Educause Security Discussion mailing list archives
Re: DNS over HTTPS changes
From: "Pete, Andrew" <000000d06e28c017-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Wed, 25 Sep 2019 15:30:01 +0000
Hi Jake,

This is something that I started digging into in the past week. REN-ISAC has a great document in regards to the changes and potential impact to operations. I've attached the document in case you haven't seen it. The big takeaways for me are:

1. This feature could cause problems with the resolution of internal DNS names, which would impact the ability to reach internal resources.

2. This feature introduces a number of security concerns in regards to protecting our environment. Those include:

   a. We leverage Cisco Umbrella in our environment as one layer of protection against risky applications, malware, data exfiltration, etc. This also gives us log information for DNS requests which can be used in threat hunting/forensics. DNS over HTTPS (and TLS) allows the possibility to circumvent this layer of protection and our security efforts.

   b. We have no control over the public DNS servers, how they are secured and the privacy of any information captured. Since we do not have a direct vendor relationship with the providers, we do not have a good way to manage them.

From my point of view, the technical and security risks of allowing DNS over HTTPS and DNS over TLS outweigh the benefits it would provide to our users, since it would effectively result in a lower level of privacy/security.

Cisco has a good document in regards to locking down DNS traffic if you are using Umbrella: https://support.umbrella.com/hc/en-us/articles/230904088-Preventing-Circumvention-of-Cisco-Umbrella-with-Firewall-Rules. If you are not using Umbrella, a lot of the information in this document can be applied to other external DNS providers.

I am also going to be working with our infrastructure team/desktop support folks to roll out group policies which will disable the feature on devices we have control over.
Andy

Andrew Pete
Information Security Architect
New England Institute of Technology
One New England Tech Boulevard
East Greenwich, RI 02818-1205
401-780-4460 (Direct)
apete () neit edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Barros, Jacob
Sent: Wednesday, September 25, 2019 8:32 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] DNS over HTTPS changes

An email went out on the NETMAN list earlier this month about DNS over HTTPS with very little response and I was surprised at the lack of discussion. Would you indulge my curiosity and help create a baseline for meetings I have scheduled later this month?

Specifically, for institutionally managed devices, are you disabling DNS over HTTPS in your browsers? For non-managed devices, is there intent to block DNS over HTTPS or TLS, and if so, what would your reasons be for doing so? Has anyone published information for students on how this might impact them? I know Cisco has published workarounds if there is an issue with Umbrella/OpenDNS. Are there other services that you're concerned about?

Jake

Jacob Barros
Associate Director of IT, Network and Operations | OIT
E: barrosjk () grace edu | W: 574.372.5100 ext. 6178
https://www.grace.edu/

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
**********
Attachment:
REN-ISAC_DoH_Advisory_20190920.pdf
Description: REN-ISAC_DoH_Advisory_20190920.pdf
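One way to act on the visibility gap raised in point 2a above (encrypted DNS bypassing the resolver that feeds Umbrella's request logs), as an added example that is not part of this thread, the REN-ISAC advisory or Cisco's documentation: a small Python audit over proxy/firewall log lines that flags the three indicators a defender can still see without decrypting traffic. Those are connections to TCP port 853 (DNS over TLS), the application/dns-message media type defined by RFC 8484 (DNS over HTTPS), and TLS connections to well-known public DoH resolver hostnames. The log line layout, the sample records and the resolver list are constructed assumptions for the example; the hostnames are real public services but the list is an illustrative subset, not a complete blocklist.

```python
"""Flag DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) indicators in egress logs.

Added example for the EDUCAUSE DoH thread; it is not code from EDUCAUSE,
REN-ISAC or Cisco. The log layout and sample records are constructed, and
the resolver list is an illustrative subset of public DoH services.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Illustrative subset of public DoH endpoints that browsers can use by default.
DOH_HOSTS = {
    "mozilla.cloudflare-dns.com",
    "cloudflare-dns.com",
    "dns.google",
    "dns.quad9.net",
}
DOT_PORT = 853                                  # IANA port for DNS over TLS
DOH_CONTENT_TYPE = "application/dns-message"    # media type from RFC 8484

# Constructed layout (assumption, not a vendor format):
#   "<timestamp> <src_ip> <dst_host> <dst_port> <method> <content_type>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<ctype>\S+)$"
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    port: int
    reason: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the log line looks like encrypted DNS, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None                      # malformed or unrelated line
    port = int(m["port"])
    host = m["dst"].lower().rstrip(".")
    if port == DOT_PORT:
        reason = "DNS-over-TLS port 853"
    elif m["ctype"].lower() == DOH_CONTENT_TYPE:
        reason = "DoH content type " + DOH_CONTENT_TYPE
    elif host in DOH_HOSTS:
        reason = "known public DoH resolver " + host
    else:
        return None
    return Finding(m["ts"], m["src"], host, port, reason)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Classify every line and keep only the encrypted-DNS findings."""
    return [f for f in (classify(line) for line in lines) if f is not None]


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per source address, the view a hunt starts from."""
    return dict(Counter(f.src for f in findings))


# Constructed sample records: RFC 1918 sources, example.edu and RFC 5737
# placeholder destinations, and two real public DoH hostnames.
SAMPLE_LOG = [
    "2019-09-25T15:30:01Z 10.20.30.41 intranet.example.edu 443 CONNECT -",
    "2019-09-25T15:30:02Z 10.20.30.41 mozilla.cloudflare-dns.com 443 POST application/dns-message",
    "2019-09-25T15:30:03Z 10.20.30.55 dns.google 443 CONNECT -",
    "2019-09-25T15:30:04Z 10.20.30.55 203.0.113.10 853 CONNECT -",
    "2019-09-25T15:30:05Z 10.20.30.77 www.example.edu 443 GET text/html",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.src} -> {h.dst}:{h.port}  {h.reason}")
    print("per-source counts:", summarize(hits))
```

The hostname check only works where the proxy or firewall records the TLS SNI or the CONNECT target; a DoH client that talks to a bare resolver IP on port 443 with no visible content type produces no finding here, which is why log review like this complements, rather than replaces, the egress firewall rules described in the Cisco document linked above.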
Current thread:
- DNS over HTTPS changes Barros, Jacob (Sep 25)
- Re: DNS over HTTPS changes Pete, Andrew (Sep 25)
- Re: DNS over HTTPS changes Kevin Wilcox (Sep 25)
- Re: DNS over HTTPS changes LaPorte, David (Sep 25)
- Re: DNS over HTTPS changes Barros, Jacob (Sep 25)
- Re: DNS over HTTPS changes LaPorte, David (Sep 25)
- Re: DNS over HTTPS changes John McCabe (Sep 25)