What is DNS over TLS (RFC-7858)?
DNS over TLS (DoT) is a new security mechanism for DNS, specified in RFC 7858. Today's DNS infrastructure sends queries and answers over port 53 (UDP, with TCP as a fallback) in clear text, which means anyone sniffing the path between a client and its resolver can read which names are being looked up. For many people the motivation is simply that extra privacy. Traditional DNS also has no protection against spoofing: UDP does not authenticate the source of a packet, so an attacker who can see or guess a query can inject a forged answer. (DNSSEC can authenticate the answer data, but it does nothing for confidentiality; DoT addresses the eavesdropping and tampering problems on the client-to-resolver hop.)

With DNS over TLS, the client and the resolver establish a secure channel over TCP port 853. The TLS handshake lets the client verify the resolver's certificate, and from then on the ordinary DNS messages travel inside the encrypted session, using the same two-byte length prefix that DNS over TCP already uses. If you are not familiar with TLS (Transport Layer Security), it is the protocol that provides the encryption and server authentication behind HTTPS websites and many VPNs.

Software vendors on both the host and the server side will need to add support for these resolvers, and there will most likely be a mix of traditional and DoT-capable servers for a while before encrypted DNS becomes the norm. HTTPS has been around for ages and we still see plain HTTP sites, so the transition will be slow. That mix is why a client needs a policy for a resolver that does not answer on 853: RFC 7858 describes an opportunistic profile (try TLS, fall back to clear text if it fails) and a pre-deployed profile in which the client is configured with the resolver's identity in advance and will not talk to anything that fails authentication.

For security admins, you will need to consider the ramifications of encrypting DNS traffic: once resolution runs inside TLS you can no longer see the hostnames being resolved, so content filtering and anything else that relies on inspecting port 53 queries will need to adapt, for example by running a DoT-capable resolver you control and steering clients to it, or by blocking outbound TCP/853 to resolvers you do not. With the cloud blowing up, you cannot simply block a certain IP either: many websites and services share infrastructure such as AWS or Azure, so blocking a single IP can potentially take out tens or hundreds of unrelated sites.

You can read the full specification in RFC 7858. DNS over TLS support is now being pushed in the latest versions of Android (Android 9 and later, as the Private DNS setting). Please check out my blog @ www.seanmancini.com
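To make the exchange above concrete, here is an added example (my own code, not part of the original post) of a minimal DoT client in Python: it builds a wire-format A query, sends it inside a TLS session on TCP/853 with the two-byte length framing, and parses the answer while checking the transaction ID and RCODE. The resolver address 1.1.1.1 with TLS name cloudflare-dns.com in the demo call is an assumption; any resolver that speaks RFC 7858 on port 853 will do, and the certificate verification in create_default_context() is what turns "encrypted" into "talking to the resolver I meant to".

```python
import socket
import ssl
import struct
import secrets
from typing import List, Optional, Tuple


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> Tuple[int, bytes]:
    """Return (transaction id, wire-format query) for name/qtype; qtype 1 = A record."""
    if txid is None:
        txid = secrets.randbits(16)          # random ID so a forged answer is harder to match
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def frame_for_tcp(message: bytes) -> bytes:
    """Prefix with a 16-bit big-endian length: the DNS-over-TCP framing (RFC 1035
    section 4.2.2) that DoT reuses inside the TLS stream (RFC 7858 section 3.3)."""
    return struct.pack("!H", len(message)) + message


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; returns (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:                    # refuse pointer loops from a hostile server
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2             # the name ends right after the first pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(msg: bytes, expected_txid: int) -> List[str]:
    """Return the A-record addresses in a response, validating ID, QR bit and RCODE."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x8000 == 0:
        raise ValueError("QR bit not set: not a response")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError("server returned RCODE %d" % rcode)
    offset = 12
    for _ in range(qd):                      # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4                          # QTYPE + QCLASS
    addresses = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:        # A record: four-byte IPv4 address
            addresses.append(".".join(str(b) for b in rdata))
    return addresses


def _recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the TLS stream early")
        buf += chunk
    return buf


def resolve_over_tls(name: str, server_ip: str, server_name: str, port: int = 853) -> List[str]:
    """Resolve name against a DoT resolver. The default SSL context verifies the
    certificate chain and checks server_name against it, so an intercepting or
    spoofed resolver fails the handshake instead of getting to answer."""
    ctx = ssl.create_default_context()
    txid, query = build_query(name)
    with socket.create_connection((server_ip, port), timeout=5) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=server_name) as tls:
            tls.sendall(frame_for_tcp(query))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            response = _recv_exact(tls, length)
    return parse_response(response, txid)


if __name__ == "__main__":
    # Assumed public DoT resolver for the demo; substitute the one you actually use.
    print(resolve_over_tls("example.com", "1.1.1.1", "cloudflare-dns.com"))
```

Note what the TLS layer does and does not buy you: the query and answer are hidden from anyone on the wire, and the resolver is authenticated by its certificate, but the resolver itself still sees every name you look up, and the connection to TCP/853 is itself visible (and blockable) to anyone watching the network. The transaction-ID and RCODE checks, and the cap on compression-pointer hops, are the same defensive parsing you would want for plain DNS; TLS does not remove the need to treat the resolver's bytes as untrusted input.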