
NSA advises companies to avoid third party DNS resolvers


mood


The US National Security Agency (NSA) says that companies should avoid using third party DNS resolvers to block threat actors' DNS traffic eavesdropping and manipulation attempts and to block access to internal network information.


NSA's recommendation was made in a new advisory on the benefits (and risks) of using DNS over HTTPS (DoH) in enterprise environments, an encrypted domain name system (DNS) protocol that blocks unauthorized access to the DNS traffic between clients and DNS resolvers.

"NSA recommends that an enterprise network’s DNS traffic, encrypted or not, be sent only to the designated enterprise DNS resolver," the US intelligence agency said.

"This ensures proper use of essential enterprise security controls, facilitates access to local network resources, and protects internal network information."

Block third-party DNS services

Companies are suggested to use their own enterprise-operated DNS servers or externally hosted services with built-in support for encrypted DNS requests such as DoH.

"However, if the enterprise DNS resolver does not support DoH, the enterprise DNS resolver should still be used and all encrypted DNS should be disabled and blocked until encrypted DNS capabilities can be fully integrated into the enterprise DNS infrastructure," the NSA added [PDF].


The NSA urges enterprise network administrators to disable and block all other DNS services besides their organizations' dedicated ones.


Network admins who disable DoH on their networks are also recommended to block "known DoH resolver IP addresses and domains" to stop clients from using their own DoH resolvers instead of the DHCP-assigned DNS resolver.

The agency's advisory also provides additional details on the purpose of DoH and the importance of correctly configuring it to augment enterprise DNS security controls.

"We are releasing this guidance to our NSS, DIB, and DoD partners to help them manage encrypted DNS as it is automatically enabled by more applications, as part of our continuous efforts to provide timely, actionable, and relevant cybersecurity guidance," Neal Ziring, Technical Director at NSA, told BleepingComputer.

"Encrypted DNS features are becoming more widely supported in commercial products, and our customers need to understand the technology and potential trade-offs."


Today’s #cybersecurity release recommends how enterprises can adopt the encrypted DNS protocol DoH without sacrificing security control. Network owners and admins must understand the benefits/risks before adopting. Read more: https://t.co/qkKzckcltw

— NSA Cyber (@NSACyber) January 14, 2021

US government agencies also told to avoid third-party resolvers

Last year, US government agencies' CIOs were recommended to disable third-party encrypted DNS services until an official DNS resolution service with DoH and DNS over TLS (DoT) support was available.

CISA also reminded agencies that they are legally required to use the EINSTEIN 3 Accelerated (E3A) DNS service on all devices connected to federal agency networks as the primary (or ultimate) upstream DNS resolver for all local DNS recursive resolvers.

Until a DNS resolution service with DoH and DoT support was made available, federal agencies were also recommended to "set and enforce enterprise-wide policy (e.g., Group Policy Objects [GPO] for Windows environments) for installed browsers to disable DoH use."


DoH allows DNS resolution requests over encrypted HTTPS connections, while DoT will encrypt and wrap all DNS queries using the Transport Layer Security (TLS) protocol instead of using insecure plain text DNS lookups.

"The 'Adopting Encrypted DNS in Enterprise Environments' Cybersecurity Information Sheet provides National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) network administrators guidance on proper network configuration for handling encrypted domain name system traffic," Ziring added.

"NSA recommends customer enterprise network owners and administrators follow the guidance as detailed in the information sheet."


Source: NSA advises companies to avoid third party DNS resolvers
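As an added example that is not part of the original post or of NSA's guidance: a small audit over constructed DNS and connection log lines that flags the two things the advisory says to block, DNS sent to any resolver other than the DHCP-assigned enterprise one, and client attempts to reach known public DoH resolver domains or IP addresses (including the plaintext "bootstrap" lookup a client makes for the DoH hostname before switching to it). The enterprise resolver address, the log formats and the short DoH endpoint list are assumptions made for this example.

```python
import re

# Constructed for this example: the resolver address handed out by DHCP.
ENTERPRISE_RESOLVERS = {"10.0.0.53"}
# Short illustrative list of public DoH endpoints; not authoritative, keep it current.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
KNOWN_DOH_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

# Constructed log formats:  dns <client> <resolver_ip> <qname>
#                           conn <client> <dst_ip>:<dst_port> <tls_sni or ->
DNS_RE = re.compile(r"^dns (\S+) (\S+) (\S+)$")
CONN_RE = re.compile(r"^conn (\S+) (\S+):(\d+) (\S+)$")


def is_doh_host(name):
    """True if name is a known DoH endpoint or a subdomain of one."""
    name = name.rstrip(".").lower()
    return any(name == h or name.endswith("." + h) for h in KNOWN_DOH_HOSTS)


def audit(lines):
    """Return (client, reason) findings for traffic bypassing the enterprise resolver."""
    findings = []
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            client, resolver, qname = m.groups()
            if resolver not in ENTERPRISE_RESOLVERS:  # plaintext DNS sent elsewhere
                findings.append((client, f"dns to non-enterprise resolver {resolver}"))
            if is_doh_host(qname):  # client resolving a DoH endpoint before using it
                findings.append((client, f"bootstrap lookup for DoH host {qname}"))
            continue
        m = CONN_RE.match(line)
        if m:
            client, dst, port, sni = m.groups()
            if port == "443" and (dst in KNOWN_DOH_IPS or is_doh_host(sni)):
                findings.append((client, f"https to DoH endpoint {dst if sni == '-' else sni}"))
    return findings


# Constructed sample: normal lookup, plaintext bypass, DoH bootstrap plus the DoH
# session it leads to, a DoH session to an IP literal without SNI, ordinary HTTPS.
SAMPLE_LOG = [
    "dns 10.1.4.20 10.0.0.53 intranet.example.internal",
    "dns 10.1.4.21 8.8.8.8 example.com",
    "dns 10.1.4.22 10.0.0.53 chrome.cloudflare-dns.com",
    "conn 10.1.4.22 1.1.1.1:443 chrome.cloudflare-dns.com",
    "conn 10.1.4.23 1.1.1.1:443 -",
    "conn 10.1.4.24 198.51.100.7:443 example.com",
]
```

Running `audit(SAMPLE_LOG)` reports the plaintext bypass, the bootstrap lookup and both DoH sessions while leaving the ordinary HTTPS connection alone; a DoH session to an IP literal with no SNI is caught only by the IP list, which is why the advisory asks for both domains and addresses to be blocked.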


The US National Security Agency has published today a guide on the benefits and risks of encrypted DNS protocols, such as DNS-over-HTTPS (DoH), which have become widely used over the past two years.


The US cybersecurity agency warns that while technologies like DoH can encrypt and hide user DNS queries from network observers, they also have downsides when used inside corporate networks.

"DoH is not a panacea," the NSA said in a security advisory [PDF] published today, claiming that the use of the protocol gives companies a false sense of security, echoing many of the arguments presented in a ZDNet feature on DoH in October 2019.

The NSA said that DoH does not fully prevent threat actors from seeing a user's traffic and that when deployed inside networks, it can be used to bypass many security tools that rely on sniffing classic (plaintext) DNS traffic to detect threats.

Furthermore, the NSA argues that many of today's DoH-capable DNS resolver servers are also externally hosted, outside of the company's control and ability to audit.

NSA: USE YOUR OWN DOH RESOLVERS, NOT FROM THIRD-PARTIES

The NSA urges companies to avoid using encrypted DNS technologies inside their own networks, or at least use a DoH-capable DNS resolver server that is hosted internally and under their control.

Moreover, the NSA argues that this same advice should also be applied to classic DNS servers, not just encrypted/DoH ones.


"NSA recommends that an enterprise network's DNS traffic, encrypted or not, be sent only to the designated enterprise DNS resolver," the agency said.

"This ensures proper use of essential enterprise security controls, facilitates access to local network resources, and protects internal network information.

"All other DNS resolvers should be disabled and blocked," the security agency said.

Read Here



NSA: DNS over HTTPS Provides “False Sense of Security”


The US National Security Agency (NSA) has warned enterprises that adoption of encrypted DNS services can lead to a false sense of security and even disrupt their own DNS-monitoring tools.


DNS over HTTPS (DoH) has become an increasingly popular way to improve privacy and integrity by protecting DNS traffic between a client and a DNS resolver from unauthorized access. This can help to prevent eavesdropping and manipulation of DNS traffic.


However, although such services are useful for home and mobile users and networks not using DNS controls, they are not recommended for most enterprises, the US security agency claimed in a new report.


DoH is “not a panacea,” as it doesn’t guarantee that threat actors can’t see where a client is going on the web, said the NSA.

“DoH is specifically designed to encrypt only the DNS transaction between the client and resolver, not any other traffic that happens after the query is satisfied,” the report noted.

“While this allows clients to privately obtain an IP address based on a domain name, there are other ways cyber-threat actors can determine information without reading the DNS request directly, such as monitoring the connection a client makes after the DNS request.”


Moreover, DoH can actually impair network monitoring tools designed to spot suspicious activity in DNS traffic.

“DoH encrypts the DNS traffic, which prevents enterprises from monitoring DNS with these network-based tools unless they are breaking and inspecting TLS traffic. If DoH is used with the enterprise resolver, then inspection can still occur at the resolver or using resolver logs,” the report continued.


“However, if external DoH resolvers are not blocked and DoH is enabled on the user’s browser or OS to use a different resolver, there could be issues gaining visibility into that encrypted DNS traffic.”


Malware can also use DoH to hide its C&C communications traffic, the NSA warned.


The agency urged enterprises that use monitoring tools to avoid using DoH inside their networks.


Source: NSA: DNS over HTTPS Provides “False Sense of Security”
