Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

CISA Reminds Federal Agencies to Use Its DNS Service

A memorandum sent by the United States Cybersecurity and Infrastructure Security Agency (CISA) to Chief Information Officers (CIOs) at federal agencies reminds them to use EINSTEIN 3 Accelerated (E3A)’s Domain Name System (DNS) sinkholing capability for DNS resolution.

A memorandum sent by the United States Cybersecurity and Infrastructure Security Agency (CISA) to Chief Information Officers (CIOs) at federal agencies reminds them to use EINSTEIN 3 Accelerated (E3A)’s Domain Name System (DNS) sinkholing capability for DNS resolution.

Working as a phonebook for the Internet, DNS is what facilitates most communications, translating domain names into IP addresses. However, DNS is also often used as an attack vector, which is why it’s important that organizations don’t neglect DNS security.

In the United States, DNS resolution services provided by CISA are mandatory in most federal agencies in the executive branch. Otherwise, agencies no longer benefit from the provided cybersecurity protections, while CISA loses insight.

In the recently issued memo, CISA reminds agencies that their local DNS recursive resolvers should use its DNS service (E3A) as their primary (or ultimate) upstream DNS resolver.

“The vast majority of agencies already do this, but particularly in light of increased telework, we felt it worth reiterating. In most instances where agencies bypass our protections, the reasons for non-use are well-intentioned,” Bryan Ware, assistant director at CISA, points out.

In some cases, agencies employ other protections that CISA currently does not offer or does not support. The direct use of mobile devices and cloud infrastructure are some of these cases, while others include encrypted DNS resolution services such as DNS over HTTPS (DoH) and DNS over TLS (DoT).

E3A does not currently offer encrypted DNS resolution, but CISA plans to provide a DNS resolution service with support for DoH and DoT, which are already supported by various Internet organizations out there (including Mozilla and Google, which added DoH to Firefox and Chrome).

“CISA encourages efforts to make network communications encrypted by default. Doing so increases user security, making it harder for attackers to monitor and modify communication,” Christopher C. Krebs, the director of CISA, says.

Advertisement. Scroll to continue reading.

According to CISA, the approaches taken by Mozilla, Google, and others are “thoughtful, and can increase the security and privacy of their users.” Moreover, the agency believes that the use of encrypted DNS resolution will result in updates to how organizations protect users from malicious DNS traffic.

“Until DoH and DoT resolution services are available from CISA, set and enforce enterprise-wide policy for installed browsers to disable DoH use,” the memo reads.

CISA also recommends that agencies configure their local DNS recursive resolvers to utilize well-known public resolvers as fallback, such as those from Cisco (208.67.222.222 and 208.67.220.220), Cloudflare (1.1.1.1 and 1.0.0.1), Google (8.8.8.8 and 8.8.4.4), and Quad9 (9.9.9.9 and 149.112.112.112).

In addition to making recommendations, the memo reveals that CISA will provide reports on potential DNS traffic anomalies, and that it will evaluate the state of federal DNS security in six months, when it will also consider additional actions, if necessary.

Related: House Committee Passes Bills Improving CISA Leadership and Authority

Related: Patching Pulse Secure VPN Not Enough to Keep Attackers Out, CISA Warns

Related: CISA Announces Open Source Post-Election Auditing Tool

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Shane Barney has been appointed CISO of password management and PAM solutions provider Keeper Security.

Edge Delta has appointed Joan Pepin as its Chief Information Security Officer.

Vats Srivatsan has been appointed interim CEO of WatchGuard after Prakash Panjwani stepped down.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.