Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

NSA Publishes Guidance for Enterprises on Adoption of Encrypted DNS

The National Security Agency (NSA) on Wednesday published guidance for businesses on the adoption of an encrypted domain name system (DNS) protocol, specifically DNS over HTTPS.

The National Security Agency (NSA) on Wednesday published guidance for businesses on the adoption of an encrypted domain name system (DNS) protocol, specifically DNS over HTTPS.

Designed to translate the domain names included in URLs into IP addresses, for an easier navigation of the Internet, DNS has become a popular attack vector, mainly because requests and responses are transmitted in plaintext.

DNS over HTTPS, or DoH, aims to address this shortcoming by sending DNS requests over HTTPS, encrypted, and thus protecting traffic between a client and a DNS resolver. DoH improves privacy and integrity, preventing eavesdropping and DNS traffic manipulation, and is enjoying increasing adoption among enterprises.

To ensure they can continue to govern DNS usage within their networks, enterprises need to allow only for a specific DoH resolver to be used. The use of DNS controls within enterprise environments can prevent techniques that threat actors use for initial access, data exfiltration, or command and control.

“Using DoH with external resolvers can be good for home or mobile users and networks that do not use DNS security controls. For enterprise networks, however, NSA recommends using only designated enterprise DNS resolvers in order to properly leverage essential enterprise cybersecurity defenses, facilitate access to local network resources, and protect internal network information,” the NSA notes.

Enterprises can use either own-operated DNS servers or external services, but support for encrypted DNS requests such as DoH is crucial for ensuring local privacy and integrity protections, NSA notes. The agency also recommends disabling other encrypted DNS resolvers and ensuring that all DNS traffic, either encrypted or not, is sent to the designated enterprise DNS resolver only.

“However, if the enterprise DNS resolver does not support DoH, the enterprise DNS resolver should still be used and all encrypted DNS should be disabled and blocked until encrypted DNS capabilities can be fully integrated into the enterprise DNS infrastructure,” the agency explains.

The newly published NSA guidance not only provides information on how DNS and DoH work, but also details the purpose behind the DoH design, as well as why enterprise networks should be appropriately configured to add benefits to DNS security controls.

Advertisement. Scroll to continue reading.

By applying the provided recommendations, the NSA says, enterprise network owners and admins can balance privacy and governance when it comes to DNS.

Related: CISA Reminds Federal Agencies to Use Its DNS Service

Related: Firefox Gets DNS-over-HTTPS as Default in U.S.

Related: Identifying DNS-Over-HTTPS Traffic Without Decryption Possible: Researcher

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.