DNS Encryption For CPE-based Security
Keeping Users Secure with CPE-based Protection
DNS acts as the address book of the internet and is a key
element in making services accessible by providing
human-readable domain names for internet services. For
consumers, any action on the internet starts with the client
looking up the IP addresses of the service using the domain
name system. These lookups are sent from the client
(computer, phone, or other device in a house) to the Customer
Premise Equipment (CPE)[1]. This box is often referred to as
‘the Internet Service Provider (ISP) router’ or modem, which
facilitates the connection to the ISP.
[1] The CPE often consists of a modem and router in one. This device acts as the connection point
between a user’s home network (via Wi-Fi or UTP cables in the house) and the internet provider’s
network (via DSL, cable, or fiber connections).
Because the CPE is the initial gateway into a user’s network,
ISPs like to use it to provide users with security and protection
measures. This can include, for example, protection against
malware, phishing, and other malicious activities, as well as
parental control options. In addition, attacks such as Botnet
activation and other Distributed Denial of Service (DDoS) attacks
can be blocked on the CPE before they can harm the operator’s
network. To achieve this, ISPs, hardware manufacturers and
security providers place security solutions on the CPE, which
filter DNS traffic and block any malicious content before it
reaches a user’s connected devices.
As a result, devices that connect to the internet through the
CPE can be secured from the network, which potentially
complements or replaces any on-device protection.
The importance of CPE-based filtering and other network
security solutions is undisputed. The number of attacks, the
methods used and the monetary damage caused by successful
attacks have been increasing disproportionately for years[2].
In addition to increasing attacks on mobile devices, a rise in
banking trojans and gaming scams, there has also been a
noticeable increase in attacks targeting home and business
routers, including the traffic passing this ‘front door’ into a user’s
network of connected devices[3]. Therefore, filtering of DNS traffic
on CPE has an important part to play in reducing the risks users
are exposed to online.
[2] https://www.statista.com/statistics/267132/total-damage-caused-by-by-cyber-crime-in-the-us/
[3] https://info.allot.com/CyberThreatReportQ22022_ContentDownloadLP.html
[Figure: Amount of monetary damage caused by reported cyber crime to the IC3 from 2001 to 2022 (in million U.S. dollars). Y-axis: total damage in million U.S. dollars. Worldwide; 2001 to 2022, excluding 2010; cybercrime reported to IC3. Sources: FBI; IC3; Statista 2023]
Ability to Analyze Internet Traffic
For this to work, the security solutions on the CPE must be able
to analyze incoming DNS requests. Until recently, this was the
case, because the requests consisted of plaintext DNS, which
CPE-based security solutions could inspect, filter and block, and
so could use to provide protection.
However, because DNS forms such a critical control point on
the internet – and given that it was the last major unencrypted
internet protocol – operators, browser vendors, operating
system manufacturers and others are increasingly routing the
transmission of queries over the internet as encrypted HTTPS
traffic to provide end-user data privacy.
Complications From Increased Encryption
of DNS
The increased awareness around privacy from internet
providers led to huge interest in DNS encryption in the recent
past, resulting in increased use of encrypted DNS with the DNS
over TLS (DoT) and DNS over HTTPS (DoH) protocols.
Due to this encryption of DNS requests, however, security
solutions are no longer able to analyze the internet traffic,
and therefore no longer provide adequate protection. This
significantly reduces options for ISPs to provide security based
on filtering DNS traffic. This also applies to security solutions
placed on the CPE.
If they cannot handle encrypted DNS, they are no longer
able to identify malicious traffic and protect users as usual.
DNSdist Enables Encrypted DNS on CPE
PowerDNS recognized the demand for additional privacy and
started offering DoH and DoT to enable encrypted DNS for ISPs
back in 2020. In addition, PowerDNS understands the challenge
of CPE-based security solutions and therefore extended the DNS
encryption capabilities by providing a solution for CPEs with
DNSdist 1.8.
DNSdist 1.8 brings DNS encryption with DNS over TLS (DoT)
and DNS over HTTPS (DoH) to CPEs and therefore allows for the
protection of the confidentiality and integrity of traffic in the first
mile of internet access.
Given the limitations of CPEs with their very few resources, in
order to allow DNSdist to run on this hardware, the memory
usage and CPU consumption of DNSdist were reduced
significantly for the typical ‘in-house’ use-case. DNSdist works
effectively with OpenWrt’s native configuration format (Unified
Configuration Interface), so that it is easy to set up DNSdist via
the usual interfaces, including the OpenWrt Web UI. In addition,
DNSdist provides DHCP integration, so that it can learn about
devices on the local network and provide native DNS resolution.
In addition, DNSdist 1.8 implements the ability to process
queries and responses in an asynchronous way by
suspending the query processing. Together with some further
improvements, this provides the necessary mechanisms for
an agent on the CPE to enable decision making for this specific
query, thus allowing for filtering on the CPE.
At PowerDNS, we are very excited about this development and
the possibilities it opens up. We believe that with this, DNSdist
will become an invaluable tool to have on routers, which will also
help further drive the adoption of encrypted DNS while keeping
security solutions and the protection of users viable.
With these developments, PowerDNS can work with CPE
manufacturers and solution providers to offer security and
encrypted DNS functionality on the router, close to the end-user.
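As an added illustration (not part of this PowerDNS document, and not a configuration shipped with DNSdist or OpenWrt), the following dnsdist Lua configuration sketches the CPE deployment described above: DoT and DoH listeners that terminate encryption on the router, an encrypted upstream for the ISP leg, and a local blocklist applied before the query leaves the home network. The LAN address, certificate paths, upstream resolver and blocklist names are assumptions, and the asynchronous agent hook mentioned in the text is not shown.

```lua
-- Added example: dnsdist on a CPE/OpenWrt router that terminates encrypted
-- DNS from LAN clients and filters queries before forwarding them.
-- Assumed values: LAN address 192.168.1.1, certificate/key paths,
-- upstream 9.9.9.9 (DoT on port 853) and the constructed blocklist names.

-- Only answer clients on the home LAN.
setACL({"192.168.1.0/24"})

-- Plain DNS for legacy devices, DoT (853) and DoH (443) for clients that
-- use encrypted transport. The certificate must be one the LAN clients
-- trust, e.g. issued for the router's hostname.
setLocal("192.168.1.1:53")
addTLSLocal("192.168.1.1:853", "/etc/dnsdist/cpe.crt", "/etc/dnsdist/cpe.key")
addDOHLocal("192.168.1.1:443", "/etc/dnsdist/cpe.crt", "/etc/dnsdist/cpe.key",
            {"/dns-query"})

-- The upstream leg is also DoT, so first mile and ISP leg are both
-- encrypted; validateCertificates pins the expected server name.
newServer({address="9.9.9.9:853", tls="openssl",
           subjectName="dns.quad9.net", validateCertificates=true})

-- Because the TLS/HTTPS session ends on the CPE, dnsdist still sees the
-- query name in clear and can log which LAN device asked for what.
addAction(AllRule(), LuaAction(function(dq)
  infolog("query for " .. dq.qname:toString() ..
          " from " .. dq.remoteaddr:toString())
  return DNSAction.None
end))

-- Local blocklist (constructed sample). A real deployment would load the
-- names from a feed pushed by the ISP or the security provider.
blocklist = newSuffixMatchNode()
blocklist:add("malware.example")
blocklist:add("phishing.example")

-- Answer blocked names (and all their subdomains) with NXDOMAIN so the
-- client never learns an address to connect to.
addAction(SuffixMatchNodeRule(blocklist), RCodeAction(DNSRCode.NXDOMAIN))
```

The same frontends can be enabled through OpenWrt's UCI as the text describes; this file is the equivalent hand-written dnsdist.conf.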
© PowerDNS.com B.V. The information contained herein is subject to
change without notice. PowerDNS shall not be liable for technical or
editorial errors or omissions contained herein. All other company and/or
product names may be trademarks or registered trademarks of their owners.
powerdns.com | [email protected]