Risks of Switching to DNS over HTTPS (DoH): Expert Insights

Experts Highlight Risks Associated with Switching to DoH

According to specialists from the National Cyber Security Centre of the Netherlands (NCSC), monitoring DNS traffic is becoming increasingly difficult as modern encrypted DNS protocols gain adoption. The assessment was set out in a fact sheet published last week. The document is intended for network administrators and technical directors considering the adoption of "DNS over TLS" (DoT) and "DNS over HTTPS" (DoH).

DoT and DoH carry domain name resolution over an encrypted transport instead of plaintext DNS on UDP/TCP port 53: DoT wraps the DNS message in a TLS session on port 853, while DoH sends it as an HTTPS request, normally on port 443, where it is mixed in with ordinary web traffic. Both leave the DNS message itself unchanged; only the framing and the transport differ. NCSC experts note, however, that widespread use of encrypted DNS transports complicates DNS traffic monitoring for security teams, because the queries that used to be visible in cleartext at the network edge are now hidden inside TLS.
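As an added example (not from the article or the NCSC fact sheet), the following Python builds one DNS query and frames it the three ways described above: as a plain Do53 datagram, as a DoT record, and as a DoH GET and POST request. The resolver hostname and the queried name are placeholders chosen for illustration. Running it shows that the wire-format message is identical in every case, which is exactly why a monitor keyed on port 53 payloads loses visibility once the same bytes travel inside TLS.

```python
"""Added example, not code from the article or the NCSC fact sheet.
Builds the same DNS query three ways so the framing differences of
Do53, DoT and DoH can be inspected offline. No network traffic is sent."""
import base64
import struct

# Assumption: placeholder resolver name for the Host header, not a real endpoint.
RESOLVER_HOST = "doh.example.net"


def build_query(qname: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a minimal DNS query in wire format (RFC 1035).

    RFC 8484 recommends transaction ID 0 for DoH so identical queries are
    HTTP-cache friendly; plain DNS and DoT use a random 16-bit ID instead.
    """
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    # Root label terminator, then QTYPE and QCLASS=IN
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def as_plain_dns(msg: bytes) -> bytes:
    """Classic Do53 over UDP: the message itself is the datagram payload."""
    return msg


def as_dot(msg: bytes) -> bytes:
    """DoT (RFC 7858): TCP-style 2-byte length prefix, then the message,
    carried inside a TLS session on port 853."""
    return struct.pack("!H", len(msg)) + msg


def as_doh_get(msg: bytes, host: str = RESOLVER_HOST) -> bytes:
    """DoH (RFC 8484) GET: the message is base64url-encoded without padding
    in the ?dns= parameter of an HTTPS request, normally on port 443."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return (
        f"GET /dns-query?dns={b64} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Accept: application/dns-message\r\n\r\n"
    ).encode("ascii")


def as_doh_post(msg: bytes, host: str = RESOLVER_HOST) -> bytes:
    """DoH (RFC 8484) POST: the raw wire-format message is the HTTP body."""
    head = (
        "POST /dns-query HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/dns-message\r\n"
        "Accept: application/dns-message\r\n"
        f"Content-Length: {len(msg)}\r\n\r\n"
    ).encode("ascii")
    return head + msg


def qname_from_query(msg: bytes) -> str:
    """Recover QNAME from a wire-format query: this is what a port-53 monitor
    reads in cleartext, and what becomes invisible once wrapped in TLS."""
    pos, parts = 12, []
    while True:
        n = msg[pos]
        if n == 0:
            break
        parts.append(msg[pos + 1 : pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(parts)


if __name__ == "__main__":
    # Constructed sample name; an internal zone is the interesting case.
    q = build_query("intranet.example")
    print("QNAME visible to a Do53 monitor:", qname_from_query(as_plain_dns(q)))
    print("DoT record:", as_dot(q).hex())
    print(as_doh_get(q).decode("ascii"))
    print(as_doh_post(q)[: -len(q)].decode("ascii") + q.hex())
```

The same `build_query` output sits unchanged inside each wrapper, so an inspection point that only sees TLS on 853 or 443 can observe that some host is talking to a resolver, but not which names it asked for.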

While DoT and DoH do protect DNS queries against interception on the network path, they can also "render existing organizational security measures ineffective, potentially exposing internal domains and causing connectivity issues." The cause is that applications may send their queries directly to a third-party resolver instead of the system-level resolver, bypassing the filtering, logging and internal-zone resolution an organization has attached to its own DNS infrastructure. These "side effects" can only be addressed at the DNS infrastructure and individual device level, not at the network level, the experts warn, because the encrypted queries are no longer distinguishable from other TLS traffic in transit.

“NCSC recommends that organizations select preferred DNS resolvers, configure them under administrator control, and pay attention to the benefits of modern DNS transport protocols,” the fact sheet states.
