How to secure your DNS traffic under Windows

DNS traffic is prone to snooping, and it’s often far too easy for attackers to hijack and change a company’s DNS settings. These simple steps will amp up your DNS protection.


Domain Name System (DNS) is such a foundational function in Windows that it is too often taken for granted. Think about protecting your firm's DNS on two fronts: how attackers can tamper with your custom domain settings, and how to protect your workstations' DNS queries and give them more privacy.

For example, I recently wanted to change a DNS setting in a network that I was managing. Since I hadn’t logged into the hosting company’s DNS manager for a long time, I couldn’t remember the password, nor where to log in to manage the settings. The account was so old that the password was set by the hosting company.

Make it harder to fraudulently hijack DNS settings

This got me thinking about how easy it is to change DNS settings merely by logging into the hosting console. Hosting companies now require additional processes and procedures to confirm ownership of a domain, but DNS records have been changed merely with a phone call to a hosting company. DNS hijacking is neither unusual nor unique.

If you use an external hosting company to provide custom domain names, review what processes they use to confirm who controls your domain. For example, vendors are adding multi-factor authentication (MFA) as a means of protection. If you use scripts or automation, ensure that the vendor's APIs let you protect authentication keys and restrict access by IP address or conditional access policy, so that only specific addresses can make automated changes.

Use a secure workstation and follow workstation hygiene practices, such as not logging into administrative sites from a workstation that you use for day-to-day surfing and operations. Monitor the DNS traffic in your inbound and outbound logs and set up alerts for changes or unusual traffic patterns. Microsoft, through Azure services, provides the ability to set up DNS through its platform. Recently, Microsoft rolled out a private DNS service to allow for custom domain names rather than the Azure-provided names.

Protect DNS traffic from snooping

That's not the only way DNS security affects your network. When workstations make DNS queries, especially if your DNS settings point to external DNS providers, the queries go out in plaintext and thus can be tracked and analyzed. That's why Microsoft recently announced it will move to DNS over HTTPS, that is, encrypted DNS traffic.

This is not the same as DNS Security Extensions (DNSSEC), a security protocol that protects against attacks by digitally signing data to ensure its validity. To ensure a secure lookup, the signing must happen at every level in the DNS lookup process. DNSSEC has been around for many years and can be set up on server platforms as old as Server 2012, but Azure does not support DNSSEC.

DNS over HTTPS (DoH) is intended to protect your searches and traffic. It is a new technology that encrypts your DNS queries so that only the intended recipient can decrypt and read them. Firefox announced that its browser will turn this on by default, and you can do so now in Google Chrome. Some have concerns over the technology because the browser must send its encrypted queries to a third-party resolver, which decrypts them and returns the answer.

Most web browsers send queries to a special server operated by the user's internet service provider (ISP). However, most ISPs do not yet support DNS over HTTPS or their servers might be in a country where you don’t want the transmissions sent. Also, if all transmissions are sent through a third-party provider — for example, Google’s DNS providers or Cloudflare DNS — the provider might record all the DNS-over-HTTPS transmissions and monitor the traffic. Firefox has a contractual agreement with Cloudflare DNS that it will not obtain excessive information from your devices.

You can enable DNS over HTTPS in your Chrome browser by adding these command-line flags to the application's properties:

--enable-features="dns-over-https<DoHTrial" --force-fieldtrials="DoHTrial/Group1" --force-fieldtrial-params="DoHTrial.Group1:server/https%3A%2F%2F1.1.1.1%2Fdns-query/method/POST"

This example sets the Cloudflare servers as the DNS-over-HTTPS provider, but you can use any DNS provider that supports it.
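To show what those flags make the browser do on the wire, here is an added example (not code from the article or from Chrome) that builds a wire-format DNS query, POSTs it to the same Cloudflare endpoint as an application/dns-message body, and parses the answer section of the reply. The live doh_post call needs network access; sample_response is a constructed reply embedded so the parser can be run offline.

```python
import struct
import urllib.request
DOH_URL = "https://1.1.1.1/dns-query"   # Cloudflare endpoint from the article's Chrome flags

def build_query(name, qtype=1, txid=0):
    """Wire-format DNS query (RFC 1035): header with RD set, then one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def _read_name(msg, off):   # -> (name, offset just past it); follows compression pointers
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0:                        # compression pointer to an earlier name
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif n:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
        else:
            return ".".join(labels), (end or off + 1)

def parse_answers(msg):
    """Return [(name, rtype, ttl, rdata)] from the answer section; A rdata as dotted quad."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                      # non-zero RCODE, e.g. NXDOMAIN or SERVFAIL
        raise ValueError("resolver returned RCODE %d" % (flags & 0xF))
    off, answers = 12, []
    for _ in range(qd):                     # skip the echoed question section
        off = _read_name(msg, off)[1] + 4
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return answers

def doh_post(query, url=DOH_URL):
    """Send the query with the POST method the article's Chrome flags select (needs network)."""
    hdrs = {"Content-Type": "application/dns-message", "Accept": "application/dns-message"}
    with urllib.request.urlopen(urllib.request.Request(url, query, hdrs, method="POST"), timeout=10) as r:
        return r.read()

def sample_response():
    """Constructed reply to build_query('example.com'), not a live capture: one A record, TTL 300."""
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    return struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + build_query("example.com")[12:] + answer
```

Run parse_answers(sample_response()) offline, or parse_answers(doh_post(build_query("example.com"))) against the live resolver; a packet capture of the latter shows only TLS to 1.1.1.1, which is the snooping protection the article describes.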

[Figure: Enabling DNS over HTTPS in Firefox. Screenshot: Susan Bradley]

Firefox makes it easier to set your browser to support DNS over HTTPS. Launch the Firefox menu, then choose "Options", and then "Preferences". In the "General" section, scroll down to the "Network Settings" panel and press the "Settings" button. In the window that pops up, scroll down and select "Enable DNS over HTTPS". Then configure your desired DoH resolver. Firefox uses the Cloudflare resolver by default, or you can choose one from the list.

[Figure: Add DNS-over-HTTPS configuration to Chrome. Screenshot: Susan Bradley]

Some say that DNS over TLS is better than DoH because DoH doesn't do enough to encrypt data and only provides different ways to leak information to the ISP. Server Name Indication (SNI), IP addresses, Online Certificate Status Protocol (OCSP) and remaining HTTP connections still leak enough potentially sensitive information to be dangerous. Some consider DNS over HTTPS fake privacy and not enough protection for Windows machines and the DNS queries they make. However, DoH certainly is more protection than you have now.


Copyright © 2019 IDG Communications, Inc.
