CISA Releases Guidance on Implementing Encrypted DNS Protocols


The Cybersecurity and Infrastructure Security Agency (CISA) has released a comprehensive document titled “Encrypted DNS Implementation Guidance,” providing detailed instructions for government agencies to enhance their cybersecurity through the adoption of encrypted Domain Name System (DNS) protocols.

Aligned with Memorandum M-22-09 from the Office of Management and Budget (OMB), which outlines a “zero trust” cybersecurity strategy for departments within the Federal Civilian Executive Branch (FCEB), this guidance aims to ensure that federal agencies meet the federal requirements for encrypting DNS data.

Key Points:

  • Released in April 2024, the document offers extensive guidance on complying with federal mandates for encrypting DNS traffic.
  • It directs agencies to use CISA’s Protective DNS service for all outgoing DNS resolution, in accordance with M-22-09 and the agency responsibilities set out in 6 U.S.C. § 663 Note.
  • The guidance helps agency network staff use current tooling to secure their DNS infrastructure.
  • OMB’s Memorandum M-22-09, issued on January 26, 2022, supports Executive Order 14028, “Improving the Nation’s Cybersecurity,” by requiring FCEB agencies to encrypt DNS traffic by the end of FY 2024.
  • The guidance provides an implementation checklist for agencies, distinguishing mandatory requirements from recommended practices for encrypting DNS traffic and for using CISA’s Protective DNS as the upstream resolver.

Phased Implementation:

  • Given the complexity of transitioning to encrypted DNS, the guidance recommends a phased approach, including steps such as adopting Protective DNS, blocking unauthorized DNS traffic, and encrypting DNS traffic for both roaming and on-premises endpoints.

Technical Instructions:

  • The document provides thorough technical instructions on utilizing CISA’s Protective DNS service and implementing encrypted DNS protocols such as DNS-over-HTTPS, DNS-over-TLS, and DNS-over-QUIC.
  • It discusses how Protective DNS can prevent endpoints from resolving malicious names.
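The phased steps above (blocking unauthorized DNS traffic, then encrypting what remains) and the protocol list above raise the same operational question: given what an agency sees on the wire, which DNS egress is compliant? The following Python is an added example written for this article, not code from CISA or from the guidance itself. It classifies constructed flow records by destination port, transport and TLS server name: Do53 on port 53 is plaintext, DoT is TCP 853, DoQ is UDP 853, and DoH shares port 443 with ordinary HTTPS. The resolver addresses (RFC 5737 documentation range) and the hostname pdns.example.gov are hypothetical stand-ins for an agency's Protective DNS endpoints; dns.google and cloudflare-dns.com appear only as examples of third-party DoH services an egress policy might want to flag.

```python
"""Audit DNS egress flows against an encrypted-DNS / Protective DNS policy.

Added example for this article; not CISA's code. Resolver addresses, names
and flow records are constructed stand-ins, not real agency data.
"""
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical approved upstream resolvers (stand-ins for Protective DNS
# endpoints; real addresses come from the agency's onboarding with CISA).
APPROVED_RESOLVER_IPS = {"203.0.113.53", "203.0.113.54"}
# TLS server name expected on DoT/DoH/DoQ connections to the approved service.
APPROVED_RESOLVER_NAMES = {"pdns.example.gov"}
# Well-known public DoH endpoints, used here only to recognise bypass attempts.
# Any such list is necessarily incomplete.
KNOWN_THIRD_PARTY_DOH = {"dns.google", "cloudflare-dns.com"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    sni: str = ""  # TLS server name, if the sensor extracted one


def classify(flow: Flow) -> str:
    """Return a verdict string of the form '<protocol>-<approved|unauthorized>'."""
    dst_ok = flow.dst in APPROVED_RESOLVER_IPS
    sni_ok = flow.sni in APPROVED_RESOLVER_NAMES

    if flow.dport == 53:
        # Do53 is plaintext over both UDP and TCP; even to an approved resolver
        # it still needs to be upgraded to an encrypted transport.
        return "plaintext-approved" if dst_ok else "plaintext-unauthorized"

    if flow.dport == 853:
        # Same port, different transport: DoT is TCP (RFC 7858), DoQ is UDP (RFC 9250).
        kind = "dot" if flow.proto == "tcp" else "doq"
        return f"{kind}-approved" if (dst_ok and sni_ok) else f"{kind}-unauthorized"

    if flow.dport == 443:
        # DoH (TCP, or UDP with HTTP/3) is indistinguishable from ordinary HTTPS
        # by port alone; the network can only recognise resolvers it already knows.
        if dst_ok and sni_ok:
            return "doh-approved"
        if flow.sni in KNOWN_THIRD_PARTY_DOH:
            return "doh-unauthorized"
        return "https-unclassified"

    return "other"


def audit(flows: List[Flow]) -> Dict[str, int]:
    """Count flows per verdict, e.g. for a dashboard during the phased rollout."""
    counts: Dict[str, int] = {}
    for f in flows:
        verdict = classify(f)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


def violations(flows: List[Flow]) -> List[Flow]:
    """Flows that the 'block unauthorized DNS traffic' phase should stop."""
    return [f for f in flows if classify(f).endswith("-unauthorized")]


# Constructed sample flow records (sources in 10.0.0.0/8, third parties in 198.51.100.0/24).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.53", "udp", 53),                          # plaintext to approved resolver
    Flow("10.0.0.6", "198.51.100.1", "udp", 53),                          # plaintext to unapproved resolver
    Flow("10.0.0.7", "203.0.113.53", "tcp", 853, "pdns.example.gov"),     # DoT to approved resolver
    Flow("10.0.0.8", "203.0.113.54", "udp", 853, "pdns.example.gov"),     # DoQ to approved resolver
    Flow("10.0.0.9", "198.51.100.2", "tcp", 853, "dns.example.net"),      # DoT to unapproved resolver
    Flow("10.0.0.10", "198.51.100.3", "tcp", 443, "dns.google"),          # DoH to a third-party resolver
    Flow("10.0.0.11", "203.0.113.53", "tcp", 443, "pdns.example.gov"),    # DoH to approved resolver
    Flow("10.0.0.12", "198.51.100.4", "tcp", 443, "www.example.com"),     # ordinary HTTPS
]

if __name__ == "__main__":
    for verdict, n in sorted(audit(SAMPLE_FLOWS).items()):
        print(f"{verdict:24s} {n}")
    for f in violations(SAMPLE_FLOWS):
        print("BLOCK", f)
```

The classification makes the practical caveat visible: port-based egress rules handle Do53, DoT and DoQ cleanly, but a DoH connection to a resolver not on the known list looks like any other HTTPS session at the network layer. That is one reason the endpoint-side configuration covered in Appendix A (pinning browsers and operating systems to the approved resolver) matters as much as network filtering.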

Vendor-specific Implementation Advice:

  • Implementation advice tailored to various vendors, including web browsers, operating systems, and DNS servers, is included in Appendix A. This section offers precise instructions on configuring popular platforms to handle encrypted DNS protocols.