The Cybersecurity and Infrastructure Security Agency (CISA) recently issued detailed guidance on implementing Encrypted DNS for Federal agencies, aligning with the Federal Zero Trust Strategy as mandated by OMB Memorandum M-22-09. M-22-09 requires agencies to encrypt DNS traffic and to use CISA’s Protective DNS (PDNS) for egress DNS resolution.
This blog is the first part of a series that explains the key implications of the CISA Guidance for Federal agencies. It also outlines the critical steps and considerations in implementing these requirements.
Requirements at a Glance
The CISA Guidance outlines the implementation guidelines to help ensure the following:
- Agency DNS infrastructure uses CISA’s Protective DNS service as their upstream provider.
- Agency networks are configured to prevent endpoint devices and applications from directly communicating with third-party DNS providers, whether using traditional DNS protocols or the new encrypted DNS protocols.
- Agency DNS infrastructure supports the use of encrypted DNS when communicating with agency endpoints, where technically supported.
- Agency roaming or nomadic endpoints are configured to resolve endpoint DNS requests through either agency internal DNS infrastructure or Protective DNS (using Secure Access Service Edge (SASE) and/or Security Service Edge (SSE) or similar solutions). Alternatively, agencies may require roaming or nomadic endpoints to VPN into agency environments to ensure they perform appropriate DNS resolution, though this may cause performance problems for those endpoints.
- Agency cloud deployments are, where technically supported, configured to use authorized DNS providers (i.e., agency internal DNS infrastructure or Protective DNS) with encrypted DNS protocols, and to prevent unauthorized DNS traffic to third-party DNS providers.
- Agency on-premises endpoints have policies configured to ensure their applications and operating systems are using authorized DNS configurations (i.e., encrypted DNS with agency internal DNS infrastructure, or SASE/SSE solutions) and policies that explicitly disable application-level DNS resolution unless using agency internal DNS infrastructure.
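The second and fifth requirements above (endpoints must not talk to third-party resolvers, over plain DNS or over encrypted DNS protocols, and agency resolvers must use Protective DNS as their upstream) are easiest to verify from network flow data. The following is an added example, not code from the original post or from Infoblox or CISA: it reads a few constructed flow-log lines and flags endpoint DNS on port 53, DNS-over-TLS on port 853, and HTTPS to a denylisted DNS-over-HTTPS endpoint when the destination is not an authorized resolver, and separately flags an internal resolver whose upstream is not the PDNS placeholder. All addresses (the 10.0.0.53 internal resolvers, the 198.51.100.53 PDNS placeholder, the 203.0.113.10 DoH endpoint) and the log format are assumptions for the example.

```python
"""Flag DNS traffic that bypasses the agency's authorized resolvers.

Added example; every address, subnet and the log line format are
constructed placeholders, not an agency's or CISA's real values.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed: the agency's internal DNS servers, the only resolvers endpoints may use.
INTERNAL_RESOLVERS = {ipaddress.ip_address(a) for a in ("10.0.0.53", "10.0.1.53")}
# Constructed placeholder for the upstream Protective DNS address (TEST-NET-2 range).
PDNS_UPSTREAM = {ipaddress.ip_address("198.51.100.53")}
# Constructed denylist of public DoH endpoints reached over 443 (TEST-NET-3 placeholder).
# DoH is indistinguishable from ordinary HTTPS at flow level, so a denylist (or TLS
# inspection / endpoint policy) is the only flow-based handle on it.
KNOWN_DOH_ENDPOINTS = {ipaddress.ip_address("203.0.113.10")}

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")


@dataclass
class Flow:
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow | None:
    """Parse one constructed flow-log line; return None for lines that are not flows."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return Flow(ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)),
                m.group(3).lower(), int(m.group(4)))


def classify(flow: Flow) -> str | None:
    """Return a policy-violation label, or None if the flow is an authorized DNS path."""
    if flow.src in INTERNAL_RESOLVERS:
        # Resolver egress: only the Protective DNS upstream is an authorized destination.
        if flow.dport in (53, 853) and flow.dst not in PDNS_UPSTREAM:
            return "resolver egress to non-PDNS upstream"
        return None
    if flow.dport == 53 and flow.dst not in INTERNAL_RESOLVERS:
        return "plain DNS to unauthorized resolver"
    if flow.dport == 853 and flow.dst not in INTERNAL_RESOLVERS:
        return "DNS-over-TLS to unauthorized resolver"
    if flow.proto == "tcp" and flow.dport == 443 and flow.dst in KNOWN_DOH_ENDPOINTS:
        return "likely DNS-over-HTTPS to public resolver"
    return None


def find_violations(lines) -> list[tuple[str, str, int, str]]:
    """Return (src, dst, dport, label) for every flow that violates the DNS policy."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        label = classify(flow)
        if label:
            hits.append((str(flow.src), str(flow.dst), flow.dport, label))
    return hits


# Constructed sample flow log (timestamps and addresses are made up).
SAMPLE_LOG = [
    "2024-06-03T14:01:02Z src=10.20.0.15 dst=10.0.0.53 proto=udp dport=53",       # authorized
    "2024-06-03T14:01:05Z src=10.20.0.15 dst=192.0.2.1 proto=udp dport=53",       # plain DNS bypass
    "2024-06-03T14:01:09Z src=10.20.0.22 dst=192.0.2.2 proto=tcp dport=853",      # DoT bypass
    "2024-06-03T14:01:11Z src=10.20.0.22 dst=203.0.113.10 proto=tcp dport=443",   # DoH bypass
    "2024-06-03T14:01:12Z src=10.0.0.53 dst=198.51.100.53 proto=tcp dport=853",   # resolver -> PDNS
    "2024-06-03T14:01:15Z src=10.0.0.53 dst=192.0.2.1 proto=udp dport=53",        # resolver bypass
    "2024-06-03T14:01:20Z src=10.20.0.30 dst=203.0.113.99 proto=tcp dport=443",   # ordinary HTTPS
    "2024-06-03T14:01:21Z heartbeat ok",                                           # not a flow
]

if __name__ == "__main__":
    for hit in find_violations(SAMPLE_LOG):
        print(hit)
```

Plain DNS and DoT are caught by destination and port alone; the DoH case shows why the guidance also asks for endpoint policies that disable application-level resolvers, since a flow rule can only catch DoH to endpoints already on a denylist.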
Infoblox offers DNS solutions that support encrypted DNS communications with CISA’s Protective DNS service and with end clients, as set forth in Section A.3.4 of the CISA Guidance.
Key Implications And Recommendations
On-premise DNS health and security assessment
DNS infrastructure is mission-critical. If it fails, entire networks, along with their applications and users, can be brought down. However, in many federal agencies, DNS infrastructure is not regularly assessed. The CISA Guidance on DNS Security is a compelling event to re-assess DNS infrastructure and ensure its security and cyber resilience.
For instance, Windows Servers are commonly used to host DNS and DHCP alongside Active Directory. To meet the CISA Guidance, this setup needs to evolve, as Windows Server does not provide DNS encryption from its Windows-based DNS server to CISA’s PDNS server. A dedicated DNS Server from vendors like Infoblox can provide this capability, with the additional benefit of greatly enhancing cyber resilience through the separation of mission-critical duties (identity vs. network services). Without this separation of duties, if an attacker follows a common escalation path and targets Active Directory, the DNS service and the network that relies on it are put at risk. As DNS takes on a more significant role in the Federal Government’s cyber security strategy, a dedicated DNS Server will be essential to the evolving encryption, threat protection, and resiliency requirements, allowing Agencies to implement the CISA Guidance and best practices.
If you are already running on a mission-specific DNS Server, we recommend a sizing evaluation, as encrypted DNS protocols will significantly increase the computational burden on the DNS server (each DNS-over-TLS or DNS-over-HTTPS session adds a TLS handshake and per-query encryption on top of the resolution work). It would also be an opportune time to evaluate the health and configuration of the server to ensure the agency’s DNS infrastructure is optimized to support the needs of the CISA PDNS integration and to secure what is a foundational element of the agency’s IT infrastructure.
If you would like assistance in assessing the health and security of your current infrastructure, reach out to your Infoblox team who can provide a health and security assessment.
DNS as a security asset
The CISA Protective DNS leverages threat intelligence to proactively block DNS resolutions to known malicious domains. DNS was selected as the enforcement platform because of its inherent scalability and its effectiveness to block a wide range of attacks. With the vast majority of malware fundamentally reliant on DNS, an agency’s DNS platform must become a foundational infrastructure in any malware mitigation strategy.
These same principles can and should be applied to on-premise agency networks, because Protective DNS deployed on-premises enables agencies to block closer to the impacted endpoint clients. This makes identification and remediation of those clients much easier and more efficient. The CISA Protective DNS alone will not provide agencies with this capability.
By deploying Response Policy Zones (RPZ), a feature available in the DNS standard since 2010, agencies have an automated mechanism to proactively block and remediate threats. Infoblox has developed highly effective threat intelligence designed specifically to operate on DNS servers, optimized for both coverage and low false positives.
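To make the RPZ mechanism concrete, here is an added example that is not code from the original post, from Infoblox, or from any DNS server. It loads a small constructed policy zone in the usual zone-file form and evaluates queries against the common QNAME trigger actions: CNAME "." (answer NXDOMAIN), CNAME "*." (answer NODATA), CNAME "rpz-passthru." (exempt the name) and a CNAME to another name (redirect, here to a constructed walled-garden host). Precedence is simplified to "an exact-name rule wins, otherwise the nearest enclosing wildcard rule"; the zone contents, the sinkhole name and the client addresses are all assumptions for the example.

```python
"""Evaluate DNS queries against a Response Policy Zone (RPZ) rule set.

Added example. The zone content, the sinkhole name and the client
addresses are constructed; the precedence rule (exact name first,
then the nearest wildcard) is a simplification of full RPZ ordering.
"""
from __future__ import annotations

# Constructed RPZ zone data in zone-file form: <owner> CNAME <policy target>.
RPZ_ZONE = """\
; policy zone "agency-threat-feed.rpz" (constructed for this example)
evil.example            CNAME .                        ; NXDOMAIN
*.evil.example          CNAME .                        ; NXDOMAIN for every subdomain
ok.evil.example         CNAME rpz-passthru.            ; exemption beats the wildcard
tracker.example         CNAME *.                       ; NODATA (empty answer)
phish.example           CNAME sinkhole.agency.example. ; redirect to a walled garden
"""


def _norm(name: str) -> str:
    """Canonical form for comparison: lower case, no trailing dot."""
    return name.strip().lower().rstrip(".")


def load_rpz(zone_text: str) -> dict[str, str]:
    """Parse CNAME policy records into {owner name: policy target}."""
    rules: dict[str, str] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[1].upper() != "CNAME":
            continue                                   # ignore SOA/NS and malformed lines
        rules[_norm(parts[0])] = parts[2]
    return rules


def _action(target: str) -> tuple[str, str | None]:
    """Map an RPZ CNAME target to the policy action it encodes."""
    if target == ".":
        return ("NXDOMAIN", None)
    if target == "*.":
        return ("NODATA", None)
    if target.lower() == "rpz-passthru.":
        return ("PASSTHRU", None)
    return ("REDIRECT", target.rstrip("."))


def evaluate(qname: str, rules: dict[str, str]) -> tuple[str, str | None]:
    """Return (verdict, redirect_target) for a query name."""
    name = _norm(qname)
    if name in rules:                                  # exact QNAME trigger
        return _action(rules[name])
    labels = name.split(".")
    for i in range(1, len(labels)):                    # nearest enclosing wildcard
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in rules:
            return _action(rules[wildcard])
    return ("ALLOW", None)


def triage(queries, rules: dict[str, str]) -> dict[str, list[tuple[str, str]]]:
    """Group blocked lookups by client: the starting point for endpoint remediation."""
    hits: dict[str, list[tuple[str, str]]] = {}
    for client, qname in queries:
        verdict, _ = evaluate(qname, rules)
        if verdict in ("NXDOMAIN", "NODATA", "REDIRECT"):
            hits.setdefault(client, []).append((_norm(qname), verdict))
    return hits


# Constructed query log: (client address, queried name).
SAMPLE_QUERIES = [
    ("10.20.0.15", "EVIL.example."),
    ("10.20.0.15", "deep.sub.evil.example"),
    ("10.20.0.22", "ok.evil.example"),
    ("10.20.0.22", "phish.example"),
    ("10.20.0.30", "good.example"),
    ("10.20.0.30", "sub.tracker.example"),
]

if __name__ == "__main__":
    policy = load_rpz(RPZ_ZONE)
    for client, names in triage(SAMPLE_QUERIES, policy).items():
        print(client, names)
```

The triage output is the per-client view the post refers to: because the policy is enforced on the agency's own resolver, each blocked lookup is tied to the internal client address rather than to the agency's egress address as seen by an upstream service.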
Zero Trust DNS & SASE Integration
The Zero Trust strategy mandates that the protective DNS service integrate with other security platforms, including Secure Access Service Edge (SASE) solutions. With DNS being the first networking service in the Zero Trust service chain, it is important to consider how encrypted DNS clients can seamlessly transition from the Protective DNS services to these other platforms in a robust, highly available manner. By working with your on-premise DNS vendor, a well-architected DNS deployment can ensure that any loss of connectivity to the CISA Protective DNS seamlessly fails over to backup DNS or SASE services.
In addition, with the deployment of on-premise protective DNS services, there are other opportunities to trigger automated downstream actions in other platforms in the agencies’ security stack. Examples include triggering targeted vulnerability scans and quarantining impacted devices. This can help address malware that spreads laterally across the agencies’ network, which cannot be addressed by CISA’s Protective DNS alone.
Conclusion
In conclusion, the implementation of encrypted DNS protocols, as mandated by OMB Memorandum M-22-09 and supported by CISA’s guidance, represents a critical step towards a Zero Trust cybersecurity strategy for Federal agencies. The transition to encrypted DNS will require careful evaluation of the existing on-premise DNS infrastructure for successful integration. However, this transition presents a great opportunity for Federal agencies to apply the same concepts to not only align with CISA’s Protective DNS but also leverage similar capabilities to improve protection, visibility and operational incident response.
As agencies move forward with these initiatives, it is essential to stay informed about the latest technological advancements and best practices. By adopting these best practices, Federal agencies can redesign a robust, secure, and efficient DNS architecture, aligning with the broader goals of the National Cybersecurity Strategy and Zero Trust security architectures.
For Additional Information
To learn more about Trinzic X6:
https://www.infoblox.com/products/infoblox-appliances/
To learn more about Advanced DNS Protection (ADP):
https://www.infoblox.com/products/advanced-dns-protection/
To learn more about Infoblox’s support for Encrypted DNS:
https://www.infoblox.com/solutions/encrypted-dns/
To learn more about Infoblox’s threat intelligence:
https://www.infoblox.com/threat-intel/
To learn more about BloxOne Threat Defense:
https://www.infoblox.com/products/bloxone-threat-defense/
To learn more about Infoblox’s Cyber Security Ecosystem:
https://www.infoblox.com/products/cybersecurity-ecosystem/
To learn more about the CISA press release on the new guidance:
https://www.cisa.gov/news-events/news/cisa-publishes-encrypted-dns-implementation-guidance-federal-agencies
To access the DNS implementation guidance directly:
https://www.cisa.gov/sites/default/files/2024-05/Encrypted%20DNS%20Implementation%20Guidance_508c.pdf