CISA reiterates DNS resolution requirements
- By Derek B. Johnson
- May 04, 2020
The Cybersecurity and Infrastructure Security Agency is reminding agencies to use Domain Name System resolution services provided by CISA.
The global DNS system translates website URLs into their corresponding IP addresses. However, an attacker can interfere with that translation to reroute internet traffic away from its intended destination, instead sending users to fake or spoofed websites where they can be eavesdropped on or tricked into downloading malware or revealing personal information.
In a memo dated Apr. 21, CISA Director Chris Krebs reiterated that civilian agencies are legally required to use sinkholing capabilities through EINSTEIN 3 Accelerated as their primary upstream DNS resolving service.
According to a Privacy Impact Assessment drafted in 2016, EINSTEIN 3 Accelerated's sinkholing capability “prevent[s] malware installed on .gov networks from communicating with known or suspected malicious Internet domains by redirecting the network connection away from the malicious domain to 'safe servers ... thus preventing further malicious activity by the installed malware."
Krebs also highlighted recent security updates to several popular browsers, such as Chrome and Firefox, that impact how they resolve such disputes while more broadly incorporating two widely adopted security protocols – DNS over Hypertext Transfer Protocol Secure (HTTPS) and DNS over Transport Layer Security (TLS). CISA is working to make its DNS resolution services compatible with both, but until then agencies are required to use EINSTEIN 3 Accelerated as their primary tool. Agencies are permitted to utilize other services as backup options.
In a related blog post, Bryan Ware, assistant director of cybersecurity and communications, noted that Einstein 3 Accelerated is already in place in most agencies, but "particularly in light of increased telework, we felt it worth reiterating."
"We also recognize that increased use of encrypted DNS resolution will require many enterprises -- including ours! -- to update how they protect their users from malicious DNS traffic," Ware stated. "We accept and support that, and we're working to offer better services to the executive branch that are easier to use."
The memo noted that CISA will begin issuing reports to agencies highlighting DNS traffic anomalies and will re-evaluate the status quo in six months, at which time the agency may issue a follow-up emergency or binding operational directive.
CISA's concerns about domain name manipulation are more than theoretical: It put out an emergency directive last year ordering agencies to shore up their DNS protections and reporting as evidence emerged that multiple state-sponsored hacking groups were conducting campaigns to tamper with the global DNS system.
This article was first posted to FCW, a sibling site to GCN.
Derek B. Johnson is a former senior staff writer at FCW.