Photo by saeed karimi on Unsplash
DNS name resolution with HTTPS
Confidential Game
Besides the common routing protocols, the Domain Name System (DNS) is one of the longest serving infrastructure protocols on the Internet. As the number of participants on the jointly developed Internet (initially ARPANET and later NSFNET) began to grow, the manual overhead involved in maintaining the hostname file (/etc/hosts) exploded. The first draft defined in RFC882 and RFC883 turns 40 next year.
Fortunately, traditional attacks such as DNS spoofing and cache poisoning are practically impossible today. DNS has seen several enhancements since its introduction, which retrospectively reflects a good design that is obviously extensible in many directions. The problem now is the unmanageable number of top-level domains, country domains in different languages that use different character sets, DNS over TCP for particularly large queries and responses, and many other major and minor extensions. Most resolvers now secure their queries to the authoritative name servers with DNS security extensions (DNSSEC) and other technologies to avoid receiving undesirable spoofed responses.
DNS also forms the basis for protecting many other application protocols today: The main examples are HTTP for issuing certificates for web access and SMTP for securing email communication with DMARC.
Privacy and Manipulation
Whereas DNS itself has become significantly more secure, the unencrypted route between clients and resolvers is left as an attack vector for hackers and snoopers. The data is routed by the User Datagram Protocol (UDP) without protection. One issue that has not yet been fully resolved is the privacy of DNS requests. Clients also need to be able to trust the resolvers to deliver correct responses – think protection against cache poisoning and censorship – and to keep client data confidential, or preferably not store the data at all.
DNS requests map users' web activity
...
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Domain name resolution with DNS over HTTPS
The new DNS over HTTPS standard from the Internet Engineering Task Force is meant to eliminate some of the known vulnerabilities of the Domain Name System. - Cloudflare Launches New DNS Service
-
Secure and seamless server access
The powerful Cloudflare Tunnel provides secure and seamless access to servers and applications, making it a convenient alternative to VPN for any modern IT infrastructure. -
Solving the security problems of encrypted DNS
DNS encryption offers WiFi users good protection in public spaces; however, in the enterprise, it prevents the evaluation and filtering of name resolution. -
Encrypting DNS traffic on Linux with DoT
Prevent attackers from spying on DNS communication or manipulating responses by encrypting your DNS traffic on Linux with the DNS-over-TLS standard and the help of systemd-resolved.