CISA Urges Federal Agencies to Use Approved DNS ServiceAgency Planning to Support Newer Encryption Technology in the Future
The U.S. Cybersecurity and Infrastructure Security Agency is reminding government agencies to continue using an approved DNS resolution service at a time when a large portion of the federal workforce has been shifted to home offices because of the COVID-19 pandemic, according to a memo released by Director Christopher Krebs this week.
CISA, which is part of the U.S. Department of Homeland Security, issued the memo Thursday to remind government CIOs that they have a legal obligation to continue to use the approved EINSTEIN 3 Accelerated (E3A) DNS resolution service for devices that are connected to federal government networks. A resolution service translates IP addresses into domain names.
In addition to other security capabilities, the E3A DNS service provides a sinkholing feature that blocks access to malicious infrastructure by overriding public DNS records that have been identified as dangerous, according to the Krebs memo.
One reason why CISA and Homeland Security are urging agencies now to ensure that they are using the government-sanctioned DNS resolution standard is that a sizable portion of the federal workforce has been forced into telework environments over the past two months because of the global COVID-19 pandemic.
When working from home or remote offices, federal employees may try to connect devices to government networks using unsupported, third-party DNS encryption services, which can open up the infrastructure to hacking or other types of cyber threats since these services are not fully vetted yet, says Bryan Ware, assistant director of CISA. Only the E3A DNS resolution service is currently supported by the U.S. government.
"CISA has issued a memo reminding agencies of their responsibilities to use EINSTEIN 3 Accelerated, our DNS service," Ware notes. "The vast majority of agencies already do this, but particularly in light of increased telework, we felt it worth reiterating. In most instances where agencies bypass our protections, the reasons for non-use are well-intentioned. Indeed, we know that in some circumstances, agencies seek to take advantage of protections we don't offer, or account for cases that are operationally difficult for us to support."
Other DNS Services
While the U.S. government only supports EINSTEIN 3 Accelerated for now, the Krebs memo notes that CISA is encouraging the development of two other Domain Name System services called DNS over HTTPS (DoH) and DNS over TLS (DoT), which are being tested and deployed by private companies and organizations such as Mozilla, Google and Microsoft.
An industry standard for these DoH and DoT, however, has not been published.
DoH allows Domain Name System queries to run over encrypted HTTPS connections to ensure safer and more private browsing. DoT does the much the same, but relies on routing the DNS query through the Transport Layer Security protocol instead of HTTPS.
For years, DNS requests were unencrypted, which made these queries visible to network services providers and ISPs as well as vulnerable to interception by hackers or what is called DNS hijacking. DoH and DoT are attempting to resolve these security issues by using encryption by default.
Privacy organization such as the Electronic Frontier Foundation are also encouraging the development of DoH and DoT services.
And while CISA is supporting these developments, the federal government does not have a DNS resolution service that currently supports DoH and DoT, which is why agencies are being encouraged to continue to use the EINSTEIN 3 Accelerated service for now.
The Krebs memo left open the possible of creating a new DNS resolution services in the future that supports DoH and DoT.
"DoH and DoT add desirable security features to DNS resolution; however, federal agencies that use DNS resolvers other than E3A lose the protection that defensive DNS filtering provides, and E3A does not currently offer encrypted DNS resolution," Krebs notes. "CISA intends to offer a DNS resolution service that supports DoH and DoT in time. Until then, agencies must use E3A for DNS resolution."
While CISA is not supporting DoH and DoT services yet, third parties are beginning to roll out these features on their web browsers and other software services.
In November 2019, for example, Microsoft announced that it would begin to support DoH in Windows, which the company said "will close one of the last remaining plain-text domain name transmissions in common web traffic" (see: Microsoft Moves Toward DNS Over HTTPS).
Mozilla announced in February that it is now using DoH by default in its Firefox browser, although organizations that don't support this encryption service can disable it they choose.
Finally, Google announced in September 2019 that with the release of its Chrome 78 and 79 web browser builds, it would begin limited trials of DoH as well, although a full roll out is not yet scheduled.