OpenText is finalizing an addition to its Webroot DNS Protection solution that will stop potentially dangerous DNS requests from “leaking” outside the system’s control.
Called DNS Leak Prevention, the patent pending technology will be included at no extra cost in the next Webroot DNS Protection update, which is tentatively set to arrive in the third quarter of the year. OpenText is discussing the new feature publicly for the first time this week at the RSA Conference in San Francisco.
“It’s not vaporware,” said Jonathan Barnett, a senior product manager at OpenText, in a conversation with ChannelPro today. “It’s really, really close.”
Introduced in 1983, DNS is one of the most crucial components of the underlying infrastructure that makes the internet work, responsible for translating domain names into the IP addresses that the Internet Protocol uses to route information.
“It’s really kind of fundamental to everything we do,” Barnett says.
Its inventors, however, never anticipated the ways that sophisticated threat actors might someday exploit DNS’s vulnerabilities. “It’s 39,” Barnett observes. “It’s due for a midlife crisis.”
Today, attackers often capitalize on weaknesses in DNS to exfiltrate data and send instructions to malware. “There’s a recent Log4j exploit that actually used DNS as a method of phoning home from a command and control perspective,” Barnett notes.
DNS filtering products like Webroot DNS Protection guard against such risks. Indeed, layering DNS filtering on top of endpoint protection reduces malware encounters by 36.1%, according to recent OpenText research.
Enforcing DNS filtering has grown difficult, however, in part because entirely legitimate applications increasingly use DNS over HTTPS (DoH) and DNS over TLS (DoT), which encrypt DNS requests so that attackers cannot view or tamper with them. Webroot DNS Protection itself has used DoH to safeguard requests for the last two years.
Other applications that encrypt DNS requests, however, often route DoH traffic to providers outside the control of DNS filtering solutions. That includes legitimate ones like the Firefox browser, which has enabled DoH by default upon installation since early 2020. The result is that businesses are left blind to some of what’s happening on their endpoints.
“We’re losing the ability to inspect DNS requests,” Barnett says.
Concerned both by the potential abuses of DNS and by the issues associated with encrypted DNS, the NSA now advises organizations to deploy DNS filtering software and then block DoH requests that employ any other route to resolution.
“While DoH can help protect the privacy of DNS requests and the integrity of responses, enterprises that use DoH will lose some of the control needed to govern DNS usage within their networks unless they allow only their chosen DoH resolver to be used,” said the agency in a document posted last January.
According to Barnett, following that advice is easier said than done. “Even larger enterprises are going to be really challenged by that,” he says. “It’s not an easy thing.”
OpenText’s forthcoming technology is designed to simplify DNS leak prevention by shutting down the routes that DNS requests use to evade DNS filtering services: port 53, the standard port for DNS; port 853, the standard port for DoT; and DoH-related traffic on port 443, the standard port for HTTPS.
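The NSA guidance and the three routes listed above amount to a simple policy: DNS may only reach the organization's chosen resolver, and anything else on ports 53, 853, or DoH on 443 is a leak. The following is an added illustration of that policy as a flow classifier, not OpenText's or Webroot's code; the resolver addresses, hostnames and log lines are all constructed, and the catch is that DoH on 443 can only be told apart from ordinary HTTPS by the TLS server name (SNI) or a known resolver address.

```python
# Added example (not OpenText's code): classify outbound flows against a
# "one sanctioned resolver" policy using the routes named in the article:
# port 53 (plain DNS), port 853 (DoT) and DoH inside HTTPS on port 443.
from dataclasses import dataclass

# Constructed policy values (TEST-NET addresses and hypothetical hostnames).
SANCTIONED_RESOLVER_IPS = {"203.0.113.53"}
SANCTIONED_DOH_HOSTS = {"doh.corp-filter.example"}
# Constructed list of public DoH endpoints the policy wants to catch on 443.
KNOWN_DOH_HOSTS = {"doh.public-resolver.example", "dns.other-provider.example"}

@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    sni: str = ""   # TLS server name; empty when the flow is not TLS

def classify(flow: Flow) -> str:
    """Return 'sanctioned', 'leak:dns53', 'leak:dot853', 'leak:doh443' or 'allow'."""
    if flow.dst_port == 53:
        return "sanctioned" if flow.dst_ip in SANCTIONED_RESOLVER_IPS else "leak:dns53"
    if flow.dst_port == 853:
        return "sanctioned" if flow.dst_ip in SANCTIONED_RESOLVER_IPS else "leak:dot853"
    if flow.dst_port == 443 and flow.proto == "tcp":
        # DoH is indistinguishable from web traffic except by its server name.
        if flow.sni in SANCTIONED_DOH_HOSTS:
            return "sanctioned"
        if flow.sni in KNOWN_DOH_HOSTS:
            return "leak:doh443"
    return "allow"

def parse_line(line: str) -> Flow:
    """Parse a constructed 'dst_ip dst_port proto [sni]' flow-log line."""
    parts = line.split()
    return Flow(parts[0], int(parts[1]), parts[2], parts[3] if len(parts) > 3 else "")

def leak_report(lines):
    """Count how many flows received each verdict."""
    report = {}
    for line in lines:
        verdict = classify(parse_line(line))
        report[verdict] = report.get(verdict, 0) + 1
    return report

SAMPLE_LOG = [  # constructed flow records
    "203.0.113.53 53 udp",
    "198.51.100.7 53 udp",
    "198.51.100.7 853 tcp",
    "192.0.2.10 443 tcp doh.public-resolver.example",
    "192.0.2.20 443 tcp www.example.com",
    "192.0.2.30 443 tcp doh.corp-filter.example",
]
```

Unknown DoH endpoints, or clients that hide the server name, will fall through to `allow`, which is why a product enforcing this on the endpoint has an advantage over a network-only check.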