US NSA Recommends That Companies Ditch Third-Party DNS Resolvers


The US National Security Agency has urged companies to stop using third-party DNS resolvers, in order to block attackers' attempts to manipulate traffic and to gain unauthorized access to information stored on corporate networks.


The NSA presented its recommendations in a new notice on the pros and cons of using DNS over HTTPS (DoH) in corporate environments.


“The NSA recommends sending encrypted and unencrypted DNS traffic on corporate networks only to a dedicated corporate DNS resolver. This will ensure the correct use of key enterprise security management mechanisms, facilitate access to local network resources and ensure the protection of information within the network,” the NSA said in a notice.


The agency recommends that businesses use their own DNS servers or external services with built-in support for encrypted DNS queries like DoH.


“However, if the enterprise DNS resolver does not support DoH, it still needs to be used, and encrypted DNS should be disabled and blocked until the encryption capabilities of DNS are fully integrated with the corporate DNS infrastructure,” recommends the NSA ...


The agency recommends that administrators of corporate networks disable and block all other DNS services and use only the specially designated corporate ones. Administrators who disable DoH on their enterprise networks should block “known IP addresses and DoH resolver domains” so that clients cannot use their own DoH resolvers instead of the DNS resolver assigned to them by DHCP.
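To make the last recommendation concrete, here is an added example (not from the NSA notice, and not any vendor's tool) that audits constructed flow-log lines against the policy above: plain DNS must go only to the enterprise resolver, and HTTPS to a known DoH resolver address or hostname is treated as a bypass. The resolver address 10.0.0.53, the DoH block-list entries and the log format are assumed placeholders.

```python
"""Flag clients that bypass the enterprise DNS resolver.

Added example: constructed flow-log lines of the form
"src_ip dst_ip proto dst_port sni" are checked against the NSA's
recommendation. Every address, hostname and the log format below
is an assumption, not a value taken from the notice.
"""
from dataclasses import dataclass
from typing import Optional

ENTERPRISE_RESOLVERS = {"10.0.0.53"}  # assumed enterprise DNS resolver
# Placeholder block list: replace with the organisation's own list of
# known DoH resolver IP addresses and domains (constructed values).
KNOWN_DOH_IPS = {"203.0.113.10"}
KNOWN_DOH_HOSTS = {"doh.example.net"}


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    reason: str


def parse_flow(line: str):
    """Split one constructed flow line; '-' means no TLS SNI was seen."""
    src, dst, proto, port, sni = line.split()
    return src, dst, proto, int(port), ("" if sni == "-" else sni)


def check_flow(line: str) -> Optional[Finding]:
    src, dst, _proto, port, sni = parse_flow(line)
    # 1. Classic DNS (port 53) must be answered by the enterprise resolver only.
    if port == 53 and dst not in ENTERPRISE_RESOLVERS:
        return Finding(src, dst, "dns port 53 to non-enterprise resolver")
    # 2. HTTPS to a known DoH resolver IP or SNI is a DoH bypass attempt.
    if port == 443 and (dst in KNOWN_DOH_IPS or sni in KNOWN_DOH_HOSTS):
        return Finding(src, dst, "https to known DoH resolver")
    return None


def audit(lines) -> list:
    """Return one Finding per flow that violates the resolver policy."""
    return [f for f in (check_flow(line) for line in lines) if f]


SAMPLE_FLOWS = [  # constructed sample input
    "10.1.2.3 10.0.0.53 udp 53 -",                    # allowed: enterprise resolver
    "10.1.2.4 198.51.100.1 udp 53 -",                 # bypass: third-party resolver
    "10.1.2.5 203.0.113.10 tcp 443 doh.example.net",  # bypass: known DoH endpoint
    "10.1.2.6 192.0.2.7 tcp 443 www.example.com",     # allowed: ordinary HTTPS
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(f"{finding.src} -> {finding.dst}: {finding.reason}")
```

Feeding real flow or proxy logs through `audit` gives a quick list of hosts to investigate before the corresponding firewall blocks are put in place.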

