Remote Worker Protection Using DoH

Most organizations now have remote workers and need to provide them with maximum comfort and security to perform their operations. We all know that DNS can be abused to carry out very powerful attacks, animate botnet activities, exchange data with command and control servers or for exfiltrating valuable information. Remote workers always use the public infrastructure from each ISP to connect back to the organization’s IT system and to consume SaaS or cloud services and applications. This shared and public infrastructure is neither easy to control nor to trust, and relying on a centralized DNS infrastructure owned by one of the internet giants can be risky for an organization with regards to data privacy. We at EfficientIP are convinced that using a private infrastructure for DNS resolution and security is a smart step towards improved control and better protection of the remote workers.

DNS provider for SoHo: VPN is not ideal for cloud

There are multiple ways to use a specific DNS provider on a remote device, assuming that the service already exists:

• Using a VPN solution which automatically sets the DNS configuration to use the one within the organization’s boundaries – covers all usages of the application, can be controlled by VPN concentrator but generates network congestion at the organization Internet ingress so is not ideal for cloud based applications
• Using a manual or automatic system configuration which overrides the default DNS settings generally provided in the DHCP lease (from the ISP equipment) – this has the advantage of being globally applicable to any application used on the device
• Using a DNS tunneling protocol like DoT (DNS over TLS) or DoH (DNS over HTTPS) – DoH is currently mainly supported at the browser level and suits all applications accessed through the browser (no automatic discovery or configuration available yet)

A controlled DNS service is optimal for distributed apps

In order to cover hosting of multicloud applications which is a strong trend, most organizations now avoid use of a VPN for all their remote workers and try to limit this solution to specific application usage or to fulfill certain security constraints for which all traffic needs to go back to the organizational resources. With distributed users all relying on Internet and distributed applications hosted in public or private clouds, using a controlled DNS service hosted on a cloud infrastructure near the users is an optimal solution. It provides a private DNS resolving service, the ability to perform traffic analysis and filtering depending on the security policy in place. Furthermore, and very importantly for user privacy, it keeps the data related to traffic within the organization.

SOLIDserver DNS security protects data privacy

The SOLIDserver DNS security solution allows such deployment in the cloud and supports most DNS access protocols, over UDP, over TLS and over HTTPS. It can also support traffic being proxied through a DNS over HTTPS to DNS over UDP service, deployed near the DNS Guardian engine and providing efficiency through horizontal scalability, TLS offload, and client certificate verification if required. Once deployed, this private DoH secured solution can be used by any remote device of the organization including desktop and laptop computers, smartphones, and even IoT devices that may be used remotely. It protects the DNS request by avoiding eavesdropping through ciphering and keeps the requests away from public DNS providers that may make unauthorized use of this information.

Example of such implementation:

1. The home worker device looks for the DoH proxy address based on its name, this record is hosted in the corporate public DNS infrastructure
2. The DoH traffic is established for any subsequent request with one of the DoH proxies using HTTPS as a transport protocol
3. The DoH proxy extracts the DNS request from the request payload, add the client identification in the EDNS fields and forward the request to the local Guardian DNS engine
4. The Guardian DNS performs analysis, filtering, cache control and recurses the request
5. The home worker can access the application based on the DNS answer

By protecting their remote users at the first level of the digital interaction which is supported by the DNS service, a company’s infrastructure can protect its data and application usages and enforce security policies protecting its activity. EfficientIP, with its leading DNS security solution, can definitely help organizations in this challenge.