US government agencies’ chief information officers were advised today to disable third-party encrypted DNS services until an official DNS resolution service with DNS over HTTPS (DoH) and DNS over TLS (DoT) support is ready.
Until then, agencies were reminded that they are legally required to use the EINSTEIN 3 Accelerated (E3A) DNS service on devices connected to federal agency networks, although the Cybersecurity and Infrastructure Security Agency (CISA) encourages vendors’ current efforts to make network traffic encryption the default choice for users.
E3A provides a DNS sinkholing service, which automatically protects users by blocking their access to malicious infrastructure by overriding public DNS records identified as harmful. This DNS resolver service also provides CISA with “insight into DNS requests made from agency networks.”
DoH allows DNS resolution requests over encrypted HTTPS connections, while DoT encrypts and wraps all DNS queries via the Transport Layer Security (TLS) protocol instead of using insecure plain text DNS lookups.
Requirements and recommendations
According to a memorandum sent today by CISA Director Christopher C. Krebs, government agencies are required to set E3A as the primary (or ultimate) upstream DNS resolver for all local DNS recursive resolvers.
Among several recommendations, US govt agencies are advised to configure fallback upstream DNS resolvers using public resolvers such as the ones provided by Cloudflare, Google, Quad9, or Cisco, with the note that agencies should inform CISA of their choice so that the agency can more accurately understand traffic on their networks.
Until a DNS resolution service with support for DoH and DoT is provided by CISA, federal agencies are also recommended to “set and enforce enterprise-wide policy (e.g., Group Policy Objects [GPO] for Windows environments) for installed browsers to disable DoH use.”
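For administrators who need to apply or audit the browser policy the memo describes on hosts not yet covered by a GPO, the following PowerShell script is an added example (not part of the memo or this article). It writes the policy registry values that turn off DoH in Chrome, Edge and Firefox and then reports whether each value is in place; the paths and value names are taken from the vendors’ published policy templates and should be checked against the browser versions deployed in your environment.

```powershell
# Added example (not from the CISA memo or the article): apply and audit the
# browser policy values that disable DoH, for hosts not yet covered by a GPO.
# Registry paths and value names follow the vendors' published policy templates;
# confirm them against the browser versions deployed in your environment.

$Policies = @(
    # Chrome: DnsOverHttpsMode = "off" disables DoH regardless of the upstream resolver.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';    Name = 'DnsOverHttpsMode'; Value = 'off'; Type = 'String' },
    # Edge (Chromium-based) uses the same policy name.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge';   Name = 'DnsOverHttpsMode'; Value = 'off'; Type = 'String' },
    # Firefox: Enabled = 0 turns DoH off; Locked = 1 stops users re-enabling it in Network Settings.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS'; Name = 'Enabled'; Value = 0; Type = 'DWord' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS'; Name = 'Locked';  Value = 1; Type = 'DWord' }
)

function Set-DohDisabledPolicy {
    # Creates each policy key if missing and writes the value (needs an elevated session).
    foreach ($p in $Policies) {
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        New-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Value -PropertyType $p.Type -Force | Out-Null
    }
}

function Test-DohDisabledPolicy {
    # Returns one object per policy value with its current state, so the result can be
    # fed into a compliance report instead of being read off the console.
    foreach ($p in $Policies) {
        $current = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        [pscustomobject]@{
            Vendor    = ($p.Path -split '\\')[3]   # Google, Microsoft or Mozilla
            Setting   = $p.Name
            Expected  = $p.Value
            Actual    = $current
            Compliant = ($null -ne $current) -and ("$current" -eq "$($p.Value)")
        }
    }
}

Set-DohDisabledPolicy
Test-DohDisabledPolicy | Format-Table -AutoSize
```

Values written this way are overwritten by a Group Policy Object once the host falls under one, so the audit function is the part worth keeping in a scheduled compliance check.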
NEW: As the federal government’s #cyber adviser, we’ve issued a memo to remind federal agencies of their responsibilities concerning Domain Name System (#DNS) service. Read more: https://t.co/mkcUV7g1cL
— Cybersecurity and Infrastructure Security Agency (@CISAgov) April 30, 2020
“CISA encourages efforts to make network communications encrypted by default. Doing so increases user security, making it harder for attackers to monitor and modify communication,” Director Krebs said.
“DoH and DoT add desirable security features to DNS resolution; however, federal agencies that use DNS resolvers other than E3A lose the protection that defensive DNS filtering provides, and E3A does not currently offer encrypted DNS resolution.
“CISA intends to offer a DNS resolution service that supports DoH and DoT in time. Until then, agencies must use E3A for DNS resolution.”
Encrypted DNS rollout, trials, and future plans
Mozilla has already rolled out DNS-over-HTTPS by default to all Firefox users in the U.S. starting February 25, 2020, using Cloudflare as the DNS provider, with users still able to switch to NextDNS or another custom provider from Firefox’s network options.
Google is also running a limited DoH trial on all supported platforms other than Linux and iOS starting with the release of Chrome 79. Unlike Mozilla, Google will not change the DNS provider but will instead upgrade Chrome’s DNS resolution protocol only for default providers with DoH support.
Microsoft also announced in mid-November 2019 that it will add DoH support to the Windows DNS client in a future Windows 10 release, with plans to upgrade the protocol to encrypted DNS only for default providers that offer this feature.
“There is an assumption by many that DNS encryption requires DNS centralization. This is only true if encrypted DNS adoption isn’t universal,” Microsoft said at the time.
“To keep the DNS decentralized, it will be important for client operating systems (such as Windows) and Internet service providers alike to widely adopt encrypted DNS.”