Lead Image ©bowie15, 123RF.com

New Approaches to DNS

Next Generation

Article from ADMIN 93/2026
By
DNS, the Internet's address book, is often used in plain text. Fortunately, modern DNS protocols offer many improvements.

The venerable domain name system (DNS) has been serving up names on the Internet since the 1980s. In fact, it is safe to say the Internet wouldn't function without DNS; unfortunately, the old-school DNS protocol is showing its age. One perfect illustration of the problem is the British National Cyber Security Centre warning [1] about hacker attacks by the Russian APT28 group. DNS is directly involved in these attacks because APT28 has built a wide network of DNS servers that are used to redirect traffic to fake domains.

These malicious websites and email services collect all kinds of valuable artifacts: logins, passwords, OAuth tokens, browser history, and more. The front line of attack is routers, most of them old models with outdated firmware. After a successful attack, APT28 changes the DNS servers configured in the router to its malicious DNS. From then on, every device connected to the router and using the default DNS from the ISP becomes a target. This attack clearly demonstrates the importance of DNS security.

Classic DNS has worked well for decades and has been tested under load many times. However, some architectural problems are difficult to solve for old projects like DNS. The most notable problem is the lack of encryption. DNS queries are performed in plain text, so they can be intercepted and modified easily by a man-in-the-middle attack.

In this article, I go on a tour through some recent protocols that have evolved around the need to address the security issues associated with DNS. You'll learn about:

  • DNS over HTTPS
  • DNS over TLS
  • DNS over QUIC
  • DNS over HTTP/3
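As an added example (not code from the article), the following Python builds a plain wire-format DNS query, reads the queried name back out of it exactly as a passive observer on port 53 could, and then shows how DNS over TLS (RFC 7858) and DNS over HTTPS (RFC 8484) carry that same message: a two-byte length prefix inside the TLS stream, and a base64url-encoded `dns` parameter on the `/dns-query` path. The confidentiality comes from the TLS or HTTPS session the message travels in; what changes at the DNS layer is only this framing.

```python
import base64
import struct

DNS_QUERY_FLAGS = 0x0100  # standard query, recursion desired


def build_query(name, qtype=1, txid=0):
    """Build a wire-format DNS question (RFC 1035) for `name`.

    qtype 1 is A. txid 0 is what RFC 8484 recommends for DoH so that
    identical questions produce identical, cacheable HTTP requests.
    """
    header = struct.pack("!HHHHHH", txid, DNS_QUERY_FLAGS, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def parse_question(msg):
    """Read the queried name, type and transaction id out of a wire message.

    This is everything an on-path observer sees when the message is sent
    over classic UDP/TCP port 53: nothing in it is obscured.
    """
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not expected in a query")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return ".".join(labels), qtype, txid


def dot_frame(msg):
    """DNS over TLS (RFC 7858): the same message inside the TLS stream,
    prefixed with a 2-byte big-endian length (as for DNS over TCP)."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_path(msg):
    """DNS over HTTPS (RFC 8484) GET: the message base64url-encoded without
    padding in the `dns` query parameter of the /dns-query resource."""
    encoded = base64.urlsafe_b64encode(msg).decode("ascii").rstrip("=")
    return "/dns-query?dns=" + encoded
```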

Although modern DNS services like DNS over QUIC and DNS over HTTP/3 were developed relatively recently, they have already gained popularity and support in operating systems. The TLS 1.3 cryptographic protocol inside the QUIC transport layer eliminates the need for


...
