The Cybersecurity and Infrastructure Security Agency's (CISA) Encrypted DNS Implementation Guidance explains how government agencies can adopt encrypted Domain Name System (DNS) protocols to improve their security posture, and walks through how to do so.
This advice is in line with Office of Management and Budget (OMB) Memorandum M-22-09, which established a “zero trust” cybersecurity plan for departments of the federal civilian executive branch (FCEB).
Executive summary
This document, published in April 2024, details how federal agencies must meet federal requirements for encryption of DNS data.
M-22-09 and 6 USC § 663 Note require agencies to use CISA's Protective DNS service for all outbound DNS resolution.
These guidelines help government network professionals protect their DNS infrastructure using the latest technology tools.
OMB released Memorandum M-22-09, Federal Zero Trust Strategy, on January 26, 2022, in support of Executive Order 14028, Improving the Nation's Cybersecurity.
The plan calls for all DNS traffic within FCEB institutions to be encrypted by FY24. The purpose of this document is to enable government agencies to use encrypted DNS protocols that align with these Zero Trust concepts.
Agency introduction checklist
The guidance lists the key requirements and recommended practices for encrypting DNS traffic and for using CISA's Protective DNS for upstream DNS resolution.
Configuring your agency's DNS infrastructure to support encrypted DNS protocols is one of the most important points.
- Configure the agency's DNS infrastructure to support encrypted DNS protocols.
- Use Secure DNS as your upstream provider.
- Disable DNS root hints and other mechanisms that can bypass secure DNS.
- Configure your SASE/SSE solution to send DNS queries for all devices over encrypted protocols.
- Verify that on-premises and roaming endpoints use approved DNS configurations.
Phased implementation
Given the complexity of migrating to encrypted DNS, the guidance recommends a phased approach.
- Use secure DNS: Configure your internal DNS infrastructure to use secure DNS.
- Block unauthorized DNS traffic: Configure your network to block unauthorized DNS traffic.
- Encrypt DNS traffic using Secure DNS: Use encrypted DNS when communicating with secure DNS.
- Encrypt DNS for roaming and nomadic endpoints: Configure the endpoint to use the SASE/SSE solution for DNS requests.
- Encrypt DNS traffic in cloud deployments: Configure your cloud deployment to use encrypted DNS.
- Encrypt DNS traffic for on-premises endpoints: Enable encrypted DNS protocols on on-premises endpoints.
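The checklist and the phases above both come down to one verifiable condition: every DNS query leaves the agency only through an approved resolver, and the resolver-to-upstream hop is encrypted. The script below is an added example, not part of the CISA guidance or this article, showing how a network team could audit that condition against flow logs. The log format, the resolver addresses (documentation ranges), the placeholder DoH host and the severity policy are all assumptions made for the example.

```python
"""Audit DNS-looking flows against an encrypted-DNS egress policy.

Added example: the log format, addresses and policy below are constructed
placeholders, not values from the CISA guidance.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed agency policy (placeholders).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
INTERNAL_RESOLVERS = {"10.0.0.53"}        # agency-run resolvers
APPROVED_UPSTREAM = {"192.0.2.53"}        # upstream protective resolver, DoT/DoH only
KNOWN_DOH_HOSTS = {"doh.example.net"}     # public DoH endpoints the agency blocks (placeholder)

PLAINTEXT_DNS_PORT = 53
DOT_DOQ_PORT = 853    # DNS-over-TLS (RFC 7858) and DNS-over-QUIC (RFC 9250) both use 853
HTTPS_PORT = 443      # DNS-over-HTTPS (RFC 8484) shares the normal HTTPS port


@dataclass
class Finding:
    severity: str   # "ok", "info" or "high"
    reason: str
    line: str


def classify(src: str, dst: str, dport: int, sni: Optional[str]) -> Tuple[str, str]:
    """Return (severity, reason) for one flow under the assumed policy."""
    dst_internal = ipaddress.ip_address(dst) in INTERNAL_NET

    if dport == PLAINTEXT_DNS_PORT:
        if src in INTERNAL_RESOLVERS and not dst_internal:
            return "high", "resolver forwarding upstream in plaintext (should be DoT/DoH)"
        if dst in INTERNAL_RESOLVERS:
            return "info", "plaintext query to agency resolver (encrypt in the final phase)"
        return "high", "plaintext DNS to unapproved resolver (bypasses protective DNS)"

    if dport == DOT_DOQ_PORT:
        if dst in APPROVED_UPSTREAM or dst in INTERNAL_RESOLVERS:
            return "ok", "encrypted DNS to approved resolver"
        return "high", "DoT/DoQ to unapproved resolver"

    if dport == HTTPS_PORT:
        if dst in APPROVED_UPSTREAM:
            return "ok", "DoH to approved upstream"
        if sni and sni in KNOWN_DOH_HOSTS:
            return "high", f"DoH to public resolver {sni} (bypasses protective DNS)"
        return "ok", "ordinary HTTPS (no DoH indicator)"

    return "ok", "not a DNS transport port"


def parse_line(line: str) -> dict:
    """Constructed log format: '<ts> <src> <dst> <dport> <proto> [sni=<host>]'."""
    parts = line.split()
    rec = {"ts": parts[0], "src": parts[1], "dst": parts[2],
           "dport": int(parts[3]), "proto": parts[4], "sni": None}
    for extra in parts[5:]:
        if extra.startswith("sni="):
            rec["sni"] = extra[4:]
    return rec


def audit(lines: List[str]) -> List[Finding]:
    findings = []
    for line in lines:
        rec = parse_line(line)
        sev, reason = classify(rec["src"], rec["dst"], rec["dport"], rec["sni"])
        findings.append(Finding(sev, reason, line))
    return findings


def summarize(findings: List[Finding]) -> dict:
    return dict(Counter(f.severity for f in findings))


# Constructed sample flows (not real traffic).
SAMPLE_LOG = [
    "2024-04-22T10:00:01Z 10.1.2.3 10.0.0.53 53 udp",
    "2024-04-22T10:00:02Z 10.0.0.53 192.0.2.53 853 tcp",
    "2024-04-22T10:00:03Z 10.0.0.53 192.0.2.53 53 udp",
    "2024-04-22T10:00:04Z 10.1.2.7 198.51.100.9 53 udp",
    "2024-04-22T10:00:05Z 10.1.2.7 203.0.113.10 443 tcp sni=doh.example.net",
    "2024-04-22T10:00:06Z 10.1.2.8 203.0.113.20 443 tcp sni=www.example.gov",
    "2024-04-22T10:00:07Z 10.1.2.9 198.51.100.9 853 tcp",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.reason}: {f.line}")
    print(summarize(audit(SAMPLE_LOG)))
```

Plaintext queries to the agency's own resolver are reported as informational rather than blocked, matching the phased approach: internal resolution is encrypted last, after upstream forwarding and roaming endpoints. DoH cannot be told apart from ordinary HTTPS by port alone, which is why the check relies on the TLS server name where the log carries it.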
This document provides detailed technical instructions on how to use CISA's Secure DNS service and how to encrypt DNS traffic.
It covers how to encrypt DNS data using DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNS-over-QUIC (DoQ).
It also describes how to use Secure DNS to prevent endpoints from resolving malicious names.
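To make the protocols above concrete, the following is an added example (not code from the CISA guidance or this article) of what DNS-over-HTTPS actually carries: an ordinary wire-format DNS query placed in an HTTPS request as defined in RFC 8484, either base64url-encoded in a GET parameter or sent as a POST body with the `application/dns-message` content type. The resolver URL and the answer are constructed for the example; no network access is used.

```python
"""Build a DoH request and parse a (constructed) DoH response.

Added example. The resolver URL and the returned address are placeholders.
"""
import base64
import struct
from typing import Tuple

DOH_CONTENT_TYPE = "application/dns-message"   # RFC 8484


def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS label format (RFC 1035)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Wire-format query; RFC 8484 recommends a zero message ID for cacheability."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(base_url: str, query: bytes) -> str:
    """GET form: base64url without padding in the 'dns' parameter (RFC 8484 s.6)."""
    dns_param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={dns_param}"


def doh_post_request(host: str, path: str, query: bytes) -> bytes:
    """POST form: the raw DNS message is the HTTP body."""
    headers = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
               f"Accept: {DOH_CONTENT_TYPE}\r\nContent-Type: {DOH_CONTENT_TYPE}\r\n"
               f"Content-Length: {len(query)}\r\n\r\n")
    return headers.encode("ascii") + query


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Read a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Parse header, question section and answer RRs (A records decoded)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype))
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0x000F, "questions": questions, "answers": answers}


def build_sample_response(query: bytes, address: str, ttl: int = 300) -> bytes:
    """Constructed answer: echo the question, add one A record via a pointer to offset 12."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)     # QR=1 RD=1 RA=1 NOERROR
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in address.split("."))
    return header + query[12:] + rr


if __name__ == "__main__":
    q = build_query("example.gov")
    print(doh_get_url("https://resolver.example.net/dns-query", q))   # placeholder resolver
    print(doh_post_request("resolver.example.net", "/dns-query", q)[:80])
    print(parse_response(build_sample_response(q, "192.0.2.10")))
```

The same wire-format message is what DoT and DoQ carry; they differ only in the transport (a TLS session on port 853, or QUIC), while DoH wraps it in HTTP so it blends in with other port 443 traffic, which is exactly why the guidance pairs encryption with steering all resolution through an approved resolver.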
Implementation advice based on vendor
Appendix A contains vendor-specific implementation advice for web browsers, operating systems, and DNS servers.
It explains exactly how to configure Firefox, Chrome, Safari, Microsoft Windows, macOS, iOS/iPadOS, BIND DNS Server, Microsoft DNS Server, Azure Private DNS Server, and Infoblox DNS appliances to support encrypted DNS protocols.
CISA's Encrypted DNS Implementation Guidance is critical for government agencies that want to improve security using encrypted DNS protocols.
It is written primarily for FCEB agencies, but may also be useful to other organizations in their Zero Trust efforts. The guidance document is marked for open distribution and can be viewed and shared by anyone.