NSA makes recommendations on companies adopting encrypted DNS


Without DNS the Internet could not function, and DNS also plays a crucial role in cybersecurity: DNS servers can be compromised and used as a vector for other types of attacks.

In a document entitled "Adoption of Encrypted DNS in Business Environments," the National Security Agency (NSA), an agency of the United States Department of Defense, published a report several days ago on cybersecurity in companies.

The document explains the benefits and risks of adopting the encrypted DNS protocol DNS over HTTPS (DoH) in corporate environments.

For those unfamiliar with DNS: it is a scalable, hierarchical, dynamically distributed database on a global scale that provides mappings between host names, IP addresses (IPv4 and IPv6), name server information, and so on.

However, it has become a popular attack vector for cybercriminals because DNS sends its requests and responses in clear text, where unauthorized third parties can easily read them.

The US intelligence and information systems security agency says encrypted DNS is increasingly being used to prevent eavesdropping on and tampering with DNS traffic.

"With the growing popularity of encrypted DNS, corporate network owners and administrators must fully understand how to successfully adopt it on their own systems," says the organization. "Even if the company hasn't formally adopted it, newer browsers and other software may still try to use encrypted DNS and bypass traditional corporate DNS-based defenses," the agency said.

DNS over HTTPS (DoH) encrypts DNS queries to ensure confidentiality, integrity, and source authentication during a transaction with a client's DNS resolver. The NSA report says that while DoH can protect the confidentiality of DNS requests and the integrity of the responses, companies that use it will nevertheless lose some of the control they need over DNS within their networks, unless they allow only their own DoH resolver to be used.

The corporate DoH resolver can be a company-managed DNS server or an external resolver.

However, if the corporate DNS resolver does not support DoH, the enterprise resolver should still be used, and all encrypted DNS should be disabled and blocked until encrypted DNS capabilities can be fully integrated into the corporate DNS infrastructure.

Basically, the NSA recommends that DNS traffic for a corporate network, encrypted or not, be sent only to the designated corporate DNS resolver. This helps ensure proper use of critical business security controls, facilitates access to local network resources, and protects information on the internal network.

How Enterprise DNS Architectures Work

  1. The user wants to visit a website that they do not know is malicious and types the domain name into the web browser.
  2. The domain name request is sent to the corporate DNS resolver in a clear-text packet on port 53.
  3. Queries that violate DNS monitoring policies can generate alerts and/or be blocked.
  4. If the domain's IP address is not in the cache of the corporate DNS resolver and the domain is not filtered, the resolver sends a DNS query through the corporate gateway.
  5. The corporate gateway forwards the DNS query in clear text to an external DNS server. It also blocks DNS requests that do not come from the company's DNS resolver.
  6. The response to the query (the domain's IP address, the address of another DNS server with more information, or an error) is returned in clear text through the corporate gateway, which sends the response to the corporate DNS resolver. Steps 3 through 6 are repeated until the requested domain's IP address is found or an error occurs.
  7. The DNS resolver returns the response to the user's web browser, which then requests the web page from the IP address in the response.
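The recommendation above (all DNS, encrypted or not, goes only to the designated corporate resolver, and the gateway blocks DNS that does not come from that resolver) can be checked against gateway flow logs. The following is an added example written for this article; it is not code from the NSA document. It assumes a hypothetical policy (corporate resolver `10.0.0.53`, internal range `10.0.0.0/8`, and a placeholder external DoH endpoint `203.0.113.10` the enterprise has chosen to block) and a constructed one-line-per-flow log format. It flags clear-text port 53 traffic that bypasses the corporate resolver (steps 2 and 5 of the walkthrough) and 443 traffic to a destination already known to be a DoH resolver; since DoH is ordinary HTTPS on port 443, the port alone cannot reveal it, which is exactly why the agency warns that browsers can bypass DNS-based defenses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Constructed policy values for this example (hypothetical, not from the NSA document):
# the designated corporate DNS resolver, the internal address space, and a small set
# of external DoH endpoints the enterprise has decided to block at the gateway.
CORPORATE_RESOLVER = ipaddress.ip_address("10.0.0.53")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BLOCKED_DOH_ENDPOINTS = {ipaddress.ip_address("203.0.113.10")}  # placeholder (TEST-NET-3)

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class Flow:
    src: Address
    dst: Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line: '<timestamp> <src> <dst> <proto> <dport>'."""
    _ts, src, dst, proto, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport))


def is_internal(addr: Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow: Flow) -> Optional[str]:
    """Return None when the flow matches the 'only the corporate resolver' policy,
    otherwise a short reason describing the violation."""
    if flow.dport == 53 and flow.proto in ("udp", "tcp"):
        # Step 2 of the walkthrough: an internal client asks the corporate resolver.
        if is_internal(flow.src) and flow.dst == CORPORATE_RESOLVER:
            return None
        # Step 5: only the corporate resolver may send DNS out through the gateway.
        if flow.src == CORPORATE_RESOLVER and not is_internal(flow.dst):
            return None
        if not is_internal(flow.dst):
            return "clear-text DNS to an external server not sent by the corporate resolver"
        return "clear-text DNS to an internal host that is not the corporate resolver"
    # DoH rides on TCP 443, so it cannot be told apart from ordinary HTTPS by port alone;
    # the gateway can only match destinations it already knows to be DoH resolvers.
    if flow.dport == 443 and flow.proto == "tcp" and flow.dst in BLOCKED_DOH_ENDPOINTS:
        return "probable DoH to a known external resolver, bypassing the corporate resolver"
    return None


def audit(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, reason) for every flow that violates the policy."""
    findings = []
    for line in lines:
        reason = classify(parse_flow(line))
        if reason is not None:
            findings.append((line, reason))
    return findings


# Constructed sample flows: timestamp, source, destination, protocol, destination port.
SAMPLE_FLOWS = [
    "2021-01-15T10:00:01Z 10.0.5.21 10.0.0.53 udp 53",      # client -> corporate resolver: allowed
    "2021-01-15T10:00:02Z 10.0.0.53 198.51.100.1 udp 53",   # resolver -> external DNS: allowed
    "2021-01-15T10:00:03Z 10.0.5.22 198.51.100.1 udp 53",   # client -> external DNS: violation
    "2021-01-15T10:00:04Z 10.0.5.23 203.0.113.10 tcp 443",  # client -> known DoH endpoint: violation
    "2021-01-15T10:00:05Z 10.0.5.24 10.0.9.9 udp 53",       # client -> rogue internal resolver: violation
    "2021-01-15T10:00:06Z 10.0.5.25 198.51.100.7 tcp 443",  # ordinary HTTPS: not distinguishable, allowed
]

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_FLOWS):
        print(f"{reason}: {line}")
```

Run on the constructed sample, the audit reports three violations and lets the last HTTPS flow through, which illustrates the limit of port-based controls: blocking or allowing DoH has to be done by resolver identity (the enterprise's own DoH resolver, or a maintained list of external ones), not by port.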

Source: https://media.defense.gov/
