Experts have voiced the risks associated with the transition to DoH

Brother

As modern secure DNS protocols grow in popularity, DNS monitoring becomes more difficult, according to the Netherlands National Cybersecurity Center (NCSC). The view is set out in a fact sheet published last week. The document is intended as a reference for network administrators and CTOs who wish to migrate to DNS over TLS (DoT) and DNS over HTTPS (DoH).

DoT and DoH allow domain name resolution over an encrypted connection (TLS for DoT, HTTPS for DoH) instead of standard plaintext DNS queries. However, according to NCSC experts, widespread use of encrypted DNS transport protocols makes it difficult for information security specialists to monitor DNS traffic.

DoT and DoH do protect against interception of DNS requests, but they also "render the defenses implemented in organizations useless, leading to disclosure of internal domains and disconnections." This is because application software can use third-party DNS resolvers of its own instead of the resolver configured at system level. These "side effects" can be eliminated only at the level of the DNS infrastructure and of each individual device, not at the network level, the experts warn.

“The NCSC encourages organizations to select their preferred DNS resolvers, configure them under administrator control, and take into account the benefits of modern DNS transports,” says the fact sheet.
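One practical check that follows from the fact sheet's advice, as an added example that is not from the post or from the NCSC: scan connection records for DoT or DoH sessions that go to a resolver other than the one the organisation operates. The log format, the approved resolver names and the sample records are all constructed for this example.

```python
"""Flag encrypted-DNS connections that bypass the organisation's own resolver.

Added example, not code from the NCSC fact sheet. Assumes a flow log with
one record per line:  <timestamp> <src_ip> <dst_host_or_ip> <dst_port> <proto>
where dst_host is the TLS SNI when the sensor could see it.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Resolvers the organisation runs itself (placeholder values for this example).
APPROVED_RESOLVERS = {"dns.corp.example", "10.0.0.53"}

# Hostnames of widely used public DoH services; a real deployment keeps its own list.
PUBLIC_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}


@dataclass(frozen=True)
class Finding:
    src_ip: str
    dst: str
    kind: str  # "DoT" or "DoH"


def classify(record: str) -> Optional[Finding]:
    """Return a Finding when the record is DoT/DoH to a resolver we do not manage."""
    fields = record.split()
    if len(fields) != 5:
        return None  # malformed line; ignore rather than guess
    _, src, dst, port, proto = fields
    if dst in APPROVED_RESOLVERS:
        return None  # encrypted DNS to the managed resolver is the intended state
    if port == "853" and proto == "tcp":
        return Finding(src, dst, "DoT")  # DoT has its own port, so it stands out
    if port == "443" and dst in PUBLIC_DOH_HOSTS:
        return Finding(src, dst, "DoH")  # DoH hides inside HTTPS; the hostname is the only clue
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run classify() over every record and keep the hits."""
    return [f for f in (classify(line) for line in lines) if f is not None]


# Constructed sample records: one approved DoT session, one DoH bypass,
# one DoT bypass, one ordinary HTTPS flow and one plaintext query to the approved resolver.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.1.2.3 dns.corp.example 853 tcp",
    "2024-01-01T10:00:01Z 10.1.2.4 dns.google 443 tcp",
    "2024-01-01T10:00:02Z 10.1.2.5 1.1.1.1 853 tcp",
    "2024-01-01T10:00:03Z 10.1.2.6 www.example.com 443 tcp",
    "2024-01-01T10:00:04Z 10.1.2.7 10.0.0.53 53 udp",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.src_ip} -> {finding.dst} ({finding.kind}) bypasses the managed resolver")
```

Note that the DoH branch only works when the sensor records the TLS server name; once DoH is sent to a resolver that is not on the list, or to an IP with no SNI, this check sees plain HTTPS, which is exactly the monitoring gap the fact sheet describes.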