NSA advises companies to avoid third party DNS resolvers (Security News, January 2021)
The US National Security Agency says that companies should avoid using third-party DNS resolvers, both to stop threat actors from eavesdropping on and manipulating DNS traffic and to keep internal network information from being exposed outside the organization.
The recommendation comes in a new NSA advisory on the benefits of using DNS over HTTPS (DoH) in enterprise environments. DoH is an encrypted domain name system protocol that prevents unauthorized access to the DNS traffic between clients and DNS resolvers.
NSA suggests that companies use their own enterprise-operated DNS servers, or externally hosted services with built-in support for encrypted DNS requests such as DoH. "However, if the enterprise DNS resolver does not support DoH, the enterprise DNS resolver should still be used and all encrypted DNS should be disabled and blocked until encrypted DNS capabilities can be fully integrated into the enterprise DNS infrastructure," the NSA added [PDF].
Last year, the CIOs of US government agencies were advised to disable third-party encrypted DNS services until an official DNS resolution service with DoH and DNS over TLS (DoT) support became available.
CISA also reminded agencies that they are legally required to use the EINSTEIN 3 Accelerated DNS service as the primary upstream DNS resolver for all local DNS recursive resolvers on all devices connected to federal agency networks.
DoH carries DNS resolution requests over encrypted HTTPS connections, while DoT encrypts and wraps all DNS queries using the Transport Layer Security protocol; both replace insecure plaintext DNS lookups.
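The advisory's guidance above (route queries through the enterprise resolver and block encrypted DNS to anyone else) translates into a simple audit over flow logs. The following is an added example, not code from the NSA advisory or CISA; the resolver IP, the DoH hostname denylist and the log lines are constructed, and it assumes the firewall or proxy records the TLS SNI of HTTPS flows.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed policy data (constructed): the enterprise resolver IP and a denylist
# of third-party DoH endpoint names that a real deployment would curate.
ENTERPRISE_RESOLVERS = {"10.0.0.53"}
KNOWN_DOH_HOSTS = {"doh.example-resolver.test", "dns.example-provider.test"}

@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    sni: str = ""  # TLS SNI seen by the proxy/firewall, if any

def parse_flow(line: str) -> Flow:
    """Parse a constructed flow line: 'src dst proto dport [sni=host]'."""
    parts = line.split()
    src, dst, proto, dport = parts[:4]
    sni = next((p[4:] for p in parts[4:] if p.startswith("sni=")), "")
    return Flow(src, dst, proto, int(dport), sni)

def classify(flow: Flow) -> str | None:
    """Label a flow that bypasses the enterprise resolver, else None."""
    if flow.dst in ENTERPRISE_RESOLVERS:
        return None  # queries to our own resolver are the expected path
    if flow.dport == 53 and flow.proto in ("udp", "tcp"):
        return "plaintext-dns-to-third-party"
    if flow.dport == 853 and flow.proto == "tcp":
        return "dot-to-third-party"  # DoT is tcp/853 (RFC 7858)
    if flow.dport == 443 and flow.sni in KNOWN_DOH_HOSTS:
        return "doh-to-third-party"  # DoH hides in HTTPS; SNI is the tell
    return None

def audit(lines: list[str]) -> list[tuple[str, str]]:
    """Run classify() over flow log lines; return (src, finding) pairs."""
    flows = (parse_flow(line) for line in lines)
    return [(f.src, label) for f in flows if (label := classify(f))]

SAMPLE_LOG = [  # constructed sample flows
    "10.1.2.3 10.0.0.53 udp 53",
    "10.1.2.4 198.51.100.7 udp 53",
    "10.1.2.5 198.51.100.8 tcp 853",
    "10.1.2.6 198.51.100.9 tcp 443 sni=doh.example-resolver.test",
    "10.1.2.7 198.51.100.10 tcp 443 sni=www.example.test",
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Flows to the enterprise resolver pass regardless of port, so once that resolver gains DoH or DoT support the same check keeps working; only the denylist needs maintenance as third-party DoH endpoints change.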