DNS has been around since 1983 and has worked brilliantly at resolving all internet domain requests for both IPv4 and the newer IPv6 address spaces. However, DNS was not built with privacy or security in mind, as it communicates all requests in clear text.
To make DNS more secure for users, the new DNS over HTTPS (DoH) protocol encrypts the requests using the same HTTPS encryption used when connecting to a secure website. All the major web browsers are beginning to support DoH, but this incredible privacy enhancement can also bring some security drawbacks.
What exactly is DNS over HTTPS (DoH)?
DoH is an initiative to prevent eavesdropping and manipulation of DNS request data by third parties, whether for malicious purposes, governmental control, or commercial reasons. DoH adds encryption to these requests, thereby hiding them from prying eyes and ensuring the privacy and security of the overall connection.
Why is DoH a problem for IT security?
Adding privacy can come at a cost. From a security perspective, the rapid adoption and usage of DoH could blindside security administrators and prevent them from extracting useful cybersecurity information by monitoring and analyzing their DNS request traffic logs.
Additionally, some applications can be configured to use DoH directly. As this bypasses the system’s configured DNS server, it presents issues with filtering and accuracy of the DNS requests.
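To make the bypass described above concrete, the following added example (not Webroot's code and not part of the original article) scans proxy log lines for DoH requests sent to a resolver other than the approved one, and decodes the RFC 8484 `dns` parameter to recover the name that was queried. The log format, the IP addresses and the `*.example` hostnames are constructed assumptions, and the URL is only visible if the proxy inspects TLS.

```python
import base64
from urllib.parse import urlsplit, parse_qs

SANCTIONED = {"doh.resolver.example"}       # assumption: the approved DoH resolver
DOH_MEDIA_TYPE = "application/dns-message"  # media type defined by RFC 8484
QUERY = "AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"  # A query for www.example.com (RFC 8484 example)

# Constructed sample lines: client, method, URL, media type (hypothetical log format).
SAMPLE_LOG = [
    f"10.0.0.21 GET https://doh.resolver.example/dns-query?dns={QUERY} {DOH_MEDIA_TYPE}",
    f"10.0.0.37 GET https://doh.other.example/dns-query?dns={QUERY} {DOH_MEDIA_TYPE}",
    f"10.0.0.37 POST https://doh.other.example/dns-query {DOH_MEDIA_TYPE}",
    "10.0.0.44 GET https://www.example.com/index.html text/html",
]

def qname_from_wire(msg: bytes) -> str:
    """Return the first question name from a DNS message in wire format."""
    if len(msg) < 12 or int.from_bytes(msg[4:6], "big") < 1:
        raise ValueError("no question section")
    labels, pos = [], 12                    # the question follows the 12-byte header
    while pos < len(msg) and msg[pos] != 0:
        length = msg[pos]
        label = msg[pos + 1:pos + 1 + length]
        if length > 63 or len(label) != length:
            raise ValueError("compressed or truncated name")
        labels.append(label.decode("ascii", "replace"))
        pos += 1 + length
    if pos >= len(msg):
        raise ValueError("name not terminated")
    return ".".join(labels) or "."

def decode_doh_get(url: str):
    """Return the queried name if the URL carries an RFC 8484 'dns' parameter, else None."""
    value = parse_qs(urlsplit(url).query).get("dns", [""])[0]
    try:
        return qname_from_wire(base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)))
    except ValueError:                      # binascii.Error is a ValueError subclass
        return None

def unsanctioned_doh(log_lines):
    """Return (client, resolver host, queried name) for DoH sent to unapproved resolvers."""
    hits = []
    for line in log_lines:
        client, method, url, media_type = line.split()
        qname = decode_doh_get(url) if method == "GET" else None
        is_doh = qname is not None or media_type == DOH_MEDIA_TYPE
        host = urlsplit(url).hostname
        if is_doh and host not in SANCTIONED:
            hits.append((client, host, qname))
    return hits
```

The POST hit carries no queried name because RFC 8484 places the DNS message in the request body, which this log format does not record.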
How does Webroot DNS Protection handle DoH?
If all DNS requests are encrypted, then admins can lose considerable visibility and control in terms of web filtering security. When applications are capable of making DNS requests independently, it defeats the value of web filtering by circumventing the in-place protections. To correctly leverage the advantages of DoH, every DNS request on a system must be passed via DoH, applications must be prevented from making rogue DNS requests, and filtering and logging must be maintained.
With our latest enhancements, Webroot DNS Protection now combines the privacy benefits of DoH with the security benefits of DNS-layer protection powered by Webroot BrightCloud Web Classification intelligence. Our service leverages the advantages of DoH by encrypting and managing the DNS requests for the entire system, and then securely relaying these requests via DoH to the Webroot resolvers. This way, admins retain control of DNS and are able to filter and log, while the user and business benefit from the additional privacy and security.
A DNS filtering service that accommodates DNS over HTTPS (DoH) can strengthen an organization’s ability to control network traffic and turn away threats. DoH can offer businesses far greater control and flexibility over their privacy than the old system.
Where can I learn more?
Check out our new DoH resources for more info:
- Console DNS and SAT Product Bulletin - October 2020
- Press Release: New Webroot DNS Protection Delivers Privacy and Security
- Product Bulletin: DNS over HTTPS (DoH)
- Datasheet: Webroot DNS Protection (attachment below)
- FAQ: Webroot DNS Protection and DoH Privacy and Security (attachment below)
- White Paper: Make DNS over HTTPS (DoH) Work for You (attachment below)
- [blog]: DoH Is Here to Stay: Why Businesses Should Embrace It
- [blog]: What DoH Can Really Do