{"id":1411,"date":"2019-02-22T22:04:15","date_gmt":"2019-02-22T22:04:15","guid":{"rendered":"https:\/\/live-infoblox-blog.pantheonsite.io\/?p=1411"},"modified":"2021-01-28T08:47:19","modified_gmt":"2021-01-28T16:47:19","slug":"dns-dot-doh-for-service-providers-and-regulators","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/security\/dns-dot-doh-for-service-providers-and-regulators\/","title":{"rendered":"DNS DoT\/DoH for Service Providers and Regulators"},"content":{"rendered":"

In a separate blog post, Cricket covered the last-mile security problem for DNS, solutions developed by the IETF, and our recommendations to enterprise administrators.\u00a0 You should read that post before reading this post <\/a>.\u00a0 This blog post will cover the security risks, competitive, user experience, and legal impacts to Service Providers and Regulators and Enumerate Infoblox recommendations.<\/p>\n

\"Aligning<\/p>\n

Concerns for Service Providers and Regulators<\/strong><\/p>\n

LTE networks are not immune to the last-mile security problem in DNS.\u00a0 Last year a team of academics at Ruhr University Bochum and NYU demonstrated an attack that can hijack DNS on LTE networks.\u00a0 DoT and DoH are both possible solutions to this.\u00a0 The full writeup of the attack is posted at\u00a0https:\/\/alter-attack.net\/<\/a><\/p>\n

Cloud DNS providers create numerous competitive, user experience and legal concerns.\u00a0 Some are owned by content delivery networks and other large technology companies.\u00a0 The cloud DNS providers may be direct competitors to the service provider or each other.\u00a0 The SP and regulator may have little or no influence over commercial issues between the cloud DNS provider and their competitors or customers.\u00a0 Competitors could choose to route each other\u2019s traffic to slower-responding sites or take other liberties with the user experience. DNS is the first message in most IP conversations, so low latency is critical to user experience.\u00a0 Routing DNS off the SP network will always make the DNS experience slower. Several cloud DNS providers are being actively misleading in their marketing of DNS response time.\u00a0 Service providers could address this by publishing comparative DNS latency statistics.\u00a0 Cloud DNS services are implemented worldwide.\u00a0 This means the DNS traffic can be subject to observation, spying or other alteration based on legal orders from governments outside of the service provider\u2019s territory.\u00a0 Blocking resolution of malicious and illegal content is a major concern.\u00a0 Implementing these regulatory obligations is challenging or impossible when there is no business relationship or legal authority over a company outside of the service provider\u2019s network or legal territory.\u00a0 Customer use of cloud DNS services also prevents the service provider from offering subscriber-facing services like parental control or security services over DNS.<\/p>\n

DNS over HTTPS creates unique support problems for the service provider.\u00a0 DoH traffic is indistinguishable from regular HTTPS traffic. \u00a0The most common implementation of DoH occurs between the browser and a cloud DNS provider, not the OS resolver and the SP\u2019s DNS service.\u00a0 \u00a0It\u2019s important to have support teams trained to identify if DoH clients are installed or browser-level settings have been altered.\u00a0 This could result in an app on User Equipment(UE) that behaves differently when run via the browser or in the UE OS.\u00a0 The SP\u2019s support team could also examine local and network-based logging systems to determine if known DoH server addresses have been accessed by the UE recently.<\/p>\n

Recommendations for Service Providers<\/strong><\/p>\n

For the above reasons, Infoblox recommends direct implementation of DoT by mobile and fixed providers.\u00a0 Now is the time to start planning for CY 2020 implementation.\u00a0 To prepare for this, Infoblox suggests working with UE software and hardware makers in the following areas:<\/p>\n