In today's digital landscape, security is a top priority. You're likely already using encryption at the application layer, but is your DNS traffic as secure? Your applications can leak valuable information to your internet service provider (ISP) and other network observers through unencrypted DNS queries.
Your computer constantly sends out DNS queries, quietly translating human-friendly names like company-server.redhat.com into IP addresses. These essential requests usually travel over the network in plain, unencrypted text. This isn't a minor detail; it's an exploitable vulnerability.
An unencrypted DNS query is like sending a postcard through the mail; anyone can read what's on it. An encrypted DNS query, on the other hand, is like sending a sealed letter; only the intended recipient can read it.
Eavesdroppers anywhere on the path, whether a malicious actor on the same network, your internet service provider, or a state-sponsored entity, can see a complete log of every domain you access. This exposes sensitive information about your organization's operations, users, and even potential intellectual property. Even worse, plaintext queries are vulnerable to DNS spoofing: an attacker who can see a query can answer it with a forged response and trick your system into connecting to a fake website or server. This can lead to data theft, malware infections, or critical security breaches.
Traditional DNS simply doesn't meet modern security demands.
From plaintext DNS to zero trust
This is where encrypted DNS becomes a fundamental building block for modern enterprise security. In a zero trust model, no user or device is trusted by default, regardless of its location on the network. Every connection and every access request must be verified. Plaintext DNS, which openly reveals communication patterns and potential targets, stands in direct opposition to this principle.
By encrypting your DNS queries and authenticating the resolver that answers them, you eliminate a significant blind spot: observers on the path can no longer read your queries or inject forged answers between your system and your resolver. DoT protects that hop only; it does not validate the answers the resolver returns, which is what DNSSEC is for. This strengthens your entire network infrastructure against internal and external threats. It also directly aligns with mandates such as the Moving the U.S. Government Toward Zero Trust Cybersecurity Principles memorandum (M-22-09) and demonstrates a commitment to end-to-end data protection. It's not just about a single feature; it's about building a more resilient, modern, and trustworthy infrastructure.
Introducing DNS over TLS for Red Hat Enterprise Linux
DNS over TLS (DoT) is a new capability in Red Hat Enterprise Linux 10 and 9.6, available as a Technology Preview. This is the first time an enterprise Linux distribution has offered encrypted DNS from the installer onward, and it's a testament to our ongoing commitment to security innovation.
Name resolution is encrypted during installation and on the installed system, so there is no window between installation and security hardening in which DNS queries leave the machine in plaintext. This is a significant improvement for secure system provisioning and automated deployments.
How to encrypt your DNS
Here are step-by-step instructions for a simple setup intended for testing and experimentation.
- Prepare local RHEL installation media, such as a USB drive or a local ISO. Remote installation methods that rely on DNS for resolution will not work with the strict policy you will set.
- If your DoT server presents a certificate issued by a custom Certificate Authority (CA), include the CA bundle in the Kickstart file so the installer can validate the server's certificate. Save the bundle under the name tls-ca-bundle.pem with a %certificate section:
%certificate --dir /etc/pki/dns/extracted/pem/ --filename tls-ca-bundle.pem
-----BEGIN CERTIFICATE-----
<Base64-encoded_certificate_content>
-----END CERTIFICATE-----
%end
- Boot the installation media and append kernel arguments that configure eDNS. These tell the installer to use your DoT servers (one rd.net.dns= entry per server, in the form dns+tls://<server_ip>#<dns_server_hostname>), to hand resolution to the dnsconfd backend, and to enforce the exclusive policy, which prevents any fallback to unencrypted DNS:
linux ($root)/vmlinuz-6.12.0-0.el10_0.x86_64 root=/dev/mapper/rhel-root ro crashkernel=2G-64G:256M,64G-:512M resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet emergency ip=dhcp rd.net.dns=dns+tls://<server_ip_1>#<dns_server_hostname_1> rd.net.dns=dns+tls://<server_ip_2>#<dns_server_hostname_2> rd.net.dns-resolve-mode=exclusive rd.net.dns-backend=dnsconfd inst.ks=hd:/dev/sdb1/mykickstart.ks
- Verify your eDNS configuration:
dnsconfd status
With these steps, you have implemented encrypted DNS (DoT) on your RHEL system.
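Because exclusive mode removes the plaintext fallback, a wrong CA bundle or a hostname that does not match the resolver's certificate leaves the installer without any name resolution. The following POSIX shell script is an added example, not code from this article, from dnsconfd, or from the installer: it parses the rd.net.dns=dns+tls://<ip>#<hostname> specs from a kernel command line, confirms that rd.net.dns-resolve-mode=exclusive is requested, and uses openssl s_client to confirm that each server answers TLS on port 853 with a certificate that chains to the CA bundle and matches the hostname after '#'. The TEST-NET addresses, example.com names, the DOT_CA_BUNDLE variable and the constructed sample command line are assumptions; the script also assumes that the hostname after '#' is the name the server certificate is validated against, which is how that suffix is used by NetworkManager and systemd-resolved.

```shell
#!/bin/sh
# Added example, not code from the Red Hat article, dnsconfd or Anaconda.
# Pre-flight check for rd.net.dns=dns+tls://<ip>#<hostname> kernel arguments:
# parse them, confirm exclusive mode is requested, and confirm each server
# really offers TLS on 853 with a certificate that chains to the CA bundle
# and matches the hostname after '#'.
# Assumptions: addresses, names and DOT_CA_BUNDLE below are placeholders; the
# hostname after '#' is taken to be the name the server certificate must match.

# parse_dot_spec SPEC -> prints "<ip> <hostname>"; returns 1 when malformed.
# A spec without '#' is rejected: with no expected name the resolver cannot be
# authenticated, which defeats the point of DoT.
parse_dot_spec() {
    spec=$1
    case $spec in
        dns+tls://*) ;;
        *) printf 'not a dns+tls:// spec: %s\n' "$spec" >&2; return 1 ;;
    esac
    rest=${spec#dns+tls://}
    ip=${rest%%#*}
    host=${rest#*#}
    if [ "$host" = "$rest" ] || [ -z "$host" ] || [ -z "$ip" ]; then
        printf 'expected dns+tls://<ip>#<hostname>, got: %s\n' "$spec" >&2
        return 1
    fi
    printf '%s %s\n' "$ip" "$host"
}

# dot_specs_from_cmdline CMDLINE -> every rd.net.dns= value, one per line
# (rd.net.dns-resolve-mode and rd.net.dns-backend do not match the pattern).
dot_specs_from_cmdline() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^rd\.net\.dns=//p'
}

# resolve_mode_from_cmdline CMDLINE -> rd.net.dns-resolve-mode value, or "unset"
resolve_mode_from_cmdline() {
    mode=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^rd\.net\.dns-resolve-mode=//p')
    printf '%s\n' "${mode:-unset}"
}

# check_dot_server IP HOSTNAME CA_BUNDLE -> 0 only if the TLS handshake on 853
# succeeds, the chain validates against CA_BUNDLE and the name matches.
# -verify_return_error makes openssl abort the handshake on a verify error
# instead of merely reporting it. IPv6 literals must be bracketed: [2001:db8::1]
check_dot_server() {
    ip=$1; host=$2; ca=$3
    out=$(openssl s_client -connect "$ip:853" -servername "$host" \
            -verify_hostname "$host" -CAfile "$ca" -verify_return_error \
            </dev/null 2>&1) || { printf '%s\n' "$out" >&2; return 1; }
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# preflight CMDLINE CA_BUNDLE -> 0 if mode is exclusive and every server checks out
preflight() {
    cmdline=$1; ca=$2; rc=0
    if [ "$(resolve_mode_from_cmdline "$cmdline")" != exclusive ]; then
        echo 'WARNING: rd.net.dns-resolve-mode is not exclusive; plaintext fallback stays possible' >&2
        rc=1
    fi
    for spec in $(dot_specs_from_cmdline "$cmdline"); do
        parsed=$(parse_dot_spec "$spec") || { rc=1; continue; }
        ip=${parsed%% *}; host=${parsed#* }
        if check_dot_server "$ip" "$host" "$ca"; then
            echo "OK   $host ($ip): TLS on 853, chain valid, name matches"
        else
            echo "FAIL $host ($ip): see openssl output above" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample mirroring the article's kernel line (TEST-NET addresses,
# example.com names). On a booted system use "$(cat /proc/cmdline)" instead.
SAMPLE_CMDLINE='ip=dhcp rd.net.dns=dns+tls://192.0.2.53#dns1.example.com rd.net.dns=dns+tls://192.0.2.54#dns2.example.com rd.net.dns-resolve-mode=exclusive rd.net.dns-backend=dnsconfd'

# Usage: DOT_CA_BUNDLE=/etc/pki/dns/extracted/pem/tls-ca-bundle.pem sh dot-preflight.sh
# The live check runs only when DOT_CA_BUNDLE is set, so sourcing the file for
# its functions has no network side effects.
if [ -n "${DOT_CA_BUNDLE-}" ]; then
    preflight "$(cat /proc/cmdline)" "$DOT_CA_BUNDLE"
fi
```

Run it from any machine that can reach the resolvers before you boot the installer, pointing DOT_CA_BUNDLE at the same PEM file you embedded in the %certificate section; a FAIL here means the installer, with no plaintext fallback available, would also be unable to resolve names. After installation the same script run on the host reads the real /proc/cmdline and double-checks that the exclusive policy actually reached the kernel command line.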
The Red Hat security vision and future roadmap
We're dedicated to building a more resilient and modern infrastructure, and our security roadmap is about giving you more powerful tools. This includes support for DNS over HTTPS (DoH), which gives you another transport for securing your DNS traffic.
We're also integrating support for encrypted DNS directly into Red Hat Enterprise Linux image builder, so you can build customized ISOs with these security settings preconfigured, making deployment easier and ensuring your systems are secure from the first boot.
Continue your security journey
With a working encrypted DNS setup, you're ready to explore its full capabilities. As a Technology Preview, this encrypted DNS functionality is still under active development. We encourage you to experiment with it and provide feedback.
To dive deeper into the technical details and explore other security resources, here are some paths you can take: