In December 2011, Cisco Umbrella – then going by the name OpenDNS – became the first public DNS resolver to announce support for DNS encryption. Now, a decade later, we’re proud to announce that we’ve added support for DNS over HTTPS (DoH) directly to our core Umbrella resolvers. In addition, we’ve also added support for Discovery of Designated Resolvers (DDR). These moves allow us to provide our customers with the low-latency and high availability DNS service they expect while also enhancing their security and privacy.
In this blog, we unpack what this latest DNS over HTTPS update means for Cisco Umbrella customers and discuss how they can configure DoH in their network. For more information on the DNS security offered by Cisco Umbrella, register for our on-demand demo of Cisco Umbrella today!
Our History With DNS Encryption
More than a decade ago, we became the first public resolver to announce support for DNSCrypt: a made-for-DNS solution to securing one of the most fundamental parts of internet communication. To this day, Cisco Umbrella continues to be at the forefront of DNS encryption, using DNSCrypt in the default configurations of our endpoint clients and DNS forwarders.
While we still believe that DNSCrypt has a critical place in our infrastructure, the lack of an Internet Engineering Task Force (IETF) standard for DNSCrypt has prevented widespread adoption. Recently, developments in encrypted DNS have focused on two different encryption protocols: DNS over HTTPS (DoH) and DNS over TLS (DoT).
Using DNS over HTTPS (DoH) With Cisco Umbrella
Unlike DNSCrypt, DoH is an IETF standard for performing DNS queries over a secure, encrypted channel. While it serves a similar purpose to our long-time friend DNSCrypt, its status as an IETF standard makes DNS over HTTPS more common amongst major browsers and operating systems.
Cisco Umbrella first announced support for DoH in May 2020. At that time, we wanted to support our users looking to take advantage of browser-based DNS initiatives. To keep our ability to adapt quickly, we launched DNS over HTTPS support using a set of dedicated resolvers (‘doh.umbrella.com’ and ‘doh.opendns.com’) with their own anycast IPs (22.214.171.124 and 126.96.36.199).
Since that release, the popularity of DoH has picked up steam. Apple added support in September 2020, and Microsoft recently announced that upcoming versions of Windows will support this form of DNS encryption. We’ve seen the result of this popularity on the Cisco Umbrella network, which has prompted our team to add support for DNS over HTTPS directly to Umbrella core resolvers.
Enabling DoH on Cisco Umbrella
Because we support DNS over HTTPS with our core resolvers, Cisco Umbrella customers will continue to experience the low-latency and high availability DNS service for which Umbrella is known. In addition, users can now configure DoH for Cisco Umbrella and OpenDNS on our well-known anycast addresses:
Additionally, we’ve moved the dedicated DNS over HTTPS hostnames and IPs onto the same core resolvers. This means they will provide the same service as our well-known IPs. And since we’ll continue to support those hostnames and IPs into the future, our existing users need not make any changes.
Using DNS over TLS (DoT) With Cisco Umbrella
While adding support for DNS over HTTPS directly to our core resolvers enabled our users to take advantage of DNS encryption better, it also provides an additional benefit. We can now handle TLS connections and support DNS over TLS natively in the core resolvers. We’re thrilled to announce that, as of January 28, 2022, support for DoT is live on all Umbrella resolvers globally.
Like DoH, DoT is an IETF standard for performing DNS queries over a secure, encrypted channel. Unlike DoH, however, DoT uses a dedicated port (TCP/853) for its connections. Clients that support DoT will check if their DNS server supports DoT. If it doesn’t, clients will fall back to regular unencrypted DNS (sometimes called Do53). Thus, configuration for DoT is typically just a matter of enabling it in a supported client.
Discovery of Designated Resolvers (DDR)
With all of these new methods for DNS encryption, clients need an automated means to discover what encryption methods their chosen DNS resolver supports. Tasked with this goal, the Adaptive DNS Discovery (ADD) working group at the IETF has proposed a standard called Discovery of Designated Resolvers (DDR).
The basics of DDR are simple. When a DNS client first finds out its DNS server, it will send a DNS query for a special use domain name, ‘_dns.resolver.arpa’, using a special DNS query type (type 64, or ‘SVCB’). The DNS server will respond with the different types of encryption it supports, and any configuration information the client needs. The client can pick the kind of encryption it prefers, verify that all the information is secure, and then start encrypting DNS.
Cisco Umbrella is very proud to be the first public resolver to announce support for DDR. We developed it in close collaboration with Microsoft to ensure that encrypted resolver selection works smoothly end to end. We look forward to DDR support being added to more clients and operating systems in the future.
Our DNS over HTTPS and DNS over TLS services are now discoverable via DDR, and any supported client can start using it now.
Enhance Your DNS Security Today
Just as with our decade of support for DNSCrypt, Cisco Umbrella views encryption of DNS queries in transit as a core component of DNS security, along with the use of DNSSEC for securing the data in the queries itself. We’ve been pleased to see the industry and client begin to add direct support for DNS encryption, and we can’t wait to see standards like DoH, DoT, and DDR take off and become more widely adopted.
If you want to learn more about the DNS security that Cisco Umbrella provides, view our on-demand demo today!