“Encrypted DNS Implementation Guidance,” a detailed document from the Cybersecurity and Infrastructure Security Agency (CISA), tells government agencies how to improve their cybersecurity by using encrypted Domain Name System (DNS) protocols.
The guidance is in line with Memorandum M-22-09 from the Office of Management and Budget (OMB), which lays out a “zero trust” cybersecurity strategy for agencies in the Federal Civilian Executive Branch (FCEB).
The document, released in April 2024, explains in detail how federal agencies are to meet federal requirements for encrypting DNS traffic.
As required by M-22-09 and 6 U.S.C. § 663 Note, Agency Responsibilities, it stresses using CISA’s Protective DNS service for all outgoing DNS resolution.
The guidelines help agency network professionals use up-to-date technology to protect DNS infrastructure.
OMB issued Memorandum M-22-09, the Federal Zero Trust Strategy, on January 26, 2022, in support of Executive Order 14028, “Improving the Nation’s Cybersecurity.”
This strategy requires all DNS traffic within FCEB agencies to be encrypted by FY24. The document’s goal is to help agencies adopt encrypted DNS protocols that align with these zero-trust principles.
Checklist for Agency Implementation
The guidance lists the most important requirements and recommended practices for encrypting DNS traffic and using CISA’s Protective DNS for upstream DNS resolution.
Setting up the agency’s DNS infrastructure to support encrypted DNS protocols is one of the most critical points.
Phased Implementation
Given the complexity of transitioning to encrypted DNS, the guidance recommends a phased approach:
The document gives thorough technical instructions on how to use CISA’s Protective DNS service and encrypt DNS. It covers the protocols available for encrypting DNS traffic: DNS-over-HTTPS, DNS-over-TLS, and DNS-over-QUIC.
It also explains how Protective DNS can be used to stop endpoints from resolving malicious names.
Appendix A includes vendor-specific implementation advice for web browsers, operating systems, and DNS servers.
It explains how to set up Firefox, Chrome, Safari, Microsoft Windows, macOS, iOS/iPadOS, BIND DNS Server, Microsoft DNS Server, Azure Private DNS Server, and Infoblox DNS Appliance so that they can handle encrypted DNS protocols.
The “Encrypted DNS Implementation Guidance” from CISA is very important for government agencies that want to improve their security by using encrypted DNS protocols.
Even though it’s mostly for FCEB agencies, other organizations may find it useful for their zero-trust efforts. The guidance document is marked so that anyone can view and share it without restriction.