The Cybersecurity and Infrastructure Security Agency (CISA) released “Encrypted DNS Implementation Guidance,” a comprehensive document outlining steps for government agencies to enhance cybersecurity using encrypted Domain Name System (DNS) protocols. Aligned with Memorandum M-22-09 from the Office of Management and Budget (OMB), which advocates for a “zero trust” cybersecurity approach, the guidance aims to fortify departments within the Federal Civilian Executive Branch (FCEB).
The guidance, issued in April 2024, details how federal agencies must adhere to federal mandates regarding encrypted DNS data, emphasizing the use of CISA’s Protective DNS service for upstream DNS resolution, in compliance with M-22-09 and statutory requirements. It equips agency network professionals with the technical guidance needed to safeguard DNS infrastructure effectively, in line with the federal zero-trust strategy outlined in Executive Order 14028.
Crucially, the guidance provides a checklist for agency implementation, enumerating the required rules and recommended practices for encrypting DNS data and using CISA’s Protective DNS for upstream DNS resolution. It outlines key steps such as configuring DNS infrastructure to support encrypted protocols, deploying SASE/SSE (Secure Access Service Edge / Security Service Edge) solutions for encrypted DNS queries, and ensuring endpoints adhere to authorized DNS configurations.
Recognizing the complexity of transitioning to encrypted DNS, the guidance suggests a phased implementation approach. It advises agencies to begin by configuring internal DNS infrastructure to use Protective DNS, gradually progressing to blocking unauthorized DNS traffic, encrypting DNS traffic with Protective DNS, and finally extending encrypted DNS protocols to roaming, nomadic, and cloud-based endpoints. The document offers detailed technical instructions tailored to different vendors’ web browsers, operating systems, and DNS servers in an appendix for seamless implementation.
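The phased rollout above turns on one question an agency can answer from its own egress logs: which DNS traffic already goes to the authorized Protective DNS resolvers, which of that is still plaintext, and which goes elsewhere and should be blocked. The following detector is an added example, not code from CISA or from the guidance; the log format, the `203.0.113.x` resolver addresses (documentation-range placeholders standing in for the resolver addresses an agency is actually assigned) and the bucket names are all assumptions made for illustration.

```python
"""Classify DNS-related egress flows against an authorized-resolver allow-list.

Added example (not from CISA's Encrypted DNS Implementation Guidance or the
article summarizing it). It assumes a constructed egress log format and
placeholder resolver addresses; an agency would substitute its own.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Hypothetical allow-list. RFC 5737 documentation addresses stand in for the
# Protective DNS resolver addresses an agency is assigned; they are not real.
AUTHORIZED_RESOLVERS = {
    ipaddress.ip_address("203.0.113.53"),
    ipaddress.ip_address("203.0.113.54"),
}

# Encrypted DNS transports: DNS over TLS (TCP/853) and DNS over HTTPS (TCP/443).
ENCRYPTED_DNS = {("tcp", 853), ("tcp", 443)}
# Plaintext DNS: UDP/53 and TCP/53.
PLAINTEXT_DNS = {("udp", 53), ("tcp", 53)}

# Constructed sample log (not real traffic), in the assumed format
# "<timestamp> <src> -> <dst> <proto>/<dport>".
SAMPLE_LOG = """\
2024-04-10T12:00:01Z 10.1.2.3 -> 203.0.113.53 tcp/853
2024-04-10T12:00:02Z 10.1.2.4 -> 203.0.113.53 udp/53
2024-04-10T12:00:03Z 10.1.2.5 -> 198.51.100.7 udp/53
2024-04-10T12:00:04Z 10.1.2.5 -> 198.51.100.7 tcp/853
2024-04-10T12:00:05Z 10.1.2.6 -> 198.51.100.9 tcp/443
"""


@dataclass(frozen=True)
class Flow:
    timestamp: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one record of the constructed format shown in SAMPLE_LOG."""
    ts, src, arrow, dst, service = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected record: {line!r}")
    proto, port = service.split("/")
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(port))


def classify(flow: Flow) -> str:
    """Map a flow to a bucket that lines up with the phased rollout.

    encrypted-authorized: target state (encrypted, to an authorized resolver)
    plaintext-authorized: resolver is right, transport still needs encrypting
    unauthorized-dns:     DNS to a non-authorized resolver; the block phase
    other:                not recognizable as DNS by address and port
    """
    key = (flow.proto, flow.dport)
    if flow.dst in AUTHORIZED_RESOLVERS:
        if key in ENCRYPTED_DNS:
            return "encrypted-authorized"
        if key in PLAINTEXT_DNS:
            return "plaintext-authorized"
        return "other"
    if key in PLAINTEXT_DNS or key == ("tcp", 853):
        return "unauthorized-dns"
    # DoH to an arbitrary host on TCP/443 cannot be told from ordinary HTTPS by
    # port alone, which is why the guidance also relies on endpoint configuration
    # rather than network filtering alone; it is not flagged here.
    return "other"


def summarize(log_text: str) -> dict[str, int]:
    """Count flows per bucket, skipping blank lines."""
    flows = (parse_flow(l) for l in log_text.splitlines() if l.strip())
    return dict(Counter(classify(f) for f in flows))


def unauthorized_sources(log_text: str) -> list[str]:
    """Internal hosts still sending DNS to non-authorized resolvers."""
    flows = (parse_flow(l) for l in log_text.splitlines() if l.strip())
    return sorted({str(f.src) for f in flows if classify(f) == "unauthorized-dns"})


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("hosts to remediate:", unauthorized_sources(SAMPLE_LOG))
```

Run over a real export, the `plaintext-authorized` count tracks progress on the encryption phase, while `unauthorized-dns` lists the hosts that still bypass the agency resolvers and need either a firewall block or a corrected endpoint configuration.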