⚔️DNS Roadblock: Fighting the Dark Side of the Force on Fusion's Last Mile SD-WAN Edge using DOH🤺

Strengthening Business Security through DNS over HTTPS (DoH)

In the ever-evolving landscape of cybersecurity, businesses need to adopt innovative solutions to stay ahead of the curve. One such solution is DNS over HTTPS (DoH), which not only enhances privacy but also provides a robust layer of security. Services like NextDNS exemplify how DoH can be harnessed to protect businesses from various online threats, making it an essential component of a modern firewall strategy.

What is DoH?

DNS over HTTPS (DoH) is a protocol that encrypts DNS queries, enhancing privacy and security by preventing eavesdropping and manipulation of DNS traffic. By encrypting these queries, DoH ensures that malicious actors cannot intercept or alter DNS requests, which is a common tactic used in cyber attacks.

Cloud-based DoH Services: A Modern Firewall for the Internet

NextDNS is a prime example of a cloud-based DoH service that provides comprehensive security features for businesses. There are others, but we'll focus on how this one works:

  1. Protection Against Security Threats: NextDNS blocks access to malicious domains, protecting your network from malware, phishing attacks, and cryptojacking.

  2. Ad and Tracker Blocking: It eliminates ads and trackers from websites and apps, enhancing user experience and reducing the risk of privacy breaches.

  3. Safe and Supervised Internet: Businesses can ensure a safe online environment across all devices and networks, providing controlled and secure access to the Internet.

Key Features of NextDNS

Real-Time Threat Intelligence

NextDNS utilizes trusted threat intelligence feeds, encompassing millions of malicious domains that are updated in real-time. This dynamic approach ensures that your network is always protected against the latest threats. Unlike traditional security solutions that may lag in updating threat databases, NextDNS's real-time updates catch malicious domains as soon as they emerge.

On-the-Fly DNS Analysis

NextDNS analyzes DNS queries and responses in real-time, detecting and blocking malicious behavior within nanoseconds. This rapid response capability is crucial in mitigating threats that exploit newly registered domains, which can become active within hours of registration.

Fine-Tuned Security Strategy

NextDNS allows businesses to customize their security settings with over 10 different types of protections, tailored to specific needs. This flexibility enables a more nuanced and effective defense strategy, addressing unique threat landscapes and business requirements.

Benefits of Using DoH with NextDNS

Enhanced Privacy

By encrypting DNS traffic, DoH ensures that sensitive information remains confidential, shielding it from prying eyes. This is particularly important for businesses handling sensitive data, as it prevents potential breaches and data leaks.

Improved Security

DoH significantly enhances security by thwarting DNS-based attacks, such as DNS spoofing and cache poisoning. Combined with NextDNS's real-time threat intelligence and rapid DNS analysis, businesses can achieve a higher level of protection against sophisticated cyber threats.

Simplified Implementation

Implementing DoH with services like NextDNS is straightforward and cost-effective. Businesses can quickly configure their networks to use NextDNS, providing immediate benefits without the need for extensive hardware or software investments.

Wrap

Incorporating DNS over HTTPS into your business's cybersecurity strategy is a powerful way to enhance both privacy and security. Services like NextDNS transform DoH into a modern firewall solution, offering comprehensive protection against a wide array of online threats. With real-time threat intelligence, on-the-fly DNS analysis, and customizable security settings, NextDNS provides a robust, flexible, and easy-to-implement security solution for the modern business.

Adopting DoH with NextDNS is not just about staying secure; it's about staying ahead. By leveraging this cutting-edge technology, businesses can ensure a safer, more resilient digital environment, protecting their assets and their reputation in an increasingly perilous cyber landscape.

Nuts & Bolts

DNS Roadblock is implemented using a combination of a DNS over HTTPS (DoH) resolver and DNSgate.

The DoH side of DNS Roadblock is a DNS name resolution proxy (dnsproxy) which can be downloaded from this link and has the following features:

  • Support for DNS-over-HTTPS, DNS-over-TLS, DNS-over-QUIC and DNSCrypt

  • Create logs of all requests

  • Specify interfaces and ports on which to proxy normal DNS requests

  • Provide a downstream resolver instance for DNS-over-HTTPS, DNS-over-TLS, DNS-over-QUIC and DNSCrypt

  • Specify a bootstrap resolver

  • Specify one or multiple upstream resolvers

  • Specify one or multiple failback resolvers

  • Specify a cache (on the Fusion Edge we default to using the DNSMASQ cache)

  • Specify various rate limits and EDNS options

  • Implement EDNS

The dnsproxy binary downloaded above is installed into /usr/bin.

The following systemd unit file is created in /etc/systemd/system/dnsproxy.service:

[Unit]
Description=DNS Proxy
After=network.target
Requires=network.target

[Service]
Type=simple
ExecStart=/usr/bin/dnsproxy -l 127.0.0.1 -p 5354 -u https://max.rethinkdns.com/1:SPo6xBCACAAgAAAIAAQAQACA -f 9.9.9.9 -b 9.9.9.10:53
Restart=on-failure

[Install]
WantedBy=multi-user.target

In the above example we use a DoH URL from RethinkDNS, but any of the providers listed in the following can be used, which includes NextDNS as used in the overview:

The Fusion Edge uses DNSMASQ to provision DHCP and DNS service on the edge, and the following custom configuration can be applied so that dnsmasq forwards every query to the local dnsproxy listener instead of the plaintext resolvers in /etc/resolv.conf:

cache-size=4096
min-cache-ttl=900
no-resolv
server=127.0.0.1#5354

The Fusion Edge can now use a DoH resolver and protect a site using cloud services such as those available from various DNS providers, including NextDNS.
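The two fragments above only work as a roadblock if they agree with each other: dnsmasq must forward to the port dnsproxy listens on, dnsproxy must stay on loopback (otherwise the edge becomes an open resolver), the upstream must be an encrypted transport, and no-resolv must be present so dnsmasq never falls back to plaintext resolvers. The following check script is an added example, not part of the original post or of the dnsproxy project; it assumes the unit file uses the -l, -p and -u flags exactly as shown above and takes the two file paths as arguments.

```shell
#!/bin/sh
# Added example: sanity-check a DNS Roadblock configuration before enabling it.
# Reads the dnsproxy systemd unit and the dnsmasq fragment and verifies that
# they are consistent and that nothing is exposed. Returns 0 when all checks pass.
check_roadblock() {
    unit="$1"; dnsmasq_conf="$2"; rc=0
    exec_line=$(grep '^ExecStart=' "$unit" | head -n 1)
    [ -n "$exec_line" ] || { echo "FAIL: no ExecStart in $unit"; return 1; }

    # dnsproxy must listen on loopback only (-l); a listener on a LAN/WAN
    # address would turn the edge into an open resolver.
    listen=$(printf '%s\n' "$exec_line" | sed -n 's/.* -l \([^ ]*\).*/\1/p')
    case "$listen" in
        127.0.0.1|::1) ;;
        *) echo "FAIL: dnsproxy listens on '$listen', expected loopback"; rc=1 ;;
    esac

    # The upstream (-u) must be an encrypted transport, not a plain IP.
    upstream=$(printf '%s\n' "$exec_line" | sed -n 's/.* -u \([^ ]*\).*/\1/p')
    case "$upstream" in
        https://*|tls://*|quic://*|sdns://*) ;;
        *) echo "FAIL: upstream '$upstream' is not an encrypted transport"; rc=1 ;;
    esac

    # dnsmasq must ignore /etc/resolv.conf and forward to the dnsproxy port (-p).
    port=$(printf '%s\n' "$exec_line" | sed -n 's/.* -p \([0-9]*\).*/\1/p')
    grep -q '^no-resolv$' "$dnsmasq_conf" || { echo "FAIL: no-resolv missing"; rc=1; }
    grep -q "^server=127\.0\.0\.1#${port}$" "$dnsmasq_conf" \
        || { echo "FAIL: dnsmasq does not forward to 127.0.0.1#${port}"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $unit and $dnsmasq_conf are consistent"
    return "$rc"
}

# Usage: check_roadblock /etc/systemd/system/dnsproxy.service /etc/dnsmasq.d/roadblock.conf
if [ "$#" -eq 2 ]; then
    check_roadblock "$1" "$2"
fi
```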

Here is a great generic overview of DNS:

Ronald Bartels ensures that Internet-inhabiting things are connected reliably online at Fusion Broadband South Africa, the leading specialized SD-WAN provider in South Africa.