On January 16, 2025, the White House issued a comprehensive Executive Order (EO) aimed at strengthening and promoting the Nation’s cybersecurity. The EO includes specific measures to:
- Improve accountability for software and cloud service providers
- Strengthen the security of Federal communications and identity management systems
- Promote innovative developments and the use of emerging technologies for cybersecurity across executive departments and agencies
Noteworthy among the key measures introduced is the requirement for encrypted DNS protocols that ensure the confidentiality and integrity of DNS traffic. This recognizes DNS as a critical frontline security control, emphasizing its significance in cybersecurity defense-in-depth strategy.
Why Encrypted DNS Matters
DNS is often referred to as “the phonebook of the internet,” translating human-readable domain names into IP addresses. The original intent of DNS was to distribute information such as host and IP address mappings, mail routing information, etc., so it has not traditionally been viewed as a tool for securing network communications. However, the role DNS plays in enabling nearly all network communications today makes it an effective tool for not only monitoring but also for managing those communications. Encrypted DNS provides one such mechanism for DNS to serve as a security control.
Traditional DNS queries are transmitted in plaintext, making them vulnerable to interception and manipulation. Encrypting DNS traffic (through protocols such as DNS over HTTPS (DoH) and DNS over TLS (DoT)) enhances security by:
- Protecting Confidentiality: Ensuring that DNS queries cannot be intercepted and used to monitor users’ browsing activities.
- Preserving Integrity: Preventing malicious actors from redirecting users to fraudulent websites via DNS spoofing.
This requirement builds upon the requirements set forth in the prior Office of Management and Budget (OMB) Memorandum M-22-09 and CISA’s Encrypted DNS Implementation Guide, which require Federal Civilian Executive Branch (FCEB) agencies’ DNS infrastructure to support the use of encrypted DNS when communicating with agency endpoints, wherever technically supported.
Key Requirements on Encrypted DNS under the EO
The specific requirements for encrypted DNS are as follows:
- Within 90 days, the Secretary of Homeland Security, acting through the Director of CISA, will draft template contract language requiring any DNS resolver (whether client or server) used by federal agencies to support encrypted DNS. This language will be submitted to the Federal Acquisition Regulation (FAR) Council, which has 120 days to review and take steps to amend the FAR.
- FCEB agencies are required to enable encrypted DNS protocols:
  - On existing clients and servers that support these protocols within 180 days; and
  - On additional clients and servers supporting such protocols within 180 days.
Challenges and Opportunities
Encrypted DNS requires additional computing resources, particularly on DNS servers, because of the encryption and decryption performed when sending and receiving DNS messages. Agencies should anticipate this and ensure that their DNS servers have sufficient resources to handle the query load before beginning any widespread deployment of encrypted DNS. Failure to properly implement encrypted DNS could bring down entire networks, along with their applications and users.
The use of encrypted DNS may also make troubleshooting more difficult because IT staff using network troubleshooting tools won’t have ready access to the contents of DNS queries or responses. The contents of DNS queries and responses will still be available to IT staff on the name servers themselves, of course, because those name servers will have performed the requisite decryption.
However, the benefit of encrypted DNS outweighs these challenges.
To overcome these challenges and ensure cyber resiliency, agencies and organizations should limit the co-existence of multiple mission-critical services on a single system. This separation of duties will ensure the highest possible resilience, given the increased computational requirements. The infrastructure hosting the DNS service should be dedicated to that task and hardened for this purpose to reduce the attack surface and ensure that adequate system resources are available to the DNS service. The infrastructure should include sufficient capacity for elements of the DNS service such as logging, support of encrypted DNS protocols and Protective DNS, where applicable. This may be easier to accomplish on purpose-built DNS services, either as-a-service or via virtual or physical appliances.
Implications for Federal Agencies
As agencies move forward with these initiatives, it is essential to stay informed about the latest technological advancements and adopt best practices, including:
- Auditing their existing DNS infrastructure to evaluate the health and configuration of the servers and clients to ensure they are optimized to support encrypted DNS protocols
- Planning and executing the implementation of these protocols across their networks for both external and internal DNS servers
- Collaborating with vendors and service providers to ensure compliance with the new requirements
How Infoblox Can Help
As a leader in secure DNS solutions, Infoblox is uniquely positioned to assist federal agencies in meeting these new requirements. Our solutions are:
- Comprehensive: Support for DoH, DoT and advanced threat intelligence for both internal and external DNS servers that are on-premises, in the cloud or a combination thereof
- Scalable: Ensuring agencies can deploy encrypted DNS protocols across large and complex networks
- Easy to Deploy: Simplifying the transition to encrypted DNS with minimal disruption
Takeaway
This Executive Order marks an important step in the fight against cybercrime targeting DNS infrastructure. By mandating encrypted DNS, the federal government is setting a high standard for cybersecurity resilience, with ripple effects expected across industries. Infoblox is proud to support this mission, delivering the tools and expertise necessary to secure the foundation of the internet.
For Additional Information
For more information on how Infoblox can help your organization implement encrypted DNS, visit our blog or contact us at https://info.infoblox.com/contact-form/.
Agencies should contact the Infoblox team at scsprogram@infobloxfederal.com or their account representatives directly for additional information.
To learn more about Trinzic X6:
https://www.infoblox.com/products/infoblox-appliances/
To learn more about Advanced DNS Protection (ADP), which supports DoT and DoH:
https://www.infoblox.com/products/advanced-dns-protection/
To learn more about Infoblox’s threat intelligence:
https://www.infoblox.com/threat-intel/
To learn more about Infoblox Threat Defense:
https://www.infoblox.com/products/threat-defense/
To learn more about Infoblox’s Cyber Security Ecosystem:
https://www.infoblox.com/solutions/security-ecosystem/
To learn more about the White House press release on the new EO: https://www.whitehouse.gov/briefing-room/presidential-actions/2025/01/16/executive-order-on-strengthening-and-promoting-innovation-in-the-nations-cybersecurity/