Addressing DNS Resolution on Federal Networks


Author: Bryan Ware, Assistant Director, Cybersecurity and Infrastructure Security Agency (CISA)

At the start of nearly all network communication is a DNS request. DNS, or the Domain Name System, translates domain names people know – like cisa.gov – into the numbers computers use to retrieve content on the internet. If that translation is managed by a trusted partner, it can be used for positive security outcomes, like neutralizing evil-coronavirus-scam.com by safely redirecting a user headed there.

Because DNS can be used to such great effect, most Federal agencies in the executive branch are required to use the DNS resolution services that CISA provides. Without them, they lose the cybersecurity protections we offer and CISA loses the insight that would improve defenses for the enterprise.

CISA has issued a memo reminding agencies of their responsibilities to use EINSTEIN 3 Accelerated, our DNS service. The vast majority of agencies already do this, but particularly in light of increased telework, we felt it worth reiterating. In most instances where agencies bypass our protections, the reasons for non-use are well-intentioned. Indeed, we know that in some circumstances, agencies seek to take advantage of protections we don’t offer, or account for cases that are operationally difficult for us to support. This includes direct use by mobile devices and cloud infrastructure, as well as encrypted DNS resolution services, like DNS over HTTPS and DNS over TLS.

We want to be clear here: this memo isn’t a response to encrypted DNS resolution. As Director Krebs says in our memo:

"CISA encourages efforts to make network communications encrypted by default. Doing so increases user security, making it harder for attackers to monitor and modify communication".

In the last few months, there’s been a lot of talk about Mozilla and Google’s approaches to offering or supporting DNS over HTTPS in their browsers, Firefox and Chrome. CISA believes the approaches they and others take are thoughtful, and can increase the security and privacy of their users. We also recognize that increased use of encrypted DNS resolution will require many enterprises — including ours! — to update how they protect their users from malicious DNS traffic. We accept and support that, and we’re working to offer better services to the executive branch that are easier to use.

In the meantime, our memo makes a few recommendations for how agencies can better abide by the requirement to use the services we offer now, while maintaining good security and resiliency. We will also begin providing regular reports to agencies highlighting where bypass is occurring, and work with them to improve our understanding of the many and varied ways the federal workforce use their devices in service to the public.

 

 

 
