⚔️DNS Roadblock | Fighting the Dark Side of the Force on Fusion's Last Mile SD-WAN Edge using DOH🤺
In the ever-evolving landscape of cybersecurity, businesses need to adopt innovative solutions to stay ahead of the curve. One such solution is DNS over HTTPS (DoH), which not only enhances privacy but also provides a robust layer of security. Services which provide DNS filtering exemplify how DoH can be harnessed to protect businesses from various online threats, making it an essential additional component of a modern firewall strategy. The strategy can mitigate and reduce threats by up to 88%.
What is DoH?
DNS over HTTPS (DoH) is a protocol that encrypts DNS queries, enhancing privacy and security by preventing eavesdropping and manipulation of DNS traffic. By encrypting these queries, DoH ensures that malicious actors cannot intercept or alter DNS requests, which is a common tactic used in cyber attacks.
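As an added illustration of the protocol (example code written for this article, not part of the original post or of any DoH service): the GET form of a DoH query as specified in RFC 8484, and a small parser for the answer that tells an allowed name apart from one a filtering resolver has blocked. The endpoint host and the two response messages are constructed placeholders, not captured traffic.

```python
import base64
import struct

def build_query(name, qtype=1):
    # Header: txid 0 (RFC 8484 recommends it so HTTPS caches can match identical queries), RD set, 1 question.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # qtype A=1, class IN=1

def doh_get_url(name):
    # GET form of DoH: the wire-format query, base64url-encoded without '=' padding, as the ?dns= parameter.
    enc = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return "https://doh.example/dns-query?dns=" + enc  # placeholder host, not a resolver named on the page

def _read_name(msg, off):
    # Decode a possibly compressed DNS name; returns (name, offset just after it).
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier copy of the name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [_read_name(msg, ptr)[0]]), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
def parse_response(msg):
    # Return (rcode, [(name, ipv4, ttl), ...]) for the A records in a response message.
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section (name + qtype + qclass)
        off = _read_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(map(str, rdata)), ttl))
    return flags & 0xF, answers
def verdict(msg):
    # Filtering resolvers usually answer a blocked name with NXDOMAIN (rcode 3) or a 0.0.0.0 sinkhole.
    rcode, answers = parse_response(msg)
    return "blocked" if rcode == 3 or any(ip == "0.0.0.0" for _, ip, _ in answers) else [ip for _, ip, _ in answers]

# Constructed sample responses (RFC 5737 documentation address), not captured traffic.
ALLOWED = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + b"\x07example\x03com\x00"
           + struct.pack("!HH", 1, 1) + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
BLOCKED = struct.pack("!HHHHHH", 0, 0x8183, 1, 0, 0, 0) + b"\x03bad\x07example\x00" + struct.pack("!HH", 1, 1)
```

Because the whole message travels inside TLS, an on-path observer sees only an HTTPS request to the resolver, which is the privacy property the section describes.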
Cloud-based DoH Services | A Modern Firewall for the Internet
Solutions such as NextDNS are a prime example of a cloud-based DoH service that provides comprehensive security features for businesses. There are others but we'll focus on how it works:
Protection Against Security Threats: The service blocks access to malicious domains, protecting your network from malware, phishing attacks, and cryptojacking.
Ad and Tracker Blocking: It eliminates ads and trackers from websites and apps, enhancing user experience and reducing the risk of privacy breaches.
Safe and Supervised Internet: Businesses can ensure a safe online environment across all devices and networks, providing controlled and secure access to the Internet.
Key Features of DNS Filtering Services
Real-Time Threat Intelligence
DNS filtering services utilize trusted threat intelligence feeds, encompassing millions of malicious domains that are updated in real-time. This dynamic approach ensures that your network is always protected against the latest threats. Unlike traditional security solutions that may lag in updating threat databases, many services use real-time updates to catch malicious domains as soon as they emerge.
On-the-Fly DNS Analysis
DNS filtering services analyze DNS queries and responses in real-time, detecting and blocking malicious behavior within nanoseconds. This rapid response capability is crucial in mitigating threats that exploit newly registered domains, which can become active within hours of registration.
Fine-Tuned Security Strategy
DNS filtering services allow businesses to customize their security settings with over 10 different types of protections, tailored to specific needs. This flexibility enables a more nuanced and effective defense strategy, addressing unique threat landscapes and business requirements.
Benefits of Using DoH
Enhanced Privacy
By encrypting DNS traffic, DoH ensures that sensitive information remains confidential, shielding it from prying eyes. This is particularly important for businesses handling sensitive data, as it prevents potential breaches and data leaks.
Improved Security
DoH significantly enhances security by thwarting DNS-based attacks, such as DNS spoofing and cache poisoning. Combined with a service's real-time threat intelligence and rapid DNS analysis, businesses can achieve a higher level of protection against sophisticated cyber threats.
Simplified Implementation
Implementing DoH with services is straightforward and cost-effective. Businesses can quickly configure their networks to use DoH, providing immediate benefits without the need for extensive hardware or software investments.
Wrap
Incorporating DNS over HTTPS into your business's cybersecurity strategy is a powerful way to enhance both privacy and security. Services like NextDNS transform DoH into a modern firewall solution, offering comprehensive protection against a wide array of online threats. With real-time threat intelligence, on-the-fly DNS analysis, and customizable security settings, DNS filtering services provide a robust, flexible, and easy-to-implement security solution for the modern business.
Adopting DoH is not just about staying secure; it's about staying ahead. By leveraging this cutting-edge technology, businesses can ensure a safer, more resilient digital environment, protecting their assets and their reputation in an increasingly perilous cyber landscape.
Nuts & Bolts
DNS Roadblock is implemented using a combination of a DoH (DNS over HTTPS) resolver and DNSgate. The resolver side is a DNS name resolution proxy (dnsproxy), which can be downloaded from this link and has the following features:
Support for DNS-over-HTTPS, DNS-over-TLS, DNS-over-QUIC and DNSCrypt
Create logs of all requests
Specify interfaces and ports on which to proxy normal DNS requests
Provide a downstream resolver instance for DNS-over-HTTPS, DNS-over-TLS, DNS-over-QUIC and DNSCrypt
Specify a bootstrap resolver
Specify one or multiple upstream resolvers
Specify one or multiple failback resolvers
Specify a cache (on the Fusion Edge we default to using the DNSMASQ cache)
Specify various rate limit and EDNS settings
Implement EDNS
The dnsproxy downloaded above is installed into /usr/bin.
The following systemd unit file is created in /etc/systemd/system/dnsproxy.service:
[Unit]
Description=DNS Proxy
After=network.target
Requires=network.target
[Service]
Type=simple
ExecStart=/usr/bin/dnsproxy -l 127.0.0.1 -p 5354 -u https://max.rethinkdns.com/1:SPo6xBCACAAgAAAIAAQAQACA -f 9.9.9.9 -b 9.9.9.10:53
Restart=on-failure
[Install]
WantedBy=multi-user.target
In the above example we use a DoH URL from RethinkDNS, but the DoH URL of any of the following providers can be used, including NextDNS, which was used in the overview:
The Fusion Edge uses DNSMASQ to provision DHCP and DNS services on the edge, and the following custom configuration can be applied:
cache-size=4096
min-cache-ttl=900
no-resolv
server=127.0.0.1#5354
The Fusion Edge can now use a DoH resolver and protect a site with cloud services such as those available from various DNS providers, including NextDNS.
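An added consistency check for the two fragments above (example code written for this article, not part of the original post, dnsproxy or dnsmasq): it reads the listener address and port from the unit's ExecStart and the forwarding targets from the dnsmasq configuration, and reports the misconfigurations that silently bypass the DoH path, namely a server= port that does not match the proxy listener, an extra plain-DNS upstream, and a missing no-resolv (which lets dnsmasq also use the nameservers in /etc/resolv.conf). The embedded texts are constructed copies with a placeholder DoH URL, and the dnsproxy defaults of 0.0.0.0 and port 53 when -l/-p are absent are assumed.

```python
import re
import shlex

# Constructed copies of the two fragments on the page (placeholder DoH URL), not live files.
UNIT_FILE = """[Service]
ExecStart=/usr/bin/dnsproxy -l 127.0.0.1 -p 5354 -u https://doh.example/dns-query -f 9.9.9.9 -b 9.9.9.10:53
"""
DNSMASQ_CONF = """cache-size=4096
min-cache-ttl=900
no-resolv
server=127.0.0.1#5354
"""

def dnsproxy_listener(unit_text):
    # Return (addr, port) that dnsproxy listens on, taken from -l/-p in the unit's ExecStart.
    m = re.search(r"^ExecStart=(.*)$", unit_text, re.M)
    argv = shlex.split(m.group(1)) if m else []
    addr, port = "0.0.0.0", 53  # assumed dnsproxy defaults when -l/-p are not given
    for i, arg in enumerate(argv[:-1]):
        if arg == "-l":
            addr = argv[i + 1]
        elif arg == "-p":
            port = int(argv[i + 1])
    return addr, port

def dnsmasq_upstreams(conf_text):
    # Parse every server=host[#port] line; dnsmasq forwards to port 53 when no #port is given.
    upstreams = []
    for line in conf_text.splitlines():
        if line.startswith("server="):
            host, _, port = line[len("server="):].partition("#")
            upstreams.append((host, int(port) if port else 53))
    return upstreams

def audit(unit_text, conf_text):
    # Return a list of findings; an empty list means dnsmasq reaches the DoH proxy and nothing else.
    findings = []
    listener = dnsproxy_listener(unit_text)
    upstreams = dnsmasq_upstreams(conf_text)
    if listener not in upstreams:
        findings.append("dnsmasq does not forward to the dnsproxy listener %s#%d" % listener)
    for host, port in upstreams:
        if (host, port) != listener:
            findings.append("dnsmasq also forwards to %s#%d over plain DNS, bypassing the DoH filter" % (host, port))
    if "no-resolv" not in conf_text.splitlines():
        findings.append("no-resolv is missing: dnsmasq will also use /etc/resolv.conf nameservers, bypassing DoH")
    return findings
```

Running audit(UNIT_FILE, DNSMASQ_CONF) on the page's values returns no findings; changing the server= port or dropping no-resolv produces one finding each, which is the kind of drift worth checking after every edge re-provision.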
Ronald Bartels ensures that Internet inhabiting things are connected reliably online at Fusion Broadband South Africa - the leading specialized SD-WAN provider in South Africa.
Written by
Ronald Bartels