memorandum from 2020

The good news is that a local Zero Trust Resolver could let defenders keep the benefits of DoT, DoH and DoQ while maintaining complete control over DNS policy enforcement.

The focus here is on a gateway-level approach, which means no modification needs to be made to the DNS settings of endpoint devices.

For starters, let's use plain Do53 (unencrypted DNS over port 53).

To see what happens when an endpoint attempts to use a DNS resolver other than the assigned one, here is an example from a lab in my macOS environment. Encrypted DNS is offered opportunistically via DDR (Discovery of Designated Resolvers):

davidredekop@mbpro ~ % cat /etc/resolv.conf |grep nameserver
nameserver 10.53.10.1

davidredekop@mbpro ~ % netstat -nr | grep default
default 10.53.10.1 UGScg en6

davidredekop@mbpro ~ % dig TYPE64 _dns.resolver.arpa
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 7915
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: N

[...]
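The DDR advertisement that the dig query above retrieves is an SVCB record for _dns.resolver.arpa. The following added example (not code from the original article) decodes such a record's wire-format RDATA and checks, as a gateway defender would, that its address hints point back at the assigned resolver rather than at some external encrypted resolver. The target name dns.example.net and the record bytes are constructed for illustration.

```python
import ipaddress
import struct

def read_name(buf, off):  # uncompressed wire-format TargetName -> (name, offset after it)
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return (".".join(labels) + "." if labels else "."), off + 1

def parse_svcb_rdata(rdata):
    """Decode SVCB RDATA (RFC 9460): priority, TargetName and the SvcParams DDR relies on."""
    (priority,) = struct.unpack("!H", rdata[:2])
    target, off = read_name(rdata, 2)
    params, last_key = {}, -1
    while off < len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        if key <= last_key:            # keys must be strictly ascending and never repeat
            raise ValueError("malformed SvcParams")
        last_key, off = key, off + 4
        val, off = rdata[off:off + length], off + length
        if key == 1:                   # alpn: 1-byte-length-prefixed protocol ids
            ids, i = [], 0
            while i < len(val):
                ids.append(val[i + 1:i + 1 + val[i]].decode("ascii"))
                i += 1 + val[i]
            params["alpn"] = ids
        elif key == 3:                 # port
            (params["port"],) = struct.unpack("!H", val)
        elif key in (4, 6):            # ipv4hint / ipv6hint: packed 4- or 16-byte addresses
            size, name = (4, "ipv4hint") if key == 4 else (16, "ipv6hint")
            params[name] = [str(ipaddress.ip_address(val[i:i + size]))
                            for i in range(0, len(val), size)]
        elif key == 7:                 # dohpath (RFC 9461), a URI template
            params["dohpath"] = val.decode("utf-8")
        else:                          # mandatory, no-default-alpn, ech: kept raw
            params[f"key{key}"] = val
    return priority, target, params

def stays_on_assigned_resolver(params, assigned_ip):  # defender check on the address hints
    hints = params.get("ipv4hint", []) + params.get("ipv6hint", [])
    return bool(hints) and all(h == assigned_ip for h in hints)

def _param(key, val):  # one SvcParam: key, length, value
    return struct.pack("!HH", key, len(val)) + val

# Constructed sample RDATA (placeholder target): priority 1, dns.example.net., alpn=h2,h3 port=443 ipv4hint=10.53.10.1 dohpath=/dns-query{?dns}
SAMPLE_RDATA = (struct.pack("!H", 1) + b"\x03dns\x07example\x03net\x00"
                + _param(1, b"\x02h2\x02h3") + _param(3, struct.pack("!H", 443))
                + _param(4, ipaddress.IPv4Address("10.53.10.1").packed)
                + _param(7, b"/dns-query{?dns}"))
```

A gateway resolver that advertises itself via DDR should pass stays_on_assigned_resolver with its own address; an advertisement whose hints point elsewhere is what a bypass would look like.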

This article has been indexed from Security Boulevard
