DNS Queries over HTTPS (DoH)


What impact will DNS Queries over HTTPS (DoH) have on End Point Security?

Currently, you protect our endpoints from malicious sites; when DoH becomes the norm, browsers will bypass the OS, essentially performing DNS lookups on their own.


  • Administrators

If it becomes a popular standard, we should support it. I'd say it's too early now to speculate about it and we'd tell more in due course.


I am using the DoH option in Firefox Quantum ver. 68 via default use of Cloudflare DNS servers. No issues to date using EIS ver. 12.1.34 running on Win 10 x64 1809.

As best as I can determine via testing and Eset alerts, Eset's SSL/TLS filtering protection is fully functional with Firefox DoH use. In reality, Eset doesn't monitor UDP port 53 DNS activity other than what is provided by default firewall rules. Therefore, DoH using HTTPS is more secure.

-EDIT- To further clarify, Windows DNS service only performs DNS resolution to existing cached DNS resolved entries. Actual initial DNS resolution is performed from the router via ISP lookup or alternatively, via third party DNS servers specified in network adapter IPv4/IPv6 settings. The Windows DNS cache is then updated from this resolution.

Note that Windows DNS cache poisoning attacks have been an ongoing issue: https://www.howtogeek.com/161808/htg-explains-what-is-dns-cache-poisoning/ . Note that Eset's IDS protection should be able to detect a DNS poisoning attack.

-EDIT- In regards to DoH specifically, it is no longer "bullet proof." The first malware against it was just recently discovered: https://www.zdnet.com/article/first-ever-malware-strain-spotted-abusing-new-doh-dns-over-https-protocol/ . Luckily, Eset also detects this one.

Edited by itman
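The point made above about UDP port 53 monitoring is worth making concrete: a DoH lookup never appears on port 53 at all. It is an ordinary HTTPS request carrying a DNS wire-format message (RFC 8484), either as a POST body with content type application/dns-message or as a base64url-encoded `dns=` GET parameter. Anything that wants to see the queried name therefore has to sit inside the TLS session, which is exactly the layer an SSL/TLS filtering module works at. The following Python is an added example written for this thread; it is not ESET code and not from any poster. The function names (`build_dns_query`, `classify_doh_request`, and so on) are my own, and the HTTP requests it inspects are constructed inline.

```python
import base64
import struct

# RFC 8484 media type for DNS wire-format messages carried over HTTPS.
DNS_MESSAGE_CT = "application/dns-message"


def build_dns_query(qname: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal RFC 1035 wire-format query: 12-byte header + one question.

    RFC 8484 recommends transaction ID 0 so identical DoH queries cache well.
    qtype 1 is an A record; QCLASS is always IN (1) here.
    """
    # ID, flags (only RD=1 set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        question += bytes([len(raw)]) + raw
    question += b"\x00" + struct.pack("!HH", qtype, 1)
    return header + question


def to_doh_get_param(msg: bytes) -> str:
    """Encode a DNS message as the unpadded base64url value of a DoH ?dns= parameter."""
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def from_doh_get_param(param: str) -> bytes:
    """Reverse of to_doh_get_param: restore padding, then decode base64url."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def parse_qname(msg: bytes) -> str:
    """Return the first question name from a DNS wire-format message."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        ln = msg[pos]
        if ln == 0:
            break
        if ln & 0xC0:
            # Compression pointers are not legal in a query's first name.
            raise ValueError("unexpected compression pointer in question")
        pos += 1
        labels.append(msg[pos:pos + ln].decode("ascii"))
        pos += ln
    return ".".join(labels)


def classify_doh_request(method: str, path: str, headers: dict, body: bytes):
    """Inspect one decrypted HTTP request; return the queried name if it is DoH, else None.

    This is the check a TLS-inspecting filter would apply: the OS resolver and a
    UDP/53 firewall rule never see this traffic, the HTTP layer does.
    """
    hdrs = {k.lower(): v.lower() for k, v in headers.items()}
    if method == "POST" and hdrs.get("content-type", "").startswith(DNS_MESSAGE_CT):
        return parse_qname(body)
    if method == "GET" and "?" in path:
        for kv in path.split("?", 1)[1].split("&"):
            key, _, value = kv.partition("=")
            if key == "dns":
                return parse_qname(from_doh_get_param(value))
    return None


if __name__ == "__main__":
    # Constructed sample traffic: a Firefox-style GET and POST to a resolver path.
    q = build_dns_query("www.example.com")
    print(classify_doh_request("GET", "/dns-query?dns=" + to_doh_get_param(q), {}, b""))
    print(classify_doh_request("POST", "/dns-query",
                               {"Content-Type": DNS_MESSAGE_CT}, q))
    print(classify_doh_request("GET", "/index.html", {}, b""))
```

Running it prints `www.example.com` twice and `None` for the ordinary page fetch. The GET parameter produced for `www.example.com` is the same string RFC 8484 uses in its GET example, which is a handy check that the wire format is right. The practical lesson for the question that opened the thread is that DNS-based site blocking survives DoH only if the product either inspects HTTPS (as Eset's filter does) or blocks the resolver endpoints themselves; watching port 53 alone tells you nothing.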

The current pressing issue in regards to DNS is DNS hijacking, against which DoH is only marginally effective: https://www.bleepingcomputer.com/news/security/ncsc-issues-alert-about-active-dns-hijacking-attacks/ . Immediate due diligence needs to be performed to ensure routers/gateways are properly secured.

