The NSA recommends that organizations not rely on third-party DNS resolvers to provide encrypted DNS over HTTPS (DoH). Instead, it encourages organizations to offer DoH from their own internal DNS servers, which preserves control and visibility over DNS requests from internal systems and makes misuse by malware or threat actors detectable. If all DNS requests flow through a corporate-managed resolver, requests and responses can be logged for security products and analysts to search for suspicious patterns of DNS use, and known malicious domains can be blocked at resolution time. Whether or not an organization uses DoH to encrypt DNS requests, the NSA recommends that all DNS traffic be sent only to internal resolvers and that connections from internal systems to known external DoH providers be actively blocked. Because DoH rides on TCP port 443 and looks like ordinary HTTPS, blocking it depends on a maintained list of known DoH endpoints rather than on port filtering alone. Modern web browsers let users switch to DoH with a free external provider in a few clicks, which silently bypasses the enterprise resolver, so domain administrators should disable that feature through Group Policy.
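As an added illustration of the detection side of this guidance (this is example code written for this page, not the NSA's or any vendor's tooling), the script below reads constructed firewall/flow log lines and reports internal hosts whose DNS traffic does not terminate at the approved internal resolvers: plain DNS or DNS over TLS to an outside address, or a TLS connection whose SNI names a well-known public DoH endpoint. The log format, the resolver addresses, the internal network range and the RFC 5737 test addresses are all assumptions; the DoH endpoint list stands in for the deny list a security team would maintain.

```python
"""Flag DNS traffic that bypasses the enterprise resolvers.

Added example for this page; the log format and addresses are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Assumption: the enterprise's own resolvers (offering plain DNS and DoH).
INTERNAL_RESOLVERS = {ipaddress.ip_address("10.0.0.53"),
                      ipaddress.ip_address("10.0.1.53")}
# Assumption: address space of internal systems.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumption: a deny list of public DoH endpoints maintained by the security
# team; two well-known public resolvers are listed here as placeholders.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com"}

# Constructed log line format: "<ts> <src_ip> <dst_ip> <proto> <dport> [sni=<host>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<proto>tcp|udp) "
    r"(?P<dport>\d+)(?: sni=(?P<sni>\S+))?$"
)

# Constructed sample: RFC 5737 documentation addresses stand in for outside hosts.
SAMPLE_LOG = """\
2024-01-10T09:00:01Z 10.0.5.21 10.0.0.53 udp 53
2024-01-10T09:00:02Z 10.0.5.21 198.51.100.53 udp 53
2024-01-10T09:00:03Z 10.0.5.22 192.0.2.10 tcp 443 sni=cloudflare-dns.com
2024-01-10T09:00:04Z 10.0.5.22 192.0.2.11 tcp 443 sni=example.com
2024-01-10T09:00:05Z 10.0.5.23 192.0.2.20 tcp 853
2024-01-10T09:00:06Z 203.0.113.7 10.0.0.53 udp 53
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        ipaddress.ip_address(rec["src"])
        ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec):
    """Return a finding label for a resolver bypass, or None if the flow is fine."""
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    if not any(src in net for net in INTERNAL_NETS):
        return None  # only traffic originating inside the enterprise matters
    if dst in INTERNAL_RESOLVERS:
        return None  # approved path, whatever the transport (53, 853 or DoH on 443)
    if rec["dport"] == 53:
        return "plain DNS to external resolver"
    if rec["dport"] == 853:
        return "DNS over TLS to external resolver"
    if rec["dport"] == 443 and rec["sni"] in DOH_HOSTS:
        return "DoH to public provider"
    return None  # ordinary HTTPS or unrelated traffic


def audit(lines):
    """Group findings by internal source host: {src: [(label, dst, sni), ...]}."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            findings[rec["src"]].append((label, rec["dst"], rec["sni"]))
    return dict(findings)


if __name__ == "__main__":
    for host, items in audit(SAMPLE_LOG.splitlines()).items():
        for label, dst, sni in items:
            print(f"{host}: {label} -> {dst}" + (f" (sni={sni})" if sni else ""))
```

The same three checks map directly onto egress firewall rules: deny UDP/TCP 53 and TCP 853 from internal networks to anything but the internal resolvers, and deny TCP 443 to the DoH deny list. The SNI-based check is only as good as the deny list, which is why the browser-side Group Policy control matters as well.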
This advice continues a long line of recommendations from the NSA and the Cybersecurity and Infrastructure Security Agency (CISA) to public and private sector IT teams. Last year, CIOs at U.S. federal agencies were reminded to disable DoH in browsers and to use an internal DNS service. Security and IT teams should weigh this advice and the consequences of their decision carefully, because DNS is used at every layer of enterprise infrastructure. From a security perspective, controlling which domains can be resolved lets teams proactively block known bad domains and quickly consult logs when a malicious resolution is detected. However, outsourcing DNS resolution is not uncommon, and it becomes more common as organizations move more of their IT infrastructure to external providers. Whatever choice is made, the implications the NSA lists deserve serious consideration.