CISA debuts encrypted DNS implementation guidance for federal agencies aligned with zero trust strategy

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released Encrypted Domain Name System (DNS) Implementation Guidance for federal civilian executive branch (FCEB) agencies to meet encryption requirements for DNS traffic and enhance the cybersecurity resilience of their IT networks. The guidance aligns with the Office of Management and Budget (OMB) Memorandum M-22-09 and the Zero Trust principles of the National Cybersecurity Strategy. It provides FCEB agencies with direction on implementing encrypted DNS protocols in line with M-22-09, emphasizing the advancement of the U.S. Government towards Zero Trust Cybersecurity Principles.

Traditionally, the DNS protocol has not supported methods for ensuring the confidentiality, integrity, or authenticity of requests for information or responses. M-22-09 specifically calls for agencies to encrypt DNS traffic where technically feasible, while statutory mandates require agencies to use CISA’s Protective DNS capability for egress DNS resolution. The guide will assist agencies with implementing currently feasible technical capabilities for agency networks, DNS infrastructure, on-premises endpoints, cloud deployments, and roaming, nomadic, and mobile endpoints.

“As the operational lead for federal cybersecurity, CISA developed this guide to assist federal agencies with understanding and implementing key actions and protocols to begin encrypting DNS traffic,” Eric Goldstein, executive assistant director for cybersecurity at CISA, said in a media statement. “This guide will help agencies progress further in their zero trust security journey. CISA continues our efforts and collaboration with agencies to modernize federal agency cybersecurity successfully and securely.”

The guidance has been designed for agency network practitioners and assists with the implementation of currently feasible technical capabilities so that agency DNS infrastructure uses CISA’s Protective DNS service as its upstream provider, and agency networks are configured to prevent endpoint devices and applications from communicating directly with third-party DNS providers, whether over traditional DNS protocols or the new encrypted DNS protocols. It also calls for agency DNS infrastructure to support the use of encrypted DNS when communicating with agency endpoints, where technically supported.

Furthermore, it prescribes that agency roaming or nomadic endpoints be configured to resolve endpoint DNS requests through either agency internal DNS infrastructure or Protective DNS (using Secure Access Service Edge (SASE) and/or Security Service Edge (SSE) or similar solutions). Alternatively, agencies may require roaming or nomadic endpoints to VPN into agency environments to ensure they perform appropriate DNS resolution – though this may cause performance problems for those endpoints.

The guidance also seeks to ensure that agency cloud deployments are, where technically supported, configured to use authorized DNS providers (i.e., agency internal DNS infrastructure or Protective DNS) with encrypted DNS protocols, and to prevent unauthorized DNS traffic to third-party DNS providers; and that agency on-premises endpoints have policies configured to ensure their applications and operating systems are using authorized DNS configurations (i.e., encrypted DNS with agency internal DNS infrastructure, or SASE/SSE solutions), together with policies that explicitly disable application-level DNS resolution unless it uses agency internal DNS infrastructure.
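The objectives above reduce to a simple per-flow policy: DNS traffic (plaintext, DNS over TLS, or DNS over HTTPS) may only go to authorized resolvers, and traffic to those resolvers should be encrypted where supported. The following audit script is an added example written for this article, not code from CISA or from the guidance; it evaluates constructed sample flow records of the kind a firewall or TLS-inspecting proxy exports. The resolver addresses, hostnames and the `Flow` record layout are assumptions; the port and path conventions are the standard ones (UDP/TCP 53 for plaintext DNS, TCP 853 for DNS over TLS per RFC 7858, HTTPS with the `/dns-query` path and `application/dns-message` media type for DNS over HTTPS per RFC 8484).

```python
"""Audit observed egress flows against an authorized-resolver, encrypted-DNS policy.

Added example (not CISA's code). Flow records and resolver addresses are
constructed placeholders; the field layout is an assumption about what a
firewall or proxy would export.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical authorized resolvers: the agency's internal recursive resolvers,
# which forward upstream to Protective DNS. Placeholder private addresses.
AUTHORIZED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

PORT_DNS = 53        # plaintext DNS (UDP or TCP)
PORT_DOT = 853       # DNS over TLS (RFC 7858)
PORT_HTTPS = 443     # DNS over HTTPS rides ordinary HTTPS (RFC 8484)
DOH_PATH = "/dns-query"
DOH_MEDIA_TYPE = "application/dns-message"


@dataclass
class Flow:
    src: str
    dst: str
    proto: str                       # "udp" or "tcp"
    dport: int
    sni: Optional[str] = None        # TLS server name, if the sensor logs it
    http_path: Optional[str] = None  # only visible to a TLS-inspecting proxy
    content_type: Optional[str] = None


def classify(flow: Flow) -> Optional[Dict[str, str]]:
    """Return a finding for DNS traffic, or None if the flow is not DNS.

    Verdicts mirror the guidance objectives:
      violation       DNS of any kind to a non-authorized destination
      upgrade-needed  plaintext DNS to an authorized resolver
      compliant       encrypted DNS to an authorized resolver
    """
    if flow.dport == PORT_DNS:
        kind = "plaintext-dns"
    elif flow.dport == PORT_DOT and flow.proto == "tcp":
        kind = "dot"
    elif flow.dport == PORT_HTTPS and (
        flow.http_path == DOH_PATH or flow.content_type == DOH_MEDIA_TYPE
    ):
        kind = "doh"
    else:
        # Not DNS, or DoH that cannot be told apart from ordinary HTTPS
        # without proxy visibility; that gap is why endpoint policy matters.
        return None

    if flow.dst not in AUTHORIZED_RESOLVERS:
        verdict = "violation"
    elif kind == "plaintext-dns":
        verdict = "upgrade-needed"
    else:
        verdict = "compliant"
    return {"src": flow.src, "dst": flow.dst, "kind": kind, "verdict": verdict}


def audit(flows: List[Flow]) -> Dict[str, List[Dict[str, str]]]:
    """Group all DNS findings by verdict."""
    report: Dict[str, List[Dict[str, str]]] = {
        "violation": [], "upgrade-needed": [], "compliant": []
    }
    for flow in flows:
        finding = classify(flow)
        if finding is not None:
            report[finding["verdict"]].append(finding)
    return report


# Constructed sample flows (all addresses and names are placeholders).
SAMPLE_FLOWS = [
    Flow("10.20.1.15", "10.0.0.53", "udp", 53),                      # plaintext to internal
    Flow("10.20.1.16", "10.0.0.53", "tcp", 853, sni="dns.agency.example"),  # DoT to internal
    Flow("10.20.1.17", "198.51.100.10", "udp", 53),                  # plaintext to third party
    Flow("10.20.1.18", "203.0.113.5", "tcp", 853, sni="dot.thirdparty.example"),
    Flow("10.20.1.19", "203.0.113.6", "tcp", 443,
         sni="doh.thirdparty.example", http_path="/dns-query"),      # DoH to third party
    Flow("10.20.1.20", "203.0.113.7", "tcp", 443,
         sni="www.example.com", http_path="/index.html"),            # ordinary HTTPS
]

if __name__ == "__main__":
    for verdict, items in audit(SAMPLE_FLOWS).items():
        print(f"{verdict}: {len(items)}")
        for item in items:
            print(f"  {item['src']} -> {item['dst']} ({item['kind']})")
```

On the sample data the script reports three violations (plaintext, DoT and DoH to third parties), one plaintext flow to the internal resolver that should be moved to an encrypted protocol, and one compliant DoT flow. The DoH branch only fires when a proxy has recorded the request path or media type; a flow seen purely at the network layer looks like any other HTTPS session, which is why the guidance pairs network controls with endpoint policies that disable application-level resolvers.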

To help agency personnel understand the requirements and engage in the transition work, the document provides an implementation checklist that gives a non-prioritized, high-level view of the required changes, with individual action items organized by asset category. It also includes phased implementation recommendations to help prioritize the checklist, along with technical guidance and references to support implementing the changes it lists.

The DNS implementation guidance outlines possible ways to meet the requirements based on the current agency and vendor landscapes as well as the current functionality available in CISA’s Protective DNS. While the document is primarily intended for FCEB agencies, other organizations may find it a useful resource for their zero trust efforts. 

This guidance focuses on actions that are feasible for agencies given current agency and vendor landscapes and the functionality currently available from CISA’s Protective DNS. With that focus, it assumes that not all technologies currently deployed on FCEB networks support encrypted DNS protocols, and that many only support traditional unencrypted DNS protocols; and that Protective DNS is only directly accessible by agency DNS resolution infrastructure and (because of the lack of authentication mechanisms in the existing protocols) is not directly accessible from individual user endpoints.

It also assumes that agency on-premises internal DNS resolution services are not directly accessible by roaming and nomadic endpoints operating in off-premises environments. The guidance does not address the agency’s authoritative DNS infrastructure nor DNS traffic between recursive resolvers and the authoritative servers. If these assumptions do not hold for a given agency, it may be able to meet the objectives of this guidance using different approaches than described in the guidance. If an agency selects a different approach, agencies will need to ensure that the approach meets all of the specified objectives.

Given the complexity of transitioning an existing agency enterprise to using encrypted DNS and Protective DNS, agencies may consider a phased approach, transitioning portions of their enterprise over time. While agency considerations will drive the best approach, agencies should prioritize preventing the usage of unauthorized DNS providers, implementing Protective DNS protections, and encrypting DNS for roaming and nomadic endpoints. 

Earlier this month, CISA announced that 68 software manufacturers have voluntarily committed to its Secure by Design pledge. The initiative aims to enhance product security by incorporating security measures during the design phase. By participating in the pledge, these manufacturers are dedicated to working towards the outlined goals. The Secure by Design pledge represents a significant advancement in CISA’s initiative to promote secure product design.