Shrink the DNS attack surface with Auth-DoH

Imagine you could keep your building location private by making employees invisible as they traveled from home to office. (My inspiration: Loki, the Marvel superhero.) Nobody can see the employee’s destination. There’s a hitch, though. Before opening the door, you’ll need to make sure the person is authorized to enter—not some random person who discovered the address and wants to sneak in. You’ll need a gatekeeper.

In this analogy, the invisibility superpower is DNS over HTTPS (DoH). It’s a new protocol that encrypts the DNS request to keep bad actors from discovering or altering domain names or snooping on users’ internet destinations. We’re fans: in fact, Cisco Umbrella has supported Encrypted DNS since 2011. Read more about DoH in this blog by my colleague Nancy Cam-Winget.

But unlike enterprise cloud services, which authenticate users before letting them in, DoH doesn’t have a gatekeeper. There’s no mechanism to resolve DNS queries only for authorized users and refuse queries from everyone else. To remedy that, we’ve come up with a concept we call Auth-DoH. In this blog I’ll explain the need and how we see it working.

The goal: low-risk way to advertise private servers using public DNS

Today, employees often (or always) work outside the office, which means they need a convenient way to access VPN and zero-trust-network (ZTN) services. (The difference: with VPNs, most enterprise traffic goes through a single tunnel. With ZTN services like Duo Network Gateway, in contrast, each private enterprise service is exposed separately.)

Putting security concerns aside, public DNS servers are appealing because employees can use any device, anywhere, without special software. They just type the server name into the browser or VPN client —say, vpn.companyname.com—and then the OS resolver connects them to the sign-in page. The problem? Advertising private services on public DNS sites increases the attack surface. Granted, bad actors can’t log in without credentials, but even knowing that the site exists gives them a foot in the door. For evidence, look no further than VPN exploits in the last year. Only your employees need to know about your VPN service, so why advertise it to the world?

Auth-DoH restricts the attack surface

We came up with Auth-DoH as a safer way to publicly advertise private services. It’s an outgrowth of new mechanisms like DoH and Discovery of Designated Resolvers (DDR) and our ongoing work on Encrypted DNS.

Here’s our vision. To use Auth-DoH you’ll need a public-facing Auth-DoH server—either enterprise-managed or provided as a service. Then you’ll configure the OS Resolver on employees’ laptops and mobile devices to direct DNS queries to your Auth-DoH server. Only authorized employees will be able to query the system to discover your enterprise services. You can use the same Auth-DoH server for public-facing and internal services, whether they’re hosted on your VPN, ZTN, or a public cloud.

Picture it. Say Loki, an IT engineer working from home, types your company’s VPN or ZTN URL into the browser. The query is directed to the Auth-DoH server, which checks whether the endpoint is authorized. If so, the query is resolved and the sign-in page appears. If not, Loki sees an error message. No foot in the door.

Bottom line

Auth-DoH makes it safer to publicly expose private enterprise services externally while preventing unauthorized queries and DNS scanning. Limiting the visibility of enterprise services reduces the attack surface.

What’s next

If you participate in internet standards bodies like the IETF, we invite you to join discussions on the evolution of DNS. We continue to work with our partners in this area and hope that Auth-DoH will be available in the not too distant future.

I welcome your questions and comments.


Vinny Parla

Principal Architect

Office of the Security CTO