Prepare for DoT and DoH: factsheet available
The NCSC publishes the factsheet DNS monitoring will get harder. New DNS transport protocols make it harder to monitor or modify DNS requests. This is beneficial on today’s untrusted networks. At the same time, the shift may render your organisation’s security controls ineffective, expose internal naming or break connectivity. These negative side effects are hard to mitigate at the network level and require mitigation in the DNS infrastructure and on individual devices.
Encrypted transports for DNS are gaining popularity. Increasingly, software no longer uses system-level DNS resolving. Your organisation may unwittingly start to hand off responsibility for DNS resolving to a third party. This can render security controls ineffective, expose internal naming or break connectivity.
The NCSC has the following advice for organisations:
- Decide on preferred resolvers.
- Configure these preferred resolvers on all devices under administrative control.
- Take note of the benefits provided by modern DNS transports.
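The advice above amounts to a whitelist of preferred resolvers plus a check that devices actually use them. As an added illustration (not part of the NCSC factsheet or this page), the following Python script classifies constructed flow records and reports which internal hosts send DNS, DoT (TCP/853, RFC 7858) or DoH (HTTPS, RFC 8484) traffic to resolvers other than the organisation's preferred ones. The resolver addresses, the list of public DoH hostnames and the sample flows are assumptions chosen for the example; encrypted DNS sent to a preferred resolver is deliberately not flagged, since that is the benefit the third bullet refers to.

```python
"""Report devices that bypass the organisation's preferred DNS resolvers.

Added example, not code from the NCSC or its factsheet. Resolver addresses,
DoH hostnames and sample flows are constructed for illustration.
"""
from dataclasses import dataclass

# Assumed: the resolvers the organisation decided on (documentation-range IPs).
PREFERRED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# DoT is specified on TCP port 853 (RFC 7858); DoH rides on HTTPS (RFC 8484).
DOT_PORT = 853
HTTPS_PORT = 443

# Assumed: public DoH endpoints the operator chooses to recognise by TLS SNI.
# Maintain this list from your own sources; it is a starting point, not complete.
KNOWN_DOH_HOSTS = {
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
}


@dataclass
class Flow:
    """One connection record as a firewall, NetFlow or proxy log would yield it."""
    src: str            # internal client address
    dst: str            # server address
    dport: int          # destination port
    proto: str          # "tcp" or "udp"
    sni: str = ""       # TLS server name, if the sensor recorded it
    http_path: str = ""  # request path, only available from a decrypting proxy


def classify(flow: Flow):
    """Return a finding label for a flow that bypasses preferred resolvers, else None."""
    to_preferred = flow.dst in PREFERRED_RESOLVERS

    # Classic DNS on port 53 to anything but the preferred resolvers.
    if flow.dport == 53 and not to_preferred:
        return "plain-dns-to-unapproved-resolver"

    # DoT: dedicated port, easy to spot at the network level.
    if flow.dport == DOT_PORT and flow.proto == "tcp" and not to_preferred:
        return "dot-to-unapproved-resolver"

    # DoH: indistinguishable from other HTTPS without SNI or a proxy-visible path.
    if flow.dport == HTTPS_PORT and not to_preferred:
        looks_like_doh = (
            flow.sni in KNOWN_DOH_HOSTS
            or flow.http_path.startswith("/dns-query")
        )
        if looks_like_doh:
            return "doh-to-unapproved-resolver"

    return None


def report(flows):
    """Group findings per internal source host, sorted for stable output."""
    findings = {}
    for flow in flows:
        label = classify(flow)
        if label is not None:
            findings.setdefault(flow.src, []).append(label)
    return dict(sorted(findings.items()))


# Constructed sample flows: a mix of compliant and bypassing behaviour.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.53", 53, "udp"),                        # compliant
    Flow("10.0.0.5", "203.0.113.9", 53, "udp"),                       # foreign resolver
    Flow("10.0.0.7", "203.0.113.10", 853, "tcp"),                     # DoT elsewhere
    Flow("10.0.0.7", "203.0.113.11", 443, "tcp", sni="cloudflare-dns.com"),
    Flow("10.0.0.8", "192.0.2.54", 853, "tcp"),                       # DoT to preferred
    Flow("10.0.0.9", "203.0.113.12", 443, "tcp", http_path="/dns-query?dns=AAABAAABAAAAAAAA"),
    Flow("10.0.0.9", "203.0.113.13", 443, "tcp", sni="www.example.com"),  # ordinary HTTPS
]

if __name__ == "__main__":
    for host, labels in report(SAMPLE_FLOWS).items():
        print(host, ", ".join(labels))
```

The DoH branch shows why the factsheet says network-level mitigation is hard: without SNI or a decrypting proxy, a DoH session is just another HTTPS connection, so the durable fix is configuring the preferred resolvers on the devices themselves rather than relying on this kind of detection alone.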
Additional detail and perspective for action is available in the factsheet DNS monitoring is getting harder.