Active using DNS is effective and growing 124% year on year.
Active customers contributing to global distributed intelligence ensuring you stay protected
Protecting Organizations in a World of DoH and DoT
Organizations invest a lot of time, money, and effort in securing their networks. However, one area that often does not receive its due attention is the Domain Name System (DNS). DNS is commonly utilized in many attacks, from malware propagation to data exfiltration. According to Palo Alto Networks Unit 42 threat research, approximately 80% of malware uses DNS to establish a command-and-control (C2) channel.
Since its inception, DNS has largely been unencrypted, but new encrypted DNS protocols that aim to improve privacy are gaining support among leading browser and other software vendors. With this increase in support, enterprise networks will begin to see more encrypted DNS traffic. While this should accomplish the goal of increasing privacy, encrypted DNS traffic that is not properly inspected or prohibited poses a security risk. This leaves many organizations needing to figure out how to protect against threats in a new world of encrypted DNS.
How Does Encrypted DNS Affect My Organization?
Over the last 20 years, most web traffic has moved from HTTP to HTTPS to protect it from prying eyes. DNS is moving to encryption to enhance privacy in much the same way. As we live in a much faster world these days, it’s reasonable to assume that the majority of DNS traffic will be encrypted much more quickly. As evident in the activities of companies like Google, Microsoft, and Mozilla, the adoption of encrypted DNS is already well underway. In fact, it’s highly likely that encrypted DNS traffic is already traversing your network, introducing significant risk. While encryption provides privacy for end-users, the protective nature of encryption can be easily misused to hide malicious activities. Encryption creates a significant blind spot for enterprises, where attackers can infiltrate the network regardless of firewalls or other security capabilities.
How Can Palo Alto Networks Help?
With proper configuration, Palo Alto Networks Next-Generation Firewalls can prohibit the use of the DoH Protocol and are equipped to prohibit or secure usage of DoT Protocol, allowing you to retain visibility and security over all DNS traffic on your network. With DoH, you must decrypt the HTTPS traffic and block DoH to secure it. With DoT, you have the option to decrypt and secure, or simply block. Either way, decryption is critical. In addition, we recommend using our DNS Security subscription to analyze DNS traffic for threats in real time.
Securing Encrypted DNS
DoH and DoT share some traits that purposefully lower the visibility of DNS requests from a given client and the organization as a whole. The protocols foundationally use TLS to establish encrypted connections—over a port not traditionally used for DNS traffic—between the client making requests and the server resolving DNS queries. While privacy from third-party visibility may be desirable, the methods these protocols use to create additional security challenges for organizations wanting to maintain their own visibility into and control over outbound network traffic. As the protocols differ in their implementations, the methods of maintaining organizational visibility and controls will differ by protocol.
DNS, much like email and the web, presents significant security challenges as an internet-facing, flexible protocol that attackers commonly use to penetrate networks, remotely control malware, and steal data through sophisticated exfiltration. Just as with email and web traffic, enterprises must secure DNS traffic with the same levels of visibility, control, and threat prevention. The Palo Alto Networks DNS Security service, when combined with App-ID™ technology in our Next-Generation Firewalls, is uniquely positioned to provide visibility, control, and security for all DNS traffic. With the emergence of encrypted DNS, it is important to maintain visibility and control by following the best practices described in this document.