Software Engineering Institute

DNS-layer security is often used by incident response teams to enforce policy and gain visibility. Privacy enhancing protocols, such as DNS-over-HTTPS (DoH) and DNS-over-QUIC (DoQ), encrypt DNS requests and responses, increasing the user’s privacy at the expense of traditional security functions. In this presentation, we examine the prevalence and impact of encrypted DNS in a modern enterprise environment, which is particularly important given the role encrypted DNS plays in other privacy enhancing protocols such as Encrypted Client Hello (ECH) and Multiplexed Application Substrate over QUIC Encryption (MASQUE). With this analysis, we show that while a few major encrypted DNS providers dominate, there exists a long tail of less popular encrypted DNS servers with several new servers coming online weekly. Our dataset includes network and endpoint information from enterprises and malware sandboxes. The presentation highlights how unsanctioned DoH and DoQ can evade traditional DNS policy enforcement. Furthermore, we examine the set of client processes, including malware, that use these evasion techniques. Finally, we present a methodology and open-source tools to identify encrypted DNS servers given passively collected network data, Internet-wide scan data, and targeted scans.

In this talk, the audience will learn about the mechanics of encrypted DNS, the visibility challenges introduced by encrypted DNS, the effectiveness of DNS-layer security, and leveraging a big data system to systematically identify and track encrypted DNS servers using multiple data sources.

Blake Anderson currently works as a Senior Technical Leader in Cisco’s Cloud and Network Security Group. Since starting at Cisco in early 2015, he has participated in and led projects aimed at encrypted network traffic analysis, which has resulted in open source projects, academic publications, and patents. He and his collaborators published the initial research that eventually became Cisco’s Encrypted Traffic Analytics (ETA) solution. Before Cisco, Blake received his PhD in machine learning/security from the University of New Mexico and worked at Los Alamos National Laboratory as a staff scientist.