Security Protocols
>> Also see "Vendors" <<
Encryption Protocols
Security Protocols
DNS Encryption.
BLUF: Secures the communication between one's device(s) and the servers that translate domain names into numerical IP addresses. This helps protect your privacy and security in two ways:
Preventing eavesdropping: The communication is scrambled, making it unreadable to anyone snooping on your network traffic. This means they can't see which websites you're trying to visit.
Stopping spoofing (disguising) attacks: Malicious actors can sometimes tamper with unencrypted DNS requests, redirecting you to fake websites designed to steal your information. DNS encryption helps ensure you're connecting to the legitimate website you intended.
Major approaches to DNS Encryption: (2)
DNSSEC (Domain Name System Security Extensions):
Focus: DNSSEC secures the data itself, ensuring it hasn't been tampered with during transmission.
Analogy: Think of it like a document with a tamper-proof seal and a signature to verify its authenticity.
Technical details:
Uses digital signatures and cryptographic keys to verify the source and integrity of DNS data.
Requires cooperation between DNS resolvers and domain owners to implement.
DoT / DoH / DoQ:
BLUF:
DoT (DNS over TLS) -- DNS over Transport Layer Security (TLS).
DoH (DNS over HTTPS) -- DNS over Hypertext Transfer Protocol Secure (HTTPS).
DoQ (DNS over QUIC) -- DNS over QUIC (Quick UDP Internet Connections), a UDP-based transport.
Focus: These protocols encrypt the communication channel between your device and the DNS resolver.
Analogy: Imagine sending your DNS requests through a secure tunnel, hidden from prying eyes.
Technical details:
Encrypt the communication using TLS, HTTPS or QUIC (the same protocols that secure browsing).
Hide the content of your DNS requests (domain names) from anyone monitoring your network traffic.
Doesn't necessarily guarantee the authenticity of the DNS data itself (unlike DNSSEC).
Considerations: (3)
Deployment:
DoT and DoH are becoming more widely available
DoQ is a newer protocol still under development.
Performance:
DNSSEC can introduce a slight overhead due to the additional processing involved in verifying signatures. Encrypted tunnels (DoT/DoH/DoQ) might also have a small impact on speed compared to unencrypted DNS.
Privacy vs. Security:
DoT/DoH offer strong privacy by hiding your DNS requests, but some governments or organizations might restrict their use. DNSSEC focuses on data security but doesn't necessarily hide the content of your requests.
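The two points above (DoT protects the channel, DNSSEC vouches for the data) can be seen in the wire format. The following is an added example, not part of the original notes: it builds a DNS query with the DO bit, applies the 2-byte length framing that DNS over TLS uses, and reads back the AD flag, which a validating resolver sets only when the answer passed DNSSEC checks. The resolver address, TLS name and the query name are assumptions for illustration; SAMPLE_RESPONSE is a constructed header.

```python
"""DoT framing and DNSSEC AD-bit check (added example, not from the original notes)."""
import socket
import ssl
import struct

AD_BIT, TC_BIT, RCODE_MASK = 0x0020, 0x0200, 0x000F

def build_query(name, qtype=1, txid=0x1234):
    """DNS query: header (RD=1), one question, one OPT record with DO=1 so a
    validating resolver returns DNSSEC data and sets AD when it checks out."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)                  # QTYPE, QCLASS=IN
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)   # TYPE 41, DO flag
    return header + question + opt

def frame_for_dot(msg):
    """RFC 7858: on the TLS stream every message carries a 2-byte length prefix."""
    return struct.pack("!H", len(msg)) + msg

def parse_flags(resp):
    """Header flags of a response. DoT only proves the channel; the AD bit is the
    resolver's statement that the data passed DNSSEC validation."""
    txid, flags = struct.unpack("!HH", resp[:4])
    return {"id": txid, "rcode": flags & RCODE_MASK,
            "ad": bool(flags & AD_BIT), "tc": bool(flags & TC_BIT)}

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the TLS stream early")
        buf += chunk
    return buf

def query_dot(name, server_ip, server_name):
    """One query over DNS over TLS (port 853). The default context verifies the
    certificate against server_name, which is what defeats a spoofed resolver."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server_ip, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame_for_dot(build_query(name)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_flags(recv_exact(tls, length))

# Constructed response header: same id, QR|RD|RA|AD set, RCODE 0 (NOERROR).
SAMPLE_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
```

A live call looks like query_dot("example.com", "<resolver-ip>", "<resolver-tls-name>"); an answer with "ad": False over a perfectly good TLS session is exactly the gap between channel encryption and data authenticity described above.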
While DNS encryption offers significant security and privacy benefits, there are still some challenges to consider:
Limited Native Support: Azure DNS itself currently doesn't offer built-in functionality for DNS encryption. You need to leverage external solutions or configurations within your Azure environment.
Configuration Complexity: Implementing external DNS solutions like secure DNS forwarders or automation scripts requires additional configuration compared to using Azure DNS directly. This can add complexity, especially for managing multiple resources.
Performance Impact: DNS encryption adds a slight overhead to DNS resolution times due to the encryption process. While usually minimal, this impact might be a concern for very performance-sensitive applications.
Vendor Lock-in: Using a third-party DNS provider with DoT/DoH support might introduce some vendor lock-in. Switching providers would require reconfiguring your Azure resources to use different DNS servers.
Management Overhead: Managing and maintaining secure DNS forwarders or automation scripts requires some technical expertise. This adds an extra layer of responsibility for your IT team.
Azure Tools (2/1).
BLUF: Azure DNS itself currently lacks built-in DNS Encryption functionalities; achieving this requires looking at external solutions or functionalities within your overall Azure environment.
2 Main Approaches to Leverage Azure for DNS Encryption:
Azure Virtual Network (VN) with DNS Forwarder:
Concept: You can set up a secure DNS forwarder within your Azure Virtual Network (VN). This forwarder acts as an intermediary between your Azure resources and external DNS resolvers.
Process:
Deploy a virtual machine (VM) within your VN.
Install and configure a third-party DNS forwarder software on the VM with DNS encryption capabilities like DoT (DNS over TLS) or DoH (DNS over HTTPS). Popular options include BIND with DNSSEC support, PowerDNS Recursor, or Unbound.
Configure your Azure resources within the VN to use the VM's IP address as their primary DNS server. The forwarder then encrypts communication with the upstream public DNS resolvers chosen (e.g., Google Public DNS, Cloudflare DNS).
Azure Automation with Custom Script:
Concept: This approach utilizes Azure Automation, a service for automating tasks and configurations in Azure. You can create a custom script that configures your Azure VMs or resources to use a secure external DNS provider with DoT/DoH support.
Process:
Develop a script that automates the configuration of DNS settings on your Azure VMs or resources. The script can leverage tools like the resolvectl command on Linux VMs or the netsh command on Windows VMs to point them to a DoT/DoH-enabled DNS provider.
Create an Azure Automation account and define a runbook that executes your custom script. You can schedule the runbook to apply the configuration automatically or trigger it manually as needed.
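For the Linux side of the runbook step above, here is an added example (not the notes' own script, and not an Azure-supplied tool) of what such a script can do with systemd-resolved: render the drop-in that pins DNS over TLS, audit an existing one for the weak settings, and apply it. The upstream resolver IPs and TLS names are sample values chosen for illustration; the drop-in path is the standard systemd-resolved location.

```python
"""Generate and audit a systemd-resolved DoT drop-in (added example, not from the notes)."""
import subprocess
from pathlib import Path

# Sample upstreams for illustration: resolver IP plus the TLS name its certificate carries.
UPSTREAMS = [("1.1.1.1", "cloudflare-dns.com"), ("8.8.8.8", "dns.google")]
DROPIN = Path("/etc/systemd/resolved.conf.d/dot.conf")

def render_dropin(upstreams, strict=True):
    """'ip#name' lets resolved verify the server certificate. DNSOverTLS=yes refuses
    to fall back to cleartext port 53; 'opportunistic' is the weak setting that
    silently downgrades when TLS fails or the certificate does not match."""
    dns = " ".join(f"{ip}#{name}" for ip, name in upstreams)
    mode = "yes" if strict else "opportunistic"
    return f"[Resolve]\nDNS={dns}\nDNSOverTLS={mode}\nDNSSEC=yes\n"

def audit_dropin(text):
    """Return the weaknesses found in an existing drop-in (empty list means strict DoT)."""
    issues = []
    for line in text.splitlines():
        key, _, val = line.partition("=")
        key, val = key.strip(), val.strip()
        if key == "DNSOverTLS" and val != "yes":
            issues.append(f"DNSOverTLS={val}: cleartext fallback allowed")
        elif key == "DNS":
            issues += [f"{s}: no TLS name, certificate not validated"
                       for s in val.split() if "#" not in s]
        elif key == "DNSSEC" and val != "yes":
            issues.append(f"DNSSEC={val}: unsigned answers accepted")
    return issues

def apply_dropin(text, path=DROPIN):
    """What the runbook step does on a Linux VM: write the file, restart resolved,
    then return the effective settings as reported by resolvectl."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)
    subprocess.run(["systemctl", "restart", "systemd-resolved"], check=True)
    return subprocess.run(["resolvectl", "status"], capture_output=True,
                          text=True, check=True).stdout

if __name__ == "__main__":          # needs root on the VM
    print(apply_dropin(render_dropin(UPSTREAMS)))
```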
InfoBlox (Not Azure).
File Transfer Protocols.
AS2 (Applicability Statement 2): (1) A protocol for securely exchanging business data over the Internet. It is especially valuable for exchanging Electronic Data Interchange (EDI) documents between businesses. (2) Offers a secure, efficient, and widely used way for businesses to exchange data, streamlining communication and ensuring data integrity.
Value:
Security: AS2 leverages technologies like HTTPS, S/MIME encryption, and digital certificates to ensure data is transferred securely. This is crucial for sensitive business documents like invoices or purchase orders.
Efficiency: AS2 utilizes HTTP, the same protocol that web browsing relies on, making it a familiar and efficient way to transfer data.
Universality: Major retailers and countless businesses worldwide use AS2, making it a reliable and standardized method for data exchange.
Versatility: While commonly used for EDI, AS2 can handle various file formats, including XML, plain text, and even binary files.
FTPS (File Transfer Protocol Secure) (3): (1) File Transfer Protocol (FTP) with an added layer of security for transferring files over a network. (2) While both variants (implicit and explicit) encrypt the connection, explicit FTPS might require some additional configuration on the client, depending on the software. (3) FTPS provides a solid solution for securing file transfers over existing FTP workflows. It offers a balance between security and ease of use, making it a valuable tool for many data transfer needs.
Two variations of FTPS:
Implicit FTPS: This uses a dedicated secure port (FTPS on port 990) and doesn't require any special configuration on the client side.
Explicit FTPS: This uses the standard FTP port 21 and, after the initial plain connection, upgrades it to TLS with an explicit command from the client.
Value:
Security: Unlike standard FTP, FTPS encrypts the entire communication channel between the client and server using TLS/SSL encryption. This safeguards your data from eavesdropping or tampering during transfer.
Familiar Functionality: FTPS maintains the core functionality of FTP, making it easy to use for those already familiar with FTP clients and commands. The transition to a secure file transfer method becomes smoother.
Compatibility: FTPS works with most existing FTP servers and clients, eliminating the need for drastic changes to your existing infrastructure.
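The "additional configuration on the client" for explicit FTPS is concrete in Python's standard ftplib. This added example (not from the notes) shows the two upgrade steps, AUTH TLS for the control channel and PROT P for the data channel, with certificate validation kept on; host, user and password are placeholders the caller supplies. Implicit FTPS on port 990 is not covered by ftplib, so only the explicit variant is shown.

```python
"""Explicit FTPS client that refuses cleartext data channels (added example, not from the notes)."""
import ssl
from ftplib import FTP_TLS

def make_ftps_context(verify=True):
    """Default context validates the chain and hostname; add a TLS 1.2 floor.
    verify=False reproduces the common 'ignore certificate errors' client setting,
    which leaves the transfer open to an impersonated server."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def context_is_hardened(ctx):
    """The three things a weak FTPS client most often gets wrong."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)

def list_dir_explicit_ftps(host, user, password, path="/", port=21):
    """Explicit FTPS: plain TCP to port 21, AUTH TLS upgrades the control channel,
    PROT P upgrades the data channel. Skipping prot_p() is the classic mistake:
    the login is protected but every listing and file body crosses in cleartext."""
    ctx = make_ftps_context()
    if not context_is_hardened(ctx):
        raise ValueError("refusing to connect with a weakened TLS context")
    ftps = FTP_TLS(context=ctx)
    ftps.connect(host, port, timeout=10)
    ftps.auth()                  # AUTH TLS: encrypt the control channel
    ftps.login(user, password)
    ftps.prot_p()                # PROT P: encrypt data connections too
    try:
        return ftps.nlst(path)
    finally:
        ftps.quit()
```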
SFTP (Secure File Transfer Protocol). A network protocol that enables secure and encrypted file transfers between a client and a server. It provides a significant upgrade over the traditional File Transfer Protocol (FTP) by leveraging Secure Shell (SSH) for both authentication and data encryption.
Value:
Enhanced Security: SFTP utilizes SSH, a robust protocol known for its strong security features. This includes secure user authentication methods like passwords or public key logins, along with encryption of the entire data stream during transfer. This ensures your files, especially sensitive ones, are protected from unauthorized access or tampering.
Reliable File Transfer: SFTP relies on the reliable transport protocol SSH, which ensures data integrity and retransmission in case of errors. This minimizes the risk of corrupted files during transfer.
Multi-functionality: Beyond secure file transfers, SFTP also inherits some file management functionalities from SSH. You can browse directories, create and delete remote directories/files, and perform basic file permission changes – all within a secure connection.
Wide Adoption: Like FTP, SFTP is widely supported by various operating systems and file transfer applications. This makes it a convenient and interoperable solution for secure file exchange across different platforms.
Network Protocols