FloCon 2022 has ended
Tuesday, January 11 • 11:30am - 12:00pm
Quantifying the Impact of Encrypted DNS for Network Defenders

DNS-layer security is often used by incident response teams to enforce policy and gain visibility. Privacy enhancing protocols, such as DNS-over-HTTPS (DoH) and DNS-over-QUIC (DoQ), encrypt DNS requests and responses, increasing the user’s privacy at the expense of traditional security functions. In this presentation, we examine the prevalence and impact of encrypted DNS in a modern enterprise environment, which is particularly important given the role encrypted DNS plays in other privacy enhancing protocols such as Encrypted Client Hello (ECH) and Multiplexed Application Substrate over QUIC Encryption (MASQUE). With this analysis, we show that while a few major encrypted DNS providers dominate, there exists a long tail of less popular encrypted DNS servers with several new servers coming online weekly. Our dataset includes network and endpoint information from enterprises and malware sandboxes. The presentation highlights how unsanctioned DoH and DoQ can evade traditional DNS policy enforcement. Furthermore, we examine the set of client processes, including malware, that use these evasion techniques. Finally, we present a methodology and open-source tools to identify encrypted DNS servers given passively collected network data, Internet-wide scan data, and targeted scans.

Attendees Will Learn:
In this talk, the audience will learn about the mechanics of encrypted DNS, the visibility challenges introduced by encrypted DNS, the effectiveness of DNS-layer security, and how to leverage a big data system to systematically identify and track encrypted DNS servers using multiple data sources.

Blake Anderson

Senior Technical Leader, Cisco
Blake Anderson currently works as a Senior Technical Leader in Cisco’s Cloud and Network Security Group. Since starting at Cisco in early 2015, he has participated in and led projects aimed at encrypted network traffic analysis, which has resulted in open source projects, academic...

Tuesday January 11, 2022 11:30am - 12:00pm EST