Oblivious DNS-over-HTTPS

This new protocol, called Oblivious DNS-over-HTTPS (ODoH), hides the websites you visit from your ISP.

Here’s how it works: ODoH wraps a layer of encryption around the DNS query and passes it through a proxy server, which acts as a go-between the internet user and the website they want to visit. Because the DNS query is encrypted, the proxy can’t see what’s inside, but acts as a shield to prevent the DNS resolver from seeing who sent the query to begin with.
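The split described above, as an added example that is not part of the original post or the ODoH specification: a client, a proxy and a target are modelled as Python objects, and the code records what each hop can see. The real protocol uses HPKE and HTTP; here a stand-in encrypt-then-MAC construction built from hashlib/hmac replaces HPKE, and the client is assumed to hold the target's key out of band (assumption). The addresses and the answer are constructed.

```python
"""Toy model of the Oblivious DoH trust split: the proxy sees who asked
but not what; the target sees what was asked but not who asked.
Stand-in symmetric AEAD replaces HPKE (assumption); key is pre-shared."""
import hashlib
import hmac
import os
import struct

CLIENT_IP = "198.51.100.7"   # constructed
PROXY_IP = "203.0.113.1"     # constructed
TARGET_KEY = hashlib.sha256(b"constructed target key").digest()  # stands in for the HPKE public key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce (stand-in for HPKE seal)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a modified message is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Target:
    """The resolver. It only ever talks to the proxy."""

    def __init__(self):
        self.seen = []                                   # (peer_ip, qname)
        self.zone = {"example.com": "93.184.216.34"}     # constructed answer

    def handle(self, peer_ip: str, blob: bytes) -> bytes:
        inner = open_(TARGET_KEY, blob)
        # As in ODoH, the encrypted query carries the key the answer must be sealed with.
        resp_key, qname = inner[:32], inner[32:].decode()
        self.seen.append((peer_ip, qname))
        return seal(resp_key, self.zone.get(qname, "NXDOMAIN").encode())


class Proxy:
    """Forwards opaque blobs; it learns the client address and nothing else."""

    def __init__(self, target: Target):
        self.target = target
        self.seen = []                                   # (client_ip, ciphertext)

    def forward(self, client_ip: str, blob: bytes) -> bytes:
        self.seen.append((client_ip, blob))
        return self.target.handle(PROXY_IP, blob)


def client_query(proxy: Proxy, qname: str) -> str:
    resp_key = os.urandom(32)
    blob = seal(TARGET_KEY, resp_key + qname.encode())
    return open_(resp_key, proxy.forward(CLIENT_IP, blob)).decode()


def run_demo():
    """Returns (answer, proxy's view, target's view) for one lookup."""
    target = Target()
    proxy = Proxy(target)
    answer = client_query(proxy, "example.com")
    return answer, proxy.seen[0], target.seen[0]


def tamper_detected() -> bool:
    """A proxy that flips a ciphertext bit cannot go unnoticed by the target."""
    blob = seal(TARGET_KEY, b"hello")
    bad = blob[:16] + bytes([blob[16] ^ 1]) + blob[17:]
    try:
        open_(TARGET_KEY, bad)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    ans, proxy_view, target_view = run_demo()
    print("answer:", ans)
    print("proxy saw client", proxy_view[0], "and", len(proxy_view[1]), "opaque bytes")
    print("target saw", target_view)
```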

IETF memo.

The paper:

Abstract: The Domain Name System (DNS) is the foundation of a human-usable Internet, responding to client queries for hostnames with corresponding IP addresses and records. Traditional DNS is also unencrypted, and leaks user information to network operators. Recent efforts to secure DNS using DNS over TLS (DoT) and DNS over HTTPS (DoH) have been gaining traction, ostensibly protecting traffic and hiding content from on-lookers. However, one of the criticisms of DoT and DoH is brought to bear by the small number of large-scale deployments (e.g., Comcast, Google, Cloudflare): DNS resolvers can associate query contents with client identities in the form of IP addresses. Oblivious DNS over HTTPS (ODoH) safeguards against this problem. In this paper we ask what it would take to make ODoH practical? We describe ODoH, a practical DNS protocol aimed at resolving this issue by both protecting the client’s content and identity. We implement and deploy the protocol, and perform measurements to show that ODoH has comparable performance to protocols like DoH and DoT which are gaining widespread adoption, while improving client privacy, making ODoH a practical privacy enhancing replacement for the usage of DNS.

Slashdot thread.

How prevalent is DNS spoofing? Could a repeat of the Dyn/Mirai DDoS attack have the same results?

Two separate groups of academics have recently released research papers based on research into the Domain Name System (DNS). One has found that the overwhelming majority of popular site operators haven’t learned from the 2016 Dyn/Mirai incident/attack and set up a backup DNS server, and the other has shown that the rate of DNS spoofing, though still very small, has more than doubled in less than seven years.

DNS dependency

Carnegie Mellon University PhD student Aqsa Kashaf and her advisors Dr. Vyas Sekar and Dr. Yuvraj Agarwal have analyzed third party service dependencies in modern web services, with a special focus on DNS, CDN (Content Delivery Network), and SSL certificate revocation checking by CA (Certificate Authority).

Their research was meant to determine if incidents like the 2016 Dyn DDoS attack, the 2016 GlobalSign certificate revocation error and the 2019 Amazon Route 53 DDoS attack would lead to similar results (i.e., a great number of inaccessible sites) in 2020.

They compared the situation with the 100,000 most popular websites in 2020 with that from 2016, and found that 89.2% of the analyzed websites use a third-party DNS provider (instead of managing their own DNS server) and that 84.8% of the websites don’t have a provisioned backup DNS server (which would be used in case their primary DNS provider is temporarily incapacitated).

“6% of the top-100K websites that were critically dependent in 2016, have moved to a private DNS in 2020. On the other hand, 10.7% of the websites which used a private DNS in 2016, have moved to a single third party DNS provider. Between these snapshots, redundancy has remained roughly similar. Overall, critical dependency has increased by 4.7% in 2020. More popular websites, however, have decreased their critical dependency,” they noted.

They also found that the DNS ecosystem is heavily concentrated. One DNS provider (CloudFlare) critically serves 23% of the top 100K most popular websites, and the top three DNS providers (CloudFlare, AWS, GoDaddy) together critically serve 38% of the top 100K websites.
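The two measurements just described (share of sites on third-party DNS with no backup provider, and how many sites one provider critically serves) can be reproduced on a nameserver inventory. The classifier below is an added example, not the study's code. It assumes a site is on private DNS when its nameservers fall under the site's own registrable domain, is critically dependent when every nameserver belongs to one third-party provider, and is redundant otherwise; the provider marker table and the five sample sites are constructed for illustration.

```python
"""Classify DNS dependency per site and summarise provider concentration.
Added example; definitions, marker table and sample inventory are assumptions."""
from collections import Counter

# Substring markers that identify a provider from a nameserver name.
# Illustrative only; a real study would map from a curated list (assumption).
PROVIDER_MARKERS = [
    ("ns.cloudflare.com", "CloudFlare"),
    (".awsdns-", "AWS"),
    ("domaincontrol.com", "GoDaddy"),
    ("dynect.net", "Dyn"),
    ("nsone.net", "NS1"),
]


def registrable_domain(host: str) -> str:
    """Crude last-two-labels heuristic; use the public suffix list in practice."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def provider_of(site: str, ns: str) -> str:
    """PRIVATE when the nameserver is under the site's own domain, else the provider."""
    ns = ns.lower().rstrip(".")
    if registrable_domain(ns) == registrable_domain(site):
        return "PRIVATE"
    for marker, provider in PROVIDER_MARKERS:
        if marker in ns:
            return provider
    return "OTHER:" + registrable_domain(ns)   # unknown third party, keyed by its domain


def classify(site: str, nameservers: list) -> tuple:
    """Returns ('private', None), ('critical', provider) or ('redundant', None)."""
    providers = {provider_of(site, ns) for ns in nameservers}
    if providers == {"PRIVATE"}:
        return ("private", None)
    if len(providers) == 1:
        return ("critical", next(iter(providers)))
    return ("redundant", None)       # at least two providers, or private plus a third party


def summarize(sites: dict) -> dict:
    """The page's headline figures: third-party share, no-backup share, concentration."""
    kinds, critical_by = Counter(), Counter()
    for site, nss in sites.items():
        kind, prov = classify(site, nss)
        kinds[kind] += 1
        if kind == "critical":
            critical_by[prov] += 1
    n = len(sites)
    return {
        "third_party_share": (n - kinds["private"]) / n,
        "no_backup_share": kinds["critical"] / n,
        "critical_by_provider": dict(critical_by),
        "top_provider_share": (max(critical_by.values()) / n) if critical_by else 0.0,
    }


# Constructed inventory: site -> its delegated nameservers.
SAMPLE_SITES = {
    "example.com": ["a.ns.example.com", "b.ns.example.com"],                # private
    "shop.example.net": ["ada.ns.cloudflare.com", "bob.ns.cloudflare.com"],  # critical: CloudFlare
    "blog.example.org": ["ns1.ns.cloudflare.com", "ns2.ns.cloudflare.com"],  # critical: CloudFlare
    "bank.example.com": ["ns-1.awsdns-01.org", "ns1.p10.dynect.net"],        # redundant: AWS + Dyn
    "news.example.info": ["ns01.domaincontrol.com", "ns02.domaincontrol.com"],  # critical: GoDaddy
}

if __name__ == "__main__":
    for site, nss in SAMPLE_SITES.items():
        print(site, classify(site, nss))
    print(summarize(SAMPLE_SITES))
```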

One interesting finding is that the overwhelming majority of CloudFlare consumers haven’t provisioned backup DNS servers.

“The near-complete lack of redundancy in CloudFlare’s consumers is because it requires that DNS traffic is routed through the CloudFlare network to protect against DDoS and other attacks. This approach does not allow domains to register a secondary DNS provider,” they explained.

They also found a higher degree of redundancy in the consumers of Dyn, NS1, UltraDNS, and DNSMadeEasy, which may be explained by the fact that these providers encourage the use of secondary DNS provider by giving specific guidelines, and the fact that Dyn and NS1 have previously been victims of large-scale attacks.

Another interesting revelation is the inter-service dependencies (CA to DNS or CDN to DNS).

“72% of the websites are critically dependent on 3 DNS providers when we consider direct CA to DNS dependency as compared to 40% when we just account for website to DNS dependency,” the researchers pointed out. Major CDN providers, on the other hand, use private DNS.

Finally, the researchers have also analyzed third-party DNS dependencies in the top 200 US hospitals and 23 smart home companies, and found that critical dependency is also prevalent in those segments.

DNS spoofing

PhD Candidate Lan Wei and her advisor Dr. John Heidemann at University of Southern California / Information Sciences Institute have studied more than six years of public data about root DNS servers, and found that DNS spoofing occurs globally.

“DNS spoofing is when a third-party responds to a DNS query, allowing them to see and modify the reply. DNS spoofing can be accomplished by proxying, intercepting and modifying traffic (proxying); DNS injection, where responses are returned more quickly than the official servers; or by modifying configurations in end hosts,” they explained.

Depending on the third party that performs it, spoofing can be done for benign or malicious reasons and can, therefore, be a threat to users’ privacy and security.

“Incorrect DNS responses from third parties have been used for ISPs to inject advertising; by governments to control Internet traffic and enforce government policies about speech or intellectual property; to launch person-in-the-middle attacks by malware; and by apparent nation-state-level actors to hijack content or for espionage.”

Through their research they discovered that DNS spoofing is still rare (occurring only in about 1.7% of observations) but has been increasing during the observed period, and that proxying is the most common DNS spoofing mechanism.

Another interesting finding: there are “overt spoofers” and “covert delayers” – the latter don’t alter the DNS replies, just delay their delivery. As the delays are considerable, it is likely that they are processing the DNS traffic differently, but the reason for this is unknown.

Finally, the researchers noted that DNSSEC can protect against some aspects of DNS spoofing, but it’s still not widely used “because of challenges integrating DNSSEC with DNS-based CDN redirection.”

In early 2019, the Internet Corporation for Assigned Names and Numbers (ICANN) urged domain owners and DNS services to implement DNSSEC as soon as possible.

Safe domain: How to protect your enterprise from DNS hijacking

In August 2019, cybersecurity researchers revealed that a hacker group known as Sea Turtle targeted 40 telecoms, internet service providers, domain registrars and government organizations in the Middle East and North Africa. The attackers hijacked the domain names of ministries of foreign affairs, intelligence/military agencies and energy-related groups in those regions. As a result, Sea Turtle was able to intercept all internet data – including email and web traffic – sent to the victims. Then, … More

The post Safe domain: How to protect your enterprise from DNS hijacking appeared first on Help Net Security.

The effectiveness of using DNS as a foundational element in future network security best practices

As cyberattacks escalate, Infoblox and Forrester Consulting investigated how security and risk (S&R) teams are using their DNS investments. The 203 respondents to the study reveal they most often use DNS to detect and block threats early in the kill chain, identify compromised devices, and investigate and respond to malware.

DNS is effective but under-utilized

The top findings underscore DNS is an effective but under-utilized tool for threat hunting and resolution even as alert fatigue challenges security teams to scale:

  • 94% of S&R leaders either use or consider DNS as a starting point for threat investigations but only 43% of security and risk leaders rely on DNS as a data source to complete their investigations.
  • 66% of respondents use DNS to catch threats — from DNS tunneling/data exfiltration, domain generation algorithms (DGAs), and lookalike domain attacks — that other security tools miss but only 34% anticipate using internal DNS to stop malicious attacks at scale.
  • 52% of leaders cite alert fatigue among teams and 51% report challenges dealing with threat triage; but only 58% of teams incorporate some automated processes for incident response.

DNS investments can help save the day

“It’s good to see the vast majority of security and risk teams recognize DNS as a powerful threat hunting tool,” said Anthony James, Vice President of Product Marketing at Infoblox.

“At the same time, most companies are leaving money on the table by under-using their DNS investments. With 56% of leaders looking to improve security ROI, DNS can help save the day by providing a single pane of visibility into threats across the network and the edges.”

“DNS can also help automate some of the more repetitive tasks in threat hunting, freeing up security teams who spend an average of 4 hours per incident investigation to address more complex problems,” continued James.

“DNS is one of the most effective ways that companies can fortify their security and risk frameworks and maximize their existing security investments.”

Is DNS a vital component of your security strategy?

Security and risk (S&R) teams often use DNS to detect and block threats early in the kill chain, identify compromised devices, and investigate and respond to malware, an Infoblox survey reveals.

The top findings underscore DNS is an effective but underutilized tool for threat hunting and resolution even as alert fatigue challenges security teams to scale:

  • 94% of S&R leaders either use or consider DNS as a starting point for threat investigations but only 43% of security and risk leaders rely on DNS as a data source to complete their investigations.
  • 66% of respondents use DNS to catch threats — from DNS tunneling/data exfiltration, domain generation algorithms (DGAs), and lookalike domain attacks — that other security tools miss but only 34% anticipate using internal DNS to stop malicious attacks at scale.
  • 52% of leaders cite alert fatigue among teams and 51% report challenges dealing with threat triage; but only 58% of teams incorporate some automated processes for incident response.

DNS can fortify security

“It’s good to see the vast majority of security and risk teams recognize DNS as a powerful threat hunting tool,” said Anthony James, Vice President of Product Marketing at Infoblox.

“At the same time, most companies are leaving money on the table by underusing their DNS investments. With 56% of leaders looking to improve security ROI, DNS can help save the day by providing a single pane of visibility into threats across the network and the edges.”

“DNS can also help automate some of the more repetitive tasks in threat hunting, freeing up security teams who spend an average of 4 hours per incident investigation to address more complex problems,” continued James.

“DNS is one of the most cost-effective ways that companies can fortify their security and risk frameworks and maximize their existing security investments.”

How the pandemic affected DDoS attack patterns, global internet traffic

There has been a shift in internet traffic patterns coinciding with an increase in DDoS and other types of network attacks in recent months as organizations across industries quickly transitioned to remote workforces and individuals under stay-at-home orders began relying on the internet more heavily, according to Neustar.

Growing reliance on the internet

The pandemic effect was clear in traffic to specific websites, such as the 250% increase in queries for a popular collaboration platform as lockdowns commenced and the sharp rise in traffic to the website of a N95 masks manufacturer.

A noticeable rise in traffic was observed in mid-March, correlating with the dates on which schools and organizations began to implement isolation policies, and query numbers continued to rise afterward, with a sharp uptick about a month after isolation policies had begun to take hold.

There was a 14% increase in DNS query volumes between March 1 and May 3, as the full impact of the pandemic set in around the world.

Of course, not all industries have been affected equally. As might be expected, queries to retail companies and streaming services saw a large increase during the one-month period coinciding with the beginning of stay-at-home orders, while the travel industry saw decline initially but appears to be recovering.

Traffic patterns and increasing attacks

Concurrent with these changes in traffic patterns, there was a dramatic rise in DDoS and other attacks across virtually every metric measured, including increases in the overall number of attacks; attack severity, which considers the volume of the attack (measured in tera- or gigabits per second, which congests bandwidth); and attack intensity (measured in millions of packets per second, which targets infrastructure).

“It’s no surprise that in this massive and unplanned shift of the global workforce now suddenly being reliant on home internet and corporate VPN connectivity, bad actors and cyber criminals would seek to take advantage of emerging network vulnerabilities,” said Brian McCann, President of Security Solutions at Neustar.

“Whereas it could take years for a business to build and execute on a plan to support a remote workforce, every organization suddenly had to implement one immediately.”

The DNS hijacking threat

While many DDoS and other types of attacks focus on corporate assets, there has also been an increase in DNS hijacking, a technique in which DNS settings are changed to redirect the user to a website that might look legitimate but often contains malware disguised as something useful.

“Combined with the growing number of threats against the internet’s DNS infrastructure, the unexpected need to support a fully distributed workforce often exposes new vulnerabilities that are difficult for organizations to guard against, underscoring the importance of having effective cybersecurity measures like always-on DDoS protection services in place to ensure operational continuity,” added McCann.

83% of Global 2000 enterprises have not adopted basic domain security practices

There are significant shortfalls in enterprise domain security practices, putting organizations’ internet-facing digital assets at risk to threats, including domain name and DNS hijacking, phishing, and other fraudulent activity, a CSC report reveals.

Security shortfalls

According to the report, 83% of Global 2000 organizations have not adopted basic domain security measures such as registry lock, which puts them at risk for domain name hijacking.

The report indicates a wide industry disparity in domain security maturity with information technology and media and entertainment industries more likely to embrace available security controls, while industries such as materials and real estate trail behind.

“These security shortfalls are the direct result of not executing proper domain security techniques. Domain security cannot be an afterthought, and there needs to be a conscious effort to make this an intentional and critical part of every company’s overall cyber security posture, especially as criminals evolve their attack methods,” says Mark Calandra, executive vice president for CSC DBS.

“As companies move to more online business models, it’s essential to use defense-in-depth practices to proactively manage, secure, and defend the foundational internet-facing components of your digital brand presence.”

Additional highlights

  • Four out of five Global 2000 companies are severely at risk and exposed to domain name and DNS hijacking due to a lack of registry locks. Unlocked domains are vulnerable to social engineering tactics, which can lead to unauthorized DNS changes and domain name hijacking.
  • 53% of the Forbes Global 2000 use retail-grade domain registrars, putting them at greater risk for phishing, social engineering, and attacks while complicating compliance demands. The management of the overall domain name portfolio by a reputable corporate registrar versus a retail registrar will make the adoption of domain security standards much easier to implement and monitor.
  • Only 20% of Global 2000 companies use enterprise-grade DNS hosting. Lack of DNS hosting redundancy and use of non-enterprise-level DNS providers pose potential security threats, such as reduced resiliency to DDoS attacks, as well as downtime and revenue loss.
  • 97% of the Global 2000 don’t use DNS security extensions (DNSSEC), which means the majority of companies are prone to cache poisoning attacks. Lack of deployment of DNSSEC leads to vulnerabilities in the DNS, which could include an attacker hijacking any step of the DNS lookup process.
  • Domain-based message authentication, reporting, and conformance (DMARC) use is only at 39% for the Global 2000 companies. DMARC is an email validation system designed to protect a company’s email domain from being used for email spoofing, phishing scams, and other cyber crime.

Average cost of DNS attacks hovering around $924,000

79% of organizations experienced DNS attacks, with the average cost of each attack hovering around $924,000, according to EfficientIP.

The 2020 Global DNS Threat Report, conducted in collaboration with IDC, shows that organizations across all industries suffered an average 9.5 attacks this year. These figures illustrate the pivotal role of the DNS for network security, as threat actors make use of DNS’ dual capacity as either a threat vector or a direct objective.

In terms of regional damage from DNS attacks, North America leads the way with the average cost of attack at $1,073,000. This is a modest decrease by about 1.36% from the year prior. And while the United States saw nearly a 4% decrease in attack damages, it still has the highest cost globally at $1,082,710.

Attackers appear to increasingly target the cloud. As the number of business-critical applications hosted in hybrid-cloud environments has increased, so has the attack surface for cybercriminals. The report shows that companies that suffered cloud service downtime increased from 41% in 2019 to 50% in 2020, a sharp growth of nearly 22%. The increased adoption of cloud services during the global COVID-19 pandemic could make the cloud even more attractive for attackers.

In-house app downtime remained extremely high: 62% this year compared to 63% last year. As a whole, application downtime—whether in-house or in the cloud—remains the most significant result of DNS attacks; of the companies surveyed, 82% said that they had experienced application downtime of some kind.

The report, now in its sixth year, shows the broad range and changing popularity of attack types, ranging from volumetric to low signal. This year phishing led in popularity (39% of companies experienced phishing attempts), followed by malware-based attacks (34%) and traditional DDoS (27%). Crucially, the size of DDoS attacks is also increasing, with almost two-thirds (64%) being over 5Gbit/s.

Despite these worrying numbers, enterprise awareness of how to combat these attacks is improving: 77% of respondents in the 2020 Threat Report deemed DNS security a critical component of their network architecture, compared to 64% in the previous year. Additionally, use of Zero Trust strategies is maturing: 31% of companies are now running or piloting Zero Trust, up from 17% last year. Use of predictive analytics has increased from 45% to 55%.

“Recognition of DNS security criticality has increased to 77% as most organizations are now impacted by a DNS attack or vulnerability of some sort on a regular basis,” says Romain Fouchereau, Research Manager European Security at IDC. “The consequences of such attacks can be very damaging financially, but also have a direct impact on the ability to conduct business. Ensuring DNS service availability and integrity must become a priority for any organization.”

DNS offers valuable information against would-be hackers that is currently going underutilized. According to results from the 2020 Threat Report, currently 25% of companies perform no analytics on their DNS traffic (compared to 30% last year). 35% of organizations do not make use of internal DNS traffic for filtering, and only 12% collect DNS logs and correlate through machine learning.

“In this era of key IT initiatives like IoT, Edge, SD-WAN and 5G, DNS should play a much larger role in the security ecosystem,” says Ronan David, VP of Strategy for EfficientIP. “It offers valuable information that can make security strategies against hackers much more proactive and preventative. The pandemic has exacerbated the need to shore up DNS defenses, when any network or app downtime has major business implications.”

There are several ways that companies can make better use of DNS with threat intelligence and User Behavioral Analytics, to enhance attack protection capacity. A DNS security solution can feed SIEMs and SOCs with actionable data & events, thus simplifying and accelerating detection and remediation. Of companies surveyed, 29% used SIEM software to detect compromised devices, and 33% of companies passed DNS information to SIEM for analysis (up from 22% in 2019).

In an increasingly 5G and edge world, DNS matters

Infoblox identified the challenges Communication Service Providers (CSPs) face in transitioning to distributed cloud models, as well as the use cases for multi-access edge computing (MEC), 5G New Radio (NR), and 5G Next Generation Core (NGC) networks.

“Distributed cloud models such as 5G and multi-access edge computing networks have the potential to drastically change the CSP industry, delivering high-bandwidth, low latency services to network customers,” said Dilip Pillaipakam, Vice President and GM of Service Provider Business at Infoblox.

“Yet to fully take advantage of the benefits of these new technologies, DNS will have to evolve to address the challenges that come from delivering these high-value services at the network edge.”

DNS will need to be increasingly automated

DNS is a critical element to these new network architectures and technologies, enabling devices to access the network securely and reliably. And as 5G NR, NGC, and MEC technologies enable faster, more distributed networks with significantly more connected devices, DNS will need to be increasingly automated and operate at greater scale and with greater flexibility.

Yet, despite the importance of DNS to the reliable functioning of these networks, the survey found that few CSPs believe that their DNS is currently capable of supporting MEC or 5G NGC.

To meet this need, networks will need to leverage the benefits of distributed DNS technology that can enable network managers to meet users where they are—at the network edge.

Other key findings

  • CSPs consider DNS to be critical to the adoption of next-generation network technologies like 5G (71%), cloud-based managed security services (66%) and MEC (63%).
  • More than one third of CSPs surveyed plan to implement MEC (36%), 5G (35%), and NGC (35%) in the next 12-18 months.
  • Despite this, the lack of a mature vendor solution ranks as the largest obstacle these providers face in MEC (36%), 5G NR (46%) and 5G NGC (39%) deployments.

The CSPs surveyed included companies that represent all aspects of the industry; the largest groups were converged operators (46% of respondents), mobile operators (26%), and fixed-line and cable operators (10% each). The survey asked about their plans for implementing MEC, 5G NGC, and 5G NR technologies, business use cases, as well as concerns and obstacles to implementation.

The survey’s findings indicate that the future of DNS will hinge on the delivery of a fully distributed and fully capable edge-based DNS.

“CSPs seeking to take advantage of the benefits of cloud-based and distributed technologies like MEC, 5G NR, and 5G NGC, will need DNS services that can keep up with the challenge of edge-centric network models,” continued Pillaipakam.

“DNS providers will need to adapt and evolve to ensure that customers in this industry are provided with the features, flexibility, and security that these new architectures demand.”

Chrome 83: Enhanced Safe Browsing, Secure DNS, a Safety Check

Google has released version 83 of its popular Chrome web browser, which includes new security and privacy features and fixes for security issues.

Chrome 83: New and improved security and privacy features

The Enhanced Safe Browsing mode will allow users to get more personalized protection against malicious sites.

“Phishing sites rotate domains very quickly to avoid being blocked, and malware campaigns are directly targeting at-risk users,” Google explained.

“Turning on Enhanced Safe Browsing will substantially increase protection from dangerous websites and downloads. By sharing real-time data with Google Safe Browsing, Chrome can proactively protect you against dangerous sites. If you’re signed in, Chrome and other Google apps you use (Gmail, Drive, etc.) will be able to provide improved protection based on a holistic view of threats you encounter on the web and attacks against your Google Account.”

A new Safety Check option allows users to scan their Chrome installation and shows whether the browser is up to date, whether the Safe Browsing service is on, whether potentially harmful extensions have been installed, and whether any of the passwords the user uses have been compromised in a known breach.

New cookie controls and settings – from now on, users will be able to delete cookies on a per-site basis and block third-party cookies while using Chrome’s Incognito mode (aka “private browsing” mode).

Secure DNS – built on top of the DNS-over-HTTPS (DoH) protocol.

“When you access a website, your browser first needs to determine which server is hosting it, using a step known as a ‘DNS (Domain Name System) lookup.’ Chrome’s Secure DNS feature uses DNS-over-HTTPS to encrypt this step, thereby helping prevent attackers from observing what sites you visit or sending you to phishing websites,” Google noted.

“By default, Chrome will automatically upgrade you to DNS-over-HTTPS if your current service provider supports it. You can also configure a different secure DNS provider in the Advanced security section, or disable the feature altogether.”

Some features have already been rolled out, others will be made available to desktop Chrome users in upcoming weeks.

CCPA privacy requests cost business up to $275k per million consumer records

Organizations who plan on manually processing CCPA data subject requests (DSRs) or data subject access requests will spend between $140k – $275k per million consumer records they have in their systems, according to DataGrail.

The CCPA went into effect on January 1, 2020, giving consumers the right to know the data collected about them, to delete data about them, and ensure their data is not sold to third-parties. The report analyzed the number of requests in Q1 2020 to understand how CCPA will impact organizations in the long-run.

The early learnings from the first few months of CCPA should help businesses plan and predict the future of privacy regulation.

  • Privacy headlines (and COVID-related emails) in March & April likely drove an increase of CCPA privacy requests.
  • B2C companies should prepare to process approximately 100 to 194 requests per million consumer records each year.
  • Processing CCPA privacy requests will likely cost B2C companies $140,000 to $275,000 per one million consumer records, if done manually.
  • January 2020 saw a surge of privacy requests, most likely due to the law going into effect and privacy policy updates.
  • Deletion requests were the most popular requests (40%) in Q1 2020, followed by Do Not Sell (DNS) requests (33%), and access requests (27%).
  • Do Not Sell (DNS) requests will likely become the most dominant privacy request after analyzing early trending data.

CCPA privacy requests expected to stabilize

Looking forward to the remainder of 2020, the number of CCPA privacy requests is expected to stabilize around the February and March numbers (8 requests per million consumer records).

However, as privacy related issues make headlines or a company updates their privacy policy, organizations should expect a surge of requests. For example, in April, the number of requests has been trending higher, most likely due to the number of COVID-related emails sent, and headlines about the privacy of remote work and conferencing apps.

In July and August we may see a surge once again as CCPA enforcement begins on July 1, 2020.

DNS requests expected to dominate

DNS requests will likely dominate, with deletion requests not far behind, which means companies should prepare for the complex task of reaching out to their network of processors and sub processors to successfully perform a hard delete. New regulations cause a lot of uncertainty and anxiety – especially when they involve a lot of complexity and associated fines.

Infoblox announces enterprise best practices for DoT/DoH

Infoblox, the leader in Secure Cloud-Managed Network Services, announced enterprise best practices on DNS over TLS (also known as DoT) and DNS over HTTPS (DoH).

These DoT/DoH guidelines are based on Infoblox’s longtime commitment to providing customers with DDI services that enable them to easily and effectively secure their own DNS communications.

The DNS traffic problem

“DNS was not originally designed with security in mind and for this reason has traditionally suffered from what is known as the ‘last mile’ problem,” said Cricket Liu, Chief DNS Architect at Infoblox. “Communications between a DNS client and server are not usually encrypted, leaving users vulnerable to spoofing, interception and other types of attack.”

DoT and DoH were developed to help network users overcome this last mile problem and provide security for DNS traffic. Both standards allow users to secure DNS traffic by routing it through ports which can carry encrypted packets. However, in doing so, they both can be used to bypass internal DNS controls and direct DNS traffic to external resolvers. This is especially true for DoH, since it uses HTTPS.

“The last mile challenge has been an issue with DNS for a long time,” added Liu. “Developments like DoT and DoH are valuable efforts to address this problem, but when they are used to bypass a company’s internal DNS infrastructure or evade their security controls, a host of new challenges emerge for IT managers.”

DoT and DoH risks

These protocols can be used to access DNS services outside of corporate control, and can expose the entire organization to security risks, slow browser performance and adversely affect the user’s experience. In some cases, browser and application vendors even choose to opt users into these services without corporate consent. More than 90% of malware incidents and more than half of all ransomware and data theft attacks use DNS infrastructure. When internal DNS is bypassed, these threats go undetected.

DoH in particular can be problematic since it uses the same TCP port (443) as all HTTPS traffic, making it indistinguishable from regular HTTPS requests (for example, when surfing the web). As a result, it can be difficult to troubleshoot DoH-related DNS issues or maintain levels of network performance, security, scale and reliability that organizations need from DNS. It also introduces a covert channel for malware.

For example, recent versions of PsiXBot malware use DoH to encrypt malicious communications allowing it to hide in normal HTTPS traffic, and install malware that can steal data or add a victim to a botnet.

“While these new DNS privacy initiatives are necessary and valuable, network administrators and security teams must be aware of the risks that the DoT and DoH approaches raise,” said Liu.

To combat this, Infoblox recommends that companies block DoH traffic between internal IP addresses and external DNS servers, forcing employees to use their company’s IT-managed DNS infrastructure and ensuring that security policies are enforced.

BloxOne Threat Defense, a hybrid foundational security solution from Infoblox that uses DNS as the first line of defense, blocks resolution to DoH domains and facilitates a graceful fallback to existing internal DNS. This helps prevent DoH misuse and mitigates risk.

BloxOne Threat Defense includes the following features to help manage DoH:

  • Policy threat intelligence feeds for DoH, which let administrators keep DNS-based threat detection and mitigation in place by switching DoH off on endpoints. A threat intelligence feed containing the browsers’ canary domains is available for this: when the managed resolver blocks resolution of the canary domain, browsers fall back gracefully to the organization’s managed DNS without interrupting user activity.
  • DoH-Policy feed for known DoH IPs and DoH domains added to Threat Intelligence Data Exchange, Infoblox’s threat intelligence aggregation and distribution platform, which can then be used by other security tools like NGFWs to block DoH traffic to external servers.
  • Ability to review DoH-related domains and IPs within Dossier, Infoblox’s threat investigation tool.

These capabilities are available for all BloxOne Threat Defense subscription levels.

Support for DoT and DoH will also be added to an upcoming NIOS release. This capability will enable customers to encrypt last-mile DNS communications between their endpoints and DNS servers regardless of which protocol the endpoint supports.

Infoblox is committed to helping customers maintain the network performance, security, scale, and reliability that modern enterprise networks demand. While solving the “last mile” problem is important and worthwhile, the company also recognizes that it is important for IT managers to maintain visibility and control over their DNS traffic. Infoblox will continue developing solutions to help IT managers and network administrators address these challenges in the future.

The frequency of DDoS attacks depends on the day and time

Multivector attacks, and attacks launched from cloud resources, have been rising over the last twelve months, according to Link11. The share of multivector attacks, which target and misuse several protocols at once, grew significantly from 46% in the first quarter to 65% in the fourth quarter.


DNS amplification most popular for DDoS attackers

DNS amplification was the most used DDoS technique in 2019, appearing in one third of all attacks. Attackers exploit open DNS resolvers, servers that answer recursive queries from any source: a small query carrying the victim’s spoofed source address elicits a much larger response, which the resolver sends to the victim. There were over 2.7 million such open resolvers worldwide by the end of 2019, according to the Open Resolver Project.

Average attack bandwidth increases

The average attack bandwidth has grown by more than 150% within four years, from 2 Gbps in 2016 to 5 Gbps in 2019. The maximum attack volume has also nearly doubled compared to 2018, from 371 Gbps to 724 Gbps.

Attacks from compromised cloud servers rising

The proportion of DDoS attacks that involved compromised cloud servers was 45% between January and December, a 16% increase over the same period the previous year. Over the last six months of 2019 the proportion rose to 51%.

The number of attacks traced to cloud providers was roughly proportionate to their relative market share, with the most cases of compromised cloud hosts registered for AWS, Microsoft Azure and Google Cloud.

The longest DDoS attack lasted 6,459 minutes; more than 100 hours.


DDoS attacks concentrated around weekends and evenings

The data showed that the frequency of DDoS attacks depends on the day of the week and time of the day, with most attacks concentrated around weekends and evenings. More attacks were registered on Saturdays, and between 4pm and midnight on weekdays.

There were also a number of new amplification vectors registered by the Link11 Security Operations Center (LSOC) last year, including WS-Discovery, Apple Remote Management Service and TCP amplification; registered attacks using the latter doubled compared to the first six months of the year.

The LSOC also saw an increase in ‘carpet bombing’ attacks in the latter part of 2019. A carpet bombing attack is a flood of individual attacks that simultaneously target an entire subnet or CIDR block with thousands of hosts.

This popular method spreads the attack traffic across many destination IPs. The volume sent to each individual address is small enough to stay under per-host detection thresholds, yet the combined bandwidth equals that of a large DDoS attack.
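The detection consequence of that description is that per-host thresholds never fire, so the aggregation has to happen at the subnet level as well. The following Python is an added example, not part of the Link11 report or its tooling: it sums one minute of constructed flow records per destination host and per enclosing /24, and raises a "carpet" alert only when a subnet crosses the bandwidth threshold while none of its hosts does. The flow records, the /24 granularity and the 100 Mbit/s thresholds are all assumptions chosen for illustration.

```python
"""Carpet-bombing detection over per-destination flow totals.

Added example; not part of the Link11 report. The flow records and the
thresholds are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed one-minute flow summary: (destination IP, bytes received).
# Every host in 203.0.113.0/24 gets a modest trickle; 198.51.100.7 gets one
# classic single-target flood; 192.0.2.10 is an ordinary busy server.
SAMPLE_FLOWS = (
    [(f"203.0.113.{i}", 4_000_000) for i in range(1, 255)]
    + [("198.51.100.7", 900_000_000)]
    + [("192.0.2.10", 5_000_000)]
)

WINDOW_SECONDS = 60


def aggregate(flows, prefixlen=24):
    """Sum bytes per destination host and per enclosing /prefixlen subnet."""
    per_host = defaultdict(int)
    per_subnet = defaultdict(int)
    for dst, nbytes in flows:
        per_host[dst] += nbytes
        net = ip_network(f"{dst}/{prefixlen}", strict=False)
        per_subnet[net] += nbytes
    return per_host, per_subnet


def to_bps(nbytes, window=WINDOW_SECONDS):
    return nbytes * 8 / window


def detect(flows, host_threshold_bps=100e6, subnet_threshold_bps=100e6, prefixlen=24):
    """Return (kind, target) alerts.

    "volumetric": a single destination crossed the per-host threshold.
    "carpet": a subnet crossed the subnet threshold although no host in it
    crossed the per-host threshold, i.e. the volume is spread thin on purpose.
    """
    per_host, per_subnet = aggregate(flows, prefixlen)
    alerts = []
    for host, nbytes in per_host.items():
        if to_bps(nbytes) >= host_threshold_bps:
            alerts.append(("volumetric", host))
    for net, nbytes in per_subnet.items():
        if to_bps(nbytes) < subnet_threshold_bps:
            continue
        members = [h for h in per_host if ip_address(h) in net]
        if all(to_bps(per_host[h]) < host_threshold_bps for h in members):
            alerts.append(("carpet", str(net)))
    return alerts


if __name__ == "__main__":
    for kind, target in detect(SAMPLE_FLOWS):
        print(f"{kind:10s} {target}")
```

With the sample data the 254 hosts of 203.0.113.0/24 each receive about 0.5 Mbit/s, far below any per-host threshold, but the subnet as a whole receives about 135 Mbit/s and is reported as a carpet-bombing target; the single flooded host is reported separately and its own subnet is not double-counted.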

Marc Wilczek, COO of Link11 said: “There was a noticeable surge in attack bandwidths and volumes, and in multivector attacks in 2019, due in part to the increased malicious use of cloud resources and the popularity of IoT devices.”

The future of DNS security: From extremes to a new equilibrium

In anticipation of his keynote at HITB Security Conference 2020 in Amsterdam, we talked to internet pioneer Dr. Paul Vixie, Farsight Security Chairman and CEO.

Dr. Vixie was inducted into the internet Hall of Fame in 2014 for work related to DNS and anti-spam technologies. He is the author of open source internet software including BIND 8, and of many internet standards documents concerning DNS and DNSSEC.


You’ve worked in the DNS field for more than three decades, how have things changed since the late 1980s?

The internet is the biggest thing ever to happen to human society, but likewise commercialization and privatization was the biggest thing ever to happen to the internet. Nothing about the internet’s technology or governance was ready for general exposure to humanity – it was built by academics for their own purposes.

Denial of Service attacks, spam and other fraudulent transactions, inappropriate monetization of public resources, and unnecessary centralization have all thrived along with the internet itself, because the people who designed and deployed the fundamental architecture and infrastructure of the internet did not know and could not have believed that nothing which can be abused won’t be. Well, now we know that, but it’s late.

We’re seeing a steady push to move access side DNS away from customer networks and towards companies like Cisco, Google, IBM, and Cloudflare. What are the risks and costs, and who pays them?

I’ve often said that if the internet was a territory, then the DNS is its map. That’s now broadly understood by the tech sector, and their response is to centralize DNS either for their own leverage or to prevent others from having such leverage.

Centralization is not and never was necessary or beneficial for DNS, and the costs of centralization will be more surveillance, more fragility, more complexity, and more security bypasses. I’ve left instructions in case I perish, so on my tombstone it will be written, “run your own recursive DNS”.

What’s your take on DNS over HTTP?

I think a lot of technologists were enraged by the Snowden disclosures of 2013, and they’re dedicated to creating a user-centric network without any possible controls or monitoring. They tell us, we can’t trust network operators, or our operating systems.

What I’ve told them in reply is, we can’t trust our apps which might be malware or infected, nor our users who might be intruders or malicious insiders, and “going dark” will limit good surveillance and controls (by private network operators, and endpoint security products) and empower new kinds of e-crime and e-abuse, in at least the same and probably greater magnitudes than whatever benefit we get by limiting nation-state surveillance efforts.

We needed a balance, but DNS over HTTP is a new extreme.

How do you envision DNS security evolving in the near future?

It’s all going to be encrypted, even the parts which are public information containing no personally identifiable information.

This will trigger a new arms race as to who gets to encrypt what against whom. Managed private network operators are going to have to figure out how to prevent DNS over HTTP from bypassing their enterprise and family security controls, and there will be hell to pay in the form of new complexities and collateral damage. It’s going to take years for a new equilibrium to evolve out of this mess.

DNSSEC still fueling DNS amplification attacks, TCP SYN flood attacks rise

DNS amplification attacks continue to increase in number, growing 4,788% over Q3 2018, according to Nexusguard.


DNSSEC (Domain Name System Security Extensions) remains the main driver of growth in DNS amplification attacks in the quarter: signed responses carry large RRSIG and DNSKEY records, so a small spoofed query yields a much bigger answer. Yet analysts have also detected a sharp and concerning rise in TCP SYN flood attacks.

TCP SYN flood is not a new method, but findings indicate that techniques have grown in sophistication and have emerged as the third most used attack vector, behind DNS amplification and HTTP flood attacks.

SYN flood attacks can impact innocent users

Attackers have long favored DDoS techniques that amplify the damage beyond the resources they invest, but suitable reflectors or amplifiers for DNS amplification and memcached reflection attacks are not as widely available. In contrast, any server with an open TCP port can act as a reflector for a SYN flood reflection attack: the attacker sends SYN packets with the victim’s spoofed source address, and the server replies to the victim with SYN-ACKs, retransmitting them when no answer comes back. Such reflectors are abundant and easy to reach.

Consequently, SYN flood reflection hits not only the intended target but also innocent bystanders, including individuals, businesses and other organizations, whose servers are used as reflectors. These bystanders end up processing large volumes of spoofed connection requests, followed by what look like legitimate replies (typically RSTs) from the attack target. As a result, they can incur hefty fees for bandwidth consumed by junk traffic, or even suffer secondary outages.
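What a bystander sees is a stream of SYNs that never complete a handshake, SYN-ACKs it keeps retransmitting, and RSTs coming back from an address that never wanted the connection. The following Python is an added example, not part of the Nexusguard report: it replays a constructed, tcpdump-style packet summary from the reflector’s point of view, tracks handshake state per flow, and names the peer addresses that are most likely being forged, together with how many SYN-ACKs the reflector sent per spoofed SYN. The log format, the addresses and the three-SYN threshold are assumptions.

```python
"""Spotting SYN flood reflection from the reflector's side.

Added example; not from the Nexusguard report. The packet summaries below are
constructed in a tcpdump-like shape: "<ts> <src>:<sport> > <dst>:<dport> <flags>"
where S = SYN, S. = SYN-ACK, . = ACK, R = RST.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>[A-Z.]+)$"
)

# We are 203.0.113.5, a web server with port 80 open. 192.0.2.10 is the real
# attack target: the attacker sends us SYNs with 192.0.2.10 as the forged
# source, we answer 192.0.2.10 with SYN-ACKs, and the target (which never
# asked for a connection) replies with RSTs. 198.51.100.20 is a normal client.
SAMPLE_LOG = """\
1700000000.001 192.0.2.10:4000 > 203.0.113.5:80 S
1700000000.002 203.0.113.5:80 > 192.0.2.10:4000 S.
1700000000.040 192.0.2.10:4000 > 203.0.113.5:80 R
1700000000.003 192.0.2.10:4001 > 203.0.113.5:80 S
1700000000.004 203.0.113.5:80 > 192.0.2.10:4001 S.
1700000000.041 192.0.2.10:4001 > 203.0.113.5:80 R
1700000000.005 192.0.2.10:4002 > 203.0.113.5:80 S
1700000000.006 203.0.113.5:80 > 192.0.2.10:4002 S.
1700000001.006 203.0.113.5:80 > 192.0.2.10:4002 S.
1700000000.500 198.51.100.20:55000 > 203.0.113.5:80 S
1700000000.520 203.0.113.5:80 > 198.51.100.20:55000 S.
1700000000.540 198.51.100.20:55000 > 203.0.113.5:80 .
"""


def parse(log):
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not fit the expected shape are skipped
            yield m.groupdict()


def handshake_stats(log, our_net):
    """Per remote peer: SYNs received, handshakes completed, RSTs received,
    SYN-ACKs we sent (including retransmissions)."""
    our = ip_network(our_net)
    state = {}  # flow key -> handshake state
    stats = defaultdict(Counter)
    for rec in sorted(parse(log), key=lambda r: float(r["ts"])):
        src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
        if dst in our and src not in our:  # inbound packet
            key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
            peer = stats[rec["src"]]
            if rec["flags"] == "S":
                state[key] = "syn"
                peer["syns"] += 1
            elif rec["flags"] == "." and state.get(key) == "synack":
                state[key] = "established"
                peer["completed"] += 1
            elif "R" in rec["flags"]:
                peer["rsts"] += 1
        elif src in our and dst not in our:  # outbound packet
            key = (rec["dst"], rec["dport"], rec["src"], rec["sport"])
            if rec["flags"] == "S." and key in state:
                state[key] = "synack"  # stays "synack" across retransmissions
                stats[rec["dst"]]["synacks_sent"] += 1
    return stats


def suspected_spoofed_sources(stats, min_syns=3):
    """Peers that opened many connections and completed none: their address is
    probably being forged, and they are the ones receiving our SYN-ACKs."""
    return sorted(p for p, c in stats.items() if c["syns"] >= min_syns and c["completed"] == 0)


def reflection_factor(stats, peer):
    """SYN-ACK packets we sent per spoofed SYN received for this peer."""
    c = stats[peer]
    return c["synacks_sent"] / c["syns"] if c["syns"] else 0.0
```

In the sample the forged source 192.0.2.10 opens three connections, completes none, and draws four SYN-ACKs (one retransmission), while the genuine client completes its handshake. SYN cookies on the reflector limit the state cost of this but not the outbound SYN-ACKs; the only thing that removes the reflector from the attack is rate-limiting unanswered SYN-ACKs per destination, which the stats above are enough to drive.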

“Our research findings revealed that even plain-vanilla network attacks could be turned into complex, stealthy attacks leveraging advanced techniques, from the bit-and-piece attacks, also known as carpet bombing, we identified last year, to the emergence of Distributed Reflective DoS (DRDoS) attacks in the third quarter.

“Telcos and enterprises must take note: while these tactics don’t cause notable strain on network bandwidth, and so may go undetected, they are powerful enough to impact their service. Advanced mitigation techniques are required to address these threats,” said Juniman Kasman, CTO at Nexusguard.

Largest sources of traffic

Report findings also showed that 44% of Q3 attack traffic came from botnet-hijacked Windows OS computers and servers. The second largest source of traffic came from iOS-equipped mobile devices. The total number of attacks has mirrored patterns observed in 2019, with Q1 seeing the highest number of attacks and numbers dropping over Q2 and Q3.

While attack volume has decreased since Q2 2019, levels grew more than 85% compared to the same quarter last year. More than half of all global attacks originated in China, Turkey or the United States.

DNS over HTTPS’ threat to enterprise security

DNS over HTTPS (DoH) is here, whether anyone likes it or not. Unfortunately, the majority of guidance surrounding DoH is centered on the individual consumer’s perspective. For enterprise security leaders looking to manage the risks of DoH, that hasn’t been entirely helpful.

To clarify the impacts of DoH on enterprise networks and how to manage them, I recently spoke with Chairman and CEO of Farsight Security, Paul Vixie. Below is a summary of the main points we covered.

In the year since the Internet Engineering Task Force (IETF) first published DoH as a standard (RFC 8484), its impact on security and network operations has rightly been the subject of debate and discussion.

Despite this, a number of browser vendors have already rolled out support for DoH, including Chrome and Firefox. Their official goal? To add privacy to internet communications. Microsoft has also announced DoH support in its Windows operating system, though in a different way than the browsers.

Remember, DoH encrypts communication between the client and a DoH server. Because of this, an on-path attacker can neither eavesdrop on those queries nor tamper with them in transit. It also makes DNS queries invisible to ISPs, which has been a major draw for individual consumers.

From the vantage point of enterprise security professionals and IT administrators, however, DoH creates significant challenges to network operations and security. Below are a few of the biggest ones.

DoH blinds DNS security tools

DNS is a highly valuable signal to cybersecurity operations. Enterprises leverage DNS for visibility and control over what happens on their networks. For example, passive DNS monitoring and threat detection offer security teams another chance to catch security threats that would otherwise evade their traditional tools. With DNS data, it’s possible to detect behavior like DNS tunneling, or communication between compromised hosts and command and control servers (C&Cs).

However, with DoH, DNS traffic can’t be distinguished from other HTTPS traffic. The data that used to be accessible for DNS-based monitoring and policy control now simply passes through port 443, encrypted.

Malware authors are already taking advantage of this new blindness – for example, the Godlua malware was observed using the DoH protocol earlier this year. Building on the danger of DNS blindness, malware can also now configure a compromised system to change its DoH resolver without detection. It can then communicate with a nefariously-controlled DoH server with little risk of its DNS queries being intercepted by security teams.
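The kind of signal that is lost when queries move into port 443 is worth making concrete. The following Python is an added example, not from the article or from Farsight’s tooling: it profiles a constructed passive-DNS query log per registrable domain and flags the ones whose subdomains are numerous, long and high-entropy at once, which is the shape DNS tunnelling and DNS-based C2 leave behind. The log, the thresholds and the "last two labels" rule for the registrable domain are assumptions (a real deployment would consult the public suffix list). Once the same client sends the same queries over DoH, none of this is visible to the resolver.

```python
"""Passive-DNS heuristics for tunnelling / covert-channel detection.

Added example, not from the article. The query log is constructed; the
thresholds are starting points that need tuning per environment. It assumes
the registrable domain is the last two labels, which is wrong for suffixes
such as co.uk; a real deployment should use the public suffix list.
"""
import hashlib
import math
from collections import Counter, defaultdict
from statistics import mean

SUSPICIOUS_QTYPES = {"TXT", "NULL"}  # record types tunnels favour for bulk payload


def _encoded_chunk(i):
    # Constructed stand-in for a hex-encoded chunk of exfiltrated data.
    return hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:52]


# (client, qname, qtype): the first five lines are ordinary enterprise traffic,
# the rest is one host pushing data out through TXT lookups under example.net.
SAMPLE_QUERIES = [
    ("10.0.0.7", "www.example.com", "A"),
    ("10.0.0.7", "mail.example.com", "A"),
    ("10.0.0.8", "cdn.example.com", "A"),
    ("10.0.0.8", "www.example.com", "A"),
    ("10.0.0.9", "_dmarc.example.com", "TXT"),
] + [("10.0.0.42", f"{_encoded_chunk(i)}.t.example.net", "TXT") for i in range(12)]


def registrable_domain(qname):
    return ".".join(qname.rstrip(".").split(".")[-2:])


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def profile(queries):
    """Aggregate per registrable domain the things tunnelling changes: the
    number of distinct subdomains, their length and entropy, and the qtypes."""
    per_domain = defaultdict(lambda: {
        "clients": set(), "subdomains": set(), "queries": 0,
        "suspicious_qtype": 0, "entropy": [], "length": [],
    })
    for client, qname, qtype in queries:
        dom = registrable_domain(qname)
        p = per_domain[dom]
        p["queries"] += 1
        p["clients"].add(client)
        if qtype in SUSPICIOUS_QTYPES:
            p["suspicious_qtype"] += 1
        sub = qname[: -len(dom) - 1] if qname != dom else ""
        if sub:
            p["subdomains"].add(sub)
            p["length"].append(len(sub))
            p["entropy"].append(shannon_entropy(sub.replace(".", "")))
    return per_domain


def detect_tunnels(queries, min_unique=8, min_entropy=3.0, min_len=30):
    """Flag domains with many distinct, long, high-entropy subdomains.
    Legitimate CDNs also have many subdomains, but short and low-entropy
    ones, which is why all three conditions must hold together."""
    flagged = []
    for dom, p in profile(queries).items():
        if len(p["subdomains"]) < min_unique:
            continue
        if mean(p["entropy"]) >= min_entropy and mean(p["length"]) >= min_len:
            flagged.append({
                "domain": dom,
                "clients": sorted(p["clients"]),
                "unique_subdomains": len(p["subdomains"]),
                "suspicious_qtype_share": p["suspicious_qtype"] / p["queries"],
            })
    return flagged
```

The hit record carries the client list on purpose: the next step in an investigation is the endpoint, not the domain, and the same profile run over a longer window will also show the steady query rate that distinguishes a beacon from a one-off lookup.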

DoH cripples split DNS

Enterprises operating a split DNS implementation may find that applications set up for DoH will not resolve internal names, because the query goes to a public resolver that knows nothing about the internal zone. In some cases, this breaks access to services that depend on those names.

At the same time, an enterprise using split DNS will also be leaking internal domain names by sending them to a centralized public DoH server.

How to protect against DoH

Visibility into DNS traffic provides priceless insights into security and performance. Given that DoH can bypass many of the DNS-based security controls that protect enterprises today, security and network operations teams should treat it with caution.

Consider prohibiting applications on corporate devices from configuring DoH servers. Certain browsers have already rolled out DoH support, and while the functionality of resolving to DoH servers can be disabled, organizations may want to consider disallowing those browsers altogether. This is in case individual users try to reconfigure their browsers to point to DoH servers.

Similarly, outbound traffic to DoH resolvers can also be blocked, though that type of blacklist will have to be continuously maintained. Lists of DoH resolvers are publicly available on the web on GitHub and elsewhere.
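The controls this section recommends are the same ones the Infoblox release earlier on the page packages as feeds: answer the browsers’ canary domain and known DoH endpoints with NXDOMAIN from the managed resolver, and block or flag HTTPS connections to DoH resolvers at the network edge. The following Python is an added example that illustrates both; it is not Infoblox’s product logic and not the article’s. The canary name is the one Firefox queries before enabling DoH by default; the DoH hostname and IP lists are an illustrative seed, not a complete list, and the TLS log format is constructed.

```python
"""Keeping DoH from bypassing the managed resolver.

Added example; not Infoblox's product logic or the article's. It combines the
two controls both texts describe: answering the browser canary domain and
known DoH endpoints with NXDOMAIN from the internal resolver, and flagging
HTTPS connections whose TLS SNI or destination is a DoH resolver. The
endpoint lists are an illustrative seed; real lists need continuous upkeep.
"""
import re

# Firefox queries this name before enabling DoH by default; NXDOMAIN tells it
# to stay on the system resolver (the canary mechanism the texts refer to).
CANARY_DOMAINS = {"use-application-dns.net"}

# Illustrative seed of public DoH endpoints; incomplete by design.
DOH_HOSTNAMES = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
DOH_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}


def _matches(qname, names):
    """Label-aligned suffix match: 'a.dns.google' hits 'dns.google',
    'notdns.google' does not."""
    q = qname.rstrip(".").lower()
    return any(q == n or q.endswith("." + n) for n in names)


def policy(qname):
    """Decision the internal resolver should take for a query name."""
    if _matches(qname, CANARY_DOMAINS | DOH_HOSTNAMES):
        return "NXDOMAIN"
    return "forward"


def render_rpz():
    """Emit the body of a BIND response policy zone (RPZ) enforcing policy():
    'CNAME .' means 'answer NXDOMAIN'; the wildcard line covers subdomains."""
    lines = [
        "$TTL 300",
        "@ SOA localhost. root.localhost. 1 3600 900 604800 300",
        "@ NS localhost.",
    ]
    for name in sorted(CANARY_DOMAINS | DOH_HOSTNAMES):
        lines.append(f"{name} CNAME .")
        lines.append(f"*.{name} CNAME .")
    return "\n".join(lines) + "\n"


# Constructed firewall/proxy log line shape: "<src> -> <dst>:<port> sni=<name|->"
SNI_LINE = re.compile(r"^(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) sni=(?P<sni>\S+)$")

SAMPLE_TLS_LOG = """\
10.0.0.5 -> 198.51.100.1:443 sni=www.example.com
10.0.0.5 -> 203.0.113.20:443 sni=cloudflare-dns.com
10.0.0.6 -> 8.8.8.8:443 sni=dns.google
10.0.0.7 -> 1.1.1.1:443 sni=-
10.0.0.7 -> 198.51.100.9:443 sni=notdns.google
"""


def flag_doh_connections(log):
    """Return (src, dst, reason) for HTTPS connections that look like DoH:
    by SNI when one is present, by destination address otherwise."""
    hits = []
    for line in log.splitlines():
        m = SNI_LINE.match(line.strip())
        if not m or m["port"] != "443":
            continue
        if m["sni"] != "-" and _matches(m["sni"], DOH_HOSTNAMES):
            hits.append((m["src"], m["dst"], f"sni {m['sni']}"))
        elif m["dst"] in DOH_IPS:
            hits.append((m["src"], m["dst"], "known DoH resolver IP"))
    return hits
```

Two caveats a practitioner should keep in mind. The canary only governs Firefox’s default-on rollout; a user who has explicitly enabled DoH in the browser ignores it, so the endpoint side still needs the browser policy (Firefox’s `DNSOverHTTPS` enterprise policy with `Enabled` false and `Locked` true, Chrome’s `DnsOverHttpsMode` set to `off`). And the SNI check sees nothing once the resolver is one the list does not know, or once the client hides the SNI, which is why the resolver-side NXDOMAIN and the outbound block are layered rather than alternatives.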

Given the criticality of DNS, enterprise network operations and security teams need to move slowly and carefully when it comes to DoH.

How DNS filtering works and why businesses need it

The Domain Name System (DNS) is a cornerstone of the internet. DNS servers connect domain names that humans can read to the numeric Internet Protocol (IP) addresses that software uses. Without DNS, we’d all be typing in long, seemingly random combinations of characters and numbers in order to get anywhere online! However, this dependency opens up the possibility for misuse. From domain hijacking and cache poisoning to Denial of Service attacks, DNS is no stranger to being attacked or, even scarier, being an attack vector!

how DNS filtering works

It’s not difficult to see why attackers would use DNS as an attack vector. Any application that uses the internet uses it, even though a majority of internet traffic is web content. This includes email, peer-to-peer sharing, RDP, SSH, etc. Fortunately, this crucial component of the internet can be used defensively as well. DNS filtering can prevent users from downloading malware without also blocking legitimate files by accident. Let’s explore how this process works and why it’s a useful tool for IT and security teams.

Methods for filtering malware

Malware is one of the major plagues of modern computing and many security providers spend ample time trying to prevent users from accessing malicious files on the internet. One of the easiest ways to keep users from downloading malware is to simply block access to servers hosting malicious files. There are companies whose entire purpose is to sell services that identify malicious actors. This is typically referred to as “Threat Intelligence.” Once you know which servers and sites are bad, the next step is to prevent users from connecting to them. There are multiple ways to do this, and they each have advantages and drawbacks.

It would be easy to simply block malicious sites based on IP address, but this usually isn’t practical. Unfortunately, modern server configurations allow a single IP address to host many different services. Also, many different domain names can map to the same IP address, which generally makes blocking bad sites by IP address too broad. In practice, this means IT ends up blocking legitimate websites and services along with the malicious ones, which frustrates users and makes it harder for them to accomplish their work.

On the other hand, filtering based on full URLs achieves greater fidelity against individual files served by web servers. This approach avoids the problem of blocking too many legitimate sites, but requires a lot of extra work from IT. Since URLs are application protocol-specific, this level of protection ends up requiring a unique filtering implementation per application protocol (HTTP vs FTP). Many businesses don’t have the resources to implement this successfully.

Not too broad, not too granular

DNS sits smack dab in the middle of the two methods described above. Filtering by DNS is more precise than IP address filtering, but not as work-intensive as URL filtering. For example, if malicious files are served up by only one domain name out of four that map to an individual IP address, blocking by domain name will not interrupt the other three domains (whereas blocking by IP address would interrupt all four). The level of precision that DNS filtering offers keeps organizations safe from malware without making IT departments seem “heavy-handed” and frustrating employees by unnecessarily blocking important sites and services.

DNS is also application protocol agnostic, so blocking by domain name will block connections to malicious links no matter which application initiates the connection. There are very few applications today that don’t connect to the internet, and they all resolve human-readable names into IP addresses. For example, regardless of whether you read your email using a thick client like Outlook or use a web UI like Gmail, clicking on a malicious link results in the same resolution of the same name. The same goes for documents.

Clicking on a malicious link in Acrobat Reader or Microsoft Word results in the same resolution of the same name regardless of document type or application. That means DNS-level filtering will block malicious links in all of these scenarios without needing to be customized to the specific application or protocol in use. With workers accessing corporate data from multiple devices, checking email on their phones and using applications that IT might not even know about, the flexibility provided by DNS filtering is extremely useful.

DNS filtering considerations

In security, it’s important to remember that no single solution is foolproof, and DNS filtering is no exception. Servers that use custom application protocols on odd ports for malicious activity such as botnet command and control are often reached directly by IP address, with no name lookup for the DNS filter to see, so they require IP address blocking. Malicious activity on non-web protocols like SMTP requires full domain name blocking.

Lastly, malicious content hosted on a file sharing or content delivery network requires full URL blocking because most of the content on the CDN is legitimate. No one level of network blocking is foolproof either. As every seasoned security professional knows, the best security is layered security. Therefore, the best network blocking solutions will allow filtering at all three network levels: IP, Domain and URL.
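The three layers above can be written down as one decision procedure, which also makes the two classic mistakes visible: a substring match on the domain list that blocks the wrong names, and a URL match that a query string can evade. The following Python is an added example, not from the article or any product it alludes to; the hosting map, blocklists, names and addresses are all constructed, and the point is the decision logic, not the data.

```python
"""Layered blocking: IP, domain and URL, with the collateral-damage check
that decides which layer to use.

Added example, not from the article. All addresses, names and lists are
constructed; the point is the decision logic, not the data.
"""
from urllib.parse import urlsplit

# Constructed hosting map: one shared IP fronting four domains, one of which
# is malicious (the scenario in the text).
HOSTING = {
    "shop.example.com": "198.51.100.5",
    "blog.example.org": "198.51.100.5",
    "docs.example.net": "198.51.100.5",
    "bad.example.biz": "198.51.100.5",
}
IP_BLOCKLIST = {"203.0.113.50"}  # botnet C2 on a custom protocol and odd port
DOMAIN_BLOCKLIST = {"bad.example.biz"}  # covers its subdomains too
URL_BLOCKLIST = {"https://cdn.example.com/uploads/invoice.exe"}  # one bad object on a shared CDN


def domain_blocked(host, blocklist=DOMAIN_BLOCKLIST):
    """Label-aligned match so 'x.bad.example.biz' is blocked but
    'notbad.example.biz' is not."""
    h = host.rstrip(".").lower()
    return any(h == d or h.endswith("." + d) for d in blocklist)


def url_blocked(url, blocklist=URL_BLOCKLIST):
    """Compare scheme, host and path only, so query-string noise can't evade."""
    def key(u):
        p = urlsplit(u)
        return (p.scheme.lower(), p.hostname or "", p.path)
    return key(url) in {key(b) for b in blocklist}


def collateral(ip, hosting=HOSTING):
    """Domains that an IP-level block of `ip` would take down."""
    return sorted(d for d, a in hosting.items() if a == ip)


def verdict(dst_ip, host=None, url=None):
    """Walk the layers from most to least specific and report which one
    fired. A connection made straight to an IP has host=None: the DNS layer
    never sees it, which is why the IP layer still has to exist."""
    if url and url_blocked(url):
        return ("block", "url")
    if host and domain_blocked(host):
        return ("block", "domain")
    if dst_ip in IP_BLOCKLIST:
        return ("block", "ip")
    return ("allow", None)
```

`collateral("198.51.100.5")` lists all four domains, which is the answer to "why not just block the IP"; `verdict` with only a destination address and no hostname is the case DNS filtering cannot cover on its own.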

One of the other advantages of DNS filtering is that many solutions available on the market integrate seamlessly into your current infrastructure. Instead of pointing your internal DNS server to your ISPs upstream DNS server, you point it to DNS servers from these solutions that provide protection.

Putting it all together

DNS is incredibly important to everything we do on the internet in our daily lives. The old method of blocking by IP address is inadequate, as many individual servers can serve up many different, mostly legitimate services. And even though we do just about everything in our web browser, blocking by URLs can be too narrow. The gap left over can be filled by blocking by domain names.

Remember, because of our heavy reliance on the internet, DNS-based filtering is essential for businesses today since it removes an avenue of attack that you couldn’t close down otherwise.

Why big ISPs aren’t happy about Google’s plans for encrypted DNS

When you visit a new website, your computer probably submits a request to the domain name system (DNS) to translate the domain name (like arstechnica.com) to an IP address. Currently, most DNS queries are unencrypted, which raises privacy and security concerns. Google and Mozilla are trying to address these concerns by adding support in their browsers for sending DNS queries over the encrypted HTTPS protocol.

But major Internet service providers have cried foul. In a September 19 letter to Congress, Big Cable and other telecom industry groups warned that Google’s support for DNS over HTTPS (DoH) “could interfere on a mass scale with critical Internet functions, as well as raise data-competition issues.”

On Sunday, The Wall Street Journal reported that the House Judiciary Committee is taking these concerns seriously. In a September 13 letter, the Judiciary Committee asked Google for details about its DoH plans—including whether Google plans to use data collected via the new protocol for commercial purposes.

But Google says that these concerns are groundless. Despite insinuations from telecom companies, Google says, the company has no plans to switch Chrome users to its own DNS servers. And while Google didn’t mention it, the company has plenty of ways to monitor users’ browsing patterns with or without access to their DNS queries.

The telecom industry letter is confusing because it mashes together two different criticisms of Google’s DoH plans. One concern is that switching to encrypted DNS would prevent ISPs and others from spying on their users. The other is that, in the process of enabling DoH, Google will switch millions of users over to Google’s own DNS servers, leading to a dangerous concentration of control over DNS.

Understanding the debate is easier if we consider each of these concerns separately.

Google says it isn’t planning to switch users to its DNS

Let’s start with the second concern: that Google will switch Chrome users to its own DNS servers, giving Google concentrated power over DNS. Google’s response here is simple.

“Google has no plans to centralize or change people’s DNS providers to Google by default,” the company said in an email to Ars Technica. “Any claim that we are trying to become the centralized encrypted DNS provider is inaccurate.”

Google laid out its plans in detail in a September 10 blog post. Starting with version 78, Chrome will begin experimenting with the new DoH feature. Under the experiment, Chrome will “check if the user’s current DNS provider is among a list of DoH-compatible providers, and upgrade to the equivalent DoH service from the same provider,” Google wrote. “If the DNS provider isn’t in the list, Chrome will continue to operate as it does today.”

One possible reason for confusion on this point is that Mozilla is planning a more aggressive rollout of the technology. The company is planning to gradually shift all of its users to DoH—whether or not their existing DNS provider supports it. The shift will make Cloudflare the default DNS provider for many Firefox users, regardless of the DNS settings of the underlying OS.

Mozilla has more latitude to do this because most surveys show Firefox with single-digit market share—and Firefox isn’t a major DNS provider in its own right. So there’d be little basis for antitrust scrutiny if Mozilla shifts its users over to a new DNS provider. The same move could raise antitrust concerns if Google started switching Chrome users over to its own DNS. But Google says it has no plans to do that.

DNS over HTTPS means ISPs can’t spy on their users

Telecom companies also raised a second concern that applies even if Google doesn’t shift anyone to its own DNS servers. Put simply: the lack of DNS encryption is convenient for ISPs.

ISPs sometimes find it useful to monitor their customers’ Internet traffic. For example, queries to malware-associated domains can be a signal that a customer’s computer is infected with malware. In some cases, ISPs also modify customers’ DNS queries in-flight. For example, an easy way to block children from accessing adult materials is with an ISP-level filter that rewrites DNS queries for banned domains. Some public Wi-Fi networks use modified DNS queries as a way to redirect users to a network sign-on page.

Some ISPs also use DNS snooping for more controversial purposes—like ad targeting or policing their networks for copyright infringement.

Widespread adoption of DoH would limit ISPs’ ability to both monitor and modify customer queries. It wouldn’t necessarily eliminate this ability, since ISPs could still use these techniques for customers who use the ISP’s own DNS servers. But if customers switched to third-party DNS servers—either from Google or one of its various competitors—then ISPs would no longer have an easy way to tell which sites customers were accessing.

ISPs could still see which IP addresses a customer had accessed, which would give them some information—this can be an effective way to detect malware infections, for example. But this is a cruder way to monitor Internet traffic. Multiple domains can share a single IP address, and domains can change IP addresses over time. So ISPs would wind up with reduced visibility into their customers’ browsing habits.

What would a switch mean?

But a switch to DoH would clearly mean ISPs had less ability to monitor and manipulate their customers’ browsing activity. Indeed, for advocates that’s the point. They believe users, not their ISPs, should be in charge.

Mozilla, which is pushing DoH more aggressively than Google, has taken steps to avoid creating too much chaos in the process. In July, Mozilla said that it wouldn’t enable DoH by default in the UK, where ISPs are planning to use DNS to implement legally mandated porn filtering.

Before enabling DoH, Firefox will check if a computer has parental control software installed. In enterprise settings, Mozilla will try to figure out if a switch to DoH will break corporate Intranet features that depend on using specific DNS servers. Firefox will continue using the existing DNS servers in these cases.

So far, Google is only enabling DoH for a select number of whitelisted DNS providers, so the switch shouldn’t cause too many problems. If the company goes beyond that, we can expect it to take measures similar to those Mozilla has taken.

In any event, it’s hard to see a policy problem here. ISPs’ ability to eavesdrop on their customers’ DNS queries is little more than a historical accident. In recent years, websites across the Internet have adopted encryption for the contents of their sites. The encryption of DNS is the natural next step toward a more secure Internet. It may require some painful adjustments by ISPs, but that hardly seems like a reason for policymakers to block the change.