Quantifying the Impact of Encrypted DNS for Network Defenders

  • Added 24. 08. 2024
  • DNS-layer security is often used by incident response teams to enforce policy and gain visibility. Privacy-enhancing protocols, such as DNS-over-HTTPS (DoH) and DNS-over-QUIC (DoQ), encrypt DNS requests and responses, increasing the user’s privacy at the expense of traditional security functions. In this presentation, we examine the prevalence and impact of encrypted DNS in a modern enterprise environment, which is particularly important given the role encrypted DNS plays in other privacy-enhancing protocols such as Encrypted Client Hello (ECH) and Multiplexed Application Substrate over QUIC Encryption (MASQUE). With this analysis, we show that while a few major encrypted DNS providers dominate, there exists a long tail of less popular encrypted DNS servers with several new servers coming online weekly. Our dataset includes network and endpoint information from enterprises and malware sandboxes. The presentation highlights how unsanctioned DoH and DoQ can evade traditional DNS policy enforcement. Furthermore, we examine the set of client processes, including malware, that use these evasion techniques. Finally, we present a methodology and open-source tools to identify encrypted DNS servers given passively collected network data, Internet-wide scan data, and targeted scans.
    Speaker: Blake Anderson
    Senior Technical Leader, Cisco
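The evasion the abstract describes, unsanctioned DoH and DoQ slipping past DNS-layer policy that only sees port-53 traffic, can be surfaced from the same passively collected connection records a defender already keeps. The following is an added example written for this page; it is not code from the talk or from Cisco's tools. It assumes Zeek-style connection records carrying destination port, transport protocol, TLS SNI and ALPN, uses a small illustrative seed list of well-known public resolver hostnames, and treats the sanctioned-resolver list, the sample records and their IP addresses as constructed. It also flags port-853 QUIC flows to hosts not on the seed list, which is how the "long tail" of new servers the abstract mentions would show up before any list catches them.

```python
"""Flag encrypted-DNS (DoH / DoQ / DoT) flows in passively collected connection records.

Added example for this page, not part of the talk or any Cisco tool. Records are
constructed, Zeek-style dicts; the resolver seed list is a small illustrative sample.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Illustrative seed list of well-known public DoH/DoQ endpoints. Assumption: a real
# deployment loads a maintained list rather than hard-coding three names.
KNOWN_ENCRYPTED_DNS_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Resolvers the enterprise has explicitly sanctioned (constructed for this example).
SANCTIONED_RESOLVERS = {"dns.quad9.net"}

ENCRYPTED_DNS_PORT = 853   # RFC 7858 (DoT over TCP) and RFC 9250 (DoQ over UDP) default
HTTPS_PORT = 443           # DoH rides on ordinary HTTPS, so it blends with web traffic


@dataclass(frozen=True)
class Finding:
    uid: str          # connection identifier from the record
    label: str        # "DoH", "DoQ", "DoT" or "DoQ-candidate"
    server: str       # SNI when present, otherwise destination IP
    sanctioned: bool  # True when the server is on the enterprise allow-list


def classify(rec: dict) -> Optional[Finding]:
    """Return a Finding when the record looks like encrypted DNS, else None."""
    sni = rec.get("sni", "")
    alpn = set(rec.get("alpn", []))
    port, proto = rec["dst_port"], rec["proto"]
    server = sni or rec["dst_ip"]

    if "doq" in alpn:
        label = "DoQ"                      # ALPN "doq" is definitive (RFC 9250)
    elif proto == "udp" and port == ENCRYPTED_DNS_PORT:
        label = "DoQ-candidate"            # QUIC on 853 with no ALPN observed
    elif proto == "tcp" and port == ENCRYPTED_DNS_PORT:
        label = "DoT"
    elif port == HTTPS_PORT and sni in KNOWN_ENCRYPTED_DNS_HOSTS:
        label = "DoH"                      # HTTP/2 or HTTP/3 to a known resolver name
    else:
        return None                        # port-53 DNS or ordinary web traffic
    return Finding(rec["uid"], label, server, server in SANCTIONED_RESOLVERS)


def scan(records: List[dict]) -> List[Finding]:
    """Classify every record and keep only the encrypted-DNS findings."""
    return [f for f in (classify(r) for r in records) if f is not None]


def unsanctioned(records: List[dict]) -> List[Finding]:
    """Findings that bypass the enterprise's sanctioned resolvers: the policy-evasion case."""
    return [f for f in scan(records) if not f.sanctioned]


def unknown_servers(records: List[dict]) -> Set[str]:
    """Encrypted-DNS servers not on the seed list: candidates for the long tail."""
    return {f.server for f in scan(records) if f.server not in KNOWN_ENCRYPTED_DNS_HOSTS}


# Constructed sample records; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_RECORDS = [
    {"uid": "c1", "proto": "udp", "dst_ip": "10.0.0.53", "dst_port": 53, "sni": "", "alpn": []},
    {"uid": "c2", "proto": "tcp", "dst_ip": "203.0.113.10", "dst_port": 443, "sni": "cloudflare-dns.com", "alpn": ["h2"]},
    {"uid": "c3", "proto": "udp", "dst_ip": "203.0.113.20", "dst_port": 853, "sni": "dns.example-resolver.test", "alpn": ["doq"]},
    {"uid": "c4", "proto": "tcp", "dst_ip": "203.0.113.30", "dst_port": 443, "sni": "www.example.com", "alpn": ["h2"]},
    {"uid": "c5", "proto": "tcp", "dst_ip": "203.0.113.40", "dst_port": 443, "sni": "dns.quad9.net", "alpn": ["h2"]},
    {"uid": "c6", "proto": "udp", "dst_ip": "198.51.100.5", "dst_port": 853, "sni": "", "alpn": []},
]

if __name__ == "__main__":
    for f in unsanctioned(SAMPLE_RECORDS):
        print(f"{f.uid}: {f.label} to {f.server} (not sanctioned)")
    print("servers not on the seed list:", sorted(unknown_servers(SAMPLE_RECORDS)))
```

Run against the sample, c2 (DoH to a known but unsanctioned resolver), c3 (DoQ by ALPN to a server no list knows) and c6 (QUIC on 853 to a bare IP) are reported as policy bypasses, while c5 passes because its resolver is sanctioned and c1/c4 are not encrypted DNS at all. The SNI-based DoH match is the weak link: it misses resolvers reached by IP or hidden behind ECH, which is why the abstract pairs passive data with scan data.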
