'DNS over HTTPS is a new protocol that protects domain-lookup traffic
from eavesdropping and manipulation by malicious parties. Rather than
an end-user device communicating with a DNS server over a plaintext
channel—as DNS has done for more than three decades—DoH, as DNS over
HTTPS is known, encrypts requests and responses using the same
encryption websites rely on to send and receive HTTPS traffic.
Using DoH or a similar protocol known as DoT—short for DNS over TLS—is
a no brainer in 2021, since DNS traffic can be every bit as sensitive
as any other data sent over the Internet. On Thursday, however, the
National Security Agency said in some cases Fortune 500 companies,
large government agencies, and other enterprise users are better off
not using it. The reason: the same encryption that thwarts malicious
third parties can hamper engineers’ efforts to secure their networks.
“DoH provides the benefit of encrypted DNS transactions, but it can
also bring issues to enterprises, including a false sense of security,
bypassing of DNS monitoring and protections, concerns for internal
network configurations and information, and exploitation of upstream
DNS traffic,” NSA officials wrote in published recommendations. “In
some cases, individual client applications may enable DoH using
external resolvers, causing some of these issues automatically.”'
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 577-5304