Now, the United States' National Security Agency (NSA) has recommended DNS over HTTPS (DoH), stating that, when configured appropriately in enterprise environments, it can help prevent the initial access and exfiltration techniques used by threat actors.
DoH encrypts DNS requests using HTTPS to provide both privacy and integrity, with 'last mile' source authentication for the client's DNS resolver.
Why is the DNS-over-HTTPS protocol recommended for enterprise environments?
Even when a user visits a website that uses HTTPS, the DNS query and response are sent over an unencrypted connection, which allows any third party eavesdropping on the network to track the websites the user visits. Man-in-the-middle (MiTM) attacks can also be carried out simply by altering DNS responses to redirect unsuspecting visitors to malicious sites.
By using HTTPS to encrypt the traffic between the DoH client and the DoH-based DNS resolver, DoH increases user privacy and security, preventing both eavesdropping and MiTM manipulation of DNS data.
The NSA recommends that the enterprise gateway, which forwards queries to external authoritative DNS servers whenever the enterprise DNS resolver does not have the response cached, should be able to block DoH, DNS, and DNS over TLS (DoT) requests to any external DNS servers and resolvers that are not the enterprise's own.
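The blocking policy above is easier to trust when it is paired with a check that nothing is slipping past it. The following is an added example, not code from the article or from the NSA guidance: it scans constructed, simplified connection-log lines and flags flows that bypass the enterprise resolver, so an administrator can see which clients need their DNS settings corrected. The resolver address, the DoH endpoint list and the log format are all assumptions; DoH to an endpoint not on the list looks like ordinary port-443 traffic and is deliberately not flagged, which is exactly why the NSA pairs monitoring with blocking at the gateway.

```python
"""Detect DNS traffic that bypasses the enterprise resolver.

Added example (not from the article). It scans simplified, constructed
connection-log lines of the form
    <ts> <src_ip> <src_port> <dst_ip> <dst_port> <proto>
and flags the three things the NSA guidance says the gateway should block:
plain DNS (53), DNS over TLS (853) and DNS over HTTPS (443 to a known DoH
endpoint) sent anywhere other than the enterprise's own resolver.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Iterable, List, Optional

# Assumed enterprise resolver address; replace with the real one.
ENTERPRISE_RESOLVERS = {ip_address("10.0.0.53")}

# Constructed placeholder list of public DoH endpoints (TEST-NET-3 address).
# Port 443 traffic is only recognisable as DoH by its destination, so this
# list must be maintained from vendor/threat-intel sources in a real deployment.
KNOWN_DOH_ENDPOINTS = {ip_address("203.0.113.10")}


@dataclass(frozen=True)
class Finding:
    ts: str
    src_ip: str
    dst_ip: str
    dst_port: int
    kind: str  # "plain-dns-bypass", "dot-bypass" or "doh-bypass"


def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the flow bypasses the enterprise resolver, else None."""
    fields = line.split()
    if len(fields) != 6:
        raise ValueError(f"malformed log line: {line!r}")
    ts, src, _src_port, dst, dst_port_s, _proto = fields
    dst_ip = ip_address(dst)
    dst_port = int(dst_port_s)

    # Traffic to the enterprise resolver is the sanctioned path, whether it is
    # plain DNS or DoT/DoH offered by that resolver itself.
    if dst_ip in ENTERPRISE_RESOLVERS:
        return None
    if dst_port == 53:
        kind = "plain-dns-bypass"
    elif dst_port == 853:
        kind = "dot-bypass"
    elif dst_port == 443 and dst_ip in KNOWN_DOH_ENDPOINTS:
        kind = "doh-bypass"
    else:
        # Ordinary traffic, or DoH to an endpoint not on the list (invisible here).
        return None
    return Finding(ts, src, dst, dst_port, kind)


def scan(lines: Iterable[str]) -> Dict[str, List[Finding]]:
    """Group findings by source host so the admin sees which clients to fix."""
    by_host: Dict[str, List[Finding]] = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        finding = classify(line)
        if finding is not None:
            by_host[finding.src_ip].append(finding)
    return dict(by_host)


# Constructed sample log: one sanctioned lookup, one plain-DNS bypass, one DoT
# bypass, one DoH bypass, one DoT to the enterprise resolver, one plain HTTPS flow.
SAMPLE_LOG = """\
# ts src_ip src_port dst_ip dst_port proto
2024-01-01T00:00:01Z 10.1.2.3 51000 10.0.0.53 53 udp
2024-01-01T00:00:02Z 10.1.2.3 51001 198.51.100.1 53 udp
2024-01-01T00:00:03Z 10.1.2.4 51002 198.51.100.1 853 tcp
2024-01-01T00:00:04Z 10.1.2.4 51003 203.0.113.10 443 tcp
2024-01-01T00:00:05Z 10.1.2.5 51004 10.0.0.53 853 tcp
2024-01-01T00:00:06Z 10.1.2.5 51005 192.0.2.80 443 tcp
""".splitlines()


if __name__ == "__main__":
    for host, findings in sorted(scan(SAMPLE_LOG).items()):
        for f in findings:
            print(f"{f.ts} {host} -> {f.dst_ip}:{f.dst_port} {f.kind}")
```

Running it on the sample reports two hosts: 10.1.2.3 for a plain-DNS bypass and 10.1.2.4 for a DoT bypass followed by a DoH bypass; the DoT flow to the enterprise resolver and the ordinary HTTPS flow are left alone.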
Experts caution on the DNS-over-HTTPS protocol
There is a fear that if DoH is widely deployed, it will become easy for employees to bypass enterprise filters and reach blocked content, including the malware domains whose traffic enterprises block.
Thus, IT administrators will need to keep an eye on the DNS settings across their various operating systems to prevent DNS hijacking attacks; with hundreds of apps running their own unique DoH settings, this will be a herculean task for administrators.