Understanding DNS Over HTTPS

0
202
Understanding DNS Over HTTPS

Dit bericht verscheen eerder bij FOSSlife

Besides the common routing protocols, the Domain Name System (DNS) is one of the longest serving infrastructure protocols on the Internet. As the number of participants on the jointly developed Internet (initially ARPANET and later NSFNET) began to grow, the manual overhead involved in maintaining the hostname file (/etc/hosts) exploded. The first draft defined in RFC882 and RFC883 turns 40 next year.

Fortunately, traditional attacks such as DNS spoofing and cache poisoning are practically impossible today. DNS has seen several enhancements since its introduction, which retrospectively reflects a good design that is obviously extensible in many directions. The problem now is the unmanageable number of top-level domains, country domains in different languages that use different character sets, DNS over TCP for particularly large queries and responses, and many other major and minor extensions. Most resolvers now secure their queries to the authoritative name servers with DNS security extensions (DNSSEC) and other technologies to avoid receiving undesirable spoofed responses.

DNS also forms the basis for protecting many other application protocols today: The main examples are HTTP for issuing certificates for web access and SMTP for securing email communication with DMARC.

Privacy and Manipulation

Whereas DNS itself has become significantly more secure, the unencrypted route between clients and resolvers is left as an attack vector for hackers and snoopers. The data is routed by the User Datagram Protocol (UDP) without protection. One issue that has not yet been fully resolved is the privacy of DNS requests. Clients also need to be able to trust the resolvers to deliver correct responses – think protection against cache poisoning and censorship – and to keep client data confidential, or preferably not store the data at all.

DNS requests map users’ web activity in a fairly accurate way and are therefore an open invitation to abuse: whether in the form of DNS server operators storing queries and reselling them for advertising purposes, or providers messing around with the unencrypted data flowing through their networks. The most important argument in this discussion is therefore trust, which raises the question of trusting or mistrusting your own Internet provider; associations that provide protection against censorship or offer data protection; or large DNS providers such as Cloudflare, Google, or Quad9. Quad9, by the way, deliberately filters DNS responses to protect users against malicious domains that propagate malware or phishing.

Even if the provider of the DNS resolver were trustworthy, communication with the provider would still be unencrypted, which is why different protocols protect the connection between client and server. As early as 2016, DNS over TLS (DoT) was defined as a protocol that secures name resolution requests with TLS over TCP. Therefore, the requested domain is only visible to the DNS server to which the request is addressed. To compensate for potential speed disadvantages, the TCP connection is kept alive after the request and reused for the next request. Communication is routed through port 853 and is encrypted on the network, but recognizable as DNS traffic through the port.

DNS over HTTPS

In addition to DoT, another encryption method, DNS over HTTPS (DoH), was launched. Released in 2018, the protocol is designed to protect user privacy extensively, going even further than DoT. The DNS request is sent by HTTPS to a web server that operates a matching API. Most implementations let you choose between different response types. The most commonly used examples are probably application/dns-json and application/dns-message. The curl utility lets you see at the command line how a query appears:

curl -s -H ,accept: application/dns-json' "https://cloudflare-dns.com/dns-query?name=linux-magazine.com&type=A" | jq .

The jq here makes for nicer output formatting, the -s suppresses the status output for curl, and -H specifies the Accept header and chooses JSON output in the request. I used the Cloudflare DNS server for this example. Of course, you can choose an alternative server depending on your preferences. When using application/dns-message, the server expects a Base64-encoded message that is equivalent to a classic (binary) DNS query. The response is again not so pretty for viewing on the console; it contains binary data to match the request.

Secret DNS Requests

Because DoHs are ordinary HTTPS requests, they are also indistinguishable on the outside. If a web server provides both web page content and DoH, name resolution queries can no longer be distinguished even on packet filters or firewalls unless you also examine the TLS connections there.

Therefore, external DNS sources can be used behind restrictive firewalls, possibly bypassing active DNS filters. Firefox already made DoH the default for users in the US on Cloudflare servers in 2020. You can enable DoH in the browser settings if you like and can also enter an alternative server.

When you enable DoH in your browser, the system’s settings are preserved as a fallback because DoH does not work if, for example, you are in a hotel behind a captive portal. Name resolution by DNS will normally work, but HTTP(S) connections are blocked until you log in. By the way, you might experience problems even with DoT if the redirect to the captive portal relies on DNS hijacking.

DoH also can be used to attack corporate networks. JavaScript and dynamic queries (Ajax) allow queries to an internal DoH server for gathering additional information about the corporate network. The appropriate CORS headers in the DNS server responses could prevent this attack. Today, many companies use client DNS queries in their monitoring to check for malware infestation, for example. Such mechanisms can no longer be easily used with DoH if the malware of the future also implements DoH against standard servers from Google or Cloudflare.

DoH in Everyday Operations

The popular DNS servers already offer DoH interfaces. If you forward the requests from a proxy web server, you can hide them in your normal HTTPS traffic. Moreover, the classic HTTP Authenticate methods for authenticating clients before they use the DNS server do not work. To implement a modicum of protection for your DoH server, you can adapt the URL for the request. In fact, this allows your HTTP proxy to then address different back-end servers based on the URL and return filtered responses for some users.

Conclusions

The entire Internet communication is built on the DNS system, yet the tried-and-tested service by no means receives the attention it deserves. DoT and DoH change the outlook. This article provides insight into how DNS over HTTPS works. In this case, too, innovation has two sides; you will need to assess the advantages and disadvantages of DoH on individual merit. Common software tools such as web browsers already support it.

Therefore, it is up to you to decide whether to continue using your provider’s DNS service, whether encrypted or unencrypted, or whether to switch to a provider with a clear focus on data protection, possibly even including malware protection. As an administrator, you will definitely want to keep an eye open for potentially hidden DoH traffic on your network.

This article originally appeared in ADMIN magazine and is reprinted here with permission.

Dit bericht verscheen eerder bij FOSSlife

Vorig artikelWorking with Mastodon
Volgend artikelCMA deepens probe into VMware-Broadcom merger over concerns it could hike server prices in UK