Can DNS over HTTPS settings be fixed to provide support for authentication via client certificates?

Was told to try posting this here… Originally posted it over all Firefox community support…

DoH is a big initiative for Mozilla right now and soon will be enabled by default in the US in the near future. While a great tool, I believe the companies can benefit as well. Most users have laptops. Laptops leave the confines of the office regularly. Why not have laptops configured so that they point to a company's DNS infrastructure when not in the office? The benefit would be that any filtering/monitoring being done via DNS no longer is limited to when devices are on the company network!

This would require companies exposing DNS to the internet which is considered a bad idea. DNS will expose internal secrets and let the bad guys probe the architecture of the network for information they can use later. Adding authentication to the DoH solution would allow companies to leverage their internal certificate infrastructure and already deployed client certificates to protect that DNS information.

TLS mutual auth via client certificates is part of the SSL/TLS protocol already in use by DoH and there is nothing in the RFC to prevent this from being a possibility.

Is this something that can be added to the roadmap (or is it already on the roadmap)?

Thanks!

Hi there, I accidentally bumped into your message… I know it’s a bit late.
However, you touch upon a very interesting aspect of encrypted DNS, mTLS, and companies thinking of exposing their DNS server to the public.

We have been thinking of this situation but in regards to the recent Zero Trust realm. At least the idea came first from the Zero Trust paradigm and how DNS infrastructure is not prepared for that.

We actually implemented, on top of NGINX load-balancer, an mTLS endpoint (either through DoT or DoH) for DNS servers without the need to actually touch your DNS servers. They can remain as they are, and the proxy will handle everything. In fact, the solution is termed zeroDNS (because of Zero Trust + DNS), and on top of mTLS, it can also extend original DNS responses with Zero Trust authZ/authN tokens on demand. And every such token is based on the mTLS certificates the clients have.

Furthermore, it can also be used as a fine-grained split DNS solution. Random Internet users can only resolve a company’s public-facing services, like its website. But if clients with mTLS certs connect to the same DNS resolver, they can resolve further company domains and can connect to them afterward.

You might check out the paper: here

Some follow-up discussion on the topic is available here

What do you think?
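The split-DNS decision described in the post above, as an added example that is not part of the thread and is not zeroDNS's code: it parses the RFC 8484 `dns` GET parameter, extracts the question name, and answers internal names only when the TLS layer reports a verified client certificate. The function names and `PUBLIC_NAMES` are hypothetical; the `client_verify` strings follow nginx's `$ssl_client_verify` variable.

```python
import base64
import struct

# Constructed policy: names any Internet client may resolve (hypothetical values).
PUBLIC_NAMES = {"example.com", "www.example.com"}

def qname_from_doh_param(dns_param: str) -> str:
    """Return the question name from an RFC 8484 GET 'dns' parameter
    (a DNS message in unpadded base64url)."""
    raw = base64.urlsafe_b64decode(dns_param + "=" * (-len(dns_param) % 4))
    if len(raw) < 12:
        raise ValueError("short DNS header")
    if struct.unpack("!H", raw[4:6])[0] != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(raw):
            raise ValueError("truncated QNAME")
        length = raw[pos]
        pos += 1
        if length == 0:
            return ".".join(labels)
        # Lengths above 63 are reserved or compression pointers: invalid here.
        if length > 63 or pos + length > len(raw):
            raise ValueError("bad label")
        labels.append(raw[pos:pos + length].decode("ascii").lower())
        pos += length

def may_resolve(dns_param: str, client_verify: str) -> bool:
    """client_verify mirrors nginx's $ssl_client_verify variable:
    "SUCCESS", "NONE", or "FAILED:<reason>"."""
    try:
        name = qname_from_doh_param(dns_param)
    except ValueError:           # also covers base64 and ASCII decode errors
        return False             # fail closed on anything unparseable
    if client_verify == "SUCCESS":
        return True              # authenticated client: full view
    return name in PUBLIC_NAMES  # everyone else: public names only

def build_query(name: str) -> str:
    """Build a constructed sample A/IN query for name, encoded for DoH GET."""
    msg = struct.pack("!6H", 0, 0x0100, 1, 0, 0, 0)
    for label in name.split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!2H", 1, 1)
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode()

# Sample query for www.example.com from RFC 8484, section 4.1.1.
RFC8484_SAMPLE = "AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"
```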

Hi… sorry it took a while to reply.

Setting up the server side was the easy part. The problem I had was with Firefox client doing mTLS. Has Mozilla done work to configure Firefox to support mTLS for DNS queries?