NSA Advises Companies To Avoid Third Party DNS Resolvers

The US National Security Agency (NSA) says that companies should avoid using third party DNS resolvers to block threat actors’ DNS traffic eavesdropping and manipulation attempts and to block access to internal network information.

NSA’s recommendation was made in a new advisory on the benefits (and risks) of using DNS over HTTPS (DoH) in enterprise environments, an encrypted domain name system (DNS) protocol that blocks unauthorized access to the DNS traffic between clients and DNS resolvers.

“NSA recommends that an enterprise network’s DNS traffic, encrypted or not, be sent only to the designated enterprise DNS resolver,” the US intelligence agency said.

“This ensures proper use of essential enterprise security controls, facilitates access to local network resources, and protects internal network information.”

Also Read: Limiting Location Data Exposure: 8 Best Practices

Block third-party DNS services

Companies are suggested to use their own enterprise-operated DNS servers or externally hosted services with built-in support for encrypted DNS requests such as DoH.

“However, if the enterprise DNS resolver does not support DoH, the enterprise DNS resolver should still be used and all encrypted DNS should be disabled and blocked until encrypted DNS capabilities can be fully integrated into the enterprise DNS infrastructure,” the NSA added [PDF].

The NSA urges enterprise network administrators to disable and block all other DNS services besides their organizations’ dedicated ones.

Network admins who disable DoH on their networks are also recommended to block “known DoH resolver IP addresses and domains” to block client attempts from using their own DoH resolvers instead of the DHCP-assigned DNS resolver.

The agency’s advisory also provides additional details on the purpose of DoH and the importance of correctly configuring it to augment enterprise DNS security controls.

“We are releasing this guidance to our NSS, DIB, and DoD partners to help them manage encrypted DNS as it is automatically enabled by more applications, as part of our continuous efforts to provide timely, actionable, and relevant cybersecurity guidance,” Neal Ziring, Technical Director at NSA, told BleepingComputer.

“Encrypted DNS features are becoming more widely supported in commercial products, and our customers need to understand the technology and potential trade-offs.”

US government agencies also told to avoid third-party resolvers

Last year, US government agencies’ CIOs were recommended to disable third-party encrypted DNS services until an official DNS resolution service with DoH and DNS over TLS (DoT) support would be available.

CISA also reminded that agencies are legally required to use the EINSTEIN 3 Accelerated (E3A) DNS service on all devices connected to federal agency networks as the primary (or ultimate) upstream DNS resolver for all local DNS recursive resolvers.

Until a DNS resolution service with DoH and DoT support was made available, federal agencies were also recommended to “set and enforce enterprise-wide policy (e.g., Group Policy Objects [GPO] for Windows environments) for installed browsers to disable DoH use.”

DoH allows DNS resolution requests over encrypted HTTPS connections, while DoT will encrypt and wrap all DNS queries using the Transport Layer Security (TLS) protocol instead of using insecure plain text DNS lookups.

“The ‘Adopting Encrypted DNS in Enterprise Environments’ Cybersecurity Information Sheet provides National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) network administrators guidance on proper network configuration for handling encrypted domain name system traffic,” Ziring added.

Also Read: 10 Practical Benefits of Managed IT Services

“NSA recommends customer enterprise network owners and administrators follow the guidance as detailed in the information sheet.”