DNS Sniffing might soon be ineffective due to new traffic encryption
With over 46,000 new phishing sites created every day, phishing continues to be one of the greatest threats facing mobile devices. Our phones are quickly becoming our most important means of communication and entertainment, and as the technology has advanced, so too have the sophistication and frequency of phishing attacks. Taking advantage of the many channels available on mobile, phishing campaigns reach users through email, SMS, social media and apps. With a fake login page, attackers easily fool users into revealing personal information, including usernames, passwords and bank details.
In response to this rising threat, many security vendors have developed anti-phishing software for mobile. One of the most common methods they use is ‘DNS sniffing’: inspecting the device’s plain-text DNS queries in order to detect and block access to phishing sites. However, this method is about to break. Google and Mozilla have announced that they will introduce DNS over HTTPS, which carries DNS queries inside encrypted HTTPS connections. What does this mean for anti-phishing solutions?
What is DNS and DNS ‘sniffing’?
DNS (Domain Name System) is the internet’s system for converting human-readable domain names into the numeric IP addresses that computers use to identify each other on a network. Imagine that someone types a web address such as www.example.com into a browser. DNS servers return the IP address for that hostname, for example 192.0.2.1 (an address reserved for documentation), and the browser can then connect to the website. This lets users browse the internet without remembering long strings of numbers.
Typically, DNS queries are sent over UDP (or TCP) port 53 with no encryption, meaning that the name being looked up is visible in plain text to anyone on the network path. This enables ‘DNS sniffing’: parties such as internet service providers (ISPs), security solution providers and governments can capture, analyze and monitor the requests sent and the sites visited by users. This is used to analyze network usage, troubleshoot issues and enforce content restrictions. However, it has caused concern over the safety and privacy of user data: because the queries are plain text and so easy to capture, data gathered from DNS traffic can easily be abused or become dangerous in the wrong hands. This concern is one of the main motivations behind DNS over HTTPS.
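To make concrete what a port-53 sniffer actually sees, here is an added example (not from the original article, and not any vendor’s product code) that parses the header and question section of a raw DNS message and matches the queried name against a blocklist. The two packets and the blocklist entry are constructed for the example; the name-decoding routine also follows RFC 1035 compression pointers so it works on responses, not just queries.

```python
import struct

# Constructed sample packets (not captured traffic): the UDP payload of a
# query for www.example.com, and one for a hypothetical lookalike domain.
SAMPLE_QUERY = (
    b"\x12\x34"                          # transaction ID
    b"\x01\x00"                          # flags: standard query, recursion desired
    b"\x00\x01\x00\x00\x00\x00\x00\x00"  # QDCOUNT=1, AN/NS/ARCOUNT=0
    b"\x03www\x07example\x03com\x00"     # QNAME as length-prefixed labels
    b"\x00\x01\x00\x01"                  # QTYPE=A, QCLASS=IN
)
PHISH_QUERY = (
    b"\xab\xcd\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    b"\x14login-secure-example\x04test\x00"
    b"\x00\x01\x00\x01"
)

# Hypothetical blocklist entry, used only to illustrate the matching step.
BLOCKLIST = {"login-secure-example.test"}

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA", 65: "HTTPS"}


def read_name(msg, offset):
    """Decode a wire-format DNS name at offset; return (name, offset after it).

    Handles RFC 1035 compression pointers (top two bits 11) so the same
    routine works on responses, where names usually point back into the question."""
    labels = []
    end = None          # set once the first pointer is followed
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            if end is None:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_questions(msg):
    """Parse the header and question section of a DNS message.

    Returns the transaction ID, whether the message is a response, and the
    (name, qtype, qclass) tuples exactly as an on-path sniffer sees them."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, QTYPES.get(qtype, str(qtype)), qclass))
    return {"id": txid, "is_response": bool(flags & 0x8000), "questions": questions}


def flagged_names(payload, blocklist=BLOCKLIST):
    """Return queried names that match the blocklist (exact or subdomain match)."""
    hits = []
    for name, _qtype, _qclass in parse_questions(payload)["questions"]:
        lname = name.lower()
        if lname in blocklist or any(lname.endswith("." + b) for b in blocklist):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for pkt in (SAMPLE_QUERY, PHISH_QUERY):
        print(parse_questions(pkt), "->", flagged_names(pkt) or "allowed")
```

Everything the blocking decision needs is in the first few dozen bytes of an unencrypted datagram, which is exactly why the technique is cheap for ISPs and security vendors and exactly what DoH removes from the network path.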
What is DNS over HTTPS?
DNS over HTTPS (DoH, standardised as RFC 8484) operates similarly to regular DNS: the query is the same wire-format DNS message. However, rather than travelling in plain text on port 53, it is sent to a DoH-compatible resolver inside an encrypted HTTPS connection, so DNS queries are hidden among regular HTTPS traffic. Third-party observers on the network path are then unable to sniff the traffic and see which names users have looked up (the DoH resolver itself, of course, still sees every query). DoH also works at app level: mobile apps can embed their own list of DoH-compatible resolvers and send queries to them directly. This lets app requests bypass the default DNS settings at OS level and avoid local ISPs’ traffic filters and content blocks.
Because of this encryption and the reduction of restrictions, many have hailed DoH as beneficial for user privacy and security. Man-in-the-middle (MITM) attacks often exploit the insecure nature of DNS via DNS spoofing, DNS hijacking or DNS poisoning, which allow attackers to redirect web page requests and return spoofed sites that appear legitimate. By putting DNS in an HTTPS-encrypted channel, eavesdropping on DNS queries and tampering with them in transit become much more difficult. Note that DoH only protects the path between the device and the resolver: it does not verify that the answers themselves are genuine (that is DNSSEC’s job), and it offers no protection if the resolver the device is configured to use is itself malicious.
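As an added example (not from the article, and not from any browser’s or vendor’s code), this builds the same wire-format DNS query and wraps it in the two request forms RFC 8484 defines. The resolver URL https://dns.example/dns-query is a placeholder; the base64url string produced for www.example.com matches the worked example in RFC 8484 section 4.1.1. The last function shows what is left for an on-path observer: the resolver’s hostname and port, never the name being resolved.

```python
import base64
import struct
from urllib.parse import urlsplit


def encode_name(name):
    """Encode a hostname as DNS wire-format labels (RFC 1035)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0):
    """Build a minimal DNS query message. RFC 8484 recommends ID 0 for DoH so
    that identical queries yield identical URLs, which HTTP caches can serve."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get(name, resolver="https://dns.example/dns-query", qtype=1):
    """RFC 8484 GET form: base64url of the wire query, padding stripped, in ?dns=.
    The resolver URL is a placeholder, not a real service."""
    token = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={token}", {"Accept": "application/dns-message"}


def doh_post(name, resolver="https://dns.example/dns-query", qtype=1):
    """RFC 8484 POST form: the raw wire query is the request body."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return resolver, headers, build_query(name, qtype)


def doh_token_to_wire(token):
    """Resolver side of the GET form: restore base64 padding and decode."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def visible_on_path(url):
    """What a network observer learns from a DoH request: only the resolver's
    hostname (from the TLS handshake) and port. The ?dns= query is inside TLS."""
    parts = urlsplit(url)
    return parts.hostname, parts.port or 443


if __name__ == "__main__":
    url, headers = doh_get("www.example.com")
    print(url)
    print("visible to a sniffer:", visible_on_path(url))
```

Because the message format is unchanged, a resolver can hand the decoded bytes to exactly the same parsing code it uses for port 53; only the transport, and therefore who can read it, differs.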
Protests to the changes
However, not everyone is happy with the proposed changes. After it was announced that Google would move DNS requests in Chrome (on desktop and on Android) to DoH and that Mozilla would do the same with Firefox, there was an outcry from many cyber security and internet service providers. The trade association for ISPs in the UK even nominated Mozilla for its ‘Internet Villain’ of the year award following the announcement of Mozilla’s plans to support the DoH protocol in Firefox. UK law requires ISPs to block certain types of website, such as those hosting copyright-infringing or trademark-infringing content. Others choose to block further ‘sketchy’ or ‘unsavory’ content such as extremist material, adult images or child abuse imagery. ISPs argue that DoH will seriously complicate their ability to filter traffic for these government-mandated ‘bad sites’.
Internet security providers have also protested, claiming that encrypting DNS traffic will prevent them from sniffing for malicious websites. They argue that losing this ability will reduce data security for customers, since attackers love to hide in encrypted traffic, as seen in the recent Magecart attacks, and that an oversight of this kind played a part in last year’s major British Airways and Marriott data breaches.
Despite the protests, it seems that DoH will go ahead in two of the world’s biggest and most popular web browsers, Google Chrome and Mozilla Firefox. Similarly, in the most recent Android release (Android 9), Google added a Private DNS setting that encrypts the platform’s DNS queries using DNS over TLS (DoT), a sibling protocol to DoH with the same effect on sniffing, bringing encrypted DNS to the world’s most popular mobile platform. Both companies acknowledge that content filtering and implementing blocks may become more complicated and perhaps more expensive. However, they are backing a tool that brings privacy improvements to millions at the expense of a few vendors.
What does this mean for users and anti-phishing protection?
So what does this mean for users? Most anti-phishing solutions currently rely on DNS sniffing to monitor user traffic and block access to suspicious or malicious sites. With the introduction of DoH, those solutions lose the plain-text queries they depend on and, unless they have another source of visibility, become useless. Bear in mind that encrypting the lookup does not change which server the device then connects to, so protection that inspects the connections themselves rather than the name lookup is unaffected. If you have a security solution, ask your supplier how they intend to address this issue. If you are looking into an anti-phishing solution, ask vendors about encrypted DNS traffic and how it will affect their mobile phishing protection.
Fortunately, Corrata has never relied solely on examining unencrypted DNS traffic to identify malicious activity. From its first release, Corrata Security and Control has implemented comprehensive inspection of all IP traffic. Corrata’s SafePathML technology provides the highest level of visibility and protection on mobile. Doing this required the Corrata engineering team to solve a wide range of technically challenging issues, and it led Corrata to create the first enterprise-grade firewall for mobile. Corrata’s robust solution future-proofs our customers against changes such as DNS over HTTPS, and the investment is now paying off in terms of comprehensive protection for end users.
To find out more about how Corrata’s advanced mobile security can protect your mobile devices from phishing and other mobile threats, visit corrata.com or email email@example.com.
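The article does not describe how Corrata’s traffic inspection works, so the following is an added illustration rather than Corrata’s code: one signal that inspecting the connections themselves still has after DNS is encrypted. When a browser opens an HTTPS connection to a site, the TLS ClientHello carries the target hostname in clear in the Server Name Indication (SNI) extension so the server can choose a certificate, and an on-device inspector can read it before any DNS-independent block decision. The ClientHello builder exists only to construct a test vector (real ClientHellos carry many more extensions); the hostname is hypothetical. One caveat: the Encrypted Client Hello extension being standardised in the IETF would hide this field too, so it is a point-in-time signal, not a permanent one.

```python
import struct

HOSTNAME_TYPE = 0  # server_name extension NameType host_name


def build_client_hello(hostname):
    """Constructed minimal TLS 1.3-style ClientHello record carrying an SNI
    extension. Test vector only; not captured from a real client."""
    host = hostname.encode("ascii")
    entry = bytes([HOSTNAME_TYPE]) + struct.pack("!H", len(host)) + host
    sni_ext = struct.pack("!HH", 0x0000, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    versions_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"   # supported_versions: TLS 1.3
    exts = versions_ext + sni_ext      # SNI deliberately not first: the parser must walk the list
    body = (
        b"\x03\x03"                    # legacy_version
        + bytes(32)                    # random (zeros in this constructed sample)
        + b"\x00"                      # empty legacy_session_id
        + b"\x00\x02\x13\x01"          # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                  # legacy_compression_methods: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data):
    """Return the host_name from a TLS ClientHello record, or None if the bytes
    are not a complete ClientHello or carry no SNI extension."""
    try:
        if data[0] != 0x16:                                  # not a handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        rec = data[5:5 + rec_len]
        if len(rec) < rec_len or rec[0] != 0x01:             # truncated, or not ClientHello
            return None
        hs_len = int.from_bytes(rec[1:4], "big")
        hs = rec[4:4 + hs_len]
        if len(hs) < hs_len:
            return None
        pos = 2 + 32                                         # skip legacy_version and random
        pos += 1 + hs[pos]                                   # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher suites
        pos += 1 + hs[pos]                                   # compression methods
        if pos + 2 > len(hs):
            return None                                      # no extensions block at all
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            ext = hs[pos:pos + ext_len]
            pos += ext_len
            if ext_type != 0x0000:
                continue
            lpos = 2                                         # skip server_name_list length
            while lpos + 3 <= len(ext):
                ntype = ext[lpos]
                nlen = struct.unpack("!H", ext[lpos + 1:lpos + 3])[0]
                name = ext[lpos + 3:lpos + 3 + nlen]
                lpos += 3 + nlen
                if ntype == HOSTNAME_TYPE and len(name) == nlen:
                    return name.decode("ascii", "replace")
        return None
    except (IndexError, struct.error):
        return None                                          # malformed or truncated input


if __name__ == "__main__":
    hello = build_client_hello("login-secure-example.test")   # hypothetical phishing host
    print("SNI seen on the wire:", extract_sni(hello))
```

The extracted name can be matched against the same blocklists that a DNS sniffer would use; the difference is that this check sits on the connection the device actually makes, so it does not care whether the preceding lookup went over port 53, DoH or DoT.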