Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

CISA Reminds Federal Agencies to Use Its DNS Service

A memorandum sent by the United States Cybersecurity and Infrastructure Security Agency (CISA) to Chief Information Officers (CIOs) at federal agencies reminds them to use EINSTEIN 3 Accelerated (E3A)’s Domain Name System (DNS) sinkholing capability for DNS resolution.

A memorandum sent by the United States Cybersecurity and Infrastructure Security Agency (CISA) to Chief Information Officers (CIOs) at federal agencies reminds them to use EINSTEIN 3 Accelerated (E3A)’s Domain Name System (DNS) sinkholing capability for DNS resolution.

Working as a phonebook for the Internet, DNS is what facilitates most communications, translating domain names into IP addresses. However, DNS is also often used as an attack vector, which is why it’s important that organizations don’t neglect DNS security.

In the United States, DNS resolution services provided by CISA are mandatory in most federal agencies in the executive branch. Otherwise, agencies no longer benefit from the provided cybersecurity protections, while CISA loses insight.

In the recently issued memo, CISA reminds agencies that their local DNS recursive resolvers should use its DNS service (E3A) as their primary (or ultimate) upstream DNS resolver.

“The vast majority of agencies already do this, but particularly in light of increased telework, we felt it worth reiterating. In most instances where agencies bypass our protections, the reasons for non-use are well-intentioned,” Bryan Ware, assistant director at CISA, points out.

In some cases, agencies employ other protections that CISA currently does not offer or does not support. The direct use of mobile devices and cloud infrastructure are some of these cases, while others include encrypted DNS resolution services such as DNS over HTTPS (DoH) and DNS over TLS (DoT).

E3A does not currently offer encrypted DNS resolution, but CISA plans to provide a DNS resolution service with support for DoH and DoT, which are already supported by various Internet organizations out there (including Mozilla and Google, which added DoH to Firefox and Chrome).

“CISA encourages efforts to make network communications encrypted by default. Doing so increases user security, making it harder for attackers to monitor and modify communication,” Christopher C. Krebs, the director of CISA, says.

According to CISA, the approaches taken by Mozilla, Google, and others are “thoughtful, and can increase the security and privacy of their users.” Moreover, the agency believes that the use of encrypted DNS resolution will result in updates to how organizations protect users from malicious DNS traffic.

“Until DoH and DoT resolution services are available from CISA, set and enforce enterprise-wide policy for installed browsers to disable DoH use,” the memo reads.

CISA also recommends that agencies configure their local DNS recursive resolvers to utilize well-known public resolvers as fallback, such as those from Cisco (208.67.222.222 and 208.67.220.220), Cloudflare (1.1.1.1 and 1.0.0.1), Google (8.8.8.8 and 8.8.4.4), and Quad9 (9.9.9.9 and 149.112.112.112).

In addition to making recommendations, the memo reveals that CISA will provide reports on potential DNS traffic anomalies, and that it will evaluate the state of federal DNS security in six months, when it will also consider additional actions, if necessary.

Related: House Committee Passes Bills Improving CISA Leadership and Authority

Related: Patching Pulse Secure VPN Not Enough to Keep Attackers Out, CISA Warns

Related: CISA Announces Open Source Post-Election Auditing Tool

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Funding/M&A

Twenty-one cybersecurity-related M&A deals were announced in December 2022.