NSA, DHS Issue Guidance on Protective DNS
The U.S. National Security Agency and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) this week published joint guidance on Protective DNS (PDNS).
Designed to translate domain names into IP addresses, the Domain Name System (DNS) is a key component of Internet and network communications.
Protective DNS was designed as a security service that leverages the DNS protocol and infrastructure for the analysis of DNS queries and mitigation of possible threats.
Attacks involving domain names may take various forms, including typosquatting, links in phishing emails, connecting compromised devices to remote command and control servers, and data exfiltration to remote hosts.
“The domain names associated with malicious content are often known or knowable, and preventing their resolution protects individual users and the enterprise,” the NSA and CISA note.
Both the NSA and CISA have previously issued documents related to the mitigation of DNS-related issues, and the new guidance is meant to provide further details on the benefits and risks of protective DNS services.
PDNS, the joint guidance says, relies on a policy-implementing DNS resolver – often called Response Policy Zone (RPZ) functionality – which checks both domain name queries and returned IP addresses to prevent connections to malicious sites.
“PDNS can also protect a user by redirecting the requesting application to a non-malicious site or returning a response that indicates no IP address was found for the domain queried,” the two agencies explain.
To set up PDNS, an organization can simply modify its recursive resolver to rely on the PDNS provider’s DNS server. However, software changes on hosts are required for more complex and secure PDNS deployments, the NSA and CISA say.
Some of the outlined best practices regarding PDNS involve the use of a PDNS system as part of a layered defense-in-depth strategy, blocking unauthorized DNS queries, and taking into consideration hybrid enterprise architectures.
The joint document also provides assessments of several commercial PDNS providers, so that organizations are better informed when making decisions. The assessment is based on publicly available information about enterprise PDNS services, not on formal testing, and is not meant as a purchase recommendation.