Windows 10 News and info | Forum
Author Topic: NSA advises companies to avoid third party DNS resolvers  (Read 34 times)
javajolt
« on: January 15, 2021, 02:05:18 PM »

The US National Security Agency (NSA) says that companies should avoid using third party DNS resolvers to block threat actors' DNS traffic eavesdropping and manipulation attempts and to block access to internal network information.

NSA's recommendation was made in a new advisory on the benefits (and risks) of using DNS over HTTPS (DoH) in enterprise environments, an encrypted domain name system (DNS) protocol that blocks unauthorized access to the DNS traffic between clients and DNS resolvers.

"NSA recommends that an enterprise network’s DNS traffic, encrypted or not, be sent only to the designated enterprise DNS resolver," the US intelligence agency said.

"This ensures proper use of essential enterprise security controls, facilitates access to local network resources, and protects internal network information."

Block third-party DNS services

Companies are advised to use their own enterprise-operated DNS servers or externally hosted services with built-in support for encrypted DNS requests such as DoH.

"However, if the enterprise DNS resolver does not support DoH, the enterprise DNS resolver should still be used and all encrypted DNS should be disabled and blocked until encrypted DNS capabilities can be fully integrated into the enterprise DNS infrastructure," the NSA added [PDF].

The NSA urges enterprise network administrators to disable and block all other DNS services besides their organizations' dedicated ones.

Network admins who disable DoH on their networks are also recommended to block "known DoH resolver IP addresses and domains" to prevent clients from using their own DoH resolvers instead of the DHCP-assigned DNS resolver.

The agency's advisory also provides additional details on the purpose of DoH and the importance of correctly configuring it to augment enterprise DNS security controls.

"We are releasing this guidance to our NSS, DIB, and DoD partners to help them manage encrypted DNS as it is automatically enabled by more applications, as part of our continuous efforts to provide timely, actionable, and relevant cybersecurity guidance," Neal Ziring, Technical Director at NSA, told BleepingComputer.

"Encrypted DNS features are becoming more widely supported in commercial products, and our customers need to understand the technology and potential trade-offs."

US government agencies also told to avoid third-party resolvers

Last year, US government agencies' CIOs were recommended to disable third-party encrypted DNS services until an official DNS resolution service with DoH and DNS over TLS (DoT) support became available.

CISA also reminded that agencies are legally required to use the EINSTEIN 3 Accelerated (E3A) DNS service on all devices connected to federal agency networks as the primary (or ultimate) upstream DNS resolver for all local DNS recursive resolvers.

Until a DNS resolution service with DoH and DoT support was made available, federal agencies were also recommended to "set and enforce enterprise-wide policy (e.g., Group Policy Objects [GPO] for Windows environments) for installed browsers to disable DoH use."

DoH allows DNS resolution requests over encrypted HTTPS connections, while DoT encrypts and wraps all DNS queries using the Transport Layer Security (TLS) protocol instead of using insecure plain text DNS lookups.

"The 'Adopting Encrypted DNS in Enterprise Environments' Cybersecurity Information Sheet provides National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) network administrators guidance on proper network configuration for handling encrypted domain name system traffic," Ziring added.

"NSA recommends customer enterprise network owners and administrators follow the guidance as detailed in the information sheet."

Source: BleepingComputer
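The advisory's enforcement point is that every DNS query, plain or encrypted, should terminate at the designated enterprise resolver, and that known DoH resolver addresses and domains should be blocked. The script below is an added illustration of how a network team might audit for that, not code from the post, from BleepingComputer or from the NSA sheet. It assumes a constructed key=value flow-log format, constructed internal resolver addresses (10.0.0.53, 10.0.1.53) and a small illustrative sample of publicly known encrypted-DNS resolver hostnames; a real deployment would take that list from a maintained blocklist.

```python
"""Audit flow-log lines for DNS traffic that bypasses the enterprise resolver.

Four signals are checked, mirroring the advisory's guidance:
  1. plain DNS (port 53) sent anywhere but the enterprise resolvers
  2. DoT (port 853) to an external host
  3. TLS to port 443 whose SNI is a known public DoH resolver
  4. a lookup of a known DoH resolver hostname (the client's first step before
     switching to DoH; the place to answer with NXDOMAIN or a block page)
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed: the resolvers DHCP hands out on this enterprise network.
ENTERPRISE_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Illustrative sample of publicly known DoH/DoT resolver hostnames.
# Assumption: production feeds this set from a maintained blocklist.
KNOWN_ENCRYPTED_DNS_HOSTS = {
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
}

# Constructed sample log: "<timestamp> key=value key=value ..."
SAMPLE_LOG = """\
2021-01-15T14:05:18Z src=10.0.5.21 dst=10.0.0.53 dport=53 proto=udp qname=intranet.example.local
2021-01-15T14:05:19Z src=10.0.5.21 dst=10.0.0.53 dport=53 proto=udp qname=dns.google
2021-01-15T14:05:20Z src=10.0.5.21 dst=8.8.8.8 dport=443 proto=tcp sni=dns.google
2021-01-15T14:05:21Z src=10.0.5.44 dst=8.8.8.8 dport=53 proto=udp qname=example.com
2021-01-15T14:05:22Z src=10.0.5.44 dst=1.1.1.1 dport=853 proto=tcp
2021-01-15T14:05:23Z src=10.0.5.60 dst=10.0.1.53 dport=853 proto=tcp
2021-01-15T14:05:24Z src=10.0.5.60 dst=203.0.113.10 dport=443 proto=tcp sni=www.example.com
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    dst: str
    reason: str


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed log line into a dict of its key=value fields."""
    ts, _, rest = line.strip().partition(" ")
    fields = {"ts": ts}
    for token in rest.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def matches_known_host(name: str) -> bool:
    """True if name is, or is a subdomain of, a known encrypted-DNS resolver."""
    name = name.lower().rstrip(".")
    return any(name == h or name.endswith("." + h) for h in KNOWN_ENCRYPTED_DNS_HOSTS)


def evaluate(rec: Dict[str, str]) -> Optional[Finding]:
    """Apply the four policy checks to one parsed record; None means compliant."""
    dst = rec.get("dst", "")
    dport = int(rec.get("dport", "0"))
    client = rec.get("src", "?")
    external = dst not in ENTERPRISE_RESOLVERS
    if dport == 53 and external:
        return Finding(rec["ts"], client, dst, "plain DNS to non-enterprise resolver")
    if dport == 853 and external:
        return Finding(rec["ts"], client, dst, "DoT to external resolver")
    sni = rec.get("sni")
    if dport == 443 and external and sni and matches_known_host(sni):
        return Finding(rec["ts"], client, dst, f"DoH to known public resolver ({sni})")
    qname = rec.get("qname")
    if qname and matches_known_host(qname):
        return Finding(rec["ts"], client, dst, f"lookup of known DoH resolver name ({qname})")
    return None


def audit(lines) -> List[Finding]:
    """Run evaluate() over every non-empty, non-comment log line."""
    findings = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        finding = evaluate(parse_line(line))
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per client so the noisiest hosts surface first."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.client] = counts.get(f.client, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.client} -> {f.dst}: {f.reason}")
    print("per-client:", summarize(audit(SAMPLE_LOG.splitlines())))
```

In the sample, the DoT session to 10.0.1.53 is accepted because the enterprise resolver is the endpoint, which is exactly the case the advisory allows once encrypted DNS is integrated into the enterprise infrastructure; the same session to 1.1.1.1 is flagged. The qname check is the cheapest control of the four: if the enterprise resolver refuses to resolve the DoH provider's name, a browser that is not already pinned to an IP never gets as far as the TLS connection.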