NSA warns of dns-over-https risks for corporate networks

The American security service NSA warns companies against the use of dns-over-https. According to the NSA, DoH carries many risks that can cause companies to lose control over their DNS traffic. The service therefore advises companies to pay close attention to how it is implemented.

The National Security Agency warns against the implementation of dns-over-https in a bulletin to the American business community. The security service lists the pros and cons of DoH. “As encrypted DNS requests are gaining in popularity, network administrators need to have a good understanding of how to implement it on their own networks,” the service writes.

In the bulletin, the NSA explains what DoH is and what its benefits are, but a significant portion is about the potential risks. For example, the NSA warns against a ‘false sense of security’, the possibility of bypassing DNS monitoring and the dangers of incorrect configuration. “While dns-over-https provides greater privacy for home users, it can pose risks in enterprise environments if not properly implemented,” said the NSA. The service therefore advises companies to look closely at that implementation, so that only the company's own resolver is used.

The NSA says that DoH is easy to set up on many local devices, but that more and more standalone software and equipment also use DoH, and that administrators should be aware of this and disable or block alternative resolvers.

With dns-over-https, DNS requests are encrypted. In theory, this is good for the privacy of users because, for example, providers can no longer read the requests, but the requests instead go through commercial parties such as Google or Cloudflare, which possibly creates new privacy risks. More and more software makers are implementing their own version of DoH, and all those different implementations make it difficult to monitor centrally. For example, Google's implementation in Chrome differs from Microsoft's, which handles it directly in the operating system, and Apple also uses its own implementation.
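As an added illustration of the control the two paragraphs above describe (blocking alternative resolvers and spotting DoH that escapes central monitoring), here is a check an administrator could run over egress proxy logs. This is example code, not from the NSA bulletin or the article: the log format, the approved resolver name `doh.corp.example` and the sample records are constructed; the public resolver hostnames belong to the providers the article names, and the `/dns-query` path and `application/dns-message` media type are the DoH conventions from RFC 8484.

```python
import re
from dataclasses import dataclass

# Enterprise-approved DoH endpoint: a placeholder name assumed for this example.
APPROVED_DOH_HOSTS = {"doh.corp.example"}
# Public DoH resolvers run by the providers the article names (Google, Cloudflare).
KNOWN_PUBLIC_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com"}
# RFC 8484 conventions: the /dns-query path and the application/dns-message
# media type mark a request as DoH even when the host is not on the list above.
DOH_PATH = "/dns-query"
DOH_MEDIA_TYPE = "application/dns-message"

# Constructed proxy-log format: "<client> <method> <url> ct=<content-type>"
LOG_RE = re.compile(r"^(?P<src>\S+) (?P<method>GET|POST) https://(?P<host>[^/\s]+)"
                    r"(?P<path>\S*) ct=(?P<ct>\S+)$")

@dataclass
class Finding:
    src: str
    host: str
    reason: str

def classify(line):
    """Return a Finding when a record is DoH bypassing the approved resolver."""
    m = LOG_RE.match(line)
    if m is None:
        return None  # not a record in the expected format; skip it
    host = m["host"].lower()
    if host in APPROVED_DOH_HOSTS:
        return None  # DoH to the corporate resolver is the intended path
    if host in KNOWN_PUBLIC_DOH_HOSTS:
        return Finding(m["src"], host, "known public DoH resolver")
    if m["path"].startswith(DOH_PATH) or m["ct"] == DOH_MEDIA_TYPE:
        return Finding(m["src"], host, "DoH-shaped request to unapproved host")
    return None

def scan(lines):
    return [f for f in map(classify, lines) if f is not None]

# Constructed sample records, not real traffic.
SAMPLE_LOG = [
    "10.1.2.3 POST https://dns.google/dns-query ct=application/dns-message",
    "10.1.2.4 GET https://doh.corp.example/dns-query?dns=AAABAAAB ct=application/dns-message",
    "10.1.2.5 POST https://resolver.example.net/dns-query ct=application/dns-message",
    "10.1.2.6 GET https://www.example.com/index.html ct=text/html",
]

for f in scan(SAMPLE_LOG):
    print(f"{f.src} -> {f.host}: {f.reason}")
```

The hostname list is only a starting point; the path and media-type checks catch DoH to resolvers you have not listed, which is the monitoring gap the NSA describes.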