
Uncle Sam to agencies: No encrypted DNS for you!
2020-05-04 10:52

The DHS's Cybersecurity & Infrastructure Security Agency (CISA) published a memorandum on April 21 warning agency CIOs that they are legally bound to use its EINSTEIN 3 Accelerated (E3A) network security system, rather than any other resolver, when resolving DNS queries.

Two protocols encrypt DNS traffic in transit. The first is DNS over TLS (DoT), which uses Transport Layer Security - the successor to SSL - to encrypt the queries directly and to authenticate the resolver by validating its digital certificate. The second is DNS over HTTPS (DoH), which carries the same queries inside ordinary HTTPS requests.
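To make the DoT description concrete, here is an added example (not code from the Sophos article, CISA or any E3A component) showing what a DoT client actually does: build an ordinary RFC 1035 DNS query, frame it with the two-byte length prefix that DNS over TCP and DoT (RFC 7858) share, send it inside a TLS session that requires a valid certificate chain and a matching hostname, and parse the reply. The live `dot_query` function needs a reachable resolver; `offline_roundtrip` exercises the same framing and parsing against a constructed reply so the example runs without network access. The resolver hostname, the query name and the answer address 192.0.2.10 are placeholders chosen for illustration.

```python
"""DNS-over-TLS (RFC 7858) client pieces: wire-format query, TCP-style framing,
authenticated TLS context, and a minimal A-record parser. Added example; the
sample reply is constructed, not captured from a real resolver."""
import socket
import ssl
import struct

DOT_PORT = 853  # IANA port for DNS over TLS


class Incomplete(ValueError):
    """Raised by unframe() when the buffer does not yet hold a whole message."""


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Single-question DNS query in RFC 1035 wire format (RD=1, A record by default)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def frame(msg: bytes) -> bytes:
    """Prefix the message with its 16-bit big-endian length (RFC 7858 s.3.3)."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too long for a 16-bit length prefix")
    return struct.pack(">H", len(msg)) + msg


def unframe(data: bytes) -> tuple:
    """Return (first complete message, leftover bytes); Incomplete if not all there yet."""
    if len(data) < 2:
        raise Incomplete("need two bytes of length prefix")
    (n,) = struct.unpack(">H", data[:2])
    if len(data) < 2 + n:
        raise Incomplete(f"have {len(data) - 2} of {n} message bytes")
    return data[2:2 + n], data[2 + n:]


def _read_name(msg: bytes, off: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 s.4.1.4
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_a_records(msg: bytes) -> list:
    """Extract IPv4 addresses from the answer section; reject non-zero RCODE."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def tls_context() -> ssl.SSLContext:
    """Authenticated client context: chain must validate against the trust store and
    the certificate name must match the hostname dialled. Relaxing either gives
    encryption without any assurance of which resolver answered."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def dot_query(server: str, name: str, timeout: float = 5.0) -> list:
    """Live DoT lookup (not run offline). `server` is the resolver's hostname, which
    is what the certificate is checked against, e.g. an in-house DoT resolver."""
    with socket.create_connection((server, DOT_PORT), timeout=timeout) as raw:
        with tls_context().wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame(build_query(name)))
            buf = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("resolver closed before sending a full reply")
                buf += chunk
                try:
                    msg, _ = unframe(buf)
                except Incomplete:
                    continue
                return parse_a_records(msg)


def build_sample_response(query: bytes, addr: str, ttl: int = 300) -> bytes:
    """Constructed reply: echo the question, answer with one A record whose owner
    name is a compression pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(addr)
    return header + query[12:] + answer


def offline_roundtrip(name: str = "example.com", addr: str = "192.0.2.10") -> list:
    """Frame and unframe a query/response pair with no network involved."""
    wire = frame(build_sample_response(build_query(name), addr))
    msg, rest = unframe(wire)
    assert rest == b"", "exactly one message expected in the constructed stream"
    return parse_a_records(msg)


if __name__ == "__main__":
    print(offline_roundtrip())  # constructed reply, so always the placeholder address
```

The security-relevant lines are in `tls_context`: `check_hostname` and `CERT_REQUIRED` are what turn "encrypted" into "authenticated". A client that disables them still gets confidentiality on the wire but has no idea whether it reached the intended resolver, which is the property the "verify the server's identity using digital certificates" clause refers to.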

DoH and DoT add desirable security features to DNS resolution; however, federal agencies that use DNS resolvers other than E3A lose the protection that defensive DNS filtering provides, and E3A does not currently offer encrypted DNS resolution.

Agencies must use E3A for DNS resolution, which rules out alternative resolvers.

Those alternatives include encrypted DNS resolvers in an agency's own infrastructure as well as public upstream resolvers.


News URL

https://nakedsecurity.sophos.com/2020/05/04/uncle-sam-to-agencies-no-encrypted-dns-for-you/