The European Union Agency for Cybersecurity (ENISA) analyzes the security advantages and disadvantages of using public DNS resolvers.
The Domain Name System (DNS) is an essential part of the Internet. Computers, web browsers and other applications all rely on DNS resolvers to translate human-readable domain names into the machine-readable IP addresses of the servers they connect to.
Traditionally, these DNS resolvers are provided by the telecommunications provider, as part of the Internet access connection. However, customers are increasingly turning away from private DNS resolvers and opting instead for large cloud-based public DNS resolvers.
What security issues are driving customers to public DNS resolvers?
Increased security and privacy are identified as key drivers for this shift to public DNS resolvers.
Public DNS resolvers generally support newer DNS protocols, such as DNS over HTTPS (DoH) and DNS over TLS (DoT), which encrypt DNS queries between the client and the resolver. Some public DNS resolvers also offer additional security and protection features, such as blocking known malicious domains.
By contrast, traditional ISP-provided resolvers often still use the classic unencrypted DNS protocol (plain UDP/TCP on port 53), so queries and responses are visible to, and can be modified by, anyone on the network path. This translates into confidentiality and integrity risks for the end user.
Content blocking by ISP resolvers and service interruptions of those resolvers are other important reasons why consumers change their configuration. A resolver outage, which typically looks to the user like the website itself being down, can prompt consumers to temporarily configure their computer to use a public DNS resolver.
Results of the security analysis
ENISA's report evaluates the evolution of the DNS resolution market towards public DNS resolution and assesses its impact on cybersecurity.
Additional encryption is an example of the tangible security benefits that are driving the change in consumer behaviour. On the other hand, security and privacy issues remain. For example, corporate network security controls such as DNS-based filtering, query logging and detection of malicious domain lookups do not always work when computers bypass the corporate resolver and send encrypted DNS queries directly to a public resolver: the controls simply never see the queries.
While encryption is an improvement in general, it is important to point out that even with encrypted DNS resolution such as DNS over HTTPS, computers still send a lot of unencrypted information over the network that can be used to track the websites they visit. Examples are the IP addresses of the websites themselves and the domain name that the Transport Layer Security (TLS) handshake carries in cleartext in its Server Name Indication (SNI) extension.
Other concerns relate to dependencies, resilience and a lack of diversification: well-established, well-known public DNS resolvers are few in number, and the most widely used ones dominate the market.
Implementation of the NIS directive
The purpose of the report is to help national authorities in EU Member States supervise this part of the DNS resolution market. Supervision of DNS falls under Article 14 of the Directive on Security of Network and Information Systems (NIS Directive). ENISA supports the NIS Cooperation Group in developing technical cybersecurity guidelines and in analysing the cybersecurity of new technologies, as in the report on DNS resolution published here.
The EU Cybersecurity Strategy, published at the end of 2020, also addresses public DNS resolution. DNS4EU is a European Commission initiative that aims to offer an alternative to the public DNS resolvers that currently dominate the market. Its goal is to implement the latest security and privacy standards and thereby ensure a high level of security for customers and end users.