PC PORTAL

dns protection

February 16, 2021 By PC Portal

The NSA Wants Businesses to Use DoH. Here’s What You Need to Know.

Most people would agree that more privacy online is a good thing. In practice, though, online privacy questions are more complex. In recent months you have likely heard about DNS over HTTPS (DoH, sometimes marketed as "DNS 2.0"), which carries DNS queries and responses inside an HTTPS connection so that their contents are hidden from anyone on the path between the client and the resolver, including actors who would intercept or misuse them. Because the resolver is authenticated by its TLS certificate, DoH also shuts down several attacks on that hop: an on-path device can no longer rewrite responses, and a client pinned to a trusted DoH resolver ignores the rogue resolver a compromised router hands out. On the other hand, hiding DNS requests from the network also reduces admins' visibility and control, which can hurt business network security.

Ultimately, this DNS privacy upgrade has been a long time coming. While its creators’ original 1983 design has undoubtedly proven itself by scaling to meet the demands of today’s internet, privacy just wasn’t a consideration 38 years ago; thus, the need for DoH.


When weighing the obvious privacy and security benefits against the loss of visibility and the potential security drawbacks, some businesses are having difficulty managing these new protocols. That is likely why the NSA released guidance in January 2021 ("Adopting Encrypted DNS in Enterprise Environments") that not only explains the case for DoH but strongly recommends that businesses route DNS only through an enterprise resolver and block every other encrypted resolver. What the guidance does not really cover is how.

Correctly managing encrypted DNS can be very challenging. According to Jonathan Barnett, Webroot sr. product manager and DNS security expert, here’s what businesses need to know about the NSA’s guide and how to successfully embrace DoH.

What does the NSA guide recommend?

The NSA supports the privacy and security improvements DoH provides. However, they also recommend that DNS be controlled, which may leave some admins scratching their heads.

“The enterprise resolver should support encrypted DNS requests, such as DoH, for local privacy and integrity protections, but all other encrypted DNS resolvers should be disabled and blocked.”

What does the NSA caution against?

The NSA specifically warns about applications that make DNS requests on their own. Traditionally, an application needing a name resolved asks the operating system, which follows whatever resolver configuration the admin has set, and the request goes to the network's DNS resolver. That path gives the network a wealth of information, helping with visibility in the case of a malware infection or a user accidentally clicking a phishing link. An application that carries its own DoH client bypasses all of it.

With DNS encryption such as DoH, that visibility disappears, and DNS itself becomes much harder to control. DoH hides the DNS message inside TLS, just as your web browser does when it connects to your online banking site. To most firewalls the traffic is indistinguishable from ordinary web browsing: the only things visible on the wire are the destination address and, unless Encrypted Client Hello is in use, the server name in the TLS handshake (SNI). A firewall can therefore at best recognise a connection to a known resolver; it can never see which names are being looked up, or whether they are legitimate or malicious.

What other challenges should I consider?

DoH is fairly early in its adoption and only a few applications currently use it, though adoption will continue to grow. Mozilla Firefox enables DoH by default for users in the United States, sending queries to Cloudflare unless configured otherwise. Firefox does honour one network signal: if the local resolver answers NXDOMAIN for the canary domain use-application-dns.net, default-on DoH is disabled, although a user who turned DoH on explicitly is not affected. Google Chrome and Microsoft Edge also support DoH, but they only upgrade to it when the system's configured resolver is one they already know offers DoH, so on most business networks, where the resolver is an internal server, they stay on plain DNS.

Worth noting is that Microsoft's own Windows DNS server does not yet serve DoH, so meeting the NSA's recommendation with an internal encrypted resolver usually means a third-party product or a DoH front end placed in front of the existing server. Additionally, because DoH runs on TCP port 443 just like any secure website, it is not easily regulated or blocked. You cannot simply block port 443 at your firewall, as that would block all secure websites. You can block known public DoH resolvers by their TLS server name or IP address, and you can block outbound port 53 to anything other than your own resolver, but the list of DoH resolvers is never complete: new ones appear constantly.
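As an added example (not code from the original post or from Webroot), here is the NSA recommendation turned into an egress check over TLS connection records: allow only the enterprise DoH resolver, block known public resolvers by SNI or address, and flag port-443 connections that carry no SNI for review, since on the wire they cannot be told apart from any other website. The resolver name doh.corp.example and address 10.10.0.53 are assumptions, the public resolver list is deliberately partial, the Unbound stanza is the resolver-side companion control for Firefox's canary domain, and the connection records are constructed.

```python
import ipaddress
from typing import Dict, List

# Hypothetical enterprise DoH resolver for this example (name and address are assumptions).
ENTERPRISE_DOH_SNI = "doh.corp.example"
ENTERPRISE_DOH_IP = ipaddress.ip_address("10.10.0.53")

# Public DoH resolvers by TLS server name and by address. Deliberately partial:
# as the post says, new resolvers appear constantly, so a list is only a floor.
PUBLIC_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "one.one.one.one", "dns.quad9.net"}
PUBLIC_DOH_IPS = {ipaddress.ip_address(a) for a in (
    "8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9", "149.112.112.112",
)}


def _host_matches(sni: str, hosts) -> bool:
    """True if sni is one of hosts or a subdomain of one (e.g. mozilla.cloudflare-dns.com)."""
    return any(sni == h or sni.endswith("." + h) for h in hosts)


def classify(rec: Dict) -> str:
    """Policy verdict for one outbound TLS connection record: 'allow', 'block' or 'review'.
    rec carries src, dst (IP string), dport (int) and sni (str or None)."""
    if rec["dport"] != 443:
        return "allow"            # not HTTPS; plain DNS egress is a separate port-53 rule
    dst = ipaddress.ip_address(rec["dst"])
    sni = (rec.get("sni") or "").lower().rstrip(".")
    if sni == ENTERPRISE_DOH_SNI and dst == ENTERPRISE_DOH_IP:
        return "allow"            # the one encrypted resolver the guidance permits
    if _host_matches(sni, PUBLIC_DOH_HOSTS) or dst in PUBLIC_DOH_IPS:
        return "block"            # known public DoH endpoint, by name or by address
    if not sni:
        return "review"           # no SNI (or ECH): indistinguishable from a website on the wire
    return "allow"


def evaluate(records: List[Dict]) -> Dict[str, List[Dict]]:
    """Group connection records by verdict."""
    verdicts = {"allow": [], "block": [], "review": []}
    for rec in records:
        verdicts[classify(rec)].append(rec)
    return verdicts


def canary_zone_unbound() -> str:
    """Resolver-side companion control: an NXDOMAIN answer for Firefox's canary
    domain makes Firefox keep default-on DoH off (a user-forced DoH setting is
    not affected). Unbound local-zone syntax."""
    return 'local-zone: "use-application-dns.net." always_nxdomain\n'


# Constructed sample records, not real traffic.
SAMPLE_CONNECTIONS = [
    {"src": "10.1.2.3", "dst": "10.10.0.53",    "dport": 443, "sni": "doh.corp.example"},
    {"src": "10.1.2.3", "dst": "8.8.8.8",       "dport": 443, "sni": "dns.google"},
    {"src": "10.1.2.4", "dst": "1.1.1.1",       "dport": 443, "sni": "mozilla.cloudflare-dns.com"},
    {"src": "10.1.2.4", "dst": "93.184.216.34", "dport": 443, "sni": "www.example.com"},
    {"src": "10.1.2.5", "dst": "203.0.113.10",  "dport": 443, "sni": None},
    {"src": "10.1.2.5", "dst": "9.9.9.9",       "dport": 53,  "sni": None},
]

if __name__ == "__main__":
    for verdict, recs in evaluate(SAMPLE_CONNECTIONS).items():
        for r in recs:
            print("%-6s %-15s %s" % (verdict, r["dst"], r["sni"]))
    print(canary_zone_unbound())
```

The address match matters because a DoH client can be pointed at a resolver by IP with no meaningful SNI; the "review" bucket is where a practitioner would apply further context (destination reputation, connection frequency) rather than a blanket block, since blocking every SNI-less TLS session would break legitimate traffic.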

How does Webroot address security with DoH?

The Webroot® DNS Protection agent already secures DNS requests by using DoH for all of its communications and leverages the power of Webroot BrightCloud® Threat Intelligence to identify and block alternate DoH connections. Our DNS Protection solution also includes an option to echo all DNS requests to your local resolver, so it maintains visibility into the DNS requests being made, leaving intact the powerful information provided by DNS.

Essentially, with a solution that works like Webroot DNS Protection, you still get the power of DNS filtering while also benefitting from DoH encryption. This protection secures remote and on-site users, devices, and networks, effectively fulfilling the NSA’s recommendations.

The post The NSA Wants Businesses to Use DoH. Here’s What You Need to Know. appeared first on Webroot Blog.

Filed Under: Business + Partners, dns protection, IT Security, Managed Service Providers Tagged With: syndicated

October 19, 2020 By PC Portal

What DoH Can Really Do

Reading Time: ~ 3 min.

Fine-tuning privacy for any preference

A DNS filtering service that accommodates DNS over HTTPS (DoH) can strengthen an organization’s ability to control network traffic and turn away threats. DoH can offer businesses far greater control and flexibility over their privacy than the old system.

The most visible use of DNS is typically the browser, which is why all the usual suspects are leading the charge in terms of DoH adoption. This movement has considerable steam behind it and has extended beyond just applications as Microsoft, Apple and Google have all announced their intent to support DoH.

Encrypting DNS requests is an indisputable win for privacy-minded consumers looking to prevent their ISPs from snooping on and monetizing their browsing habits. Businesses, on the other hand, should not easily surrender this visibility since managing these requests adds value, helping to keep users from navigating to sites known to host malware and other threats.

Here are three examples of how.

1.  By enhancing DNS logging control

Businesses have varying motivations for tracking online behavior. For persistently troublesome users—those who continuously navigate to risky sites—it’s beneficial to exert some control over their network use or even provide some training on what it takes to stay safe online. It can also be useful in times of problematic productivity dips by helping to tell if users are spending inordinate amounts of time on social media, say.

On the other hand, for CEOs and other strategic business units, tracking online activity can be cause for privacy concerns. Too much detail into the network traffic of a unit tasked with investigating mergers and acquisitions may be unwanted, for example.

“If I’m the CEO of a company, I don’t want people paying attention to where I go on the internet,” says Webroot DNS expert Jonathan Barnett. “I don’t want people to know of potential deals I’m investigating before they become public.”

Logging too much user information can also be problematic from a data privacy perspective. Collecting or storing this information in areas with stricter laws, as in the European Union, can unnecessarily burden organizations with red tape.

“Essentially it exposes businesses to requirements concerning how they’re going to use that data, who has access to it and how long that data is preserved” says Barnett.

By optionally never logging user information and backing off DNS logging except when a request is deemed a security threat, companies maintain both privacy and security.

2. By allowing devices to echo locally

With DoH, visibility of DNS requests becomes challenging. The cumulative DNS requests made on a network help to enhance its security: tools such as SIEMs and firewalls use them to control access and to correlate requests with other logs and events on the network.

“Let’s say I’m on my network at the office and I make a DNS request,” explains Barnett. “I may want my DNS request to be seen by the network as well as fielded by my DNS filtering service. The network gets value out of DNS. If I see inappropriate DNS requests I can go and address the user or fix the device.”

Continuing to expose these DNS requests through an echo to the local network provides this, while the actual requests are secure and encrypted by the DNS protection agent using DoH. This option achieves the best of both worlds by adding the security of DoH to the security of the local network.

3. By allowing agents to fail open

DNS is instrumental to the functionality of the internet. So, the question is, what do we do when a filtered answer is not available? By failing over to the local network, it’s assured that the internet continues to function. However, there are times when filtering and privacy are more important than connectivity. Being able to choose if DNS requests can leak out to the local network helps you stay in control by choosing which is a priority.

“Fail open functionality essentially allows admins to make a tradeoff between the protection offered by DNS filtering and the productivity hit that inevitably accompanies a lack of internet access,” says Barnett.
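The three options above, expressed as one resolution policy in an added example (not Webroot's agent code): DohTransport stands in for the encrypted path to the filtering resolver and LocalResolver for the plaintext resolver on the LAN, both simulated rather than real network calls, and the query and answers are constructed. Running every combination of echo and fail-open shows where the answer comes from in each case and what the local resolver, and therefore a firewall or SIEM watching port 53, gets to see.

```python
import struct
from typing import Dict, List, Tuple

# Constructed query: ID 0x1234, RD set, one question for example.com A/IN.
QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
         b"\x07example\x03com\x00\x00\x01\x00\x01")


def _answer(query: bytes, ip: str) -> bytes:
    """Constructed response: echo the question and add one A record whose owner
    name is a compression pointer (0xC00C) back to the question name."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4)
    rr += bytes(int(octet) for octet in ip.split("."))
    return header + query[12:] + rr


FILTERED_ANSWER = _answer(QUERY, "0.0.0.0")          # sinkhole from the filtering resolver
UNFILTERED_ANSWER = _answer(QUERY, "93.184.216.34")  # what the LAN resolver would return


def servfail(query: bytes) -> bytes:
    """SERVFAIL (RCODE 2) echoing the question: the application learns the lookup
    failed, and nothing leaves the host on an unfiltered path."""
    return query[:2] + struct.pack("!HHHHH", 0x8182, 1, 0, 0, 0) + query[12:]


def rcode(msg: bytes) -> int:
    return struct.unpack("!H", msg[2:4])[0] & 0x0F


class DohTransport:
    """Simulated encrypted path to the filtering resolver (no real network)."""
    def __init__(self, up: bool, answer: bytes):
        self.up, self.answer = up, answer

    def send(self, query: bytes) -> bytes:
        if not self.up:
            raise ConnectionError("DoH resolver unreachable")
        return self.answer


class LocalResolver:
    """Simulated plaintext resolver on the LAN. Everything it records is what a
    firewall or SIEM watching port 53 would also see."""
    def __init__(self, answer: bytes):
        self.answer = answer
        self.seen: List[bytes] = []

    def send(self, query: bytes) -> bytes:
        self.seen.append(query)
        return self.answer


def resolve(query: bytes, doh: DohTransport, local: LocalResolver,
            echo: bool, fail_open: bool) -> bytes:
    """Agent policy: prefer the filtered DoH answer; if echo is on, also hand a copy
    of the query to the local resolver for visibility (its answer is discarded);
    if DoH is down, fail open to the unfiltered local resolver or fail closed
    with SERVFAIL."""
    try:
        answer = doh.send(query)
    except ConnectionError:
        return local.send(query) if fail_open else servfail(query)
    if echo:
        local.send(query)
    return answer


def answer_source(msg: bytes) -> str:
    if rcode(msg) == 2:
        return "servfail"
    return "doh" if msg == FILTERED_ANSWER else "local"


def run_scenarios() -> Dict[Tuple[bool, bool, bool], Tuple[str, int]]:
    """Key: (echo, fail_open, doh_up). Value: (where the answer came from,
    how many queries the local resolver saw)."""
    out = {}
    for echo in (False, True):
        for fail_open in (False, True):
            for doh_up in (True, False):
                local = LocalResolver(UNFILTERED_ANSWER)
                ans = resolve(QUERY, DohTransport(doh_up, FILTERED_ANSWER), local, echo, fail_open)
                out[(echo, fail_open, doh_up)] = (answer_source(ans), len(local.seen))
    return out


if __name__ == "__main__":
    for key, val in run_scenarios().items():
        print("echo=%-5s fail_open=%-5s doh_up=%-5s -> answer from %-8s local saw %d" % (key + val))
```

The interesting rows are the two failure cases: with fail-open the query reaches the LAN resolver in plaintext and the unfiltered answer is used, with fail-closed the application gets SERVFAIL and the network sees nothing, which is exactly the connectivity-versus-filtering choice the post describes.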

Privacy your way

The encryption of DoH enables options for fine-tuning privacy preferences while preserving the security benefits of DNS filtering. Those that must comply with the needs of privacy-centric users now have control over what is revealed and what is logged, while maintaining the benefits of communicating using DoH.


The post What DoH Can Really Do appeared first on Webroot Blog.

Filed Under: Business + Partners, dns protection, IT Security, Managed Service Providers Tagged With: syndicated

August 27, 2020 By PC Portal

10 Ways a Commercial DNS Filtering Service Improves Your Cyber Resilience

Reading Time: ~ 3 min.

If you’ve landed on this blog, there’s a good chance you’re already aware that DNS is undergoing a major overhaul. Encrypted DNS, in the form of DNS over HTTPS (DoH, sometimes called “DNS 2.0”), carries DNS requests over the same HTTPS that websites such as online banking use to protect sensitive data in transit.

While DoH offers real privacy benefits, it can also be a major security risk for businesses. A DoH request is wrapped in TLS, which stops traditional DNS or web filtering from seeing, let alone blocking, requests for malicious, risky, or otherwise unacceptable or inappropriate websites.

Although some DNS filtering solutions are now making moves to modernize, many of them simply provide the option to either allow or block all DoH requests, rather than offering any sort of nuanced control.

“That’s really where Webroot® DNS Protection differs from the competition,” says George Anderson, product marketing director at Webroot, an OpenText company. “Ours is currently the only DNS security product that lets businesses fully leverage DoH and its privacy benefits. Our solution encrypts data using HTTPS to route DNS requests through secure Webroot resolvers to prevent eavesdropping, manipulation, or exploitation of data.”

How a Commercial DNS Filtering Service is a Game Changer

According to George, the cyber resilience benefits of using a private, commercial DNS security service that fully supports DoH are numerous. When we asked him to narrow down to his top 10, here’s what he had to say.

  1. First, it provides a very secure, reliable, multi-point of presence connection to the internet with high availability.
  2. Second, trusted DNS resolvers process ALL of your internet requests—we are talking any user, server, or application using the internet with a single, tamperproof choke point for admin and policy request controls.
  3. Third is confidentiality. It keeps your organization’s internet requests private and invisible to malicious actors, your ISP, and so-called “free” DNS resolvers—all of whom can abuse this data.
  4. It then gives your organization full visibility and log access to all of your internet traffic requests, allowing for security analysis and management through reports or ingestion via a SIM/SIEM.
  5. With Webroot, you also get transparent security policy filtering of both encrypted (DoH) and clear text (DNS) requests.
  6. Webroot BrightCloud® threat intelligence data automatically applies the latest and most accurate internet domain security in real time to every outbound request, regardless of source, meaning we stop the majority of malicious and suspicious request responses that could have led to a breach.
  7. A commercial service also provides the flexibility to manage internet access for guest/public WiFi networks, IP address ranges, user groups down to individual user, and lets you filter using a wide range of domain categories.
  8. In the context of WFH, if the user is connected to the internet via VPN or a local DNS agent on their device, then a DNS filtering solution protects them no matter where they connect.
  9. Also, from a WFH perspective, you need your DNS security service to integrate with the majority of VPNs and work easily with your other security and network technologies.
  10. Lastly, and definitely key for your organization, a commercial DNS security service can offer great visibility into internet usage with scheduled executive reporting that lets you oversee internet use, assist with HR initiatives, and help ensure compliance.

As DoH continues to grow in adoption, George advises all businesses to be proactive about their cyber resilience strategies. Particularly as more work is conducted outside of more traditional office settings, it’s critical to understand and embrace the value that a flexible cloud gateway—whose protection is not confined to a physical network—can offer.

“Ultimately, in a world where many companies continue to support remote workers, businesses really can’t afford not to use a filtering solution that provides both privacy and security control.”

– George Anderson, product marketing director at Webroot, an OpenText company


The post 10 Ways a Commercial DNS Filtering Service Improves Your Cyber Resilience appeared first on Webroot Blog.

Filed Under: dns protection, IT Security, Managed Service Providers Tagged With: syndicated

April 21, 2020 By PC Portal

DNS is on the Verge of a Major Overhaul

Reading Time: ~ 4 min.

“One of the things about working in internet technology is nothing lasts forever… [Students] come to me and they say, ‘I want to do something that has an impact 20, 50, or 100 years from now.’ I say well maybe you should compose music because none of this technology stuff is going to be around that long. It all gets replaced.” -Paul Mockapetris, co-inventor of the domain name system (DNS)

As foresighted as he may have been, the DNS inventor Paul Mockapetris got one thing wrong in a retrospective interview about his contribution to internet history. Namely, some aspects of technology do have at least 20-year staying power. In this case, his own invention: the domain name system.

But DNS, just three years shy of its fortieth birthday, is on the cusp of a major reimagining. One that could enhance the privacy of business and private users alike for some time to come. According to some experts, it may even be worthy of the title “DNS 2.0.”

The Problem with DNS Today

While DNS has evolved significantly in the more than 35 years since it was conceived, its skeleton remains much the same. DNS is the internet’s protocol for translating the domain names humans understand into the IP addresses machines use.

The problem is that the system was never designed with privacy or security in mind. Classic DNS sends requests and responses in plain text, over UDP or TCP port 53, providing intrusive amounts of information to whoever resolves or inspects them. That is most likely an internet service provider (ISP), but it may be a government entity or anyone else on the path. In authoritarian countries, governments can use this information to prosecute individuals for visiting sites with outlawed content. In the United States, it is more likely to be monetized for its advertising value.

“The problem with DNS is it exposes what you’re doing,” says Webroot product manager and DNS expert Jonathan Barnett. “If I can log a user’s DNS requests, I can see when they work, when they don’t, how often they use Facebook, the Sonos Speakers and Google Nests on their network, all of that. From a privacy perspective, it shows what on the internet is associating with me and my network.”

This can be especially problematic in terms of home routers. Whereas business networks tend to be relatively secure—patched, up-to-date, and modern—”everyone’s home router tends to be set up by someone’s brother-in-law or an inexperienced ISP technician,” warns Barnett. In this case, malicious hackers can change DNS settings to redirect to their own resolvers.

“If you bring a device onto this network and try to navigate to one of your favorite sites, you may never wind up where you intended,” says Barnett.

In the age of COVID-19, it’s becoming an even bigger problem for employers. With a larger workforce working from home than perhaps ever before, traditional defenses at the network perimeter no longer remain.

“To maintain resilience,” says Barnett, “companies need to extend protection beyond the business network perimeter. One of the best ways to do that is through DNS protection that ensures requests are resolved through a trusted resolver and not a potentially misconfigured home network.”

DoH: The Second Coming of DNS

In response to these concerns, DNS over HTTPS (DoH) encrypts DNS requests. Standardised by the Internet Engineering Task Force in RFC 8484, it sends each DNS message over an HTTPS connection, the same TLS-protected channel that banks, credit monitoring services, and other sites handling sensitive information use to prove their identity and protect traffic.

Wrapping DNS in HTTPS does two things: the resolver’s certificate assures the client that it is talking to the resolver it intended, and the encryption means nobody on the path can read or alter the requests and responses.
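To make the wrapping concrete, here is an added example (not code from the original post or from Webroot) that builds a DNS query in wire format, shows the two request forms RFC 8484 defines for carrying it over HTTPS, and parses a constructed answer. The resolver URL https://doh.example/dns-query and the sample addresses are assumptions, and nothing is sent over the network. It also illustrates the point made in the first post above: the HTTP request here is what an ordinary HTTPS client would send, so a firewall sees only a TLS connection to the resolver.

```python
import base64
import struct
from typing import List, Tuple

DOH_MEDIA_TYPE = "application/dns-message"  # RFC 8484 media type, both directions


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels, ending with the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a recursive query (QTYPE 1 = A) in wire format. The message ID is 0,
    as RFC 8484 recommends, so identical queries yield identical HTTP cache keys."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)          # flags: RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url without padding in the 'dns' query parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return "%s?dns=%s" % (resolver_url, b64)


def doh_post_request(resolver_url: str, query: bytes) -> dict:
    """RFC 8484 POST form: the raw wire-format message is the request body."""
    return {"method": "POST", "url": resolver_url,
            "headers": {"Content-Type": DOH_MEDIA_TYPE, "Accept": DOH_MEDIA_TYPE},
            "body": query}


def decode_dns_param(param: str) -> bytes:
    """Inverse of doh_get_url: restore base64 padding, then decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a possibly compressed name at off; return (name, offset after it)."""
    labels, end, jumps = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                        # compression pointer
            if end is None:
                end = off + 2
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def parse_a_records(msg: bytes) -> List[str]:
    """Return the IPv4 addresses in the answer section of a wire-format response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                                # RCODE other than NOERROR
        return []
    off = 12
    for _ in range(qdcount):                          # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    ips = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips


def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed sample answer: copy the question, set QR/RD/RA, and add one
    A record whose owner name is a pointer (0xC00C) back to the question name."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4)
    answer += bytes(int(octet) for octet in ip.split("."))
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://doh.example/dns-query", q))   # assumed resolver URL
    print(parse_a_records(build_response(q, "93.184.216.34")))
```

The path /dns-query is the one the RFC's examples use but is not mandated; a client learns the resolver's URI template from configuration, which is why an enterprise cannot rely on a path or port to spot DoH.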

“It makes sure no one is messing with a user by changing the results of a request before it’s returned,” says Barnett.

In addition to improving privacy around device usage (remember that any internet-connected device needs to “phone home” occasionally, and every such call starts with a DNS request), DoH removes several attack opportunities on the hop between client and resolver. An on-path attacker can no longer read or rewrite responses, and a device pinned to a trusted DoH resolver ignores the rogue resolver that a hijacked home router hands out, which is the redirection the DNS hijacking scenario above relies on. The caveat is that DoH protects only that hop: if the resolver itself is malicious or has been fed poisoned data, DoH faithfully encrypts the bad answer. Validating the answers themselves is the job of DNSSEC, and choosing a trustworthy resolver remains essential.

So, while the domain name system has served the internet and its users well for decades, the time may have come for a change.

“The creators of DNS, in their wildest dreams, imagined the system may be able to accommodate up to 50 million domains. We’re at 330 million now. It’s amazing what they achieved,” says Barnett. “But DNS needs to evolve. It’s been a great tool, but it wasn’t designed with privacy or security as a priority. DoH represents the logical evolution of DNS.”

Toward A DoH-Enabled Future

Several major tech players, like Mozilla with its Firefox browser, have already made the leap to using DoH as its preferred method of resolving requests. Many companies, however, would prefer to retain control of DNS and are concerned about applications making independent rogue DNS requests. Losing this control can compromise security as it limits the ability of a business to filter and process these requests.

As application creators push for better privacy for their users and businesses always look to improve security, a balance must be found. Webroot® DNS Protection has designed its agent to retain control of DNS requests by limiting whether applications can enable DoH on their own, and because every request is also run through Webroot’s threat intelligence platform, both privacy and security are improved.

Its next release, expected in the coming months, will be fully compatible with the DoH protocol in service of the security and privacy of its users.

The post DNS is on the Verge of a Major Overhaul appeared first on Webroot Blog.

Filed Under: Business + Partners, dns protection, IT Security, Managed Service Providers Tagged With: syndicated

May 3, 2018 By PC Portal

DNS Protection Gets Major Updates

Reading Time: ~1 min.

Our most recent release of the DNS Protection agent provided customers with added features and enhancements designed to improve the overall product experience and its capabilities delivered to end users. We revamped the network detection functionality to improve accuracy and speed for roaming and off-site clients who frequently change networks.

We also addressed a variety of small bug fixes and performance improvements, such as SSL certificate installation on Firefox Quantum and improvements to the agent update process.

VPN & TCP support

The Webroot DNS Protection agent now supports Juno Pulse Secure v 3.5 and Private Internet Access (client version 7.5) VPN types. This new feature enables roaming clients to access intranet assets and ensure clients benefit from DNS Protection while using a VPN.

Additionally, we added filtering of DNS over TCP. While most DNS traffic is carried over UDP, some domains and applications use TCP (for example when a response is too large for a UDP datagram), so the agent now filters both UDP and TCP DNS traffic.

Policy Configuration

We have also enhanced policy configuration with more granular control. Custom policies can now be applied to groups, sites, individual devices or network IP. We’re also working to improve internet usage visibility, and are excited to make our Top Active Report available for .csv export so it can be easily integrated into other reporting tools in use.

Finally, we’re updating the GSM console to give users the ability to initiate trials and/or purchase products directly within the console.

The post DNS Protection Gets Major Updates appeared first on Webroot Blog.

Filed Under: Business + Partners, dns protection, IT Security, Managed Service Providers Tagged With: syndicated

Copyright © 2021 · PC PORTAL