What Is DoH And Why Do Your Clients Need It?

It’s easier than you might think to arm your clients with the NSA-endorsed DNS over HTTPS (DoH) protection while maintaining critical visibility and filtering controls.

October 19, 2021 | Author: Khali Henderson

In the security world, DNS over HTTPS (DoH) is a relatively new kid on the block, but it’s gaining traction fast on the heels of an endorsement by the U.S. National Security Agency (NSA). DoH advisory services and DoH-compliant solutions should be in the arsenal of services your managed services provider (MSP) business offers small and medium-sized business (SMB) clients—especially when working with them to establish comprehensive cyber resilience.

What is DoH?
In simple terms, DoH is an extension to the Domain Name System (DNS) protocol that carries DNS queries and answers inside encrypted HTTPS connections between a client (a browser or operating system resolver) and a DoH-capable resolver, providing privacy and integrity for name lookups when browsing the web.
 
How Does DoH Work?
When your client—or any of us, for that matter—enters a URL into a browser window, the hostname in that URL must first be resolved to an IP address through DNS before the browser can connect. That DNS query, and the answer that comes back, pass through various parties on the way to and from the resolver that ultimately delivers the desired website.
 
According to TechRadar, the DNS process is the equivalent of looking up a telephone number (website) in a phonebook (the DNS system). That helps with relatability, but a more apt comparison for use with your clients might be to visualize sitting at the end of a full diner counter with the phonebook attached to a payphone at the other end. To get a phone number, you would pass that request through all the other diners and then receive the phone number back through that chain. In other words, you must expose your request to multiple parties and hope they are honest brokers and the number you get back is correct.
 
Since traditional DNS travels in plaintext, any party along the chain can see the exchange and, if malicious or compromised, alter it. That creates opportunities for bad actors to tamper with DNS answers and steer users to malicious destinations. DoH encrypts the queries and the answers between the client and its resolver, making it much harder for an on-path attacker to read or hijack the process; the resolver itself still sees every query, which is exactly why it matters who operates it.
 
What are the Challenges with DoH?
DoH is controversial in some quarters because it also can obscure web destinations from IT and network managers: when an application uses its own DoH resolver rather than the organization’s DNS, those lookups bypass the DNS logging and filtering the organization relies on. This limitation can be overcome by smart deployments (e.g., centralized DNS resolution at the enterprise layer instead of the user application layer) and by using DoH-compliant technology solutions.
 
Why Does the NSA Recommend DoH?
The NSA issued guidance strongly endorsing encrypted DNS as both a privacy and security measure. In its advisory, the NSA noted the benefits and risks of DoH and laid out a framework for DoH implementation that delivers encrypted DNS benefits while supporting critical visibility and control capabilities within an organization.
 
How Can You Engage SMB Customers in Conversations about DoH?
Privacy is a significant concern among your SMB clients. That makes it a good entry point for conversations about DoH and why it’s recommended by the NSA. Once you’ve opened the door to that discussion, you can further talk about the potential for bad actors to hijack their traffic for malicious purposes and frame the conversation within the context of developing cyber resilience. 
 
All in all, your aim should be a solution for your clients that allows them to maintain DNS control while gaining DoH security. Configuring a central DNS resolver that handles DNS resolution for the entire network, and pointing clients at it rather than at public DoH resolvers, delivers this balance. In the case of remote users, fielding DNS requests through DNS resolvers under your or your client’s control allows you to deliver the same protection in the modern work-from-anywhere environment.
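The following is an added example, not code from the article or from any vendor it discusses, that shows the mechanics behind both "How Does DoH Work?" and the central-resolver recommendation above. It builds a DNS query in standard wire format, wraps it in the RFC 8484 `dns=` GET parameter the way a DoH client does, and then decodes that parameter the way an organization's own DoH resolver would, so the resolver can still log which name was requested. The resolver URL `https://doh.example.internal/dns-query` is a constructed placeholder, and nothing is sent over the network.

```python
"""Added example: the RFC 8484 DoH GET encoding, seen from both ends.

Client side: a DNS query in RFC 1035 wire format is base64url-encoded into the
``dns`` parameter of an HTTPS GET.  Resolver side: the organization's central
resolver decodes that parameter and can still record which name was asked for.
The resolver URL is a constructed placeholder; nothing is sent over the network.
"""
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# Constructed placeholder for an organization's own DoH resolver (not a real host).
RESOLVER_URL = "https://doh.example.internal/dns-query"

QTYPE_NAMES = {1: "A", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}


def encode_qname(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS query: one question, recursion desired (RD) set.

    RFC 8484 recommends message ID 0 for DoH so identical queries are cacheable
    at the HTTP layer.
    """
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    question = encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def build_doh_get_url(name: str, qtype: int = 1, resolver_url: str = RESOLVER_URL) -> str:
    """Client side: place the DNS message in the 'dns' parameter (base64url, no padding)."""
    param = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={param}"


def decode_qname(msg: bytes, offset: int):
    """Decode labels starting at offset; return (name, offset past the zero byte)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a question")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_doh_get_url(url: str) -> dict:
    """Resolver side: recover the DNS question from a DoH GET URL."""
    param = parse_qs(urlsplit(url).query)["dns"][0]
    param += "=" * (-len(param) % 4)  # restore the padding the client stripped
    msg = base64.urlsafe_b64decode(param)
    msg_id, flags, qdcount, *_ = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, offset = decode_qname(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
    return {"id": msg_id, "rd": bool(flags & 0x0100),
            "name": name, "qtype": qtype, "qclass": qclass}


def resolver_log_line(url: str) -> str:
    """What a resolver under the organization's control can still log per query."""
    q = parse_doh_get_url(url)
    return f"doh-query name={q['name']} type={QTYPE_NAMES.get(q['qtype'], q['qtype'])}"


if __name__ == "__main__":
    url = build_doh_get_url("www.example.com", qtype=28)
    print(url)                      # the encrypted-in-transit request a client would send
    print(resolver_log_line(url))   # the visibility the central resolver retains
```

The point for the client conversation is visible in the two printed lines: on the wire, an observer sees only an HTTPS request to the resolver, while the resolver the organization operates still reconstructs and can log the exact question. Point endpoints at a public DoH resolver instead, and that log line is produced somewhere outside your control.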
 
SMBs can benefit from your guidance and assistance with DoH, helping them achieve the same DoH protection as larger enterprises. In fact, the ability to help clients successfully manage DoH can be a strong differentiator for your MSP. It’s easier to achieve than many realize and can bolster your reputation with clients and prospects.
