DNS Security

Often referred to as the “phonebook of the Internet,” the Domain Name System (DNS) is a key network function that translates domain names (e.g., “atis.org”) to the device’s unique numerical IP addresses so that web browsers and other applications can load Internet resources. Because DNS is such a critical network function, its robustness and security are of profound importance. Important changes to the security of DNS protocols are now underway. These will have an impact on all organizations that offer DNS services or depend on features implemented in DNS.

Almost all Internet applications rely on DNS to allow the client to find the required server and obtain other information related to the domain. Currently, a large majority (approximately 80%) of DNS queries in public networks are handled by the user’s Internet Service Provider (ISP). This allows ISPs to use DNS to fulfill operational needs and offer services. In managed private networks belonging to enterprises and other organizations (e.g., schools), users often connect to dedicated DNS services that provide enterprise-specific functions, including network security services and private namespaces.

Today, most DNS signaling is sent using protocols that provide neither encryption nor authentication, presenting both privacy and security risks for users. As such, new protocols have been specified that add cryptographic security and data confidentiality to DNS. Support for these is now being introduced in client software (primarily web browsers) and in DNS servers.

These changes in DNS technology and implementation practices are now creating both challenges and opportunities.

The IETF has standardized protocols for the use of encrypted DNS: DNS over HTTPS (DoH) and DNS over TLS (DoT). These technologies can enhance the security of the DNS protocol; however, how to deploy and operationalize them is largely undefined. As such, browsers and mobile operating systems are using a variety of different approaches that could dramatically change the Internet architecture and have marked impacts on important DNS-based features. While the use of DoT and DoH can have benefits for user security and privacy, the current piecemeal deployments raise complex issues for many stakeholders. Both organizational and technical responses are needed to address these.

DoT and DoH have similar cryptographic security properties, but the different encapsulation protocols have implications for system design. DoT can give networks some insight into DNS traffic, while DoH is stealthier and emphasizes privacy (e.g., to cope with environments where the user does not trust the local network). Although user data is secured in both protocols, network administrators may view this as a network security vs. privacy conundrum.
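To make the encapsulation difference concrete, here is an added Python example (not from the ATIS report) that builds one DNS query for atis.org and wraps it the way DoT and DoH each carry it; the resolver name doh.example and the transaction ID are placeholders chosen for the example.

```python
import base64
import struct

def build_dns_query(name, qtype=1, txid=0x1234):
    """Encode a minimal RFC 1035 query: 12-byte header plus one question (QCLASS IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def question_name(msg):
    """What a clear-text (port 53) middle box can read: the queried name."""
    pos, labels = 12, []
    while msg[pos]:
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii"))
        pos += 1 + msg[pos]
    return ".".join(labels)

def frame_for_dot(msg):
    """DoT (RFC 7858) keeps the DNS-over-TCP framing: a 2-byte length prefix, then
    the message, carried inside TLS to the dedicated port 853. The port alone tells
    an operator "this is DNS" even though the name inside is encrypted."""
    return struct.pack("!H", len(msg)) + msg

def frame_for_doh_get(msg, base_url="https://doh.example/dns-query"):
    """DoH (RFC 8484) GET: the same bytes, base64url without padding, in ?dns=.
    On the wire this is an ordinary HTTPS request to port 443."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={b64}"

def frame_for_doh_post(msg, host="doh.example", path="/dns-query"):
    """DoH POST: the message is the HTTP body with Content-Type application/dns-message."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/dns-message\r\n"
            "Accept: application/dns-message\r\n"
            f"Content-Length: {len(msg)}\r\n\r\n").encode("ascii")
    return head + msg

if __name__ == "__main__":
    q = build_dns_query("atis.org")
    print("Clear-text middle box sees name:", question_name(q))
    print("DoT frame (hex):", frame_for_dot(q).hex())
    print("DoH GET URL:", frame_for_doh_get(q))
    print("DoH POST request bytes:", len(frame_for_doh_post(q)))
```

The DoT frame is identifiable as DNS by its port, whereas the DoH request is indistinguishable from other HTTPS traffic unless the resolver itself is known.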

Although the implementation of DNS security protocols can have a range of benefits, it can also conflict with important network services that are currently widely implemented on top of DNS. These services include techniques to mitigate malware and fulfill legal obligations placed on network operators. DoH has particular security implications as it is designed to be resistant to simple approaches for policy enforcement and monitoring in the network.

A recently released ATIS report, Technical Impacts of DNS Privacy and Security on Network Service Scenarios, describes the technical impacts of DNS security protocols in a range of network scenarios and identifies impacts on systems in three main areas:

  1. The absence of industry norms for how to deploy and operationalize encrypted DNS in servers and clients is leading to the adoption of piecemeal solutions that differ in each implementation.
  2. By selecting their own DNS servers, some clients are disregarding DNS server provisioning information received from the network (e.g., in Dynamic Host Configuration Protocol). These clients can be disruptive to a range of network services, including security and legally required services, that are implemented in ISP and managed private network DNS servers today.
  3. Implementations of network security features (e.g., malware detection and blocking), as well as the implementation of national legal requirements in public networks and network policy controls in managed private networks, could be affected. This is because the confidentiality provided by DoT and DoH may prevent operation of any network services implemented in “middle boxes” that rely on DNS queries and responses being in clear text.

Technical Impacts of DNS Privacy and Security on Network Service Scenarios presents scenarios that illustrate some of the different contexts in which DNS may be used, with each scenario presenting different considerations for DoT and DoH deployment. These scenarios should be used to guide decision-making by clients and servers deploying DoT and DoH. They can also be used by organizations impacted by DoT and DoH to help formulate their strategy.

The report also contains a set of talking points which ISPs, as well as other parties, can use to communicate about these topics to end users, enterprise network administrators and internal stakeholders. Finally, it provides key recommendations for different stakeholders to encourage collaboration among all stakeholders to create technical standards and best practices for the deployment of DoT and DoH. The goal is to maximize the benefits of DNS security support while reducing problem areas. ATIS’ analysis is a major industry contribution toward achieving this.

Iain Sharp, Principal Technologist, ATIS
Iain Sharp has over 20 years’ experience in the mobile communications industry and served two periods as vice-chairman of the 3GPP CT Plenary. He is the director of Netovate, an independent consultancy with a mission to provide clients with a commercial advantage through an understanding of communications technology developments, particularly in the standards sphere.