The NSA recommends that organizations not rely on third-party DNS resolvers to provide encrypted DNS over HTTPS (DoH) services. The recommendation encourages organizations to implement DoH on internal corporate DNS servers instead, in order to gain better control and visibility over DNS requests from internal systems and to detect misuse by malware or threat actors. If all DNS requests flow through a corporate-managed server, the requests and responses can be logged for use by security products and analysts to search for suspicious patterns of DNS use, or to block known malicious domains. Whether or not an organization uses DoH to encrypt DNS requests, the NSA recommends that all DNS traffic be sent only to internal resolvers, and that connections from internal systems to known external DoH service providers be actively blocked. Modern web browsers let users easily enable DoH with free external providers, but domain administrators should block that feature through Group Policy.
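As an added illustration of the logging and blocking advice above (this is example code, not from the NSA guidance or from Binary Defense), the script below scans constructed egress firewall/proxy records for DNS traffic that bypasses the corporate resolver: plain DNS to anything other than the (assumed, placeholder) internal resolvers, HTTPS connections to well-known public DoH hosts, and DoH-style `/dns-query` requests to hosts not on that list. The log format and resolver addresses are assumptions.

```python
import re

# Constructed placeholders for the organization's own resolvers (assumption).
INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Hostnames of well-known public DoH services; a real deployment would keep
# a fuller, regularly refreshed list and add the providers' network blocks.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com",
                   "mozilla.cloudflare-dns.com", "dns.quad9.net"}

# Constructed sample of egress records in key=value form ('-' means absent).
SAMPLE_LOG = """\
ts=2021-01-15T10:00:01Z src=10.0.5.20 dst=10.0.0.53 dport=53 proto=udp host=- path=-
ts=2021-01-15T10:00:02Z src=10.0.5.20 dst=8.8.8.8 dport=53 proto=udp host=- path=-
ts=2021-01-15T10:00:03Z src=10.0.5.21 dst=1.1.1.1 dport=443 proto=tcp host=cloudflare-dns.com path=/dns-query
ts=2021-01-15T10:00:04Z src=10.0.5.22 dst=203.0.113.9 dport=443 proto=tcp host=example.com path=/index.html
ts=2021-01-15T10:00:05Z src=10.0.5.23 dst=198.51.100.7 dport=443 proto=tcp host=resolver.example.net path=/dns-query
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_record(line):
    """Turn one key=value log line into a dict; '-' becomes None."""
    return {k: (None if v == "-" else v) for k, v in FIELD.findall(line)}

def classify(rec):
    """Return why a record bypasses the corporate resolver, or None if it does not."""
    if rec.get("dport") == "53" and rec.get("dst") not in INTERNAL_RESOLVERS:
        return "plain DNS to external resolver"
    host = rec.get("host") or ""
    if host in KNOWN_DOH_HOSTS:
        return "connection to known DoH provider"
    # RFC 8484 clients conventionally use a /dns-query path, so an HTTPS
    # request with that path to an unlisted host deserves a closer look.
    if rec.get("dport") == "443" and (rec.get("path") or "").startswith("/dns-query"):
        return "DoH-style request to unlisted host"
    return None

def find_bypasses(log_text):
    """Return (src, dst, reason) for every record that bypasses the corporate resolver."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        reason = classify(rec)
        if reason:
            findings.append((rec["src"], rec["dst"], reason))
    return findings

if __name__ == "__main__":
    for src, dst, reason in find_bypasses(SAMPLE_LOG):
        print(f"{src} -> {dst}: {reason}")
```

The first sample record (port 53 to an internal resolver) is the expected path and is not reported; the other three findings are the cases the guidance says to block or investigate.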
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia’s invasion of Ukraine increased