⚔️DNS Roadblock | Fighting the Dark Side of the Force on Fusion's Last Mile SD-WAN Edge using DOH🤺
Strengthening Business Security through DNS over HTTPS (DoH)
In the ever-evolving landscape of cybersecurity, businesses need to adopt innovative solutions to stay ahead of the curve. One such solution is DNS over HTTPS (DoH), which not only enhances privacy but also provides a robust layer of security. Services which provide DNS filtering exemplify how DoH can be harnessed to protect businesses from various online threats, making it an essential additional component of a modern firewall strategy. The strategy can mitigate and reduce threats by up to 88%.
What is DoH?
DNS over HTTPS (DoH) is a protocol that encrypts DNS queries, enhancing privacy and security by preventing eavesdropping and manipulation of DNS traffic. By encrypting these queries, DoH ensures that malicious actors cannot intercept or alter DNS requests, which is a common tactic used in cyber attacks.
Cloud based DoH Services | A Modern Firewall for the Internet
Solutions such as NextDNS are a prime example of a cloud-based DoH service that provides comprehensive security features for businesses. There are others but we'll focus on how it works:
Protection Against Security Threats: The service blocks access to malicious domains, protecting your network from malware, phishing attacks, and cryptojacking.
Ad and Tracker Blocking: It eliminates ads and trackers from websites and apps, enhancing user experience and reducing the risk of privacy breaches.
Safe and Supervised Internet: Businesses can ensure a safe online environment across all devices and networks, providing controlled and secure access to the Internet.
Key Features of DNS Filtering Services
Real-Time Threat Intelligence
DNS Filtering Services utilizes trusted threat intelligence feeds, encompassing millions of malicious domains that are updated in real-time. This dynamic approach ensures that your network is always protected against the latest threats. Unlike traditional security solutions that may lag in updating threat databases, many services use real-time updates to catch malicious domains as soon as they emerge.
On-the-Fly DNS Analysis
DNS filtering services analyzes DNS queries and responses in real-time, detecting and blocking malicious behavior within nanoseconds. This rapid response capability is crucial in mitigating threats that exploit newly registered domains, which can become active within hours of registration.
Fine-Tuned Security Strategy
DNS filtering services allows businesses to customize their security settings with over 10 different types of protections, tailored to specific needs. This flexibility enables a more nuanced and effective defense strategy, addressing unique threat landscapes and business requirements.
Benefits of Using DoH
Enhanced Privacy
By encrypting DNS traffic, DoH ensures that sensitive information remains confidential, shielding it from prying eyes. This is particularly important for businesses handling sensitive data, as it prevents potential breaches and data leaks.
Improved Security
DoH significantly enhances security by thwarting DNS-based attacks, such as DNS spoofing and cache poisoning. Combined with a service's real-time threat intelligence and rapid DNS analysis, businesses can achieve a higher level of protection against sophisticated cyber threats.
Simplified Implementation
Implementing DoH with services is straightforward and cost-effective. Businesses can quickly configure their networks to use DoH, providing immediate benefits without the need for extensive hardware or software investments.
Wrap
Incorporating DNS over HTTPS into your business's cybersecurity strategy is a powerful way to enhance both privacy and security. Services like NextDNS transform DoH into a modern firewall solution, offering comprehensive protection against a wide array of online threats. With real-time threat intelligence, on-the-fly DNS analysis, and customizable security settings, DNS filtering services provides a robust, flexible, and easy-to-implement security solution for the modern business.
Adopting DoH is not just about staying secure; it's about staying ahead. By leveraging this cutting-edge technology, businesses can ensure a safer, more resilient digital environment, protecting their assets and their reputation in an increasingly perilous cyber landscape.
Nuts & Bolts
DNS Roadblock is implemented using a combination of a (DNS over HTTPS) DoH resolver and DNSgate:
DNS Roadbloack is implemented using a DNS name resolution proxy which can be downloaded from this link and has the following features:
Support for DNS-over-HTTPS, DNS-over-TLS, DNS-over-QUIC and DNSCrypt
Create logs of all requests
Specify interfaces and ports on which to proxy normal DNS requests
Provide a downstream resolver instance for DNS-over-HTTPS, DNS-over-TLS, DNS-over-QUIC and DNSCrypt
Specify a bootstrap resolver
Specify one or multiple upstream resolvers
Specify one or multiple failback resolvers
Specify a cache (on the Fusion Edge we default to using the DNSMASQ cache)
Specify various rate limit and EDNS
Implement EDNS
The dnsproxy downloaded above is installed into /usr/bin
The following systemd unit file is created in /etc/systemd/system/dnsproxy.service
[Unit]
Description=DNS Proxy
After=network.target
Requires=network.target
[Service]
Type=simple
ExecStart=/usr/bin/dnsproxy -l 127.0.0.1 -p 5354 -u https://max.rethinkdns.com/1:SPo6xBCACAAgAAAIAAQAQACA -f 9.9.9.9 -b 9.9.9.10:53
Restart=on-failure
[Install] WantedBy=multi-user.target
In the above example we use a DOH url from RethinkDNS but any of the ones for the following can be used, which includes NextDNS used in the overview:
The Fusion Edge uses DNSMASQ to provision DHCP and DNS service on the edge and the following custom configuration can be applied
cache-size=4096
min-cache-ttl=900
no-resolv
server=127.0.0.1#5354
The Fusion Edge can now use a DOH resolver and protect a site cloud services such as those available from various DNS providers including NextDNS.
Here is a great generic overview of DNS:
Ronald Bartels ensures that Internet inhabiting things are connected reliably online at Fusion Broadband South Africa - the leading specialized SD-WAN provider in South Africa.