NSA Warns Against Using Third-Party DNS and Encourages DNS Over HTTPS

Warning Against DNS Third-PartyAs cybercriminals look for new ways to attack organizations, the National Security Agency takes a hard look at how DNS can be manipulated and makes recommendations on how to secure it.

The bad guys are spending a lot of time focusing on the specifics of how network communications work, looking for ways to hijack, reroute, obfuscate, and overall utilize your network and its configuration as an asset to help make their cyberattacks more successful.

According to a newly release report by the NSA, organizations today need to include DNS in their list of security concerns. Cyber attackers work to both eavesdrop and manipulate DNS traffic as part of attacks. The NSA makes three recommendations in this report:

  • Using only “designated enterprise DNS resolvers” so that DNS queries are being received from known-secure services that align with your organization’s cybersecurity defenses
  • Use DNS over HTTPS (DoH) so that DNS traffic is encrypted to protect against eavesdropping and manipulation
  • Have enterprise DNS resolvers point to known external DoH servers

While these changes in how your organization leverages DNS are intended to help to quickly and easily secure this portion of network communications, creating a more secure stance against cyberattacks, the reality is this may be one of those solutions looking for a problem. Sure, it’s possible that DNS traffic could be impacted by a man-in-the-middle DNS attack, but historically, DNS has only been used as a tunnel to move malicious traffic, or by modifying DNS client settings to point to malicious DNS servers.

I’m all for making the organization more secure, so as long as implementing the NSA’s recommendations are easy enough, sure – go ahead. But I wouldn’t necessarily put too much emphasis on this as an attack vector that requires all of your attention.

Request A Demo: Compliance Plus

Old-school compliance training is challenging for organizations to offer, difficult to do right, and is generally very expensive to deliver. In this live one-on-one demo we will show you how easy it is to deliver your compliance training program using Compliance Plus with KnowBe4's training platform.

CMP-Collage-LCompliance Plus gives you:

  • A whole new library with fresh compliance content updated regularly
  • Coverage of legislative requirements, such as HIPAA and many others
  • New-school high-quality customizable modules
  • Short, interactive modules to keep learners focused, newsletters, docs, and posters are all included
  • Completely automated compliance training campaigns with world-class support and extensive reporting

See for yourself how Compliance Plus can help you keep your users on their toes with compliance, risk and workplace safety top of mind!

Request A Demo

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:


Subscribe To Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews