The US federal government has been protecting its users by blocking malicious destinations for years, but it won’t let them take advantage of the latest protective measure in DNS – encryption – just yet. Last month, the US Department of Homeland Security warned government agencies that they’re legally bound to use an internal system that won’t support this feature.
The DHS’s Cybersecurity & Infrastructure Security Agency (CISA) published a memorandum on April 21 warning agency CIOs that they’re legally bound to use its internal EINSTEIN network security system when resolving DNS queries. That means that they can’t yet take advantage of technologies that stop people from snooping on or even hijacking their DNS queries.
EINSTEIN began as an intrusion detection system designed by the DHS’s US-CERT. Version 1 allowed the Agency to monitor traffic across all government networks, while version 2 spotted suspicious traffic. Version 3 (Einstein 3 Accelerated, or Einstein 3A), went further, preventing unwanted intrusions by known bad actors. It offers useful DHS-specific services like sink-holing that override public DNS records by blocking access to destinations that the DHS knows to be malicious. It also lets the DHS examine all DNS requests made by government users, of course.
One thing it still doesn’t do, though, is to encrypt DNS lookups. This is important, especially in networks whose users deal with sensitive information. The Domain Name System is what translates URLs like
nakedsecurity.sophos.com into IP addresses. It’s an address book for the internet. When a computer looks up a domain in that address book, it goes to a DNS resolver, which delivers the answer (sometimes asking other DNS resolvers in the process). The DNS resolver is usually your ISP, but users who control their own devices can also set alternatives, including those operated by companies like Google and Cloudflare.
When the DNS was created in 1987, no one built encryption into it. This means that computers sent DNS queries in plain text by default. Anyone who could intercept them could look at the places you’re visiting and even alter them, potentially sending you to a malicious site and phishing you or infecting your device. This includes not just someone snooping on your wireless connection, but also your ISP or the owner of the network you’re connected to. This is called DNS hijacking, and the US government has already warned agencies about it.
Two types of DNS encryption have emerged to solve that problem. The first is DNS over TLS (DoT). This uses Transport Layer Security (TLS) – the successor to SSL – to encrypt the queries directly and verify the server’s identity using digital certificates. This technique uses port 853 rather than the traditional DNS port, 53, which might cause existing firewall configurations to block those queries. DNS over HTTPS (DoH), solves that problem by using HTTPS, the TLS-encrypted version of HTTP. HTTPS uses port 443, which is so commonly used that a firewall is unlikely to lock it down.
Not all DNS resolves support these techniques. In the memorandum, CISA director Chris Krebs explained that EINSTEIN 3 doesn’t.
DoH and DoT add desirable security features to DNS resolution; however, federal agencies that use DNS resolvers other than E3A lose the protection that defensive DNS filtering provides, and E3A does not currently offer encrypted DNS resolution.13 CISA intends to offer a DNS resolution service that supports DoH and DoT in time. Until then, agencies must use E3A for DNS resolution.
All is not lost, though. EINSTEIN 3A does tunnel all traffic to and from devices that are physically or virtually connected to agency networks, including their DNS queries. Krebs also pointed out that while agencies must use E3A as their primary upstream resolver, they are still free to stipulate their own fallback options supporting DoH or DoT that would kick in if E3A stops working. These can include encrypted DNS resolvers in their own infrastructure, or public upstream resolvers (it cites Google and Cloudflare as examples).
Why is the DHS reminding federal government CIOs about this now? The advisory itself points to one likely reason: browser developers are introducing support for DoH. Mozilla announced last September that it would be a default feature in Firefox, and Google has also announced an “experiment” with DoH in Chrome. The two organisations approach this differently, with Firefox choosing a DoH resolver of its own (Cloudflare) and Google just using the protocol if the user’s existing resolver supports it.
Latest Naked Security podcast
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
7 comments on “Uncle Sam to agencies: No encrypted DNS for you!”
DoT and DoH just change the entity who knows everything about your DNS queries. In ordinary DNS, it will be whoever controls your DNS server – usually, but not necessarily, your ISP. With DoT or DoH, it will be companies like Google and Cloudflare. Are they more trustworthy than your ISP?
The only way to get DNS privacy is to have full control of your DoT/DoH server – which is going to be the case for very, very few individuals. This aside, DoH is a boon for malware dissemination tunneled within DNS (especially bot controllers) by making use of a port (443) that, for the most part, can’t be blocked.
DoT and DoH are very bad ideas (especially the latter) packaged as virtuous intentions.
Encrypted DNS does nothing with regard to privacy. Even though your website to IP address lookups are encrypted, you are still visiting the website’s IP and that fact can be seen by the network infrastructure (ISP, etc). Also, DNS highjacking generally involves compromising your modem/router. So if your router is set to use encrypted DNS and then is comprised…I think you get the picture.
HTTP uses port 80, while HTTPS uses port 443. I assume that it’s just a typo in your article.
Typo, fixed, thanks!
Huh? What is the typo?
It’s gone because I fixed it :-) I originally wrote “DNS over HTTPS [uses] HTTPS. […] HTTP uses port 443,” but I corrected it following the OP’s comment to say “HTTPS uses port 443.”
Sound like a little bit of whining. Department of whatever uses the network provided by the govt. So they can dictate what is used where. The DNS forwarders can still be whatever the required DNS servers are. This keeps DNS lookups in house and away from prying eyes at Google or Cloudfare. Meaning they have no business tracking what lookups come from what areas of the govt network. The central DNS will make those requests. As far as going down… just as Google does, govt can have multiple DNS servers.