The National Security Agency (NSA) has issued a guidance on the implementation, benefits and disadvantages of using a form of encrypted Domain Name System to fortify user privacy and authentication procedures.
NSA said in the guidance that DNS over Hypertext Transfer Protocol over Transport Layer Security (DoH) can help prevent DNS traffic breaches and system manipulation resulting from unauthorized access.
DoH uses external “resolvers” to support security functions for remote networks that don't have DNS security controls. The cybersecurity technique can also be used by enterprise networks through an externally hosted service or enterprise-based DNS server, the guidance states.
However, DoH can also result in issues such as breaches in upstream DNS traffic, configuration vulnerabilities in internal networks and a “false sense of security”, according to the notice.
NSA’s recommendations include blocking out all other unauthorized DoH resolvers, utilizing a virtual private network, leveraging DNS logs and validating Domain Name System Security Extensions.
