Why is DNS security critical?
Trade-offs of using DoT
In the real case, the new DNS protocol makes it more difficult to be used for immoral purposes. But, it will make it challenging to get the internal security mechanism to work as well. However, enterprises always want to maintain internal security control over their DNS server. For those use cases, the new protocols come with notable security trade-offs
- Bypassing enterprise controls: Although DoT provides the solution to gain the DNS level security by encrypting the DNS requests and response, it might unconsciously bypass enterprise contents control.
- DNS server performance reduction: traditional DNS depends on UDP, User Datagram Protocol, and it is unreliable but more efficient. DNS over TLS will run over the TCP, Transmission Control Protocol, which needs more resources on your local DNS server. Apart from that, using TLS requires your DNS server to encrypt queries and decrypt responses, and the size of DNS packets will also increase accordingly. Adding more resources needs to be put into consideration if the same performance is required.
- Education for end-users: DoT is in constant development, bringing challenges to the existing infrastructure. All managers and architects, whether they are running infrastructures on public cloud or private networks, should be aware of the evolution.
- Choosing a reliable DNS provider, who will guarantee 100% uptime and using technology like anycast to perform resiliently.
- Starting Looking after your security concern. Your DNS server should proactively respond to threats. You should be able to use the Internet’s infrastructure to block malicious and unwanted domains, IP addresses, and cloud applications before a connection is ever established.
- Blocking direct DNS requests is a good place to start. Between the internal users and DNS providers on the Internet, there should be another step in the middle, like local DNS infrastructure. It would allow the administrator to comprehensively apply DNS policy without getting end-users involved.
- Making sure all queries are accountable. Your administrator is capable of seeing logs for all DNS activity to simplify investigation. The logs will also be the reference for security decisions.