The NSA warns enterprises to beware of third-party DNS resolvers
Found on Ars Technica on Saturday, 16 January 2021
On Thursday, however, the National Security Agency said in some cases Fortune 500 companies, large government agencies, and other enterprise users are better off not using it. The reason: the same encryption that thwarts malicious third parties can hamper engineers’ efforts to secure their networks.
“DoH provides the benefit of encrypted DNS transactions, but it can also bring issues to enterprises, including a false sense of security, bypassing of DNS monitoring and protections, concerns for internal network configurations and information, and exploitation of upstream DNS traffic,” NSA officials wrote in published recommendations.
Network admins have brought up these problems over and over, and have been laughed at and ridiculed. Glad to see others see the big problems of DoH too and hopefully DoT takes the lead.