A memorandum sent by the United States Cybersecurity and Infrastructure Security Agency (CISA) to Chief Information Officers (CIOs) at federal agencies reminds them to use EINSTEIN 3 Accelerated (E3A)’s Domain Name System (DNS) sinkholing capability for DNS resolution.
Working as a phonebook for the Internet, DNS is what facilitates most communications, translating domain names into IP addresses. However, DNS is also often used as an attack vector, which is why it’s important that organizations don’t neglect DNS security.
In the United States, DNS resolution services provided by CISA are mandatory in most federal agencies in the executive branch. Otherwise, agencies no longer benefit from the provided cybersecurity protections, while CISA loses insight.
In the recently issued memo, CISA reminds agencies that their local DNS recursive resolvers should use its DNS service (E3A) as their primary (or ultimate) upstream DNS resolver.
“The vast majority of agencies already do this, but particularly in light of increased telework, we felt it worth reiterating. In most instances where agencies bypass our protections, the reasons for non-use are well-intentioned,” Bryan Ware, assistant director at CISA, points out.
In some cases, agencies employ other protections that CISA currently does not offer or does not support. The direct use of mobile devices and cloud infrastructure are some of these cases, while others include encrypted DNS resolution services such as DNS over HTTPS (DoH) and DNS over TLS (DoT).
E3A does not currently offer encrypted DNS resolution, but CISA plans to provide a DNS resolution service with support for DoH and DoT, which are already supported by various Internet organizations out there (including Mozilla and Google, which added DoH to Firefox and Chrome).
“CISA encourages efforts to make network communications encrypted by default. Doing so increases user security, making it harder for attackers to monitor and modify communication,” Christopher C. Krebs, the director of CISA, says.
According to CISA, the approaches taken by Mozilla, Google, and others are “thoughtful, and can increase the security and privacy of their users.” Moreover, the agency believes that the use of encrypted DNS resolution will result in updates to how organizations protect users from malicious DNS traffic.
“Until DoH and DoT resolution services are available from CISA, set and enforce enterprise-wide policy for installed browsers to disable DoH use,” the memo reads.
CISA also recommends that agencies configure their local DNS recursive resolvers to utilize well-known public resolvers as fallback, such as those from Cisco (22.214.171.124 and 126.96.36.199), Cloudflare (188.8.131.52 and 184.108.40.206), Google (220.127.116.11 and 18.104.22.168), and Quad9 (22.214.171.124 and 126.96.36.199).
In addition to making recommendations, the memo reveals that CISA will provide reports on potential DNS traffic anomalies, and that it will evaluate the state of federal DNS security in six months, when it will also consider additional actions, if necessary.