NSA and CISA promote PDNS concept

The US National Security Agency and the Cybersecurity and Infrastructure Security Agency have published this week a joint advisory urging companies to adopt DNS-based security solutions as part of a concept the agencies are calling Protective DNS (PDNS).

The document, available here as a PDF, goes over the basic advantages of inspecting DNS traffic, and also includes a basic assessment of several commercial PDNS providers, to give public and private organizations an idea of what to look for when making their own buy decisions.

DNS, which stands for Domain Name System, is the protocol that helps software translate domain names into IP addresses where the content of the domain name is hosted.

Today, DNS is an integral part of various forms of cybercrime and cyberattacks.

Users frequently mistype domain names while attempting to navigate to a known-good website and unintentionally go to a malicious one instead. Threat actors also employ phishing emails with malicious links. Compromised systems may seek commands from a remote server, or they might send stolen data to a remote system.

The NSA and CISA say that all these attacks can be prevented by inspecting DNS traffic and comparing what DNS queries users are making to lists of known malicious hosts.

"The domain names associated with malicious content are often known or knowable, and preventing their resolution protects individual users and the enterprise," the two agencies said in their joint advisory.

But PDNS is more than just looking at DNS queries, the NSA and CISA said. The two agencies also recommended that companies:

• Implement DNS protocol security features like DNSSEC that ensure the integrity and authenticity of DNS records.
• Implement DNS privacy enhancements like DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH).
• Block outbound ports 53 (DNS) and 853 (DoT) to prevent malware from abusing the protocol in any way outside the reach of an internal PDNS service.
• Block access to unauthorized DoH servers that are not under the company's control.
• Exercise maximum attention when selecting a PDNS provider since this company would be granted full access to the organization's web traffic records.

The two agencies said this most recent advisory is the result of a NSA pilot program, where the NSA partnered with the Department of Defense Cyber Crime Center to offer several members of the Defense Industrial Base PDNS-as-a-service.

"Over a six-month period, the PDNS service examined more than 4 billion DNS queries to and from the participating networks, blocking millions of connections to identified malicious domains," the NSA said in a press release.

A recent focus on DNS

But this past week's advisory also represents the second advisories both agencies have sent over the past year in regards to DNS security.

In April 2020, CISA reminded government agencies of their legal requirement to use the EINSTEIN 3 Accelerated (E3A) DNS server as the primary DNS resolver for any government networks and to block the use of DoH inside their networks until a CISA-approved government-wide DoH resolver server was made formally available.

CISA issued the warning amidst the rise in use of DoH, a more private way of making DNS queries, but one that also allows users to skirt local firewalls and security solutions since DNS queries are hidden inside regular-looking HTTPS traffic and don't look like classic DNS queries.

In addition, in January 2021, echoed CISA's advice, warning companies against deploying DoH inside their networks but configured to use external DoH resolver servers that are not under their control [see PDF].

The NSA, just like CISA, urged companies to use their own DoH resolvers to make sure traffic doesn't leak to external parties and that they can still inspect DNS traffic for malware activity —a core tenet of the PDNS philosophy.