The Security Train - Secure DNS Anyone?


There have been some interesting announcements in the security world recently. One that caught my eye was the news that the much anticipated Firefox feature for delivering DNS over HTTPS, or "DoH" for short (nice), was finally heading our way.

It has long been an issue that DNS queries are sent in clear view, and these days privacy means a lot to a lot of people. While the content of what gets sent to and received from a secured website may well be encrypted end to end, the DNS lookup that found it is not. If you browse to a site over HTTPS, the contents of your browsing (a login, for example) remain a mystery to anyone intercepting the traffic, but the fact that you looked up that site's name can be read by anyone watching the network. DNS is not the only leak, mind: the server name also travels in the clear in the TLS handshake (the SNI field), so encrypting DNS on its own does not hide from someone on the wire where you went.

It is possible therefore, from a forensics standpoint, to piece together a browsing history from records scattered across various systems: the local disk (the OS resolver cache and browser history), local network traffic, routers, proxies, all the way up to your ISP's resolver logs.

There is a secondary problem too. Plain DNS is not authenticated any more than it is encrypted, so a malicious actor who can read a request can race the real resolver with a forged response and redirect the unsuspecting user to a site of their choosing, usually for phishing purposes. This is the basis of the classic man-in-the-middle DNS spoofing attacks.

An earlier attempt at securing DNS from such attacks (cache poisoning was a primary focus) was DNSSEC, which had all the good intentions of ensuring DNS answers were what they said they were but never really took off: the root and most top-level domains are signed, yet signing of individual domains and validation by resolvers remain patchy. Records within a DNSSEC-signed zone carry an associated digital signature (an RRSIG record); a validating resolver checks that signature against the zone's public key (DNSKEY), and that key in turn against a DS record in the parent zone, all the way up to the root trust anchor, so it can tell whether the response is legitimate. Note that this validates the response, not the request, and it does nothing for privacy: the records are signed, not encrypted. The approach was not problem free for a number of reasons: deploying DNSSEC across a large enough number of zones and resolvers was seen as problematic, disagreements among those implementing the standard over who should hold the root keys caused issues, and it was seen as a bit tricky to integrate and implement...

DNS over HTTPS aims to add the aforementioned missing privacy by having Firefox send DNS queries, by default, over an encrypted HTTPS channel to a DoH-capable resolver rather than in clear text over UDP port 53. Ohhhh... but won't the poor old DNS servers be unable to do anything with the encrypted data, I hear you scream? Well... there lies the problem (the resolver on the far end has to be one that speaks DoH, and it is picked by the browser, not by your network)... but first a little story:
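To make concrete what "sending DNS over HTTPS" means on the wire, here is an added Python example (mine, not Mozilla's code and not part of the original post). It builds a standard DNS query, shows the RFC 8484 GET form of the request (the message base64url-encoded into the dns= parameter; the POST form sends the same bytes with Content-Type: application/dns-message) and parses a reply, including the AD bit, which is the only DNSSEC information a DoH client gets from its resolver. The resolver URL doh.example and the 192.0.2.1 answer are placeholders, and the reply is constructed locally so the whole thing runs offline.

```python
"""Added example, not from the original post: what an RFC 8484 DoH exchange carries.

The encrypted channel is ordinary HTTPS; inside it the DNS message is the same
wire format that would otherwise go over UDP port 53. The resolver URL is a placeholder."""
import base64
import ipaddress
import struct

DOH_URL = "https://doh.example/dns-query"  # assumed endpoint, not a real resolver
QTYPE_A, QTYPE_AAAA, CLASS_IN = 1, 28, 1


def encode_name(name: str) -> bytes:
    """Hostname -> DNS wire-format labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """Recursive query. ID is 0, as RFC 8484 suggests, so the same question
    always produces the same bytes and HTTP caches can serve it."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)

def doh_get_url(query: bytes, base_url: str = DOH_URL) -> str:
    """GET form (RFC 8484 section 6): base64url, padding stripped, in the 'dns'
    parameter. POST instead sends the raw bytes with Content-Type: application/dns-message."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={token}"

def read_name(msg: bytes, off: int) -> tuple:
    """Decode a name that may use compression pointers; returns (name, next_offset)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_response(msg: bytes) -> dict:
    """Pull out rcode, the AD (resolver says DNSSEC-validated) bit and the answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == QTYPE_AAAA and rdlen == 16:
            value = str(ipaddress.IPv6Address(rdata))
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0x000F, "ad": bool(flags & 0x0020),
            "questions": questions, "answers": answers}

def build_sample_response(query: bytes, ipv4: str, ttl: int = 300) -> bytes:
    """Constructed reply for the offline demo: echoes the question and answers
    with one A record whose owner name is a pointer (0xC00C) to offset 12.
    Flags 0x8180 = QR, RD, RA; AD clear, so nothing was DNSSEC-validated."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    rdata = ipaddress.IPv4Address(ipv4).packed
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + query[12:] + rr

if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url(q))
    print(parse_response(build_sample_response(q, "192.0.2.1")))
```

A live lookup is a single urllib.request call, with an Accept: application/dns-message header, against the URL that doh_get_url returns; whoever runs that resolver sees every name you ask for, which is the point of the story that follows. The encoded query for www.example.com that this produces is byte-for-byte the worked example in RFC 8484 section 4.1.1.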

DoH is planned to be the default for Firefox... unless you live in the UK, in which case you will have to enable it manually. Why, you might ask? Well... the UK government had a little chat with Mozilla to seek assurances that it would not be enabled by default for UK users. I am using every bone in my body to remain neutral here, and whichever side of the privacy fence you fall on, this feels a little strange. It is a bit of a shame, isn't it? You have a company interested in improving security being hampered from shipping a secure default because it would make it harder for anyone (malicious or not) to snoop on traffic. It's a shame we live in a world where such measures are even entertained.

The question was put to the government in September: "To ask the Secretary of State for Digital, Culture, Media and Sport, what discussions her Department has had with (a) Google, (b) Mozilla and (c) Cloudflare on the new DNS over HTTPS protocol and ensuring the online safety and security of UK citizens." Unfortunately it looks like we might never know, given the answer: "It has not proved possible to respond to the hon. Member in the time available before Prorogation".

For now the feature exists, and instructions on how to enable it can be found here... you're welcome:

Going back to the start of the little story... the problem is this: Firefox's DoH does not use the operating system's configured DNS settings at all. It sends queries to the resolver set inside the browser (Cloudflare, in Mozilla's default configuration), bypassing whatever your network or your IT department configured. Which poses another interesting question... the tech firms who run the DoH resolvers may well end up with an even tighter grip on what we are browsing, and all the analytical goodness that goes with that... scary place, that there Internet. Also not tested, but... I wonder how this affects organisations that rely on their own DNS or proxies to block certain content, or to resolve internal names that only their resolver knows about? hmmm.
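For anyone who would rather not hunt for the link above, and for the organisations just wondered about, the knobs are these (added by me, not from the original post; the values are illustrative and doh.example is a placeholder, not a real provider). In about:config, network.trr.mode selects the behaviour (2 = try DoH and fall back to the system resolver, 3 = DoH only, 5 = explicitly off) and network.trr.uri names the resolver. A managed estate sets the same thing centrally with a policies.json in Firefox's distribution directory (or the equivalent Group Policy template or macOS plist), which is also the supported way to switch DoH off and lock the setting so users cannot turn it back on:

```json
{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled": true,
      "ProviderURL": "https://doh.example/dns-query",
      "Locked": true,
      "ExcludedDomains": ["corp.example"]
    }
  }
}
```

ExcludedDomains keeps the listed internal names going to the network's own resolver, which is the split-horizon case fretted about above; set Enabled to false and keep Locked true and DoH stays off on that machine regardless of what the user clicks. Mozilla also checks a canary domain before enabling DoH by default: if the network's resolver answers NXDOMAIN for use-application-dns.net, Firefox leaves DoH off without any client-side configuration, although a user who turns it on explicitly overrides that.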

Speak soon everyone.



Andy Swift - Head of Offensive Security

Andy Swift is Head of Offensive Security at CNS Six Degrees and has written countless articles on information security. He has a particular speciality in malware and virus analysis. Andy holds Global Industrial Cyber Security Professional (GICSP) status, certifying his expertise in ICS security essentials for engineering, operational technology and cyber.

