Needing the DoH: The Ongoing Encryption and Centralization of DNS

Video Link: https://www.youtube.com/watch?v=KQDIje7Gw2w
Duration: 39:50

Eldridge Alexander | Duo Labs Manager, Duo Security (a Cisco company)
Date: Wednesday, August 5 | 2:30pm-3:10pm
Format: 40-Minute Briefings
Tracks: CorpSec, Network Security

Most connections on the Internet start with a DNS request. As the connections themselves have increasingly moved to encrypted methods (primarily from HTTP to HTTPS), surveillance and data aggregation by service providers and nation states have shifted from monitoring the contents of the connection itself to monitoring unencrypted headers and the DNS requests that precede the connection.

In an attempt to protect DNS queries from Monster in the Middle (MITM) interception and manipulation, DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) have emerged as new proposed standards. These have raised some concerns, as they represent major changes for both end users and network operators.

These concerns fit into three broad categories: *Centralization*, as users move to the few DNS providers that support DoT/DoH; *Visibility & Control*, as network operators continue to use DNS to provide services and security and to gather network data; and *Moving to Layer 7*, as some software chooses to handle DNS internally rather than push it down the network stack.

I will demonstrate that while the concerns around centralization are well founded, they are in all likelihood temporary. The concerns around visibility and control are also well founded, but they can be addressed without losing either the guarantees of encryption or network administrator control and visibility. I will show that the concerns regarding the move into Layer 7 are the most significant for benign network operators, yet the move is also a substantial improvement for consumers on public and home networks, and I will discuss how these competing concerns can be balanced against each other.

I will also be open sourcing a tool that detects DoT/DoH support on the DNS servers advertised in DHCP leases and, optionally, uses the encrypted protocols on systems that do not natively support DoT/DoH. The goal is to encourage the encryption of DNS while still respecting the DNS servers the network provides.

Black Hat - USA - 2020 Hacking conference