NSA Offers Advice on DNS Resolvers

DNS, that service that converts www.Foxnews.com (or whatever) to 23.39.41.42 is one of the last bits of the Internet that is not encrypted. Or at least it was.

Google and others have developed two different solutions to encrypt DNS – DNS over TLS and DNS over HTTPS. These are variations of each other and I think that DNS over HTTPS or DoH will probably win out. But why is this a security problem and why is the NSA weighing in on this?

First a side thought.

When you enable DoH, assuming your DoH provider is NOT your ISP, your ISP can no longer see your web surfing habits and as a result, it is harder for them to sell your browsing habits. Many ISPs claim that they don’t sell your browsing data and that may be technically true, but what they do sell is ads that are based on your browsing, so, really, same thing. The ISP universe created a huge snowstorm when DoH came out saying how bad it was because they could no longer sell your data, but now that at least some ISPs are offering DoH services, they have gotten over the problem.

In a corporate world, companies often use web filters to block content that they do not want their users to see. It can be anything from objectionable content like porn to time wasting content like sports to data stealing sites like Dropbox. If they can’t see your DNS requests, it makes it harder for companies to filter this content. In addition, DNS controls connections to internal web sites and if a user uses an unapproved DNS provider, that data is exposed on the Internet, which may not be what the company wants from a security standpoint.

So what does the NSA say? They say that you should block third party DNS services so that you as a company can decide which DNS queries are visible externally and which ones are controlled internally.

NSA has no problem with DoH, they just say that you should control how it is used on your network.

Here is a link to the NSA’s advice, which we concur with.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

code