WFH is driving a DoH explosion – what’s the impact?

BY Ben Ball

The rapid, unplanned shift to working from home is uncovering a new world of challenges for network and security teams.  As new usage patterns emerge, everyone is looking to reduce their attack surface and optimize their network for maximum performance.

Here at BlueCat, we’re constantly looking at the patterns of DNS traffic which flow through our systems, advising our customers on trends in security and usage which impact their operational bottom line.  For example, our recent study of over five billion DNS queries uncovered a wide range of interesting insights.

What we’re seeing:  changing patterns of DoH usage

One area we’ve been closely tracking is the use of DNS over HTTPS (DoH) – a method of sending DNS queries inside encrypted HTTPS connections, typically to a third-party resolver, which prevents visibility into DNS traffic patterns on the enterprise network.

Over the last week, we’ve seen a massive increase in the use of DoH across our customer base.  In the course of a single weekend, the number of endpoints attempting to use DoH went from an average of 90 to about 1400.  That’s a 1500% increase in the use of DoH.

Around 45% of these queries are from Firefox (which now activates DoH by default).  Aside from that, we’re seeing queries to eleven different DoH services from all kinds of applications. DoH usage is fairly uniform across our customer base as well – this isn’t one company or industry vertical, this is a broad trend. 

While we haven’t seen any clear indications that any of these queries are from DoH-enabled malware, that is an emerging threat that we are tracking.

The DoH debate rages on

There’s a lot of debate around the tradeoffs of DoH.  How you perceive it tends to be a function of your role.  Many end users value its ability to prevent tracking and logging, citing privacy concerns.  On the flip side, administrators rely on visibility into network traffic to secure the enterprise and optimize performance. 

If you’re using a centralized DNS management platform like BlueCat, it’s easy to block DoH by adding the DoH resolver domains to a response policy zone (RPZ). The longer-term challenge is adding any new DoH services that appear in the future to that block list. That’s why we’ve made it easy to block DoH using a specially created threat feed option.
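To make the two points above concrete (counting endpoints that attempt DoH, and turning a resolver list into RPZ rules), here is an added example that is not part of BlueCat’s tooling or this post. It assumes a simple query log of the form `<timestamp> <client-ip> <qname> <qtype>` (constructed sample lines) and a short, illustrative list of public DoH resolver hostnames that you would extend for your own environment.

```python
"""Spot DoH-resolver lookups in DNS query logs and emit RPZ block rules."""
from collections import defaultdict

# Sample list of public DoH resolver hostnames (illustrative; extend as needed)
DOH_RESOLVERS = {"mozilla.cloudflare-dns.com", "cloudflare-dns.com",
                 "dns.google", "dns.quad9.net"}

# Constructed sample log lines: "<timestamp> <client-ip> <qname> <qtype>"
SAMPLE_LOG = """\
2020-03-21T09:00:01Z 10.1.4.22 mozilla.cloudflare-dns.com A
2020-03-21T09:00:02Z 10.1.4.22 www.example.com A
2020-03-21T09:00:05Z 10.1.7.8 dns.google AAAA
2020-03-21T09:01:11Z 10.1.4.22 mozilla.cloudflare-dns.com AAAA
2020-03-21T09:02:30Z 10.1.9.14 intranet.example.com A
2020-03-21T09:03:45Z 10.1.7.8 dns.quad9.net A
"""

def is_doh_resolver(qname):
    """True if qname is a listed DoH resolver or a subdomain of one."""
    name = qname.rstrip(".").lower()  # normalise trailing dot and case
    return any(name == r or name.endswith("." + r) for r in DOH_RESOLVERS)

def doh_endpoints(log_text):
    """Map each client IP that looked up a DoH resolver to the names it hit."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname, _qtype = parts[:4]
        if is_doh_resolver(qname):
            seen[client].add(qname.rstrip(".").lower())
    return dict(seen)

def rpz_records(resolvers=DOH_RESOLVERS):
    """RPZ rules: 'CNAME .' returns NXDOMAIN for the name and its subdomains."""
    lines = []
    for r in sorted(resolvers):
        lines.append(f"{r} CNAME .")
        lines.append(f"*.{r} CNAME .")
    return lines

if __name__ == "__main__":
    print(f"{len(doh_endpoints(SAMPLE_LOG))} endpoints attempted DoH")
    print("\n".join(rpz_records()))
```

The RPZ lines go into the body of your policy zone (after its SOA and NS records); a resolver hostname lookup is only a signal that a client is about to use DoH, so treat the count as endpoints attempting DoH, not confirmed encrypted traffic.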

If you’d like to learn more about how DoH works and the impact on your network, you’re in luck.  We’ve put together some great resources on the topic.

The webinar “DNS over HTTPS and Beyond” with BlueCat CSO Andrew Wertkin and Farsight CEO Paul Vixie offers some insight about the future of DoH, as well as some concrete tips and tricks on what you can do to maintain visibility and control.

Our follow-up webinar with Wertkin and Vixie goes into the Mozart malware challenge and how it plays into DoH.

Just looking for an overview of DoH and the debate around it? Our DoH overview blog has you covered.

You may also be wondering about the difference between DoH, DNSSEC and the changes instituted as part of DNS Flag Day.  Our panel of DNS experts did a webinar on that as well.

Ben Ball

Ben Ball is the Director of Strategy and Content Marketing at BlueCat. Ben served for ten years as a Federal employee, with three tours as a Foreign Service Officer (Saudi Arabia, Turkey, Jordan), and five years at the Department of Homeland Security, where he focused on immigration issues. A graduate of the Fletcher School of Law and Diplomacy and Pitzer College, Ben lives in the San Francisco Bay Area.
