NSA Warns Against Using Third-Party DNS and Encourages DNS Over HTTPS



As cybercriminals look for new ways to attack organizations, the National Security Agency takes a hard look at how DNS can be manipulated and makes recommendations on how to secure it.

The bad guys are spending a lot of time focusing on the specifics of how network communications work, looking for ways to hijack, reroute, obfuscate, and overall utilize your network and its configuration as an asset to help make their cyberattacks more successful.

According to a newly released report by the NSA, organizations today need to include DNS in their list of security concerns. Cyber attackers work to both eavesdrop on and manipulate DNS traffic as part of their attacks. The NSA makes three recommendations in this report:

  • Use only “designated enterprise DNS resolvers” so that DNS queries are answered by known-secure services that align with your organization’s cybersecurity defenses
  • Use DNS over HTTPS (DoH) so that DNS traffic is encrypted to protect against eavesdropping and manipulation
  • Have enterprise DNS resolvers point to known external DoH servers
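The first recommendation is the easiest one to verify from network telemetry: if every host is supposed to use only the designated enterprise resolvers, then any port-53 traffic to anything else is either a client whose DNS settings have been changed or a resolver forwarding in the clear. The following audit is an added example, not code from the original post or from the NSA report; the flow-log layout, the resolver addresses and the internal address range are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Placeholder values for this example (constructed, not from the NSA report).
DESIGNATED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    reason: str

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse_flow(line: str):
    # Assumed flow-log layout: "<timestamp> <src-ip> <dst-ip> <dst-port> <proto>"
    ts, src, dst, dport, _proto = line.split()
    return ts, src, dst, int(dport)

def audit_dns_flows(lines, designated=DESIGNATED_RESOLVERS):
    """Return one Finding per port-53 flow that deviates from 'only designated resolvers'."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = parse_flow(line)
        if dport != 53:
            continue  # only classic DNS is checked; DoH on 443 looks like any other HTTPS in a flow log
        if src in designated:
            # The resolver's own upstream lookups are expected over DoH, so clear-text
            # DNS leaving the network from a designated resolver is worth a look.
            if not is_internal(dst):
                findings.append(Finding(ts, src, dst, "designated resolver sending clear-text DNS upstream (expected DoH)"))
            continue
        if dst not in designated:
            where = "external" if not is_internal(dst) else "non-designated internal"
            findings.append(Finding(ts, src, dst, f"client bypassed designated resolvers ({where} server)"))
    return findings

# Constructed sample flows: one compliant lookup, two client bypasses, one clear-text upstream, one HTTPS flow.
SAMPLE_FLOWS = [
    "# ts src dst dport proto",
    "2024-05-01T10:00:00Z 10.0.5.21 10.0.0.53 53 udp",
    "2024-05-01T10:00:01Z 10.0.5.22 203.0.113.10 53 udp",
    "2024-05-01T10:00:02Z 10.0.5.23 10.0.9.9 53 tcp",
    "2024-05-01T10:00:03Z 10.0.0.53 198.51.100.5 53 udp",
    "2024-05-01T10:00:04Z 10.0.5.24 203.0.113.20 443 tcp",
]

if __name__ == "__main__":
    for f in audit_dns_flows(SAMPLE_FLOWS):
        print(f"{f.ts} {f.src} -> {f.dst}: {f.reason}")
```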

While these changes to how your organization uses DNS are intended to secure this portion of network communications quickly and easily, creating a stronger stance against cyberattacks, the reality is that this may be one of those solutions looking for a problem. Sure, it’s possible that DNS traffic could be affected by a man-in-the-middle DNS attack, but historically DNS has only been used as a tunnel to move malicious traffic, or by modifying DNS client settings to point to malicious DNS servers.

I’m all for making the organization more secure, so as long as implementing the NSA’s recommendations is easy enough, sure – go ahead. But I wouldn’t necessarily put too much emphasis on this as an attack vector that requires all of your attention.
