[HN Gopher] NSA Recommends How Enterprises Can Securely Adopt En...
___________________________________________________________________
NSA Recommends How Enterprises Can Securely Adopt Encrypted DNS
Author : theBashShell
Score : 65 points
Date : 2021-01-16 19:52 UTC (3 hours ago)
(HTM) web link (www.nsa.gov)
(TXT) w3m dump (www.nsa.gov)
| nimbius wrote:
| >NSA recommends that an enterprise network's DNS traffic,
| encrypted or not, be sent only to the designated enterprise DNS
| resolver.
|
| it's either a slow day at the NSA or federal agencies have become
| so intellectually bankrupted by the cloud that they consider
| proclamations of the fundamentals of DNS and networking to be
| some sort of sage wisdom.
| blondin wrote:
| unless i am reading this wrong, they are not saying don't send
| your requests to Cloudflare, Apple, etc. i am not entirely privy
| to all this, but aren't they enterprise grade DNS resolvers?
| Spooky23 wrote:
| They are high quality services, not controlled by the
| company.
|
| It's pretty obvious that allowing unloggable DNS traffic in
| an enterprise is a bad idea. It makes exfiltration trivial.
| salawat wrote:
| Exfiltration already is trivial DNS or not. Just admit that
| you want to be able to eavesdrop on all activity
| whatsoever.
|
| What, you think that anyone looking to get something out
| undetected isn't using raw IPs?
| Spooky23 wrote:
| On my network? Absolutely, the ability to inspect packets is
| absolutely essential. On a public network? Different
| story.
|
| I've personally been engaged in incident response and in
| many scenarios DNS is a control mechanism for malware, or
| malware uses it for various purposes. It's often a key piece of
| evidence for reconstruction of an incident.
|
| Raw IPs can be used as well, but that doesn't negate my
| point.
| 0xquad wrote:
| >Raw IPs can be used as well, but that doesn't negate my
| point.
|
| And in fact if you have enterprise-wide visibility on DNS
| requests, you have the opportunity to detect the use of
| an IP that was not returned in a request. Making it
| immediately suspect.
| freeone3000 wrote:
| Somebody has to recommend the basic stuff, otherwise it's just
| rumor. This is a topical addition to a list of DNS
| recommendations.
| rasengan wrote:
| Specifically, they are saying that in a home/personal
| environment, it makes sense to use DoH with a public resolver
| like Cloudflare, but in enterprise, you will not be able to
| maintain tight control over internal use as browsers roll out
| with DoH by default unless you block those public resolvers and
| enforce policy to use the enterprise resolver. It doesn't
| matter unless you care about these tight controls though even
| in enterprise.
| StreamBright wrote:
| It is going to be super hard to block DoH since it is
| indistinguishable from normal HTTPS traffic. If you MITM the
| HTTPS connection the browser can detect that and refuse to
| use the connection. Many companies are in the situation where
| MITMing HTTPS is not working very well. I think Google
| enforces HSTS[1]. Not sure how that works with DoH. I also
| think that we need browsers that do not have any other means
| of DNS resolution than the good old operating system wide
| /etc/resolv.conf (or similar). I am not going to fight with
| Google if I have the right to have my own DNS server or not.
| They are taking the open internet inch by inch. This is the
| last drop.
|
| 1.
| https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
| rasengan wrote:
| That's a good point -- I wasn't really thinking about the
| practicability since it's not something I had much interest
| in. That said, I guess either blackholing the DNS so it
| can't initially be resolved, or even figuring out any and
| all IP addresses it resolves to and blackholing those IPs
| would be a start.
|
| I agree, however, that it should be possible to run your
| own _______. That's what the internet was meant to be.
| XorNot wrote:
| At an enterprise level the browser configuration is
| controlled by the IT department. Your MITM CA certificate
| is going to be forced into the trusted list everywhere.
| 0xquad wrote:
| They are responding to the very recent emergence of
| applications (like Firefox) that (optionally) use their own
| encrypted DNS, thus bypassing the enterprise's ability to apply
| security policy based on DNS. (Visibility on DNS is also useful
| to help detect some malware.) I'll allow it.
| TedDoesntTalk wrote:
| Now you can point to that and say "We use the best DNS
| practices as recommended by the NSA."
| belorn wrote:
| I read that to mean: Do not allow DoH to tunnel all your DNS
| traffic out to Cloudflare regardless of the promise of
| encryption. Send it only to the designated enterprise DNS
| resolver, i.e. the one under control by the enterprise.
|
| All other DNS resolvers should be disabled and blocked, i.e. all
| those public DNS resolvers.
| salawat wrote:
| In other words "MitM everything".
|
| It gets so tiresome. I used to think the people who called
| out tyranny everywhere were just nuts, but it never ceases to
| amaze that everything nowadays keeps going "centralize and
| control".
| wmf wrote:
| Sending your DNS queries to a resolver that you control is
| hardly MITM. In this case "you" is a company.
| userbinator wrote:
| ...and in the case of people using DNS-based adblocking
| and such, "you" is... yourself.
| StreamBright wrote:
| What he means is that NSA and related has the ability to
| MITM HTTPS while other actors do not, probably.
| VWWHFSfQ wrote:
| No you're misunderstanding what the recommendation is. If a
| company runs their own DoH or even regular DNS or AD
| resolvers, then the company's client computers (the laptops
| their employees take home) should not be querying any old
| resolver hard-coded in their web browser (Firefox,
| Cloudflare) for internal company domain addresses. That's
| literally all this is saying. It's good corporate IT policy
| anyway and it's only being reiterated with DoH.
| grayfaced wrote:
| In light of SolarWinds hack, I think it's fair to say that
| DoH is a real threat. Putting that volume of machines under
| the control of a single "trusted" network provider is a very
| bad idea.
| jorblumesea wrote:
| Security recommendations aren't supposed to be brilliant
| insights. They're just best practices.
| 737min wrote:
| Exactly right. Many security problems are due to forgoing the
| simple things in favor of the exotic.
___________________________________________________________________
(page generated 2021-01-16 23:00 UTC)