Security News > 2021 > January > NSA Publishes Guidance for Enterprises on Adoption of Encrypted DNS
The National Security Agency on Wednesday published guidance for businesses on the adoption of an encrypted domain name system protocol, specifically DNS over HTTPS. Designed to translate the domain names included in URLs into IP addresses, for an easier navigation of the Internet, DNS has become a popular attack vector, mainly because requests and responses are transmitted in plaintext.
"Using DoH with external resolvers can be good for home or mobile users and networks that do not use DNS security controls. For enterprise networks NSA recommends using only designated enterprise DNS resolvers in order to properly leverage essential enterprise cybersecurity defenses, facilitate access to local network resources, and protect internal network information," the NSA notes.
Enterprises can use either own-operated DNS servers or external services, but support for encrypted DNS requests such as DoH is crucial for ensuring local privacy and integrity protections, NSA notes.
The agency also recommends disabling other encrypted DNS resolvers and ensuring that all DNS traffic, either encrypted or not, is sent to the designated enterprise DNS resolver only.
"However, if the enterprise DNS resolver does not support DoH, the enterprise DNS resolver should still be used and all encrypted DNS should be disabled and blocked until encrypted DNS capabilities can be fully integrated into the enterprise DNS infrastructure," the agency explains.
The newly published NSA guidance not only provides information on how DNS and DoH work, but also details the purpose behind the DoH design, as well as why enterprise networks should be appropriately configured to add benefits to DNS security controls.