DNS-over-HTTPS does not fully prevent threat actors from seeing a user’s traffic. How can WFH and 5G security be tightened regionally?
Organizations rely heavily on enterprise infrastructure to protect users and application traffic, which should support users who work in-person.
However, as remote-working and hybrid work arrangements become a routine, IT teams are seeing continual changes in the threat environment, and cybercriminals are using more sophisticated techniques to bypass firewalls.
One viable option to overcome these challenges has been the use of DNS-over-HTTPs (DoH), as it is accessible and improves DNS security with an extra layer of added security.
Pros and cons of DoH
DoH secures traffic up to the resolver, with the objective to increase DNS security and address privacy issues by securing communication between application and the resolver, and ensuring a single configured endpoint. In this instance, resiliency ends up more complex as the DoH provider needs to set up either multiple servers and be more open to malware attacks, among other issues; hence defeating its intended purpose.
That said, DoH does not replace DNS, but requires DNS to function, as their resolvers gather useful information. As the initial recipient for user traffic, the resolver is able to know what the user intends to do, and the site to visit. If in the flow of a DNS request the application performs to the DoH provider, some also go to the same provider for application services, which can potentially cause data privacy issues for enterprises and organizations.
Given this, the recent National Security Administration’s recommendation on DoH is relevant and poignant. Conventional security protocols such as firewalls are limited in effectiveness as they impact service continuity and user experience. Considering that organizations (and cities) are increasingly invested in digital transformation, the role of DNS seems more crucial in privacy and encryption, especially where a single hit could disrupt crucial services.
Using DoH with an untrusted public DNS service risks misuse of browsing data and reveals applications being utilized. In order to improve protection of a remote workforce, an extended private DNS recursive service and independently-managed DoH could provide the required security.
DNS and 5G security risks
DNS solutions that combine encryption and intelligent filtering bring a first line of defense for any IT user of the organization. as South-east Asia continues to evolve and establish a consolidated strategy to privacy, a secure DNS solution will be key for establishment of resilient widespread digital infrastructure.
This is even more so when cities embark on 5G deployment strategies in the Asia Pacific region. Organizations and governments will be better off with a private infrastructure, which can ensure that DNS traffic from users rely on the organization’s infrastructure that allows the company to provide additional services such as security, filtering and observability.
An ideal DNS solution is one that can easily manage DoH natively but also be integrated into a wider ecosystem where DoH is managed by edge solutions closest to users. Using the same security policies for resident and remote workers can enhance overall security.
In the context of today’s threat landscape, this brings more value with minimum effort.