Skip to main content
close search
site logo
Dive Brief

Use enterprise-grade tools for encrypted DNS, the NSA warns

Published Jan. 15, 2021
Naomi Eide's headshot
Managing Editor
Getty Images

Dive Brief:

  • As the internet transitions toward encrypted DNS, the National Security Agency (NSA) is warning businesses to use only enterprise-grade tools, bypassing third-party solutions, many of which are freely available, according to NSA guidance released Thursday
  • DNS traditionally translates domain names to IP addresses, but the transactions are unencrypted to properly direct the flow of traffic. DNS over HTTPS (DoH) is a privacy upgrade for web traffic, serving as a "last mile" source authentication for a DNS resolver, preventing "eavesdropping and manipulation of DNS traffic," according to the NSA. 
  • Though the technology has its merits, the NSA cautions enterprises using DoH "will lose some of the control needed to govern DNS usage within their networks unless they allow only their chosen DoH resolver to be used."

Dive Insight:

The whole point of using DOH is to prevent a threat actor from intercepting, manipulating and snooping on the traffic between a client and its DNS resolver, the NSA said. If the transaction instead uses a standard DNS, the request is made in plaintext.

In its warning, the NSA is making a distinction between enterprise-grade and consumer-friendly DoH offerings. DNS resolvers are free for public use that add protections, such as blocking malicious sites and "family-oriented filters." 

It's an issue of governance. Unless only an enterprise tool is used, businesses will lose some of the control governing DNS usage on their networks. 

By using enterprise-grade DNS security controls, businesses can "properly leverage essential enterprise cybersecurity defenses, facilitate access to local network resources and protect internal network information," the NSA said. 

The move toward DoH is happening throughout the internet. Last year, privacy-minded browser Mozilla enabled DoH by default in the U.S., a move Facebook began piloting in 2018

The guidance from NSA is for businesses to only use a designated enterprise-grade DNS resolver, disabling all others. The move is seen as a tradeoff — "the loss of enterprise security controls outweighs the protections offered by DoH, so NSA recommends that enterprises disable encrypted DNS within their network and continue to use only the enterprise DNS service."

The goal is for any enterprise using DoH to ensure queries are only sent to the enterprise DNS resolver, disabling web browsers, applications and operating systems supporting DoH. Some browsers make this a standard offering. If an enterprise policy is in place, Firefox and Chrome automatically disable DoH, according to the NSA.

Recommended Reading

Filed Under: Vulnerability

Editors' picks

Company Announcements

View all | Post a press release
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Editors' picks
Latest in Vulnerability
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell