Uncle Sam to agencies: No encrypted DNS for you!

The US federal government has been protecting its users by blocking malicious destinations for years, but it won’t let them take advantage of the latest protective measure in DNS – encryption – just yet. Last month, the US Department of Homeland Security warned government agencies that they’re legally bound to use an internal system that won’t support this feature.

The DHS’s Cybersecurity & Infrastructure Security Agency (CISA) published a memorandum on April 21 warning agency CIOs that they’re legally bound to use its internal EINSTEIN network security system when resolving DNS queries. That means that they can’t yet take advantage of technologies that stop people from snooping on or even hijacking their DNS queries.

EINSTEIN began as an intrusion detection system designed by the DHS’s US-CERT. Version 1 allowed the Agency to monitor traffic across all government networks, while version 2 spotted suspicious traffic. Version 3 (Einstein 3 Accelerated, or Einstein 3A), went further, preventing unwanted intrusions by known bad actors. It offers useful DHS-specific services like sink-holing that override public DNS records by blocking access to destinations that the DHS knows to be malicious. It also lets the DHS examine all DNS requests made by government users, of course.

One thing it still doesn’t do, though, is to encrypt DNS lookups. This is important, especially in networks whose users deal with sensitive information. The Domain Name System is what translates domain names like nakedsecurity.sophos.com (the hostname part of a URL) into IP addresses. It’s an address book for the internet. When a computer looks up a domain in that address book, it goes to a DNS resolver, which delivers the answer (sometimes asking other DNS resolvers in the process). The DNS resolver is usually your ISP’s, but users who control their own devices can also set alternatives, including those operated by companies like Google and Cloudflare.

When the DNS was created in 1987, no one built encryption into it. This means that computers sent DNS queries in plain text by default. Anyone who could intercept them could look at the places you’re visiting and even alter them, potentially sending you to a malicious site and phishing you or infecting your device. This includes not just someone snooping on your wireless connection, but also your ISP or the owner of the network you’re connected to. This is called DNS hijacking, and the US government has already warned agencies about it.

Two types of DNS encryption have emerged to solve that problem. The first is DNS over TLS (DoT). This uses Transport Layer Security (TLS) – the successor to SSL – to encrypt the queries directly and verify the server’s identity using digital certificates. This technique uses port 853 rather than the traditional DNS port, 53, which might cause existing firewall configurations to block those queries. DNS over HTTPS (DoH) solves that problem by using HTTPS, the TLS-encrypted version of HTTP. HTTPS uses port 443, which is so commonly used that a firewall is unlikely to lock it down.
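To make concrete what “DNS over HTTPS” means on the wire, here is an added example (not code from the article, from Mozilla, Google or CISA) that builds a standard DNS query, wraps it in the DoH GET form defined by RFC 8484 (the wire message, base64url-encoded without padding, in a `dns=` query parameter), and decodes a DoH response back into A records. The resolver URL `doh.example.net` is a hypothetical placeholder, and the response is a constructed byte string, so the whole thing runs offline; a real client would send the URL over HTTPS on port 443 with `Accept: application/dns-message`, which is exactly why the traffic looks like any other web request to a firewall.

```python
"""DoH (RFC 8484) GET-form encoding and response decoding, fully offline.

Added example; not the article's or any vendor's code. The resolver URL is
a hypothetical placeholder and the 'response' is a constructed wire message.
"""
import base64
import struct
from typing import List, Tuple

DOH_URL = "https://doh.example.net/dns-query"  # hypothetical DoH resolver


def build_query(name: str, qtype: int = 1, qid: int = 0) -> bytes:
    """Encode a DNS query in RFC 1035 wire format.

    RFC 8484 recommends ID 0 so identical queries yield identical URLs
    (and therefore cache well in HTTP infrastructure).
    """
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def doh_get_url(name: str, base: str = DOH_URL) -> str:
    """RFC 8484 GET form: ?dns=<base64url(wire message) without '=' padding>."""
    token = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{base}?dns={token}"


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Read a possibly compressed (RFC 1035 s4.1.4) name; return (name, next offset)."""
    labels = []
    end = None  # position after the name in the *original* stream
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_a_records(msg: bytes) -> List[Tuple[str, int, str]]:
    """Return (name, ttl, ipv4) for each A record in the answer section."""
    _qid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


def constructed_response() -> bytes:
    """A constructed DoH response body (application/dns-message) for testing."""
    question = build_query("nakedsecurity.sophos.com")[12:]
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; 1 answer
    # Name is a pointer back to the question (0xC00C), A/IN, TTL 300, 192.0.2.53
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 53])
    return header + question + answer


if __name__ == "__main__":
    print(doh_get_url("nakedsecurity.sophos.com"))
    print(parse_a_records(constructed_response()))
```

The `192.0.2.53` answer is from the documentation range reserved by RFC 5737, so it resolves nothing real. Note that the encrypted transport protects the query from the on-path snooping and tampering described above, but it says nothing about whether the resolver at the other end filters malicious destinations; that is the gap the CISA memorandum is concerned with.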

Not all DNS resolvers support these techniques. In the memorandum, CISA director Chris Krebs explained that EINSTEIN 3 doesn’t.

DoH and DoT add desirable security features to DNS resolution; however, federal agencies that use DNS resolvers other than E3A lose the protection that defensive DNS filtering provides, and E3A does not currently offer encrypted DNS resolution. CISA intends to offer a DNS resolution service that supports DoH and DoT in time. Until then, agencies must use E3A for DNS resolution.

All is not lost, though. EINSTEIN 3A does tunnel all traffic to and from devices that are physically or virtually connected to agency networks, including their DNS queries. Krebs also pointed out that while agencies must use E3A as their primary upstream resolver, they are still free to stipulate their own fallback options supporting DoH or DoT that would kick in if E3A stops working. These can include encrypted DNS resolvers in their own infrastructure, or public upstream resolvers (the memorandum cites Google and Cloudflare as examples).

Why is the DHS reminding federal government CIOs about this now? The advisory itself points to one likely reason: browser developers are introducing support for DoH. Mozilla announced last September that it would be a default feature in Firefox, and Google has also announced an “experiment” with DoH in Chrome. The two organisations approach this differently, with Firefox choosing a DoH resolver of its own (Cloudflare) and Google just using the protocol if the user’s existing resolver supports it.
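The practical worry behind the memorandum is that a browser with DoH switched on can resolve names around the mandated resolver without anyone configuring it to. The following added example (not CISA or EINSTEIN tooling) shows the kind of check a network defender would run over flow records to see where resolution is actually going: it classifies each flow as plaintext DNS (port 53), DoT (port 853) or probable DoH (port 443 to a known public DoH endpoint), then flags resolver traffic that does not go to the approved upstream. The flow lines and the approved resolver address `10.0.0.53` are constructed (E3A’s real addresses are not given in the article); the public endpoint list uses Google’s and Cloudflare’s well-known resolver addresses, which the article names as example fallbacks.

```python
"""Audit flow records for DNS resolution that bypasses the mandated resolver.

Added example; not CISA/E3A code. The approved-resolver address, the flow
records and the DoH endpoint list are constructed for illustration.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed placeholder for the mandated upstream resolver (E3A's real
# addresses are not in the article).
APPROVED_RESOLVERS = {"10.0.0.53"}

# Well-known public resolver addresses operated by Google and Cloudflare.
# A real deployment would maintain a much longer list of known DoH endpoints.
KNOWN_DOH_ENDPOINTS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}

# Constructed flow records: timestamp src dst dport proto
SAMPLE_FLOWS = """\
2020-05-01T10:00:01Z 10.20.1.15 10.0.0.53 53 udp
2020-05-01T10:00:02Z 10.20.1.15 10.0.0.53 53 udp
2020-05-01T10:00:05Z 10.20.1.22 1.1.1.1 853 tcp
2020-05-01T10:00:07Z 10.20.1.22 1.1.1.1 443 tcp
2020-05-01T10:00:09Z 10.20.1.31 8.8.8.8 53 udp
2020-05-01T10:00:11Z 10.20.1.31 93.184.216.34 443 tcp
"""


def classify(dst: str, dport: int) -> Optional[str]:
    """Label a flow as 'dns', 'dot', 'doh', or None for non-resolver traffic.

    Port 443 is only treated as DoH when the destination is a known DoH
    endpoint: ordinary HTTPS is indistinguishable from DoH at the flow level,
    which is precisely why DoH is hard to filter.
    """
    if dport == 53:
        return "dns"
    if dport == 853:
        return "dot"
    if dport == 443 and dst in KNOWN_DOH_ENDPOINTS:
        return "doh"
    return None


def parse_flows(text: str) -> List[Dict[str, str]]:
    """Parse whitespace-separated flow lines into dicts; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        ts, src, dst, dport, proto = parts
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": dport, "proto": proto})
    return flows


def audit(text: str) -> Tuple[Counter, List[Tuple[str, str, str, str]]]:
    """Return (counts per resolver class, flagged (ts, src, dst, class) tuples).

    A flow is flagged when it is resolver traffic of any kind whose
    destination is not an approved resolver.
    """
    counts: Counter = Counter()
    flagged = []
    for flow in parse_flows(text):
        kind = classify(flow["dst"], int(flow["dport"]))
        if kind is None:
            continue
        counts[kind] += 1
        if flow["dst"] not in APPROVED_RESOLVERS:
            flagged.append((flow["ts"], flow["src"], flow["dst"], kind))
    return counts, flagged


if __name__ == "__main__":
    totals, hits = audit(SAMPLE_FLOWS)
    print(dict(totals))
    for hit in hits:
        print("bypasses approved resolver:", hit)
```

A flagged flow is a lead, not a verdict: the memorandum explicitly permits encrypted fallbacks when E3A is unreachable, so each hit should be checked against resolver availability at that timestamp before anyone calls it a policy violation. The one flow the audit cannot see is DoH to an endpoint not on the list, which looks exactly like web browsing; closing that gap needs endpoint or browser configuration, not flow analysis.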
