Educause Security Discussion mailing list archives

Re: DNS over HTTPS changes


From: "Pete, Andrew" <000000d06e28c017-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Wed, 25 Sep 2019 15:30:01 +0000

Hi Jake,

This is something that I started digging into in the past week.  REN-ISAC has a great document in regards to the
changes and potential impact to operations.  I've attached the document in case you haven't seen it.  The big takeaways
for me are:


1. This feature could cause problems with the resolution of internal DNS names, which would impact the ability to
reach internal resources.

2. This feature introduces a number of security concerns in regards to protecting our environment.  Those include:

   a. We leverage Cisco Umbrella in our environment as one layer of protection against risky applications, malware,
   data exfiltration, etc.  This also gives us log information for DNS requests which can be used in threat
   hunting/forensics.  DNS over HTTPS (and TLS) allows the possibility to circumvent this layer of protection and our
   security efforts.

   b. We have no control over the public DNS servers, how they are secured and the privacy of any information
   captured.  Since we do not have a direct vendor relationship with the providers, we do not have a good way to manage
   them.

From my point of view, the technical and security risks of allowing DNS over HTTPS and DNS over TLS outweigh the 
benefits it would provide to our users since it would effectively result in a lower level of privacy/security.  Cisco 
has a good document in regards to locking down DNS traffic if you are using Umbrella: 
https://support.umbrella.com/hc/en-us/articles/230904088-Preventing-Circumvention-of-Cisco-Umbrella-with-Firewall-Rules.
  If you are not using Umbrella, a lot of the information in this document can be applied to other external DNS 
providers.   I am also going to be working with our infrastructure team/desktop support folks to roll out group 
policies which will disable the feature on devices we have control over.

Andy


Andrew Pete
Information Security Architect

New England Institute of Technology
One New England Tech Boulevard
East Greenwich, RI 02818-1205
401-780-4460 (Direct)
apete () neit edu<mailto:apete () neit edu>
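The circumvention concern raised above (DoH and DoT connections that never touch the Umbrella resolvers), as an added example that is not part of this thread or of Cisco's guidance: a small Python check that flags, in a constructed sample of firewall connection logs, DoT on port 853, HTTPS to a short assumed list of public DoH endpoints, and plain DNS to any resolver other than the OpenDNS/Umbrella anycast addresses.

```python
import csv
import io

# Constructed sample of firewall connection logs (not from the thread):
# timestamp, src_ip, dst_host, dst_ip, dst_port, proto
SAMPLE_LOG = """\
2019-09-25T15:01:02Z,10.1.4.22,resolver1.opendns.com,208.67.222.222,53,udp
2019-09-25T15:01:05Z,10.1.4.23,mozilla.cloudflare-dns.com,104.16.248.249,443,tcp
2019-09-25T15:01:09Z,10.1.4.24,dns.google,8.8.8.8,853,tcp
2019-09-25T15:01:11Z,10.1.4.25,one.one.one.one,1.1.1.1,53,udp
2019-09-25T15:01:15Z,10.1.4.26,www.example.edu,93.184.216.34,443,tcp
"""

# OpenDNS/Umbrella anycast resolvers the campus is expected to use.
APPROVED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Public DoH endpoints; an HTTPS connection to one of these hostnames is a
# strong hint that a client has turned DoH on (an assumed, partial list).
KNOWN_DOH_HOSTS = {
    "mozilla.cloudflare-dns.com", "cloudflare-dns.com",
    "dns.google", "dns.quad9.net",
}


def find_bypass(log_text, approved=APPROVED_RESOLVERS, doh_hosts=KNOWN_DOH_HOSTS):
    """Return (src_ip, reason) for each connection that sidesteps the filtering resolver."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        _ts, src, host, dst_ip, port, _proto = row
        port = int(port)
        if port == 853:  # DoT uses a dedicated port, so the port alone is the tell
            findings.append((src, f"DoT to {host}"))
        elif port == 443 and host in doh_hosts:  # DoH hides inside ordinary HTTPS
            findings.append((src, f"DoH to {host}"))
        elif port == 53 and dst_ip not in approved:  # classic DNS to a foreign resolver
            findings.append((src, f"plain DNS to unapproved resolver {dst_ip}"))
    return findings


if __name__ == "__main__":
    for src, reason in find_bypass(SAMPLE_LOG):
        print(src, reason)
```

The hostname match only works where the log records the SNI or proxy-resolved name; on logs that carry only destination IPs the DoH case needs an IP list instead.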





From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Barros, Jacob
Sent: Wednesday, September 25, 2019 8:32 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] DNS over HTTPS changes


An email went out on the NETMAN list earlier this month about DNS over HTTPS with very little response and I was 
surprised at the lack of discussion.  Would you indulge my curiosity and help create a baseline for meetings I have 
scheduled later this month?

Specifically, for institutionally managed devices are you disabling DNS over HTTPS in your browsers?  For non-managed 
devices, is there intent to block DNS over HTTPs or TLS and if so what would your reasons be for doing so?

Has anyone published information for students on how this might impact them?  I know Cisco has published workarounds if 
there is an issue with Umbrella/OpenDns.  Are there other services that you're concerned about?

Jake



Jacob Barros

Associate Director of IT, Network and Operations | OIT

E: barrosjk () grace edu<mailto:barrosjk () grace edu> | W: 574.372.5100 ext. 6178






**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community


Attachment: REN-ISAC_DoH_Advisory_20190920.pdf
Description: REN-ISAC_DoH_Advisory_20190920.pdf

