{"id":4771,"date":"2020-02-20T11:32:39","date_gmt":"2020-02-20T19:32:39","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=4771"},"modified":"2021-04-08T16:51:23","modified_gmt":"2021-04-08T23:51:23","slug":"security-risk-with-unauthorized-external-dns-resolvers","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/security\/security-risk-with-unauthorized-external-dns-resolvers\/","title":{"rendered":"Security Risk with Unauthorized External DNS Resolvers"},"content":{"rendered":"

Using external DNS providers has always been a questionable idea for an enterprise. The Internet Domain Name System (DNS)<\/a> helps end-user applications acquire the IP address of their destinations. Enterprises want to enforce policy controls regarding Internet access that align with their business needs, and the associated policy controls are most effectively implemented using authorized, internal corporate DNS servers.<\/p>\n

Firefox and Chrome have recently begun supporting external DNS resolvers in the cloud. The use of these DNS services bypasses controls that enterprise IT organizations put in place to prevent end users from visiting unauthorized Internet destinations. Compounding the issue is that certain operating systems and browsers use new encryption technologies\u2014DNS over TLS (DoT) and DNS over HTTPS (DoH)\u2014in the query response handshake with these unauthorized DNS services that make them harder to block.<\/p>\n

\"\"<\/p>\n

Figure 1: Use Infoblox DoT today<\/em><\/p>\n

As the industry leader in commercial DNS, Infoblox has the solution to the problem. Organizations can use Infoblox\u2019s recommended best practices to block encrypted DNS queries from end-user devices to unauthorized public DNS services, forcing the devices to fall back to their original and controlled DNS behavior. This approach consistently enforces corporate policy and reduces business risk.<\/p>\n

\"\"<\/p>\n

Figure 2: Block DoH today<\/em><\/p>\n

You can enforce corporate policies blocking access to unauthorized DoH resolvers in several ways: at the application or browser, at the stub resolver in the operating system, at the firewall or at the proxy server in your network. Please refer to Infoblox\u2019s Solution Note on blocking access to unauthorized cloud DNS services to ensure that your corporate security policies are being consistently enforced.<\/p>\n

