Amid telework boom, CISA reminds agencies of DNS resolution requirements

The Cybersecurity and Infrastructure Security Agency is reminding agencies to use Domain Name System resolution services offered through the National Cybersecurity Protection System to ensure visitors to federal websites aren't being redirected to malicious websites.

In a memo dated Apr. 21 but publicly released this week, Director Chris Krebs reiterated that civilian agencies are legally required to use sinkholing capabilities through EINSTEIN 3 Accelerated as their primary upstream DNS resolving service.

In a related blog post, Bryan Ware, Assistant Director of Cybersecurity and Communications noted that Einstein 3 Accelerated is already in place in most agencies, but "particularly in light of increased telework, we felt it worth reiterating."

The global DNS system translates website URLs into their corresponding IP addresses. However, an attacker can interfere with that translation to reroute Internet traffic away from its intended destination, instead sending users to fake or spoofed websites where they can be eavesdropped on, tricked into downloading malware or revealing personal information

According to a Privacy Impact Assessment drafted in 2016, EINSTEIN 3 Accelerated's sinkholing capability "allows DHS to prevent malware installed on .gov networks from communicating with known or suspected malicious Internet domains by redirecting the network connection away from the malicious domain to 'safe servers...thus preventing further malicious activity by the installed malware."

Krebs also highlighted recent security updates to several popular browsers, such as Chrome and Firefox, that impact how they resolve such disputes while more broadly incorporating two widely adopted DNS security protocols – over Hypertext Transfer Protocol Secure (HTTPS) and Transport Layer Security (TLS). CISA is working to make their DNS resolution services compatible with both, but until then agencies are required to use EINSTEIN 3 Accelerated as their primary tool. Agencies are permitted to utilize other services as backup options.

"We also recognize that increased use of encrypted DNS resolution will require many enterprises — including ours! — to update how they protect their users from malicious DNS traffic," Ware stated. "We accept and support that, and we're working to offer better services to the executive branch that are easier to use."

The memo notes that CISA will begin issuing reports to agencies highlighting DNS traffic anomalies and will reevaluate the status quo in six months, at which time the agency may issue a follow up emergency or Binding Operational Directive.

CISA's concerns about domain name manipulation are more than theoretical: it put out an emergency directive last year ordering agencies to shore up their DNS protections and reporting as evidence emerged that multiple state-sponsored hacking groups were conducting campaigns to tamper with the global DNS system.