Dutch NCSC Fact Sheet on The Future of DNS Monitoring

Eden · October 8, 2019, 10:03pm

I just thought his was an interesting short fact sheet from the Netherlands NCSC on the fact that secure DNS is happening and is pretty much the future and the impact that will have on DNS monitoring (more specifically from an enterprise consideration)

New DNS transport protocols make it harder to monitor or modify DNS requests. This is beneficial on today’s untrusted networks. At the same time the shift may render your organisation’s security controls ineffective, expose internal naming or break connectivity. These negative side effects are hard to mitigate at a network level and require mitigation at DNS infrastructure and individual devices.

The NCSC recommends organisations to decide on preferred (DNS) resolvers, configure these on devices under administrative control and take note of the benefits provided by modern DNS transport protocols.

mutation666 · October 9, 2019, 9:51pm

Block all DNS traffic leaving your network and force them to use yours? (for the enterprise side of things) Not that a person could get around this but you can get around just about anything.

2FA · October 9, 2019, 9:59pm

At least with DNS-over-HTTPS, it’s hard to do that without MITM’ing all your traffic. You otherwise need to strictly control client DNS settings on clients which is easier for devices that never leave the building and very difficult for personal devices that are BYOD.

mutation666 · October 9, 2019, 10:00pm

(correct hence the not that you can get around this)