US government agencies’ chief information officers were advised today to disable third-party encrypted DNS services until an official DNS resolution service with DNS over HTTPS (DoH) and DNS over TLS (DoT) support is ready.

Until then, agencies were reminded that they are legally required to use the EINSTEIN 3 Accelerated (E3A) DNS service on devices connected to federal agency networks, although the Cybersecurity and Infrastructure Security Agency (CISA) encourages vendors’ current efforts to make network traffic encryption the default choice for users.

E3A provides a DNS sinkholing service, which automatically protects users by blocking their access to malicious infrastructure by