What is DNS over HTTPS (DoH)
A Brief History of DNS
The domain name system (DNS) functions as the internet’s address book and is involved in almost every type of internet action. While the original design has scaled to meet the demands of today’s internet, the need for addressing privacy concerns is a new challenge that requires innovation. Standard, unencrypted DNS has become a popular attack vector for malicious actors who execute DNS hijacking attacks, in which they redirect legitimate traffic to their own malicious servers, allowing them to intercept login credentials and sensitive data.
The upgrade to DNS over HTTPS (DoH)
Also known as DNS 2.0 and encrypted DNS, DoH uses HTTPS to encrypt DNS requests so that each request stays private and is only fielded by the intended DNS server. This, in turn, helps prevent spying, DNS hijacking and other threats.
The Path Forward
The NSA notes that while encrypted DNS such as DoH has privacy and security advantages, businesses must carefully control the DNS resolvers available on their networks, and it recommends that all other DNS resolvers be disabled or blocked. Since DoH is encrypted and runs on the same port as HTTPS traffic, enforcing this requires a firewall that is capable of inspecting SSL traffic, which is both expensive and problematic.
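The resolver control described above can be checked against network flow records. The following is an added example, not code from Webroot or the NSA: the approved resolver address, the flow records and the short list of public DoH hostnames are all constructed assumptions.

```python
import ipaddress

# Assumptions (not from the page): the approved resolver and the flow records
# below are constructed; the public DoH hostnames are a small, incomplete sample.
APPROVED_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
DNS_PORTS = {53: "plain DNS", 853: "DNS over TLS"}

# Constructed flow log: src dst dst_port tls_sni ("-" when there is no SNI)
SAMPLE_FLOWS = """\
10.0.1.20 10.0.0.53 53 -
10.0.1.21 8.8.8.8 53 -
10.0.1.22 1.1.1.1 853 -
10.0.1.23 8.8.4.4 443 dns.google
10.0.1.24 203.0.113.10 443 www.example.com
10.0.1.25 203.0.113.77 443 -
"""

def audit_flows(text):
    """Return (src, dst, reason) for each flow that bypasses approved resolvers."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records
        src, dst, port, sni = fields
        dst_ip, port = ipaddress.ip_address(dst), int(port)
        if dst_ip in APPROVED_RESOLVERS:
            continue  # traffic to a sanctioned resolver is expected
        if port in DNS_PORTS:
            findings.append((src, dst, f"{DNS_PORTS[port]} to unapproved resolver"))
        elif port == 443 and sni.lower().rstrip(".") in KNOWN_DOH_HOSTS:
            findings.append((src, dst, f"DoH to unapproved resolver {sni}"))
        # Port 443 with an unknown or absent SNI is not flagged: without TLS
        # inspection it cannot be told apart from ordinary HTTPS traffic.
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding, sep="  ")
```

The last sample record is deliberately left unflagged, which shows the limit of hostname and port matching that the paragraph above attributes to DoH sharing a port with HTTPS.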
Privacy and Security with Webroot® DNS Protection
Although many commercial network/DNS filtering solutions are not yet capable of handling this traffic correctly, the Webroot® DNS Protection agent already secures DNS requests by using DoH for all of its communications. Not only was Webroot® DNS Protection the first DNS security product on the market to support both privacy and security with DoH, but it also leverages BrightCloud® Threat Intelligence to identify and block alternate DoH connections. This means you can still benefit from the power of DNS filtering with the privacy and security of DoH. By securing remote and onsite users, devices, and networks, Webroot DNS Protection is the simple and effective solution to fulfill the NSA’s recommendations.