Webroot and DNS over HTTPS (DoH): Improving Privacy and Security
DNS is designed as an address book. It lets internet-connected devices look up domains, such as www.webroot.com, and connect to their corresponding resources. These resources are how we work with the internet: through websites we send email, connect to applications, stream videos, download pictures and even make phone calls!
Since its inception 35+ years ago, DNS has scaled to hold over 335 million domains that act as the gateways to billions of URLs. As farseeing and brilliant as DNS is, it was built around performance and scalability. Privacy and security were not a consideration.
Simply by looking at an organization’s or individual’s DNS requests, it is easy to determine how the internet is being used: which websites are browsed and when, which applications are accessed, and even which devices are connected to or from your network. And since these requests are not encrypted (nor the DNS source verified), clear-text DNS not only exposes how the internet is being used, but also leaves the integrity of the responses to those requests easily compromised.
What is DNS over HTTPS (DoH)?
DNS over HTTPS is specifically designed to address the fundamental privacy and security limitations of DNS by leveraging the HTTPS protocol your browser already uses when connecting to a secure website. With DoH enabled, DNS requests are sent via encrypted HTTPS, securing the connection request between you and your verified DNS provider.
How does DoH improve Privacy and Security?
Privacy is improved because encrypted DoH requests cannot easily be monitored or intercepted, and you have the added assurance that only your chosen DNS provider is aware of these DNS requests.
Likewise, security is improved. The HTTPS connection verifies that the DoH resolver you specified is the one actually providing resolution, and the encryption protects the requests and responses themselves, ensuring they have not been altered or compromised in transit.
What’s the catch?
DoH handles DNS requests directly within the application, and so bypasses the DNS resolver configured by your network. For example, if a device is making DNS requests for a domain that hosts known botnet or malware sites, it is important to have visibility of that traffic in order to make security decisions.
When these DNS requests are encrypted with DoH, your network logs no longer show which DNS requests are occurring or which device is making them.
Further, many companies now add DNS filtering security to their networks, such as Webroot’s own domain-based Webroot DNS Protection service. This service ensures that when a DNS request is made for a domain in a blocked category such as Malware, the corresponding resource is not provided; instead, the threat is reported and the administrator and/or user is warned.
Losing the ability to filter and report on DoH DNS requests can therefore weaken overall network security!
What are Webroot doing about DoH?
DoH is a logical evolution for DNS as it improves user and network privacy and security. However, many of our Clients are understandably concerned about the potential loss of visibility, reporting and the ability to filter all DNS requests made within their environments.
So, starting January 1st, 2020, Webroot DNS Protection will automatically categorize all DoH and DNS over TLS (DoT) domain requests under our Proxy Avoidance and Anonymizers URL category. By default, all DoH and DoT requests will automatically be blocked as a security risk.
Webroot is actively working to ensure that in future DoH doesn’t weaken privacy or security, and that applications that manage DNS requests through DoH, such as internet browsers, are accommodated: through canary domains, by filtering the DNS requests necessary to establish the DoH connection, or simply by configuring DNS so that DoH is not available.
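As an added illustration (not Webroot’s code or the product’s actual logic), here is a small Python policy function showing the three controls just listed from a resolver’s point of view: answering the canary domain with NXDOMAIN, blocking the lookups a client needs to bootstrap its DoH/DoT resolver, and reporting those hits under the Proxy Avoidance and Anonymizers category. The resolver hostnames and the query log are constructed placeholders; use-application-dns.net is Mozilla’s published canary domain.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Mozilla's published canary domain: Firefox treats an NXDOMAIN answer for it
# as the network's signal to leave default DoH switched off.
CANARY_DOMAINS = {"use-application-dns.net"}

# Constructed sample of hostnames a DoH/DoT client looks up to reach its
# encrypted resolver. Placeholder names, not a real category feed.
DOH_DOT_RESOLVER_HOSTS = {"doh.example-resolver.test", "dot.example-resolver.test"}
PROXY_AVOIDANCE = "Proxy Avoidance and Anonymizers"

@dataclass
class Decision:
    qname: str
    action: str                # "NXDOMAIN", "BLOCK" or "ALLOW"
    category: Optional[str]    # category that triggered a BLOCK, if any

def _matches(qname: str, names: set) -> bool:
    # Exact match or any subdomain of a listed name.
    return any(qname == n or qname.endswith("." + n) for n in names)

def decide(qname: str) -> Decision:
    q = qname.rstrip(".").lower()                 # drop trailing dot, case-fold
    if _matches(q, CANARY_DOMAINS):
        return Decision(q, "NXDOMAIN", None)      # tells the browser DoH is off here
    if _matches(q, DOH_DOT_RESOLVER_HOSTS):
        return Decision(q, "BLOCK", PROXY_AVOIDANCE)  # deny the bootstrap lookup
    return Decision(q, "ALLOW", None)

# Constructed query log, "<client-ip> <qname>" per line, as a resolver might log it.
SAMPLE_LOG = """\
10.0.0.12 use-application-dns.net.
10.0.0.12 doh.example-resolver.test.
10.0.0.45 www.webroot.com.
10.0.0.45 sub.dot.example-resolver.test.
"""

def filter_log(log: str) -> Dict[str, List[str]]:
    """Per-client list of queries that were not simply allowed, for reporting."""
    report: Dict[str, List[str]] = {}
    for line in log.splitlines():
        client, qname = line.split()
        d = decide(qname)
        if d.action != "ALLOW":
            report.setdefault(client, []).append(f"{d.qname} -> {d.action}")
    return report

if __name__ == "__main__":
    print(filter_log(SAMPLE_LOG))
```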
As DoH and DNS continue to evolve, so will Webroot DNS Protection, to allow all the Privacy and Security benefits of DoH, without giving up the security advantages of filtering and reporting.