The way governments deal with cybersecurity monitoring has never been more at the forefront of industry discussions, particularly with ongoing debate in the UK around the Investigatory Powers Bill raising the question of how – and if – governments should monitor data transmissions.
One particularly contentious aspect of this, the issue of encryption, is now extending to the Domain Name System (DNS), especially as government agencies move ever closer towards what’s known as pervasive monitoring of computer communications.
Believing that information should be protected from snooping, the Internet Engineering Task Force (IETF), an open international community of network designers, operators, vendors, and researchers, has developed the DNS PRIVate Exchange (DPRIVE) Working Group to provide data privacy to DNS transactions. As part of this initiative, the IETF proposes running DNS over the Transport Layer Security (TLS) cryptographic protocol, which is widely used to secure communications between web browsers and web servers.
Businesses should now give serious consideration to the potential ramifications of this, and the effect it might have on their security and network capacity. While it’s not yet clear how it will all play out, the topic has already led to much discussion both in favor of and against deeper levels of DNS encryption.
Everything Encrypted
DNS traffic can reveal a number of details on what a person is doing on the internet. It can give away which websites are being visited, for example, what email systems a user is interacting with, and what software they’re running.
A repressive regime could use DNS traffic to monitor the online activity of its citizens, for example, searching out those who look up the name of a VPN server run by an outside organization that could help dissidents communicate with the outside world.
The IETF argues that, if what it calls state-sponsored, pervasive surveillance of internet traffic means everything is being snooped on, then everything should be encrypted – including communication between DNS servers and those on the internet.
Encrypted DNS traffic would still be subject to certain types of traffic analysis, so an eavesdropper could carry out some tracking, but they would only be able to tell that a .com server was being queried rather than which actual domain name the DNS server was asking about.
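To make the contrast concrete, here is an added Python example (not code from the original article or from the IETF) that builds a plaintext DNS query in RFC 1035 wire format, shows what a passive observer can read from it on UDP port 53, and then shows the same query as it would appear to that observer on the DNS-over-TLS port (TCP 853): the endpoints and the TLS record size survive, the name does not. The addresses are from a documentation range and the TLS record is a stand-in built from random bytes, since a real session's ciphertext cannot be produced offline; both are assumptions of the example.

```python
import os
import struct

# Constructed sample: a client asks a resolver for www.example.com.
# 192.0.2.0/24 is a documentation range (RFC 5737), so no real host is involved.
CLIENT_IP = "192.0.2.10"
RESOLVER_IP = "192.0.2.53"


def build_dns_query(qname, qtype=1, txid=0x1234):
    """Encode a minimal RFC 1035 query: 12-byte header plus one question (QTYPE A, QCLASS IN by default)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = recursion desired
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(payload):
    """Return (qname, qtype) from a plaintext DNS message; this is all a wiretap needs to recover the name."""
    offset = 12  # question section starts right after the fixed header
    labels = []
    while True:
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers do not appear in a query's question section")
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    qtype = struct.unpack("!H", payload[offset:offset + 2])[0]
    return ".".join(labels), qtype


def observer_view_udp(src_ip, dst_ip, payload):
    """What a passive observer on the path sees for classic DNS over UDP port 53."""
    qname, qtype = parse_question(payload)
    return {"transport": "UDP/53", "src": src_ip, "dst": dst_ip,
            "qname": qname, "qtype": qtype, "bytes": len(payload)}


def wrap_as_tls_record(payload):
    """Stand-in for the DNS-over-TLS wire image (RFC 7858): a TLS 1.2 application-data record header
    followed by opaque bytes. A real session would produce ciphertext here; random bytes are used only
    so that the observer function has a realistic-looking record to parse (constructed, not real TLS)."""
    body_len = 2 + len(payload) + 16  # 2-byte DNS length prefix + message + a constructed 16-byte AEAD tag
    return b"\x17\x03\x03" + struct.pack("!H", body_len) + os.urandom(body_len)


def observer_view_dot(src_ip, dst_ip, record):
    """What the same observer sees for DNS over TLS on TCP port 853: endpoints, record type and size only."""
    content_type, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    return {"transport": "TCP/853", "src": src_ip, "dst": dst_ip,
            "qname": None, "qtype": None, "tls_content_type": content_type, "bytes": 5 + length}


if __name__ == "__main__":
    query = build_dns_query("www.example.com")
    print(observer_view_udp(CLIENT_IP, RESOLVER_IP, query))
    print(observer_view_dot(CLIENT_IP, RESOLVER_IP, wrap_as_tls_record(query)))
```

Note that the destination address is present in both views: an observer still learns which resolver or authoritative server was contacted, which is exactly the "a .com server was being queried" residue described above, and the record size leaks a little about the length of the name.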
Performance Issues and Expense
Using encryption to protect the somewhat limited amount of information carried in DNS traffic may not, however, be worth the impact it has on an organization’s network and its users.
Given the amount of sensitive information that travels over them, it does make sense to encrypt HTTP traffic or email. Encrypting DNS, however, can lead to performance issues, as the complexity involved slows down processes and makes them more fragile.
If encryption takes off, then TLS is likely to become the norm for DNS queries. Sending queries over TLS is more expensive than sending them over the User Datagram Protocol (UDP), however, and the capacity of DNS servers to send queries will be reduced, leading to an increase in latency throughout the ecosystem, and increased costs as more networking power is required to cope with the problem.
Beyond the effects on performance, encryption can have an impact on other network security efforts. If traffic is encrypted when communicating with outside parties, then it becomes impossible to examine traffic entering or leaving the network perimeter. Exfiltration attempts can be missed, for example, and the deep inspection of traffic carried out by next-generation firewalls looking for malicious behavior can be thwarted.
That said, even though firewalls may not be able to observe encrypted traffic, DNS servers are still able to see everything, and encryption offers the additional benefit of integrity checking and authentication, avoiding cache poisoning attacks.
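Because the resolver still sees every query in the clear, the inspection that a perimeter firewall loses can be done from the resolver's own logs instead. The following Python example is added here and is not code from the original article or from any vendor product: it groups constructed resolver log lines by client and parent zone and scores each group on signals typical of data leaving the network inside DNS names (long leftmost labels, high character entropy, a fresh subdomain per query, and a high share of TXT queries). The log format, the addresses (documentation range) and the zone names are all assumptions of the example, and the thresholds are starting points to tune against your own traffic.

```python
import math
from collections import defaultdict

# Constructed resolver log: "<timestamp> <client> <qname> <qtype>". These lines are made up for the
# example; 192.0.2.0/24 is a documentation range and tunnel.example.org is a placeholder zone.
SAMPLE_LOG = """\
# ts client qname qtype
2016-03-01T10:00:01 192.0.2.10 www.example.com A
2016-03-01T10:00:02 192.0.2.10 mail.example.com MX
2016-03-01T10:00:03 192.0.2.10 login.example.com A
2016-03-01T10:00:05 192.0.2.10 calendar.example.com A
2016-03-01T10:00:06 192.0.2.11 cdn.example.net A
2016-03-01T10:00:07 192.0.2.11 static.example.net A
2016-03-01T10:00:08 192.0.2.12 k7q2m9xv4b1n8zr3wt6yp0lc5hf2ju9d.tunnel.example.org TXT
2016-03-01T10:00:08 192.0.2.12 a3f9zq8wl2mxt1vb6nr7ch5kpy0jd4eu.tunnel.example.org TXT
2016-03-01T10:00:09 192.0.2.12 p8xm2kq0wz5tn1rvj7hb3yf9lc6ad4ge.tunnel.example.org TXT
2016-03-01T10:00:09 192.0.2.12 w1nq6zt3rk9xm4hv0yb8pl2jc5fd7ua3.tunnel.example.org TXT
2016-03-01T10:00:10 192.0.2.12 m5zr0qk8tw3vn7xb1yh6jp2lc9fd4ae7.tunnel.example.org TXT
"""


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score far higher than words like 'mail'."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Turn the constructed log format into records; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, qname, qtype = line.split()
        records.append({"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "qtype": qtype})
    return records


def parent_zone(qname):
    """Last two labels, used as a simple stand-in for the registered domain (assumption of the example)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def score_zones(records, min_queries=4, max_mean_label_len=20.0, max_mean_entropy=3.5, min_reasons=2):
    """Score each (client, parent zone) pair and return those that trip at least min_reasons signals."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec["client"], parent_zone(rec["qname"]))].append(rec)

    findings = []
    for (client, zone), recs in groups.items():
        if len(recs) < min_queries:
            continue  # too little data to judge; avoids flagging one-off lookups
        first_labels = [r["qname"].split(".")[0] for r in recs]
        mean_len = sum(len(l) for l in first_labels) / len(first_labels)
        mean_entropy = sum(shannon_entropy(l) for l in first_labels) / len(first_labels)
        distinct_names = len({r["qname"] for r in recs})
        txt_share = sum(r["qtype"] in ("TXT", "NULL") for r in recs) / len(recs)

        reasons = []
        if mean_len > max_mean_label_len:
            reasons.append(f"mean leftmost label length {mean_len:.1f} > {max_mean_label_len}")
        if mean_entropy > max_mean_entropy:
            reasons.append(f"mean label entropy {mean_entropy:.2f} > {max_mean_entropy}")
        if distinct_names == len(recs):
            reasons.append("every query used a never-repeated subdomain")
        if txt_share >= 0.5:
            reasons.append(f"{txt_share:.0%} of queries were TXT/NULL")
        if len(reasons) >= min_reasons:
            findings.append({"client": client, "zone": zone, "queries": len(recs), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in score_zones(parse_log(SAMPLE_LOG)):
        print(f"{finding['client']} -> {finding['zone']} ({finding['queries']} queries)")
        for reason in finding["reasons"]:
            print("   ", reason)
```

Requiring two independent signals keeps ordinary traffic such as the example.com lookups from being flagged even though each of those names is also unique within the window; on a real resolver you would feed the same scoring from the query log of whatever DNS firewall or analytics product you run rather than from a string constant.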
A Potential Internet Standard
If organizations do start encrypting DNS, it’s possible that governments will simply look for weak points and exploit them, obtaining court orders and tapping into ISPs’ resolvers to see what the traffic is. Encrypting the data will make it harder for a government to find the information it’s looking for, but it won’t solve the problem; instead, governments will need to work more closely with ISPs and organizations involved in DNS resolution.
DPRIVE’s efforts are gaining momentum though, and DNS encryption may yet become an internet standard.
The silver lining in all of this is that, in discussing the potential implications of encrypted DNS traffic, businesses are becoming increasingly aware of the importance of protecting their network and employing solutions such as DNS firewalling or DNS analytics to do so.