DoT and DoH Innovations in DNS Security

Christian Clasen – Technical Marketing Engineer @xianclasen


BRKSEC-3500 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

About me (Literally who?)

Professional
• Content Security TME
• Previously: MSP Technical Lead, TAC engineer, Sysadmin / Netadmin

Personal
• Father of three, husband of one
• Musician, fisherman, beer drinker
• Raleigh, NC USA

Agenda
• DNS Overview
• Vulnerabilities and Abuses
• DNSSEC / DNSCrypt
• DNS over TLS (DoT)
• DNS over HTTPS (DoH)
• Detection and Control
• Conclusion

DNS Overview

HOSTS table
• Started in 1974
• Maintained by the Network Information Center (NIC)
• Entries added manually (by phone)
• Required manual lookup
• Error prone

“…operational nightmare.” -Craig Partridge

DNS
• Created by Paul Mockapetris
• RFC 882/883 (1034/1035)
• Hierarchical
• Decentralized
• Preserved IP addressing

The first Top Level Domains (TLDs) – RFC 920

General use (gTLD): .COM  .ORG  .EDU  .MIL  .GOV

Country Code (ccTLD): .ES  .NL  {…}

Now over 1,000 TLDs.

Root
 ├─ TLD: .COM, .ORG, .EDU, .NINJA
 ├─ DOMAIN: cisco.com, openssl.org, iana.org, unc.edu, ncsu.edu
 └─ SUBDOMAIN: www.cisco.com, www.iana.org, data.iana.org, tools.iana.org, www.ncsu.edu

Recursive Query / Iterative Query

The stub resolver sends one recursive query for www.cisco.com. to the recursive resolver; the recursive resolver then iterates down the hierarchy, sending the full name at every hop:

1. Stub → Recursive resolver: www.cisco.com.
2. Recursive resolver → Root: www.cisco.com. (referral to .COM)
3. Recursive resolver → TLD (.COM): www.cisco.com. (referral to cisco.com)
4. Recursive resolver → DOMAIN (cisco.com): www.cisco.com.
5. Answer returned to the stub: 173.37.145.84

QNAME minimisation (RFC 7816)

With QNAME minimisation the recursive resolver sends each server only as much of the name as that server needs, so the root and TLD servers never see the full query:

1. Recursive resolver → Root: com.
2. Recursive resolver → TLD (.COM): cisco.com.
3. Recursive resolver → DOMAIN (cisco.com): www.cisco.com.
4. Answer: 173.37.145.84

https://labs.ripe.net/Members/wouter_de_vries/make-dns-a-bit-more-private-with-qname-minimisation

Test whether your resolver does it:

$ dig +short txt qnamemintest.internet.nl
a.b.qnamemin-test.internet.nl.
"HOORAY - QNAME minimisation is enabled on your resolver :)!"
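The two walks above, simulated side by side so the privacy difference is visible in data rather than in a diagram. This is an added example, not code from the slides: the delegation tree (Root → .COM → cisco.com) is a constructed stand-in for the real servers, and the only value taken from the slides is the answer 173.37.145.84 for www.cisco.com. The trace returned by resolve() records exactly which name each authoritative server got to see.

```python
"""Iterative resolution with and without QNAME minimisation (RFC 7816).

Added example, not code from the slides. The delegation tree is a constructed
stand-in for Root -> .COM -> cisco.com; the only real datum is the answer
173.37.145.84 that the slides show for www.cisco.com.
"""

# Constructed authoritative data: for each zone, the child zones it delegates
# and the records it can answer itself. Only the referral structure matters.
ZONES = {
    ".": {"delegations": {"com."}, "records": {}},
    "com.": {"delegations": {"cisco.com."}, "records": {}},
    "cisco.com.": {"delegations": set(),
                   "records": {"www.cisco.com.": "173.37.145.84"}},
}


def labels(name):
    """'www.cisco.com.' -> ['www', 'cisco', 'com']; the root '.' -> []."""
    return [lbl for lbl in name.rstrip(".").split(".") if lbl]


def closest_delegation(zone, name):
    """Child zone of `zone` that `name` falls under (longest match), or None."""
    best = None
    for child in ZONES[zone]["delegations"]:
        if name == child or name.endswith("." + child):
            if best is None or len(child) > len(best):
                best = child
    return best


def resolve(qname, minimise):
    """Walk the delegation chain the way the slides' recursive resolver does.

    Returns (answer, trace). trace is a list of (zone_asked, qname_sent), i.e.
    exactly what each authoritative server got to see of the client's question.
    """
    zone, extra, trace = ".", 1, []
    while True:
        if minimise:
            # Reveal only one more label than the zone we are talking to,
            # e.g. ask the root for 'com.' and the .COM servers for 'cisco.com.'.
            sent = ".".join(labels(qname)[-(len(labels(zone)) + extra):]) + "."
        else:
            sent = qname                     # classic behaviour: full name every hop
        trace.append((zone, sent))
        if sent in ZONES[zone]["records"]:
            return ZONES[zone]["records"][sent], trace
        child = closest_delegation(zone, sent)
        if child is not None:                # referral: move one zone down
            zone, extra = child, 1
        elif sent != qname:                  # no referral yet: reveal one more label
            extra += 1
        else:                                # nobody knows it
            return None, trace


if __name__ == "__main__":
    for minimise in (False, True):
        answer, trace = resolve("www.cisco.com.", minimise)
        print("QNAME minimisation:", minimise, "->", answer)
        for zone, sent in trace:
            print(f"  asked {zone:12} for {sent}")
```

Run it and compare the two traces: without minimisation the root and .COM servers both learn www.cisco.com.; with it they learn only com. and cisco.com. respectively, which is the whole point of RFC 7816.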

DNS the old way

Each ISP ran its own recursive resolver (ISP 1, ISP 2, ISP 3), and each of them walked Root → TLD (.COM) → DOMAIN (cisco.com) on behalf of its own customers.

The move to centralized DNS

One public resolver answers for everyone: Public Resolver → Root → TLD (.COM) → DOMAIN (cisco.com).

Customer edge DNS forwarder

Stub resolver → DNS forwarder at the customer edge → Public Resolver → Root / TLD (.COM) / DOMAIN (cisco.com). The forwarder also holds a local copy of the cisco.com zone for internal hosts:

Zone: cisco.com
Host   Type  Data
@      A     192.168.0.100
@      NS    dc.local.lan
@      SOA   dc.local.lan
srv1   A     192.168.0.101
srv2   A     192.168.0.102

Vulnerabilities and Abuses

Classes of DNS attacks

Cache Poisoning
• Query ID guessing
• Mitigated in 2008
• Still possible but unlikely

Spoofing / Hijacking
• Very easy to do
• Difficult to detect
• ISPs regularly hijack DNS

Denial of Service
• Amplification attacks
• UDP makes this possible
• Small query, big reply

Snooping
• Plain-text queries and replies
• Privacy concern
• ISPs regularly snoop DNS

Last mile DNS attack ecosystem

A client on public WiFi looking up mybank.ninja (and the ad it loads) passes through several points where DNS can be interfered with:
• Public WiFi: local spoofing
• Router: DNS hijack
• ISP: ad injection, data collection, censorship
• Public Resolver: cache poisoning, data collection

What is at stake: Privacy, Integrity, Authenticity

DNSSEC and DNSCrypt

DNSSEC basics

New record types for crypto operations:
• RRSIG: Crypto Signature
• DNSKEY: Public Key
• DS: Hash of Public Key
• NSEC/NSEC3: Denial-of-Existence
• CDNSKEY/CDS: Updates to parent zones

Chain of trust: Root → TLD → DOMAIN. In each zone the Key Signing Key signs the Zone Signing Key, and the Zone Signing Key signs the zone's RRsets; the parent publishes a DS record (hash of the child's key) to link the levels.
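What "DS: Hash of Public Key" means in bytes, as an added example rather than code from the slides. It builds a DNSKEY RDATA, computes the RFC 4034 key tag that RRSIG and DS records use to point at a key, derives the SHA-256 DS digest a parent zone would publish, and then performs the check a validating resolver does when it links a child's DNSKEY to the parent's DS. The owner name cisco.com. is from the slides; the public-key bytes are a constructed placeholder, not a real key, so the digest value is only meaningful relative to itself.

```python
"""DNSSEC: a DS record is a hash of the child's DNSKEY (RFC 4034 section 5.1.4),
and the key tag (RFC 4034 Appendix B) is how RRSIG and DS records point at a
DNSKEY. Added example, not from the slides; the public key bytes are a
constructed placeholder, only the record-building arithmetic is real.
"""
import hashlib
import struct

FLAGS_ZSK, FLAGS_KSK = 256, 257     # bit 7 = zone key, bit 15 = SEP (KSK)
PROTOCOL_DNSSEC = 3                 # always 3 for DNSSEC keys
ALG_RSASHA256 = 8
DS_DIGEST_SHA256 = 2


def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name, e.g. 'cisco.com.'."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA = Flags(2) | Protocol(1) | Algorithm(1) | Public Key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except 1, RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha256(owner, rdata):
    """DS digest type 2 = SHA-256(owner name in wire form | DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def make_ds(owner, flags, protocol, algorithm, public_key):
    """The DS record fields a parent zone publishes for this child DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return {"owner": owner, "key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": DS_DIGEST_SHA256, "digest": ds_digest_sha256(owner, rdata)}


def ds_matches(ds, owner, flags, protocol, algorithm, public_key):
    """What a validating resolver does: recompute the DS from the DNSKEY it
    fetched from the child and compare it with the (signed) DS from the parent."""
    candidate = make_ds(owner, flags, protocol, algorithm, public_key)
    return candidate["key_tag"] == ds["key_tag"] and candidate["digest"] == ds["digest"]


if __name__ == "__main__":
    placeholder_key = b"\x01\x02\x03\x04"      # constructed, not a real RSA key
    ds = make_ds("cisco.com.", FLAGS_KSK, PROTOCOL_DNSSEC, ALG_RSASHA256, placeholder_key)
    print(f"cisco.com. IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
    print("chain links:", ds_matches(ds, "cisco.com.", FLAGS_KSK, PROTOCOL_DNSSEC,
                                     ALG_RSASHA256, placeholder_key))
```

Note that the owner name is lowercased before hashing: DS digests are computed over the canonical form, so cisco.com. and CISCO.COM. produce the same DS, while changing a single key byte changes both the digest and (usually) the key tag, which is exactly why a tampered or rolled key breaks the chain until the parent's DS is updated.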

Early DNSSEC development – IETF Meeting in Houston, TX, 1993
• Data disclosure considered out of scope at the outset
• Backwards compatibility was an explicit requirement
• The DNS threat model was not specified in detail
• The resulting requirements were:
  • Data Integrity
  • Data origin authentication
• Root zone wasn’t signed until 2010

Trivia: What web browser was released in 1993 and was the first to show inline images with text?

DNSSEC weaknesses

Complexity
• Small config errors cause failure
• PKI and crypto knowledge
• Key rotation (Oct 2018)

Hierarchical
• Problems roll downhill
• Central point of failure

Denial of Service
• Responses are much larger
• Better for amplification

Privacy and Enumeration
• Doesn’t address snooping
• NSEC creates new vuln

Privacy / Integrity / Authenticity: DNSSEC delivers integrity and authenticity, not privacy.

DNSCrypt
• OpenDNS announced the first public resolver in 2011
• DNS requests/responses are unchanged
• Runs on UDP or TCP 443
• Pads packets to hide length
• Mitigates amplification attacks …?

Privacy / Integrity / Authenticity

Drawbacks:
• Not a proposed IETF standard
• Fragmented implementations
• Always a third-party application
• No native OS support
• Complexity of deployment

DNS over TLS (DoT)

DNS over TLS (DoT) overview

Stack: several DNS messages carried inside one TLS session.

• Proposed IETF standard (RFC 7858)
• Defines a well-known port (TCP 853)
• Focuses on client-to-recursive server communication (stub resolvers)
• Connection re-use is encouraged
• TCP Fast-Open and TLS session resumption are encouraged

TLS provides: Privacy, Integrity, Authenticity

The TLS handshake (v1.2)

Client → Server: ClientHello (SNI: cisco.com)
Server → Client: ServerHello, Certificate
Client → Server: ClientKeyShare
Client → Server: Finished
Server → Client: Finished
DATA

The TLS handshake (v1.3)

Client → Server: ClientHello (SNI: cisco.com)
Server → Client: ServerHello
Server → Client: Finished
Client → Server: Finished
DATA

Server Name Indication (SNI)

• Sent in plain-text in the ClientHello

• Used to hint which resource is being requested

• Optional in TLSv1.2 and below

• Required in TLSv1.3

• Encrypted SNI is an experimental IETF draft (draft-ietf-tls-esni-01)
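Why "sent in plain-text in the ClientHello" matters for the detection discussion later in the deck: anything on the path can read the name before a single key is exchanged. The following is an added example, not code from the slides. It builds a minimal ClientHello carrying an SNI extension (RFC 6066 layout) and parses the server name back out the way a middlebox or flow sensor would. Assumptions: one cipher suite (0x1301, TLS_AES_128_GCM_SHA256), an all-zero client random, and SNI as the only extension; a real client sends far more, but the field order the parser walks is the same.

```python
"""Build and parse a TLS ClientHello to show that SNI is readable on the wire.

Added example, not code from the slides. Minimal hello: one cipher suite,
zero random, SNI as the only extension (RFC 6066 server_name layout).
"""
import struct

RECORD_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name=None, client_random=bytes(32)):
    """Wire bytes for a ClientHello; with server_name=None no extensions block."""
    body = (b"\x03\x03"                 # legacy_version (TLS 1.2 on the wire)
            + client_random
            + b"\x00"                   # empty legacy_session_id
            + b"\x00\x02\x13\x01"       # cipher_suites: one suite
            + b"\x01\x00")              # compression_methods: null only
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type host_name(0)
        sni_data = struct.pack("!H", len(entry)) + entry            # ServerNameList
        extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _extract_sni(record):
    if record[0] != RECORD_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                            # version + random
    pos += 1 + body[pos]                                    # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    if pos >= len(body):
        return None                                         # no extensions at all
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:                               # walk the extension list
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype != EXT_SERVER_NAME:
            continue
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= list_end:
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            if name_type == 0:                              # host_name entry
                return data[p + 3:p + 3 + name_len].decode("ascii")
            p += 3 + name_len
    return None


def extract_sni(record):
    """Server name from a ClientHello record, None if absent; ValueError if
    the record is not a complete ClientHello."""
    try:
        return _extract_sni(record)
    except (struct.error, IndexError):
        raise ValueError("truncated or malformed ClientHello") from None


if __name__ == "__main__":
    hello = build_client_hello("mozilla.cloudflare-dns.com")
    print(hello.hex())
    print("SNI seen on the wire:", extract_sni(hello))
```

The parser never touches the cipher suite or key material, which is the point: a firewall classifying DoH by server name needs nothing but this byte walk, and that is also why the deck later says DoH "can only be identified via SNI or IP address (for now)" and why encrypted SNI changes the picture.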

Two DoT privacy profiles

Opportunistic
• Analogous to SMTP opportunistic encryption
• Designed to aid in transition or for roaming clients
• Vulnerable to downgrade attack

Out-of-Band Key-pinned
• Requires TLS and does not fall back
• Requires OOB key management
• Uses Simple Public Key Management (SPKI) to pin the public key to the resolver

The middlebox problem

New reserved port means:

• Easy to detect / block

• Slower adoption

• Unpredictable on public networks

You want me to open what port?

Shimming DoT into the stack

Browser → OS DNS → DoT client (Stubby or Knot Resolver) → TCP 853 → Public Resolver

https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby
https://www.knot-resolver.cz/

DoT OS adoption

Android
• Supported in Pie
• Enabled by default
• Uses dns.google

Windows
• No native support
• Stubby or Knot-resolver

Linux
• Supported in systemd-resolved
• Add the DNSOverTLS option

Mac OSX
• No native support
• Stubby or Knot-resolver

DNS over HTTPS (DoH)

DoH overview

Stack: DNS messages carried as HTTP/2 requests and responses inside a TLS session.

• Proposed IETF standard (RFC 8484)
• Runs over HTTPS (TCP 443)
• Focuses on client-to-recursive server communication (stub resolvers)
• HTTP/2 provides reordering, parallelism, priority, and header compression for performance

TLS provides: Privacy, Integrity, Authenticity

HTTP/2
• 2.2x Faster
• Fewer Connections
• Stream prioritization
• Header compression

HTTP/1.1
Client: Please send me index.html.
Server: Here’s index.html.
Client: Please send me this image.
Server: Here’s the image.
Client: Please send me the favicon.
Server: Here’s the favicon.

HTTP/2 server push
Client: Please send me index.html.
Server: Here’s index.html…
Server: and here’s an image that’s embedded in it…
Server: and here’s the favicon too.

Query methods: GET
• GET method encodes the query in Base64url
• Better for caching

:method = GET
:scheme = https
:authority = dnsserver.example.net
:path = /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB
accept = application/dns-message

Query methods: POST
• POST method encodes the query in the message body
• Content-Type header indicates that it is a DNS query
• Use application/dns- for JSON format

:method = POST
:scheme = https
:authority = dnsserver.example.net
:path = /dns-query
accept = application/dns-message
content-type = application/dns-message
content-length = 33

<33 bytes represented by the following hex encoding>
00 00 01 00 00 01 00 00 00 00 00 00 03 77 77 77 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00 01
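The GET and POST examples above are the same 33-byte DNS message in two framings. The following is an added example, not code from the slides: it builds that wire-format query for www.example.com from scratch, produces the base64url GET path and the POST headers shown on the slides, and decodes a captured body back into the question it carries (useful when a proxy has captured a DoH POST and you want to know what was asked). dnsserver.example.net and /dns-query are the placeholder authority and path from the slides.

```python
"""DoH request framing (RFC 8484) for the www.example.com query on the slides.

Added example, not code from the slides. Byte layout follows RFC 1035
section 4.1; dnsserver.example.net and /dns-query are the slides' placeholders.
"""
import base64
import struct

TYPE_A, TYPE_AAAA, CLASS_IN = 1, 28, 1


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1-63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype=TYPE_A, msg_id=0):
    """12-byte header (RD set, one question) + question section.
    RFC 8484 recommends ID 0 so identical queries give identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_path(msg, path="/dns-query"):
    """GET variant: base64url without '=' padding in the `dns` parameter."""
    token = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{path}?dns={token}"


def decode_get_token(token):
    """Inverse of doh_get_path: restore the padding and decode."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def doh_post_request(msg, authority="dnsserver.example.net", path="/dns-query"):
    """POST variant: the message is the body. Returns (HTTP/2 headers, body)."""
    headers = {
        ":method": "POST", ":scheme": "https", ":authority": authority, ":path": path,
        "accept": "application/dns-message",
        "content-type": "application/dns-message",
        "content-length": str(len(msg)),
    }
    return headers, msg


def parse_question(msg):
    """Decode the header flags and the question from a DNS message, e.g. a DoH
    POST body captured on a proxy. Question names never use compression
    pointers, so a plain label walk is enough."""
    msg_id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, parts = 12, []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        parts.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return {"id": msg_id, "rd": bool(flags & 0x0100),
            "qname": ".".join(parts) + ".", "qtype": qtype, "qclass": qclass}


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(q.hex(" "))
    print(doh_get_path(q))
    for k, v in doh_post_request(q)[0].items():
        print(f"{k} = {v}")
    print(parse_question(decode_get_token(doh_get_path(q).split("dns=")[1])))
```

Running it reproduces the 33 hex bytes and the `dns=` token from the slides exactly, which is a good way to convince yourself that a DoH message really is an ordinary RFC 1035 packet with an HTTP envelope and nothing more.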

JSON Response

response: {
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [{ "name": "example.com.", "type": 28 }],
  "Answer": [{ "name": "example.com.", "type": 28, "TTL": 1005, "data": "2606:2800:220:1:248:1893:25c8:1946" }]
}

Hijacking the OS DNS
• The browser might use the system DNS to get the IP of the DoH resolver
• After that, system DNS is ignored during resolution

Browser → TCP 443 → Cloudflare (cloudflare-dns.com), bypassing OS DNS

Firefox implementation (https://wiki.mozilla.org/Trusted_Recursive_Resolver)
• Mozilla’s Trusted Recursive Resolver program
• Requires that the provider agree to Mozilla’s “DOH-resolver-policy”: https://wiki.mozilla.org/Security/DOH-resolver-policy
  • Requires QNAME minimisation
  • Requires accurate NXDOMAIN responses
  • Requires the Client Subnet field be stripped or encrypted
  • Describes data retention and transparency rules

Preferences:
• network.trr.bootstrapAddress – Sets the initial resolver to use to find the DoH server IP address. Blank by default (uses system resolver).
• network.trr.uri – The address of the DoH server to be used. Default is https://mozilla.cloudflare-dns.com/dns-query if DoH is enabled.
• network.trr.mode
  0 - Off (default). Use standard native resolving only (don't use TRR at all)
  1 - Reserved (used to be Race mode)
  2 - First. Use TRR first, and only if the name resolve fails use the native resolver as a fallback.
  3 - Only. Only use TRR. Never use the native resolver (this mode also requires the bootstrapAddress pref)
  4 - Reserved (used to be Shadow mode)
  5 - Off by choice. This is the same as 0 but marks it as done by choice and not done by default.

Chrome implementation (https://www.chromium.org/developers/dns-over-https)

Auto-upgrade
• Chrome has a local table which maps DoH servers to their non-DoH equivalent
• Proposal for DNS resolvers: https://docs.google.com/document/d/128i2YTV2C7T6Gr3I-81zlQ-_Lprnsp24qzy_20Z1Psw/edit
• The currently mapped providers: Cleanbrowsing, Cloudflare, Comcast, DNS.SB, Google, OpenDNS, Quad9

• Chrome announced a flag was coming in v78 (chrome://flags/#dns-over-https), then it was delayed to v79…
• May or may not be available on your installation
• Can be enabled using a command-line flag:

--enable-features="DnsOverHttps"

DoH challenges to business and privacy

Internal domains
• Currently no way to define them
• Breaks split-DNS

Bypasses system DNS
• Breaks logging
• Breaks security controls

Centralizes DNS
• Concentrates control of DNS to a handful of providers
• HTTP allows additional tracking and fingerprinting

Difficult to block
• Can only be identified via SNI or IP address (for now)
• Whack-a-mole for firewall administrators

Detection and Control

"DoH is an over the top bypass of enterprise and other private networks. But DNS is part of the control plane, and network operators must be able to monitor and filter it. Use DoT, never DoH." – Paul Vixie, 2018

DoH in malicious activity
• Many C2 proofs-of-concept are publicly available
• Godlua backdoor discovered using DoH for C2 in April 2019: https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/

Or was it?

Controlling DoT
• Block TCP 853 outbound (DoT)
• Block the known IP addresses of the DoT servers: https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Public+Resolvers#DNSPrivacyPublicResolvers-DNS-over-TLS(DoT)
• Use desktop management to prevent 3rd party app installation
• Use Umbrella and make sure it starts first?

Controlling DoH: Firefox Group Policy
• The ADMX template for Firefox allows administrators to configure or disable DNS over HTTPS.
• It does not allow for granular configuration of the network.trr settings.
• Administrative Templates > Mozilla > Firefox > Configure DNS over HTTPS

Controlling DoH: Firefox canary domain
• Firefox will attempt to resolve the domain use-application-dns.net using the system resolver
• NOERROR with a host record (A or AAAA) will result in DoH being enabled
• Configure in BIND: https://isc.sans.edu/forums/diary/Blocking+Firefox+DoH+with+Bind/25316/
• Configure in Windows:

Add-DnsServerQueryResolutionPolicy -Name "CanaryDomainPolicy" -Action DENY -FQDN "EQ, use-application-dns.net"

Controlling DoH: Firefox logging
• Configure Firefox to log all DNS queries (including DoH):

setx MOZ_LOG timestamp,rotate:200,nsHostResolver:4
setx MOZ_LOG_FILE C:\Logs\%USERNAME%-Firefox-DNS-log.txt

Controlling DoH
• Blacklist known DoH servers in your firewall by IP address: https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers
• Until they are hosted at the same IP as other services…

Umbrella DNS blocks DoH resolvers
https://support.umbrella.com/hc/en-us/articles/360001371526-Firefox-and-DNS-over-HTTPS-default
• Public DoH resolvers are categorized as Proxy/Anonymizers

Talos blocking DoH resolvers
• Categorized as Filter Avoidance (for now…)
• Security products that consume Talos intelligence will use this category: Web Security Appliance, Firepower Threat Defense

Controlling DoH: Web Security Appliance

Access log entry for a blocked DoH POST:

1580314428.694 51 192.168.10.50 TCP_DENIED_SSL/403 0 POST https://mozilla.cloudflare-dns.com:443/dns-query "CHCLASEN\cisco@AD" NONE/- - BLOCK_WEBCAT_12-DefaultGroup- ISE_AD_Auth-NONE-NONE-NONE-NONE-NONE <"IW_filt",-3.0,-,"-",-,-,-,- ,"-",-,-,-,"-",-,-,"-","-",-,-,"IW_filt",-,"-","Filter Avoidance","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"- ",-,-,"-","-",-,-,"-",-> - - 3692170 NEGOTIATE "CHCLASEN\LabUsers"
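The controls in the "Controlling DoT" and "Controlling DoH" slides all reduce to things a defender can observe: the DoT well-known port, the server name or IP a DoH client connects to on 443, and what the proxy logged. The following is an added example, not code from the slides or from Cisco, that turns those observations into detection logic. It classifies constructed flow records by port and server name, and parses the Web Security Appliance access log entry above to pull out the host, path, policy decision and Talos category. Assumptions: KNOWN_DOH_HOSTS contains only names that appear on the slides and stands in for a maintained list (the curl wiki list linked above is one source); the flow records and their 203.0.113.0/24 addresses are constructed; the WSA line is the one on the slide, including the stray spaces the slide extraction left inside its category field; the decision-tag prefixes in the regex are a partial list.

```python
"""Detecting encrypted-DNS bypass from port, server name and proxy logs.

Added example, not code from the slides or from Cisco. KNOWN_DOH_HOSTS is a
placeholder for a maintained list; the flows are constructed; the WSA line is
the one shown on the slide.
"""
import re
from urllib.parse import urlsplit

KNOWN_DOH_HOSTS = {"mozilla.cloudflare-dns.com", "cloudflare-dns.com", "dns.google"}
DOT_PORT = 853                          # RFC 7858 well-known port

# Constructed flows: (client, server_ip, server_port, sni_seen_in_clienthello)
FLOWS = [
    ("10.0.0.5", "203.0.113.10", 853, None),
    ("10.0.0.6", "203.0.113.20", 443, "mozilla.cloudflare-dns.com"),
    ("10.0.0.7", "203.0.113.30", 443, "www.cisco.com"),
]

# The access log line from the slide (verbatim, spacing as extracted).
SAMPLE_WSA_LINE = r"""
1580314428.694 51 192.168.10.50 TCP_DENIED_SSL/403 0 POST https://mozilla.cloudflare-dns.com:443/dns-query "CHCLASEN\cisco@AD" NONE/- - BLOCK_WEBCAT_12-DefaultGroup- ISE_AD_Auth-NONE-NONE-NONE-NONE-NONE <"IW_filt",-3.0,-,"-",-,-,-,- ,"-",-,-,-,"-",-,-,"-","-",-,-,"IW_filt",-,"-","Filter Avoidance","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"- ",-,-,"-","-",-,-,"-",-> - - 3692170 NEGOTIATE "CHCLASEN\LabUsers"
""".strip()

# Leading fixed fields, then the first decision tag, then the <...> category block.
WSA_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+(?P<bytes>\d+)\s+'
    r'(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"(?P<user>[^"]*)"'
    r'.*?\s(?P<acl>(?:BLOCK|ALLOW|MONITOR|DECRYPT|PASSTHRU|DEFAULT|OTHER)\S*)'   # partial prefix list
    r'.*?<(?P<cats>[^>]*)>'
)


def classify_flow(server_port, sni):
    """Return 'DoT', 'DoH' or None for one observed TCP flow."""
    if server_port == DOT_PORT:
        return "DoT"                    # port alone gives DoT away
    if server_port == 443 and sni in KNOWN_DOH_HOSTS:
        return "DoH"                    # DoH hides in 443: name or IP is all you get
    return None


def parse_wsa_line(line):
    """Pull the fields a DoH hunt needs out of a WSA access log entry."""
    m = WSA_RE.match(line)
    if not m:
        raise ValueError("unrecognised access log line")
    url = urlsplit(m["url"])
    categories = [c for c in re.findall(r'"([^"]*)"', m["cats"]) if c.strip("- ")]
    return {"timestamp": m["ts"], "client": m["client"], "result": m["result"],
            "method": m["method"], "host": url.hostname, "path": url.path,
            "user": m["user"], "acl": m["acl"], "categories": categories}


def doh_indicators(rec):
    """Reasons a parsed access-log record looks like DoH (empty list = none)."""
    reasons = []
    if rec["host"] in KNOWN_DOH_HOSTS:
        reasons.append("known DoH resolver host")
    if rec["path"] == "/dns-query":
        reasons.append("RFC 8484 style /dns-query path")
    if "Filter Avoidance" in rec["categories"]:
        reasons.append("Talos category Filter Avoidance")
    if rec["acl"].startswith("BLOCK_WEBCAT"):
        reasons.append("blocked by URL category policy")
    return reasons


if __name__ == "__main__":
    for client, ip, port, sni in FLOWS:
        print(f"{client} -> {ip}:{port} sni={sni!r}: {classify_flow(port, sni)}")
    rec = parse_wsa_line(SAMPLE_WSA_LINE)
    print(rec["client"], rec["method"], rec["host"], rec["path"], rec["result"])
    print("DoH indicators:", doh_indicators(rec))
```

The name-based checks are exactly the ones the "Difficult to block" slide warns about: they stop working the moment the resolver shares an IP with other services or the client hides the name with encrypted SNI, which is why the category verdict from the proxy (here "Filter Avoidance") is the more durable signal to alert on.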

Conclusion

DoH will probably win because…
• Combining DNS with content delivery simplifies the client behavior and architecture
• A single connection to a provider over TCP 443 makes interception and control more difficult
• HTTP/2 server push functionality could decrease DNS latency
• If we get encrypted SNI, practically all DNS security/privacy issues are solved

Takeaways
• Encrypted DNS is coming (probably in the form of DoH)
• Understand the implications for your network
• Use in combination with DNSSEC
• Block and/or monitor where relevant
• Be mindful of who your chosen resolvers are
• If you think this transition is fun…just wait for encrypted SNI and QUIC!

Migrate to DNS over…something else?
https://developers.cloudflare.com/1.1.1.1/fun-stuff/dns-over-email/

IOS and Technology Learning maps

Related sessions:
• Monday TECSEC 2355: Implementing SD-WAN Branch Security with Cisco Router
• Monday TECSEC 2005: CyberSecurity – A Cat and Mouse Game!
• Tuesday BRKSEC-2002: It's Cats vs Rats in the Attack Kill Chain!
• Tuesday BRKSEC-2010: Talos Insights: The State of Cyber Security
• Tuesday BRKSEC-2068: The Future of Security Analytics
• Wednesday BRKSEC-2011: About Garlic and Onions: Dealing with Anonymizers and Introduction into the Darknet
• Wednesday BRKSEC-2047: Behind the Perimeter: Fighting Advanced Attackers
• Thursday BRKSEC-3500: DoT and DoH: Innovations in DNS Security
• Thursday BRKSEC-3054: IOS FlexVPN Remote Access, IoT and Site-to-Site advanced Crypto VPN Designs
• Friday BRKSEC-3200: Advanced IPv6 Security Threats and Mitigation
• Friday BRKSEC-2036: Only if I Could go Back in Time and Prevent a Security Apocalypse!
• Friday BRKSEC-3005: Cryptographic Protocols and Algorithms - a review
