
Most agencies secured against DNS tampering, DHS officials say

A "handful" of federal agencies still have yet to fully comply with a January 2019 emergency directive on DNS tampering, according to a Department of Homeland Security official.

At a March 21 meeting of the Information Security and Privacy Advisory Board, Michael Duffy, acting deputy director of the Federal Network Resilience Division, briefed members on the federal government's response to a two-year global DNS tampering campaign uncovered in January.

In early January, Duffy said DHS was initially contacted by an unnamed hosting provider who claimed domains were being maliciously redirected. The Cybersecurity and Infrastructure Security Agency reached out to industry partners and other organizations, who reported back similar feedback.

By Jan. 9, both Cisco Talos and FireEye had published research on a global DNS hijacking campaign affecting governments, telecoms and internet infrastructure entities on multiple continents, including North America. On Jan. 22, DHS issued its first-ever emergency directive, listing four action items for every civilian federal agency: audit internal DNS logs, change associated passwords, implement multi-factor authentication and begin regularly monitoring Certificate Transparency logs.

Duffy confirmed many elements of previous reporting on what DHS knew about the campaign and the extent of its impact on U.S. government agencies during and immediately after the directive was issued. At the time, he said the department had inconclusive information from outside sources indicating traffic from some agency domains could have passed through compromised domains.

"We did hear from our industry partners that agency domains were swept up as part of a set of information that [indicated] 'I don't know, we see a couple .govs in there,'" said Duffy. "At the time, we didn't know if that meant they had been had or if they were just part of a set of domains that just went through the internet pipeline."

Duffy said the agency now believes no federal agencies were directly impacted by the campaign, echoing remarks made by CISA Assistant Secretary of Cybersecurity Jeanette Manfra, who said in February that the agency had no evidence indicating any federal domains had been hijacked.

However, he told the board that monitoring for DNS threats across government agencies prior to the order was "inconsistent" and that congressional staffers briefed on the matter shortly after the partial government shutdown ended said DHS officials told them they could not be certain agency domains weren't compromised at some point in the past.

In an interview after the briefing, Duffy said CISA is "confident with what agencies have given us" from historical logs since January to make the assessment.

Duffy said there are only "a handful" of agencies left who have yet to complete all four requirements listed in the directive, most of whom are dealing with "external dependencies" on DNS providers and other partners that make it more difficult to implement multifactor authentication.

CISA is still looking for tools and services that would help detect attempts to tamper with agency domains sooner. Its 2020 budget requests $4.4 million to procure a centralized DNS name resolution service.

Duffy said that parameters for what DHS wants the service to provide are still being sketched out, but that it would focus on tracking agency traffic after it left federal networks. Doing so could provide the government with capabilities to detect malicious DNS tampering earlier than by monitoring Certificate Transparency and agency audit logs.

"It's really looking at the DNS egress side of things," Duffy said. "One of the things I mentioned [in the briefing] is that we didn't have the visibility that would have been beneficial to know what was happening, so this service would sit on top of traditional DNS and give us that level of visibility of the DNS traffic and where it's moving."

This article was first posted on FCW, a sibling site to GCN.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at, or follow him on Twitter @derekdoestech.
