The U.S. National Security Agency says in a new guidance document that using the DNS over HTTPS (DoH) protocol in an enterprise environment, which encrypts the DNS exchange between the DoH client and the DoH-capable resolver inside an HTTPS session, can help counter threat actors looking to eavesdrop on or manipulate DNS data, The Hacker News reports.
Use of the protocol provides "privacy, integrity, and 'last mile' source authentication with a client's DNS resolver," according to the guidance. The agency advises that this added layer of protection is best implemented with a designated enterprise DNS resolver rather than an arbitrary public one. NSA also warned against a false sense of security: DoH encrypts only the DNS transaction between the client and the resolver, not other traffic, and it does not prevent the DoH provider from seeing the lookup requests and the IP address of the client making them. In addition, DoH covers only that client-to-resolver hop; the resolver's own queries to upstream servers are outside it, so a resolver that can be made to talk to malicious upstream servers remains open to DNS cache poisoning.
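To make the "last mile" point concrete, the following added example (not code from the NSA guidance or the article) builds the RFC 8484 DoH query a client would send, shows both the GET and POST encodings, and parses a response that is constructed inline for offline use. The resolver URL doh.corp.example is an assumed placeholder, not a real service. Because the resolver terminates the HTTPS session, it decodes exactly the same wire-format message the client built, which is why it still sees the queried name and the client's address.

```python
"""Minimal DNS-over-HTTPS (RFC 8484) message handling, run offline.

Added example, not from the NSA guidance or the article. Builds the
wire-format DNS query a DoH client sends, wraps it as an RFC 8484 GET
URL or POST body, and parses a constructed (not captured) response.
"""
import base64
import struct

# Assumed enterprise resolver endpoint; placeholder, not a real service.
ENTERPRISE_DOH_URL = "https://doh.corp.example/dns-query"

TYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    """Wire-format DNS query. RFC 8484 recommends ID 0 for DoH so that
    identical queries produce identical messages and can be HTTP-cached."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD bit set
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(query: bytes, base: str = ENTERPRISE_DOH_URL) -> str:
    """RFC 8484 GET form: unpadded base64url in the 'dns' parameter."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base}?dns={dns}"


def doh_post_request(query: bytes, base: str = ENTERPRISE_DOH_URL) -> dict:
    """RFC 8484 POST form: raw message with application/dns-message."""
    return {"method": "POST", "url": base,
            "headers": {"Content-Type": "application/dns-message",
                        "Accept": "application/dns-message"},
            "body": query}


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    for _ in range(128):  # guard against pointer loops
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("name too long or pointer loop")
    return ".".join(labels), (end if end is not None else off)


def parse_message(msg: bytes) -> dict:
    """Parse header, question and A-record answers. Works on a query too
    (zero answers), which is what the resolver sees after TLS is stripped."""
    ident, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    off += 4  # QTYPE, QCLASS
    answers = []
    for _ in range(an):
        rname, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((rname, ttl, ".".join(str(b) for b in rdata)))
    return {"id": ident, "rcode": flags & 0xF, "qname": qname, "answers": answers}


def constructed_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed sample answer (not captured traffic) for offline use."""
    hdr = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR, RD, RA
    question = query[12:]
    rr = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, ttl, 4)  # name -> offset 12
    return hdr + question + rr + bytes(int(x) for x in ip.split("."))


if __name__ == "__main__":
    q = build_query("intranet.corp.example")
    print(doh_get_url(q))
    print("resolver sees:", parse_message(q)["qname"])
    print(parse_message(constructed_response(q, "10.0.0.5")))
```

The same message bytes go into either the GET URL or the POST body; only the HTTPS layer protects them on the wire, and parse_message on the raw query shows what the resolver, and anyone it forwards to, can read.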