Zscaler Cloud Platform

Stopping DNS-over-HTTPS (DOH) Abuse

Stop DOH Abuse

The Domain Name System (DNS) makes using the internet a whole lot easier – and more human. While I’d love to memorize Google’s IP address – 142.251.116.138 (and that’s optimized for my location) – typing in “google.com” is my preferred method for accessing the website. Now that I’ve demonstrated my love for words over numbers, why are we talking about DNS-anything when it seems to be working? Well, unfortunately, more and more DNS queries are using port 443, the standard port for HTTPS traffic, making them difficult to monitor and control.

The rise of encryption

Encrypting internet traffic has become a gold standard to ensure privacy and data security. Here at Zscaler, we’ve observed that nearly 90% of pages loaded in Google Chrome were encrypted and a startling 98% of port 443 (and port 80) are exposed to the internet. 

While it may seem like a good idea on the surface, accepting only HTTPS communication has its pitfalls. Unless you’re inspecting all SSL/TLS traffic, threat actors can easily take advantage of the implicit trust to hide and deliver malicious payloads.

DNS-over-HTTPS (DOH) gains popularity

Sometimes affectionately pronounced Do’H (yes, like how Homer Simpson would say it) or D-O-H, DNS-over-HTTPS emerged as an alternative to plaintext DNS queries. By performing DNS resolution over the HTTPS protocol, the idea is that users gain privacy for their requests and prevent internet service providers (ISPs) from tracking their activity. And, with DOH, users or browsers can choose which DNS server receives their encrypted requests. Over time, popular browsers and operating systems have adopted DOH as a standard capability.

DNS-over-HTTPS (DOH) is abused by adversaries

While the intentions behind DOH were in good faith, it has fallen short of its promise and actually weakens security measures. Because decrypting and inspecting traffic is compute-intensive, encrypted DNS requests and responses often go uninspected, so users can be led to known malicious domains without the request ever being blocked or redirected.

Aside from visibility issues, DOH can bypass security measures set by your administrators. Local and private DNS servers struggle to support DOH queries today, enabling adversaries to hijack and obfuscate legitimate requests and to use DNS as a carrier for encrypted command-and-control (C2) communication.
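To make the inspection point concrete, here is an added Python example (not from the original post, and not Zscaler’s own tooling) showing what an SSL/TLS-inspecting proxy has to do to discern a DOH request: decode the RFC 8484 GET (?dns= base64url) or POST (application/dns-message) form back into DNS wire format, recover the queried name, and apply the same domain policy a plaintext DNS filter would enforce. The resolver URL and the blocklist are constructed values.

```python
import base64
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample values (not from the post): a DoH resolver URL and a domain blocklist.
RESOLVER = "https://doh.example.net/dns-query"
BLOCKED = {"malicious.example"}

def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal RFC 1035 query: header (RD set, QDCOUNT=1) plus one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def doh_get_url(query: bytes, resolver: str = RESOLVER) -> str:
    """RFC 8484 GET form: wire-format query, base64url-encoded with padding stripped."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={token}"

def qname_from_doh_request(method: str, url: str, body: bytes = b"") -> str:
    """Recover the queried name from an inspected DoH request (GET ?dns= or POST body)."""
    if method.upper() == "GET":
        token = parse_qs(urlparse(url).query)["dns"][0]
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    else:
        raw = body  # POST carries the application/dns-message body directly
    if len(raw) < 12 or struct.unpack("!H", raw[4:6])[0] < 1:
        raise ValueError("not a DNS message with a question section")
    labels, pos = [], 12
    while pos < len(raw) and raw[pos] != 0:
        length = raw[pos]
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("unexpected compression pointer")
        labels.append(raw[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels).lower()

def doh_policy(method: str, url: str, body: bytes = b""):
    """Apply the same domain policy to a DoH query that a plaintext DNS filter would enforce."""
    name = qname_from_doh_request(method, url, body)
    hit = any(name == d or name.endswith("." + d) for d in BLOCKED)
    return ("block" if hit else "allow"), name

if __name__ == "__main__":
    url = doh_get_url(build_dns_query("www.example.com"))
    print(url)                     # the ?dns= token matches the RFC 8484 example
    print(doh_policy("GET", url))  # ('allow', 'www.example.com')
    print(doh_policy("POST", RESOLVER, build_dns_query("c2.malicious.example")))  # ('block', ...)
```

The same decode step applies to DoH responses, which is where a proxy can also redirect or sinkhole a resolution rather than merely observe it.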

Taking back control with DNS

DNS is critical to connecting users and devices to web and non-web applications. This means that taking back control is about both security and performance. Zscaler Firewall ensures all DNS requests and responses – regardless of type and resolver – are secure, preventing threats over DoH and stopping C2 communication. Plus, geo-delivered DNS resolution will boost performance. 

Ready to learn more and watch a demo on how to set up DNS Control policies? Watch our on-demand webinar, Stop DNS Abuse! Take Control with Superior Security, today.
