The NCSC argues that increased adoption of new DNS transport protocols may render an organization's security controls ineffective. The NCSC recommends that organizations choose a preferred DNS resolver and configure it on all administratively controlled devices to limit the resulting DNS risks.
The Netherlands National Cyber Security Centre (NCSC) has published a newsletter explaining how the new DNS transport protocols will make DNS monitoring more difficult, which can have negative side effects such as disrupted connectivity.
Google and Mozilla are both running DNS-over-HTTPS (DoH) experiments in their browsers:
- Google Chrome will only upgrade to a DNS provider's DoH server if that provider appears in its list of approved providers; otherwise it falls back to a list of alternative providers (e.g., Cleanbrowsing, Cloudflare, DNS.SB, Google, OpenDNS, Quad9).
- Mozilla's experiment to enable DoH by default and to use Cloudflare's DoH server instead of the user's existing DNS provider has already been criticized by network administrators and Linux distribution maintainers.
To mitigate some of these DNS risks, network administrators need to decide which DNS resolver is preferred and enforce it on all systems under their administrative control.
For devices that are not under their control, administrators can still limit the risk at the network level for certain applications, such as Mozilla Firefox.
To keep DNS monitoring an effective security measure, changes to both the DNS infrastructure and the endpoints are necessary. As the NCSC notes, while centralized DNS monitoring in networks has been feasible so far, this centralized approach will become less effective over time.
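As an added example (not code from the NCSC factsheet or from this article), the following Python script shows the kind of network-side check that becomes necessary once endpoints can talk to resolvers over DoT or DoH: it scans constructed flow records for hosts that bypass the organization's chosen resolver, whether over plain DNS to another server, DoT (port 853) or DoH (HTTPS to a known public DoH hostname). The approved resolver address, the log format and the short DoH hostname list are assumptions; a real deployment maintains its own list, and DoH to an unlisted hostname is invisible to this check, which is exactly the monitoring gap the article describes.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: the resolver the organisation has chosen for all managed hosts.
APPROVED_RESOLVER = "10.0.0.53"

# Assumption: illustrative, non-exhaustive sample of public DoH hostnames;
# a real deployment maintains its own list.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com",
                   "dns.quad9.net", "doh.opendns.com"}

# Constructed sensor export, one flow per line (key=value fields); external
# addresses are RFC 5737 documentation addresses, used only to run the sample.
SAMPLE_LOG = """\
src=10.1.2.3 dst=10.0.0.53 dport=53 sni=
src=10.1.2.3 dst=203.0.113.1 dport=853 sni=cloudflare-dns.com
src=10.1.2.4 dst=203.0.113.8 dport=443 sni=dns.google
src=10.1.2.5 dst=203.0.113.34 dport=443 sni=example.com
src=10.1.2.6 dst=203.0.113.9 dport=53 sni=
"""

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    sni: str = ""  # TLS server name; empty when not TLS or not observed

def parse_line(line: str) -> Flow:
    """Parse one 'key=value key=value ...' record into a Flow."""
    kv = dict(part.split("=", 1) for part in line.split())
    return Flow(kv["src"], kv["dst"], int(kv["dport"]), kv.get("sni", ""))

def classify(flow: Flow) -> Optional[str]:
    """Return a finding label, or None when the flow is unremarkable."""
    if flow.dport == 53 and flow.dst != APPROVED_RESOLVER:
        return "plain-dns-to-unapproved-resolver"
    if flow.dport == 853:
        return "dns-over-tls"  # DoT has a dedicated port, so it stays visible
    if flow.dport == 443 and flow.sni in KNOWN_DOH_HOSTS:
        return "dns-over-https"  # DoH hides in HTTPS; only the SNI reveals it
    return None

def findings(log: str) -> List[Tuple[str, str]]:
    """(source host, finding) for every flow that bypasses the resolver."""
    flows = [parse_line(ln) for ln in log.splitlines() if ln.strip()]
    return [(f.src, classify(f)) for f in flows if classify(f)]
```

Run `findings(SAMPLE_LOG)` to see the three bypassing hosts; the flow to the approved resolver and the ordinary HTTPS session to example.com produce no finding.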