Reference: Solution Note: DoT and DoH Present New Challenges<\/em><\/a><\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Using external DNS providers has always been a questionable idea for an enterprise. The Internet Domain Name System (DNS) helps end-user applications acquire the IP address of their destinations. Enterprises want to enforce policy controls regarding Internet access that align with their business needs, and the associated policy controls are most effectively implemented using authorized, […]<\/p>\n","protected":false},"author":247,"featured_media":1635,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[2],"tags":[90,15,427],"class_list":{"0":"post-4771","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security","8":"tag-dot-doh","9":"tag-security","10":"tag-nios-8-x","11":"entry"},"acf":[],"yoast_head":"\nSecurity Risk with Unauthorized External DNS Resolvers<\/title>\n<meta name=\"description\" content=\"Firefox and Chrome have recently begun supporting external DNS resolvers in the cloud. DoT DoH DNS Infoblox\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.infoblox.com\/blog\/security\/security-risk-with-unauthorized-external-dns-resolvers\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Security Risk with Unauthorized External DNS Resolvers\" \/>\n<meta property=\"og:description\" content=\"Firefox and Chrome have recently begun supporting external DNS resolvers in the cloud. DoT DoH DNS Infoblox\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.infoblox.com\/blog\/security\/security-risk-with-unauthorized-external-dns-resolvers\/\" \/>\n<meta property=\"og:site_name\" content=\"Infoblox Blog\" \/>\n<meta property=\"article:published_time\" content=\"2020-02-20T19:32:39+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-04-08T23:51:23+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/security-banner-11.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"660\" \/>\n\t<meta property=\"og:image:height\" content=\"454\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"PG Menon\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"PG Menon\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/security-risk-with-unauthorized-external-dns-resolvers\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/security-risk-with-unauthorized-external-dns-resolvers\\\/\"},\"author\":{\"name\":\"PG Menon\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/c5a01da7db2d58edfbb231094dc37a3a\"},\"headline\":\"Security Risk with Unauthorized External DNS Resolvers\",\"datePublished\":\"2020-02-20T19:32:39+00:00\",\"dateModified\":\"2021-04-08T23:51:23+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/security-risk-with-unauthorized-external-dns-resolvers\\\/\"},\"wordCount\":283,\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/security-risk-with-unauthorized-external-dns-resolvers\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/security-banner-11.jpg\",\"keywords\":[\"DoT\\\/DoH\",\"Security\",\"NIOS 8.x\"],\"articleSection\":[\"Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/security-risk-with-unauthorized-external-dns-resolvers\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/security-risk-with-unauthorized-external-dns-resolvers\\\/\",\"name\":\"Security Risk with Unauthorized External DNS Resolvers\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/security-risk-with-unauthorized-external-dns-resolvers\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/security-risk-with-unauthorized-external-dns-resolvers\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/security-banner-11.jpg\",\"datePublished\":\"2020-02-20T19:32:39+00:00\",\"dateModified\":\"2021-04-08T23:51:23+00:00\",\"description\":\"Firefox and Chrome have recently begun supporting external DNS resolvers in the cloud. DoT DoH DNS Infoblox\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/security-risk-with-unauthorized-external-dns-resolvers\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/security-risk-with-unauthorized-external-dns-resolvers\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/security-risk-with-unauthorized-external-dns-resolvers\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/security-banner-11.jpg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/security-banner-11.jpg\",\"width\":660,\"height\":454},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/security-risk-with-unauthorized-external-dns-resolvers\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Security\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/security\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Security Risk with Unauthorized External DNS Resolvers\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"name\":\"infoblox.com\\\/blog\\\/\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\",\"name\":\"Infoblox\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"width\":137,\"height\":30,\"caption\":\"Infoblox\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/c5a01da7db2d58edfbb231094dc37a3a\",\"name\":\"PG Menon\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_247_1608573000-96x96.png\",\"url\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_247_1608573000-96x96.png\",\"contentUrl\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_247_1608573000-96x96.png\",\"caption\":\"PG Menon\"},\"description\":\"PG Menon is Senior Director of Product Marketing at Infoblox. He was most recently Senior Director, at Aruba Networks, A Hewlett Packard Company where he was product marketing lead for its campus switching product line. Before Aruba, PG was senior director of technology strategy at Brocade Communications where he led several initiatives such as SDN and DevOps for cloud and datacenter markets. Prior to Brocade, PG was a founding executive in a number of startups. PG Menon has an MS EE from Rensselaer Polytechnic Institute and BS in EE from IIT, Varanasi, India.\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/author\\\/pg-menon\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Security Risk with Unauthorized External DNS Resolvers","description":"Firefox and Chrome have recently begun supporting external DNS resolvers in the cloud. DoT DoH DNS Infoblox","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.infoblox.com\/blog\/security\/security-risk-with-unauthorized-external-dns-resolvers\/","og_locale":"en_US","og_type":"article","og_title":"Security Risk with Unauthorized External DNS Resolvers","og_description":"Firefox and Chrome have recently begun supporting external DNS resolvers in the cloud. DoT DoH DNS Infoblox","og_url":"https:\/\/www.infoblox.com\/blog\/security\/security-risk-with-unauthorized-external-dns-resolvers\/","og_site_name":"Infoblox Blog","article_published_time":"2020-02-20T19:32:39+00:00","article_modified_time":"2021-04-08T23:51:23+00:00","og_image":[{"width":660,"height":454,"url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/security-banner-11.jpg","type":"image\/jpeg"}],"author":"PG Menon","twitter_card":"summary_large_image","twitter_misc":{"Written by":"PG Menon","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.infoblox.com\/blog\/security\/security-risk-with-unauthorized-external-dns-resolvers\/#article","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/security-risk-with-unauthorized-external-dns-resolvers\/"},"author":{"name":"PG Menon","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/c5a01da7db2d58edfbb231094dc37a3a"},"headline":"Security Risk with Unauthorized External DNS Resolvers","datePublished":"2020-02-20T19:32:39+00:00","dateModified":"2021-04-08T23:51:23+00:00","mainEntityOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/security-risk-with-unauthorized-external-dns-resolvers\/"},"wordCount":283,"publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/security-risk-with-unauthorized-external-dns-resolvers\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/security-banner-11.jpg","keywords":["DoT\/DoH","Security","NIOS 8.x"],"articleSection":["Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.infoblox.com\/blog\/security\/security-risk-with-unauthorized-external-dns-resolvers\/","url":"https:\/\/www.infoblox.com\/blog\/security\/security-risk-with-unauthorized-external-dns-resolvers\/","name":"Security Risk with Unauthorized External DNS Resolvers","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/security-risk-with-unauthorized-external-dns-resolvers\/#primaryimage"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/security-risk-with-unauthorized-external-dns-resolvers\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/security-banner-11.jpg","datePublished":"2020-02-20T19:32:39+00:00","dateModified":"2021-04-08T23:51:23+00:00","description":"Firefox and Chrome have recently begun supporting external DNS resolvers in the cloud. DoT DoH DNS Infoblox","breadcrumb":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/security-risk-with-unauthorized-external-dns-resolvers\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.infoblox.com\/blog\/security\/security-risk-with-unauthorized-external-dns-resolvers\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/security\/security-risk-with-unauthorized-external-dns-resolvers\/#primaryimage","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/security-banner-11.jpg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/security-banner-11.jpg","width":660,"height":454},{"@type":"BreadcrumbList","@id":"https:\/\/www.infoblox.com\/blog\/security\/security-risk-with-unauthorized-external-dns-resolvers\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.infoblox.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Security","item":"https:\/\/www.infoblox.com\/blog\/category\/security\/"},{"@type":"ListItem","position":3,"name":"Security Risk with Unauthorized External DNS Resolvers"}]},{"@type":"WebSite","@id":"https:\/\/www.infoblox.com\/blog\/#website","url":"https:\/\/www.infoblox.com\/blog\/","name":"infoblox.com\/blog\/","description":"","publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.infoblox.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.infoblox.com\/blog\/#organization","name":"Infoblox","url":"https:\/\/www.infoblox.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","width":137,"height":30,"caption":"Infoblox"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/c5a01da7db2d58edfbb231094dc37a3a","name":"PG Menon","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_247_1608573000-96x96.png","url":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_247_1608573000-96x96.png","contentUrl":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_247_1608573000-96x96.png","caption":"PG Menon"},"description":"PG Menon is Senior Director of Product Marketing at Infoblox. He was most recently Senior Director, at Aruba Networks, A Hewlett Packard Company where he was product marketing lead for its campus switching product line. Before Aruba, PG was senior director of technology strategy at Brocade Communications where he led several initiatives such as SDN and DevOps for cloud and datacenter markets. Prior to Brocade, PG was a founding executive in a number of startups. PG Menon has an MS EE from Rensselaer Polytechnic Institute and BS in EE from IIT, Varanasi, India.","url":"https:\/\/www.infoblox.com\/blog\/author\/pg-menon\/"}]}},"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/4771","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/247"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=4771"}],"version-history":[{"count":7,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/4771\/revisions"}],"predecessor-version":[{"id":6211,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/4771\/revisions\/6211"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/1635"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=4771"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=4771"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=4771"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}