CISA to inform agencies of DNS traffic anomalies
The Cybersecurity and Infrastructure Security Agency plans to start sending agencies regular reports informing them of potential Domain Name System traffic anomalies to improve their defenses.
DNS translates internet domains for computers to retrieve content, and most agencies are legally required to use CISA’s EINSTEIN 3 Accelerated (E3A) DNS sinkholing capability, which overrides harmful, public DNS records — preventing users from accessing malicious infrastructure.
While most agencies do, CISA issued a memo Thursday reminding them of their responsibility in light of the increase in coronavirus-related telework.
“In most instances where agencies bypass our protections, the reasons for non-use are well-intentioned,” wrote Bryan Ware, assistant director of CISA, in a blog. “Indeed, we know that in some circumstances, agencies seek to take advantage of protections we don’t offer, or account for cases that are operationally difficult for us to support.”
Those cases include direct use by mobile devices and cloud infrastructure, as well as both encrypted DNS resolution protocols: DNS over a Hypertext Transfer Protocol Secure connection (DoH) and DNS over a Transport Layer Security connection (DoT). Recently Mozilla and Google announced plans to enable DoH in their browsers, Firefox and Chrome respectively.
CISA’s memo isn’t in response to those developments, but the document encourages encrypting network communications by default. The agency intends to support DoH and DoT in time.
Agencies are instead advised to:
- Ensure local DNS recursive resolvers use E3A as their primary upstream DNS resolver
- Use well-known public resolvers as fallbacks
- Configure policy enforcement points to drop all inbound and outbound IPv4 and IPv6 traffic on port 53 when connecting to unauthorized DNS infrastructure
- Drop all inbound and outbound IPv4 and IPv6 DoT traffic on port 853, unless CISA is notified it’s supporting mission needs
- Disable DoH use by installed browsers until CISA makes it available
- Review and confirm CISA reports highlighting potential DNS traffic anomalies
CISA may issue a directive six months after the memo, if further action is needed.