Domain Name System (DNS) protection is an essential component in establishing cyber resilience. In fact, it’s so important that the U.S. National Security Agency (NSA) has endorsed DNS over HTTPS (DoH) as a recommended practice for enhancing privacy and security. Recognizing that DoH also can have harmful effects on an organization’s ability to monitor and filter network traffic, the NSA issued guidelines to help organizations successfully deploy DoH while maintaining those vital management tools.
Helping your small and medium-sized business (SMB) clients establish DNS protection with DoH is easier than you think and can give you a strong competitive differentiator as a managed services provider (MSP).
What Is The NSA Advisory On DoH?
Earlier this year, the NSA endorsed DNS protection as a security measure to help combat the escalating cyber threat environment:
DNS translates domain names in URLs into IP addresses, making the internet easier to navigate. However, it has become a popular attack vector for malicious cyber actors. DNS shares its requests and responses in plaintext, which can be easily viewed by unauthorized third parties. Encrypted DNS is increasingly being used to prevent eavesdropping and manipulation of DNS traffic. As encrypted DNS becomes more popular, enterprise network owners and administrators should fully understand how to properly adopt it on their own systems. Even if not formally adopted by the enterprise, newer browsers and other software may try to use encrypted DNS anyway and bypass the enterprise’s traditional DNS-based defenses.
DoH encrypts DNS requests, preventing eavesdropping and manipulation of DNS traffic. While good for ensuring privacy in home networks, DoH can present risks to enterprise networks if it isn’t appropriately implemented. The recommendations detailed will assist enterprise network owners and administrators in balancing DNS privacy and governance for their networks. It outlines the importance of configuring enterprise networks appropriately to add benefits to, and not hinder, their DNS security controls. These enterprise DNS controls can prevent numerous threat techniques used by cyber threat actors for initial access, command and control and exfiltration.
NSA recommends that an enterprise network’s DNS traffic, encrypted or not, be sent only to the designated enterprise DNS resolver. This ensures proper use of essential enterprise security controls, facilitates access to local network resources and protects internal network information. All other DNS resolvers should be disabled and blocked
- National Security Agency Advisory, January 14, 2021
How Can You Help Your SMB Clients Comply With The DoH Advisory?
For all its complications and discussions, you can help your SMB clients comply with the advisory and achieve the same encryption protection in three simple steps.
1. Discuss the NSA DoH advisory with your SMB clients. They are likely worried about privacy, so it is important to begin any discussion with the advisory and round out the threat discussion by mentioning hijacked routing.
2. Plan and source your DoH solution. Establish a plan that helps your SMB clients on five fronts:
- Centralized DNS Resolution: Routing all DNS requests through a centralized DNS resolver is key to achieving both DoH protection and robust DNS visibility and management. In remote user settings, use resolvers under your control. Tip: Hopefully, you have access to a vendor partner with strong security solutions that can help if needed.
- Simple, cloud-based deployment and management. The DNS protection solution you deliver should be cloud-based. Cloud-delivered protection eliminates hardware and software management headaches and ensures that the solution is always up to date.
- Native DoH compliance: The need for DoH compatibility may seem obvious on the surface, but not all solutions are equal when it comes to DoH support. The DNS protection solution your clients use should deliver this support natively, so updates and enhancements are automatic.
- Active threat intelligence: Like all security best practices and solutions, DoH is helpful but not bulletproof. Active threat intelligence can significantly bolster DNS protection solutions.
- All the controls your clients need: Your solution should enable filtering, policy-based domain blocks, policy controls by group, IP and device and robust reporting.
3. Deploy the DoH solution. If you’ve picked the right solution, it’s a snap. And if you’ve selected the right vendor partner, it’ll be done for you and your client for pre- and post-deployment testing and validation.