Cognito and DNS over HTTPS (DoH)

From time to time, new privacy or security options for browsing the internet are proposed and adopted by web services and software providers which may change how a fundamental piece of the web or internet experience is implemented. A natural question to ask is, "how would the implementation of this change in my network impact the security coverage I have through Vectra Cognito?"
DNS over HTTPs or DOH is one such case where public DNS providers and web browser developers can provide the option to have DNS queries made to their servers encrypted within and https request instead of in cleartext over the DNS protocol. Like many encryption efforts there are trade offs around preventing man in the middle attacks at the expense of visibility for monitoring purposes and detecting other types of attacks.   
Recommended Action for Enterprises
It is broadly recommended for enterprises to configure applications to disable DoH use (Firefox and Chrome both respect local policies pushed through domains and have configurations to disable DoH) and to block known DoH servers at the perimeter. These steps will enable the security function to continue to benefit from domain context across a range of activities/processes and technologies central to the security function.
DoH is widely recognized as a privacy enhancing measure but not a security preserving measure (recognizing these are fundamentally different). Allowing the use of DoH in an enterprise environment represents a security risk, not only in an organization’s ability to monitor, but in their ability to actually respond to incidents within an environment and will ultimately result in a loss of visibility and increase in work required by security teams.
How Cognito is impacted by DoH
From the perspective of Cognito Detect, the ability to detect attacker behaviors would be minimally affected as many of the models use DNS data predominantly for context as opposed to being central to their functioning. Two exceptions where the detection model itself relies on DNS traffic would be:
1. DNS Tunnel – will not work a DNS Tunnel over DoH
2. Suspect Domain – will not work on DoH traffic
It is important to note that Cognito relies on more than DNS traffic to identify a domain for a connection. In addition to DNS resolution, it also considers the SNI of the HTTPS connection (so long as Encrypted SNI is not enabled) and the host header of HTTP connections. There are also some conditions necessary for DoH to work properly which, if not present, will force applications to revert to standard DNS.
DOH with Encrypted SNI 
DoH also comes with the option to encrypt the SNI (ESNI) in addition to making the DNS request within the encrypted tunnel. If ESNI disabled, then the Command and Control and Exfiltration models that leverage SNI information will still function as expected (with the exception of the two mentioned above).  If ESNI is enabled then detection models that utilize the SNI information will be impacted as well. 
Was this article helpful?
1 out of 1 found this helpful

Download PDF

Have more questions? Submit a request


Article is closed for comments.