Vectra Provides Explicit DoH Coverage
Vectra's Hidden HTTPS Tunnel detection is able to detect remote-control channels that leverage DNS over HTTPS. Vectra's machine learning algorithm looks for DoH behavior in the sub-second data fluctuations that occur during communications over these encrypted channels. The behavior is identified in real time so that attackers can be stopped before they advance their attack.
What is DNS over HTTPS?
From time to time, new privacy or security options for browsing the internet are proposed and adopted by web services and software providers, and these can change how a fundamental piece of the web or internet experience is implemented.
DNS over HTTPS (DoH) is one such case: public DNS providers and web browser developers can offer the option of sending DNS queries to their servers encrypted inside an HTTPS request instead of in cleartext over the DNS protocol. Like many encryption efforts, it involves a trade-off: it prevents man-in-the-middle attacks at the expense of the visibility needed for monitoring and for detecting other types of attacks.
Recommended Action for Enterprises
It is broadly recommended that enterprises configure applications to disable DoH use (Firefox and Chrome both respect local policies pushed through domains and have settings to disable DoH) and block known DoH servers at the perimeter. These steps let the security function continue to benefit from domain context across the range of activities, processes and technologies central to its work.
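As an added example (not code from the original page or from Vectra), the following PowerShell applies the browser-side part of that recommendation on a Windows host by writing the machine-wide policy registry values that Chrome and Firefox honour, and then audits the host so drift can be reported. It assumes it runs elevated on a domain-joined or locally managed machine; Group Policy with the vendors' ADMX templates pushes the same values.

```powershell
# Added example: disable DNS over HTTPS in Chrome and Firefox through the
# machine-wide policy registry keys both browsers read on Windows.
# Assumption: runs elevated; Group Policy/ADMX writes the same values at scale.

$ChromePolicy  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$FirefoxPolicy = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS'

function Disable-BrowserDoH {
    # Chrome: DnsOverHttpsMode = "off" disables DoH entirely (no automatic upgrade).
    New-Item -Path $ChromePolicy -Force | Out-Null
    Set-ItemProperty -Path $ChromePolicy -Name 'DnsOverHttpsMode' -Type String -Value 'off'

    # Firefox: Enabled = 0 turns DoH off; Locked = 1 prevents users re-enabling it
    # in about:preferences, so the setting survives user tampering.
    New-Item -Path $FirefoxPolicy -Force | Out-Null
    Set-ItemProperty -Path $FirefoxPolicy -Name 'Enabled' -Type DWord -Value 0
    Set-ItemProperty -Path $FirefoxPolicy -Name 'Locked'  -Type DWord -Value 1
}

function Test-BrowserDoHDisabled {
    # Returns one object per host so results can be collected fleet-wide
    # (for example via Invoke-Command) and alerted on when a host drifts.
    $chrome  = Get-ItemProperty -Path $ChromePolicy  -ErrorAction SilentlyContinue
    $firefox = Get-ItemProperty -Path $FirefoxPolicy -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        ComputerName  = $env:COMPUTERNAME
        ChromeDoHOff  = ($chrome.DnsOverHttpsMode -eq 'off')
        FirefoxDoHOff = ($firefox.Enabled -eq 0 -and $firefox.Locked -eq 1)
    }
}

Disable-BrowserDoH
Test-BrowserDoHDisabled | Format-Table -AutoSize
```

Blocking known DoH resolvers at the perimeter is still needed alongside this, since other applications and unmanaged devices are not covered by browser policy.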
DoH is widely recognized as a privacy-enhancing measure but not a security-preserving measure (the two are fundamentally different). Allowing the use of DoH in an enterprise environment represents a security risk, not only to an organization's ability to monitor but to its ability to actually respond to incidents within the environment, and will ultimately result in a loss of visibility and an increase in the work required of security teams.