Even asking for directions can lead to trouble…
How do you find your way on the Internet? Or rather, how does your computer find its way? When you type in an email address or click on a link, your browser automatically displays the correct site, thanks to the magic of the Domain Name System (DNS) which acts as a kind of phone directory – remember those? – translating names to numbers.
So, if you want to go to a particular web site or other internet resource, a request goes out to a DNS resolver, either within your company’s network or perhaps somewhere on the other side of the world, and the resolver sends the answer back in the form of an IP address which can then be used to direct you to the right resource. These resolvers are replicated throughout the world, so that there is only ever one possible answer to the question “Where is X?”.
However, this method of doing things has a disadvantage. Even if the requested connection is to a secure site, with the data flowing back and forth encrypted, the initial request for directions is made in plaintext. It is therefore possible for a malicious threat actor to find out exactly which internet resource is being requested, even though they cannot read the encrypted traffic that follows. This may happen even when the DNS resolver is located inside a company network: a device on the network could be monitoring all DNS requests for the attacker’s nefarious purposes.
This leads to the possibility of a ‘man in the middle’ (MITM) attack, where the bad actor pretends to be a legitimate DNS resolving resource but redirects the request to the wrong server – one operated by the bad guys. This could pretend to be an online auction site, a bank, or any other site that helps the operators obtain sensitive and/or financial information. Current attacks pretend to be Office 365 sites and capture users’ login details, allowing an attacker to access a user’s email inbox.
To that end, America’s National Security Agency recommends that DNS requests are made over HTTPS (DNS over HTTPS = DoH) to a designated enterprise DoH DNS resolver. In that way, the requests are made invisible to any eavesdropper. However, it is important that this DoH resolver be an in-house resource. If an application goes outside the enterprise for this information, the risk of a man-in-the-middle attack still applies.
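To make the difference concrete, here is an added Python example that is not from the original post: it encodes the same DNS question in wire format (which, sent over UDP port 53, any observer on the path reads in the clear) and then wraps it as an RFC 8484 DoH GET or POST request so that it travels inside TLS to the enterprise resolver. The resolver URL `https://doh.corp.example/dns-query` is a placeholder, not a real service.

```python
import base64
import struct
import urllib.request

# Placeholder for the in-house DoH resolver the post recommends (assumed, not real).
ENTERPRISE_DOH_RESOLVER = "https://doh.corp.example/dns-query"


def build_dns_query(name: str, qtype: int = 1, txn_id: int = 0) -> bytes:
    """Encode a one-question DNS query in RFC 1035 wire format.
    txn_id defaults to 0 because RFC 8484 recommends it for DoH, so that
    identical queries produce identical (and therefore cacheable) messages."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def extract_qname(packet: bytes) -> str:
    """What a passive observer of plaintext DNS sees: the queried name,
    readable directly from the bytes after the 12-byte header."""
    pos, labels = 12, []
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: the wire-format query, base64url-encoded
    without padding, in the 'dns' query parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def doh_post_request(resolver_url: str, query: bytes) -> urllib.request.Request:
    """RFC 8484 POST form: raw wire-format query as the body. Nothing is sent
    here; the caller decides whether to hand it to urllib.request.urlopen."""
    return urllib.request.Request(
        resolver_url, data=query, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"},
    )


if __name__ == "__main__":
    q = build_dns_query("www.example.com")
    print("visible on the wire with plain DNS:", extract_qname(q))
    print("DoH GET:", doh_get_url(ENTERPRISE_DOH_RESOLVER, q))
```

Only the HTTPS endpoint's hostname and IP remain visible to an eavesdropper; the queried name is inside the TLS session, which is exactly the point of keeping that endpoint in-house.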
It should be noted that this does not prevent the ‘poisoning’ of the in-house DNS cache, as the result of an attack on an external DNS resolver further upstream. This is an older attack vector, but it still works in some environments.
Furthermore, even if all DNS-related traffic is encrypted, there is still the possibility that a log of IP addresses and their DNS requests can be used to create profiles of users.
This last point can be overcome by the implementation of Oblivious DNS-over-HTTPS (ODoH), a newer protocol developed by a consortium including Apple and Cloudflare, which decouples the requested IP addresses from requests, making it more difficult to produce the list referred to earlier.
If all this sounds like GAS (Geek Alphabet Soup) to you, and you feel your head spinning, why not talk to us at First Response, where our experienced cybersecurity experts can advise you on how your network can be better protected from many kinds of attacks, including this, and help implement a secure environment, together with 24/7 proactive monitoring.