The increasing adoption of encrypted communication protocols such as DNS over HTTPS (DoH), DNS over TLS (DoT) and QUIC, many of them switched on by default in modern browsers and operating systems, has introduced significant challenges for organizations. As encryption becomes more widespread, maintaining visibility and enforcing security policies become increasingly difficult. Encrypted traffic gives attackers new ways to bypass traditional security controls, raising the risk from threats such as DNS tunneling, DNS spoofing and NXDOMAIN abuse.
To address these risks, Safe Internet Access (SIA) offers a powerful solution that provides enhanced control and visibility over encrypted communication without disrupting existing network architecture. This blog explores how SIA strengthens security in an era of growing encrypted traffic.
Why SIA?
In the current cybersecurity landscape, modern browsers enable DoH by default (and several operating-system resolvers do the same with DoT), so a client can send its DNS queries to an external resolver inside TLS rather than to the organization's own resolver. That lets attackers evade DNS-based security controls and creates blind spots in network monitoring. SIA addresses this issue by enabling organizations to manage and enforce security policies on encrypted communication, offering the visibility needed to detect and prevent malicious activity.
Key Challenges in Encrypted Communication
DNS Tunneling: Attackers use DNS queries to exfiltrate data or to run a covert command-and-control channel. The data is encoded (for example as base64, base32 or hexadecimal), split into chunks and placed in the subdomain labels of queries for a zone whose authoritative server the attacker controls, so every query delivers a chunk even when the resolver answers NXDOMAIN.
DNS Spoofing: Forged or manipulated DNS responses redirect users to attacker-controlled sites, enabling phishing or malware distribution.
NXDOMAIN Flooding: Attackers send large volumes of queries for random, non-existent subdomains of a target zone (a "random subdomain" or "water torture" attack). Every miss is forwarded by recursive resolvers to the target's authoritative servers and pollutes negative caches, exhausting resolver and authoritative capacity and producing a Distributed Denial of Service (DDoS) condition.
Malware Communication: Malware can exfiltrate sensitive data over DNS by splitting it into subdomains of its queries; because the names do not exist, the resolver returns NXDOMAIN, and a stream of NXDOMAIN responses rarely trips conventional detection mechanisms.
Bypassing DNS-Based Filters: Clients that use DoH or DoT to an external resolver never consult the organization's filtering resolver, so content that would otherwise be blocked becomes reachable.
IP-Based Requests: Direct HTTP or HTTPS requests to an IP address bypass domain-based filtering. For HTTPS there is no hostname to match the certificate against; unless the certificate lists that IP address in its Subject Alternative Name, which is rare, the browser shows a certificate warning that users often click through, so the connection proceeds on an unvalidated, potentially untrusted certificate.
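The tunneling description above can be turned into a simple detector. The following is an added example and not SIA's code; it scores query names per parent domain on three signals that encoded payloads tend to produce (very long labels, high character entropy, many distinct subdomains) and flags a domain when at least two signals trip. The log lines, domain names and thresholds are constructed for the example, and the "last two labels" rule for finding the parent domain is an assumption that production code would replace with the Public Suffix List.

```python
"""Heuristic DNS tunneling detector (added example; not SIA's code)."""
import math
from collections import defaultdict

# Constructed sample of resolver log entries as (client_ip, queried_name).
# The tunnel.example entries imitate encoded chunks of exfiltrated data;
# the rest are ordinary lookups. All names are made up for this example.
SAMPLE_QUERIES = [
    ("10.0.0.5", "u2vjcmv0igrvy3vtzw50ignvbnrlbnqgmq.tunnel.example"),
    ("10.0.0.5", "lxnlbnntmmnhrznpzxjzigmggkzkenqgmg.tunnel.example"),
    ("10.0.0.5", "xjzigmggkzkenqgmgu2vjcmv0igrvy3vtzw.tunnel.example"),
    ("10.0.0.5", "y3vtzw50ignvbnrlbnqgmqlxnlbnntmmnhrz.tunnel.example"),
    ("10.0.0.5", "kzkenqgmgu2vjcmv0igrvy3vtzw50ignvbnr.tunnel.example"),
    ("10.0.0.7", "www.example.org"),
    ("10.0.0.7", "mail.example.org"),
    ("10.0.0.8", "cdn.example.net"),
    ("10.0.0.8", "www.example.net"),
]

# Assumed tuning values, not figures from the page; tune against your own baseline.
MAX_LABEL_LEN = 30    # hostnames are rarely this long; encoded payload chunks are
MIN_ENTROPY = 3.5     # bits per character; English-like labels sit well below this
MIN_DISTINCT = 5      # distinct subdomains seen under one parent domain


def shannon_entropy(text):
    """Shannon entropy in bits per character of a string (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain_part, parent_domain) for a query name.

    Assumption: the registrable parent is the last two labels. Production code
    should use the Public Suffix List so that host.example.co.uk splits right.
    """
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze(queries):
    """Aggregate queries per parent domain and flag tunneling-like parents.

    Returns {parent_domain: {"reasons": [...], "clients": [...]}} for every
    parent that trips at least two of the three signals.
    """
    stats = defaultdict(lambda: {"clients": set(), "subs": set(),
                                 "max_label": 0, "entropy_sum": 0.0, "n": 0})
    for client, qname in queries:
        sub, parent = split_name(qname)
        if not sub:
            continue  # apex query: no subdomain in which to encode data
        st = stats[parent]
        st["clients"].add(client)
        st["subs"].add(sub)
        st["max_label"] = max(st["max_label"], max(len(lab) for lab in sub.split(".")))
        st["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        st["n"] += 1

    findings = {}
    for parent, st in stats.items():
        reasons = []
        if st["max_label"] > MAX_LABEL_LEN:
            reasons.append("long label")
        if st["entropy_sum"] / st["n"] > MIN_ENTROPY:
            reasons.append("high entropy")
        if len(st["subs"]) >= MIN_DISTINCT:
            reasons.append("many distinct subdomains")
        if len(reasons) >= 2:  # require two signals to keep false positives down
            findings[parent] = {"reasons": reasons, "clients": sorted(st["clients"])}
    return findings


if __name__ == "__main__":
    for parent, info in analyze(SAMPLE_QUERIES).items():
        print(f"{parent}: {', '.join(info['reasons'])} (clients: {', '.join(info['clients'])})")
```

Run over the constructed log, only tunnel.example is reported, attributed to client 10.0.0.5; the ordinary lookups for example.org and example.net stay quiet because their labels are short, low-entropy and few. Requiring two signals matters in practice: CDNs and anti-spam services legitimately produce long or random-looking labels, so a single signal on its own would page the on-call engineer far too often.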
SIA’s Solution for Encrypted Communication Management
Underscore’s Safe Internet Access (SIA) is designed to mitigate the risks associated with encrypted traffic by offering real-time analysis, threat detection and policy enforcement. Deployed inline in transparent mode at the traffic gateway, SIA gains visibility into encrypted communication without major architectural changes and without re-addressing the network.
Key Features of SIA:
1. DNS Traffic Management
Blocking FQDN Queries Based on Blacklist: SIA manages DNS traffic by blocking queries for Fully Qualified Domain Names (FQDNs) that match entries in the organization’s blacklist. For example, if a client requests an FQDN such as example.org (a placeholder here) that appears on the blacklist, SIA matches the query against the list and blocks it.
Pre-emptive Blocking of Non-Existent Domains: To stop malware from using NXDOMAIN responses as an exfiltration channel, SIA proactively blocks queries to domains that do not exist. When DNS tunneling is detected, SIA blocks the domain whose lookups keep triggering NXDOMAIN, so further chunks never leave the network and an additional layer of protection is in place.
Blocking DNS Requests from Unapproved Sources: SIA ensures that DNS traffic is only accepted from approved source IPs. For instance, if DNS traffic originates from an unauthorized IP address, SIA blocks the traffic and generates an alert, helping maintain network integrity.
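The three DNS controls above (blacklist matching, NXDOMAIN-driven blocking and source-IP restriction) can be sketched as one small policy engine. The following is an added example written for this page and is not SIA's implementation; the blacklist entries, approved subnet, NXDOMAIN limit and the query/response trace are all constructed, and the rule for deriving a parent domain is the same "last two labels" assumption noted earlier.

```python
"""DNS policy engine sketch (added example; not SIA's implementation)."""
import ipaddress
from collections import defaultdict

# Constructed policy inputs for this example; none of these come from the page.
BLACKLIST = {"malicious.example", "tracker.example.net"}
APPROVED_SOURCES = [ipaddress.ip_network("10.0.0.0/24")]  # e.g. the internal resolver VLAN
NXDOMAIN_LIMIT = 3  # assumed tuning value: misses per client and parent before blocking


def parent_domain(qname):
    """Registrable parent as the last two labels (assumption; use the Public Suffix List in production)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def matches_suffix(qname, listed):
    """True if qname or any parent of it is in `listed`, so listing malicious.example also covers cdn.malicious.example."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in listed for i in range(len(labels)))


class DnsPolicy:
    def __init__(self, blacklist, approved_sources, nxdomain_limit):
        self.blacklist = {d.lower().rstrip(".") for d in blacklist}
        self.approved = list(approved_sources)
        self.limit = nxdomain_limit
        self.nx_counts = defaultdict(int)  # (client_ip, parent_domain) -> NXDOMAIN count
        self.dynamic_blocks = set()        # parents blocked after an NXDOMAIN burst
        self.alerts = []                   # what would be forwarded to the SIEM

    def on_query(self, client_ip, qname):
        """Decide 'allow' or 'block' before the query is forwarded upstream."""
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in net for net in self.approved):
            self.alerts.append(f"unapproved DNS source {client_ip} queried {qname}")
            return "block"
        if matches_suffix(qname, self.blacklist):
            self.alerts.append(f"blacklisted FQDN {qname} queried by {client_ip}")
            return "block"
        if matches_suffix(qname, self.dynamic_blocks):
            self.alerts.append(f"{qname} from {client_ip} blocked: parent under NXDOMAIN block")
            return "block"
        return "allow"

    def on_response(self, client_ip, qname, rcode):
        """Learn from upstream answers: repeated NXDOMAIN under one parent looks like tunneling."""
        if rcode != "NXDOMAIN":
            return
        parent = parent_domain(qname)
        key = (client_ip, parent)
        self.nx_counts[key] += 1
        if self.nx_counts[key] >= self.limit and parent not in self.dynamic_blocks:
            self.dynamic_blocks.add(parent)
            self.alerts.append(f"NXDOMAIN burst from {client_ip}: blocking {parent}")


# Constructed trace of query/response events in arrival order.
SAMPLE_EVENTS = [
    ("query", "10.0.0.5", "www.example.org"),
    ("response", "10.0.0.5", "www.example.org", "NOERROR"),
    ("query", "10.0.0.5", "cdn.malicious.example"),     # suffix match on the blacklist
    ("query", "192.168.9.9", "www.example.org"),        # not an approved source
    ("query", "10.0.0.6", "a1.exfil.example"),
    ("response", "10.0.0.6", "a1.exfil.example", "NXDOMAIN"),
    ("query", "10.0.0.6", "a2.exfil.example"),
    ("response", "10.0.0.6", "a2.exfil.example", "NXDOMAIN"),
    ("query", "10.0.0.6", "a3.exfil.example"),
    ("response", "10.0.0.6", "a3.exfil.example", "NXDOMAIN"),  # third miss trips the limit
    ("query", "10.0.0.6", "a4.exfil.example"),          # now blocked before it leaves the network
]


def run_trace(events, blacklist=BLACKLIST, approved=APPROVED_SOURCES, limit=NXDOMAIN_LIMIT):
    """Replay events through a fresh policy; return (decisions, policy)."""
    policy = DnsPolicy(blacklist, approved, limit)
    decisions = []
    for ev in events:
        if ev[0] == "query":
            decisions.append((ev[1], ev[2], policy.on_query(ev[1], ev[2])))
        else:
            policy.on_response(ev[1], ev[2], ev[3])
    return decisions, policy


if __name__ == "__main__":
    decisions, policy = run_trace(SAMPLE_EVENTS)
    for client, qname, verdict in decisions:
        print(f"{verdict:5} {client:12} {qname}")
    print("\n".join(policy.alerts))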

2. IP-Based HTTP and HTTPS Traffic Management
Blocking Direct IP-Based Requests: SIA blocks direct IP-based HTTP and HTTPS requests to prevent users from bypassing DNS-based filtering. For example, if a client attempts to access https://104.105.11.44/, SIA captures and blocks the request, ensuring that unauthorized access to resources via IP addresses is prevented.
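Recognising a direct IP-based request is mostly a parsing problem, and it differs between plain HTTP and HTTPS. The following is an added example, not SIA's code: for HTTP it checks whether the Host header is an IP literal (with or without a port, IPv4 or bracketed IPv6); for HTTPS it relies on the TLS ClientHello, since RFC 6066 forbids IP literals in the SNI field, so a client that connects by address normally sends no SNI at all. The sample requests are constructed, apart from the IPv4 address, which is the page's own example.

```python
"""Detecting direct IP-based HTTP/HTTPS requests (added example; not SIA's code)."""
import ipaddress
from urllib.parse import urlsplit


def host_is_ip_literal(host):
    """True if an HTTP Host header value (or URL host) is an IP literal.

    Accepts an optional :port and bracketed IPv6 such as "[2001:db8::1]:443".
    Hostnames, empty values and malformed input return False.
    """
    try:
        hostname = urlsplit("//" + host.strip()).hostname  # strips :port and IPv6 brackets
    except ValueError:
        return False  # unbalanced brackets etc.; the HTTP parser will reject it anyway
    if not hostname:
        return False
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def decide(scheme, host_header, sni=None):
    """Return ('allow', None) or ('block', reason) for one request.

    For plain HTTP the Host header is the only name an inline gateway sees.
    For HTTPS the gateway sees the TLS ClientHello: RFC 6066 does not permit
    IP literals in SNI, so a missing SNI is treated as a direct-IP connection,
    and an IP literal sent by a non-compliant client is blocked as well.
    """
    if scheme == "https":
        if sni is None:
            return "block", "TLS ClientHello without SNI (direct IP or non-compliant client)"
        if host_is_ip_literal(sni):
            return "block", f"IP literal in SNI: {sni}"
        return "allow", None
    if host_is_ip_literal(host_header):
        return "block", f"direct IP request to {host_header}"
    return "allow", None


# Constructed requests as (scheme, Host header, SNI or None).
SAMPLE_REQUESTS = [
    ("https", "104.105.11.44", None),          # the page's example: no SNI when connecting by IP
    ("http", "104.105.11.44:8080", None),
    ("http", "[2001:db8::1]:8080", None),
    ("http", "www.example.org:8080", None),
    ("https", "www.example.org", "www.example.org"),
]

if __name__ == "__main__":
    for scheme, host, sni in SAMPLE_REQUESTS:
        verdict, reason = decide(scheme, host, sni)
        print(f"{verdict:5} {scheme}://{host}  {reason or ''}")
```

Two caveats worth keeping in mind when deploying a rule like this: legacy TLS clients that never send SNI will be blocked too, so the rule needs an exception list, and the Host header is attacker-controlled, which is fine for blocking but means an allowed hostname says nothing about where the packets actually went.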
3. Seamless Reporting and SIEM Integration
SIA provides comprehensive reports and alerts on blocked DNS requests, NXDOMAIN responses, and direct IP-based traffic. These reports can be forwarded to Security Information and Event Management (SIEM) systems, ensuring seamless integration with the organization’s existing security infrastructure. This integration allows security teams to maintain visibility over network activity and respond more effectively to potential threats.
Conclusion
Underscore’s Safe Internet Access (SIA) provides organizations with a powerful tool to enhance security policy enforcement in an era of increasingly encrypted communication. By managing DNS traffic, preventing DNS tunneling, blocking IP-based requests, and integrating with SIEM systems, SIA addresses the unique challenges posed by modern encryption protocols.
SIA ensures that organizations can maintain visibility and control over encrypted traffic, mitigating risks while strengthening their overall cybersecurity defenses. For modern enterprises facing evolving threats, SIA offers a critical step forward in securing communication channels and ensuring compliance with security policies—without disrupting existing network operations.
By deploying SIA, organizations are well-positioned to safeguard their networks from hidden threats within encrypted traffic, enhancing their resilience against sophisticated cyberattacks.