Network Security

NSA urges use of enterprise resolvers to protect DNS traffic on corporate networks

NSA advises security pros to use designated enterprise DNS resolvers to lock down DoH on corporate networks.
NSA advises security pros to use designated enterprise DNS resolvers to lock down DoH on corporate networks. @mjb CreativeCommons (Credit: CC BY-NC-ND 2.0)

The National Security Agency is recommending that security teams use designated DNS resolvers to lockdown DNS over HTTPS (DoH), effectively preventing eavesdropping, manipulation and exfiltration of DNS traffic.

While using DoH with external resolvers (servers that receive DNS queries) can work for home or mobile users and networks that do not use DNS security controls, for enterprise networks, NSA guidance released Thursday recommends using only designated enterprise DNS resolvers to leverage enterprise security defenses, facilitate access to local network resources, and protect internal networks

Previously, DNS lookups were generally unencrypted to accommodate networks tasked with directing traffic to the right locations. DoH encrypts DNS requests by using HTTPS to provide privacy, integrity, and “last mile” source authentication with a client’s DNS resolver.

DoH can help protect the privacy of DNS requests and the integrity of responses, but enterprises that use DoH will lose some of the control needed to govern DNS usage within their networks unless they deploy only their “chosen” DoH resolver, the agency cautioned. The enterprise DNS resolver deployed by an organization may be either an enterprise-operated DNS server, or an externally hosted service. Either way, the enterprise resolver should support encrypted DNS requests, such as DoH, for local privacy and integrity protections, but all other encrypted DNS resolvers should be disabled and blocked.

Following NSA recommendations, organizations using DoH to lock down DNS requests should:

  • Only use the enterprise DNS resolver and disable all others.

If an enterprise wants to use DoH, ensure that the DoH clients only send queries to the enterprise DNS resolver. Disable and block all other DoH resolvers. To disable all other DoH on an enterprise network, configure network security devices at the enterprise gateway to block known DoH resolvers so hosts cannot circumvent DNS security controls and cyber threat actors cannot easily use it to hide their actions.

  • Block unauthorized DoH resolvers and traffic.

Enterprise administrators should understand the limitations of DHCP for devices connecting to their network. If clients use their own default DoH resolver, the clients will attempt to send DoH requests to that resolver first before the DNS resolver from the DHCP configuration gets used. An enterprise that chooses to disable DoH should block known DoH resolver IP addresses and domains so devices on the network will fail to resolve a domain name using DoH and usually revert back to traditional DNS, going through the DNS resolver assigned by DHCP.

  • Tap [[or rely on]] host and device DNS logs.

Enterprises that want to use DoH should not rely solely on network monitoring tools to inspect DNS traffic. DNS logging on all network devices and hosts can increase the network visibility that’s lost with less DNS network monitoring capability. Supplement DNS protection with threat reputation services on a firewall or through an intrusion detection system to help keep up with increasing and changing malicious domains and block known bad traffic.

  • Consider a VPN for additional privacy protection.

Enterprises that are concerned with passive surveillance may use virtual private networks (VPNs) or proxies to keep their traffic more private, especially in mobile and teleworking environments. Enterprises that decide to use DoH should avoid using obsolete TLS. Only use current TLS versions to protect against issues in the underlying HTTPS.

  • Validate DNSSEC and use protective DNS capabilities.

Enterprises must understand which parts of the DNS process are DoH-protected and account for the unprotected parts and other vulnerabilities. DoH operates independent from, but compatible with Domain Name System Security Extensions (DNSSEC). Ensure that the enterprise DNS resolver validates DNSSEC to authenticate traffic from other DNS servers. Protective DNS capabilities are an essential part of network defense. When using an external resolver, ensure that the DoH resolver has a reputation for security and reliability.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.