NSA Recommends Avoiding Third-party DNS to Reduce Risk

DNS is necessary to be able to surf the Internet. It acts as a translator, so to speak: it lets us type a domain such as redeszone.net into the browser and links it to its corresponding IP address. To do this, it relies on a database, a directory in which every site appears. In this article we echo a recommendation from the NSA to avoid using third-party DNS resolvers.

The NSA recommends not using third-party DNS

We can use different DNS servers for our browsing: those of our ISP, as well as the many public ones available on the Internet, such as Google or Cloudflare. Some are free and some are paid. In some cases we can even improve security and privacy by choosing one over another.

Third-party DNS

However, the NSA has now published a recommendation that companies avoid third-party DNS resolvers in order to block attempted attacks and manipulation. The purpose of this advice is to reduce eavesdropping on and tampering with DNS traffic, and to prevent information about the internal network from leaking out.

Specifically, they state that “the NSA recommends that DNS traffic from a corporate network, encrypted or not, be sent only to the designated corporate DNS resolution system.” According to the agency, this ensures the proper use of essential enterprise security controls, facilitates access to local network resources, and protects information on the internal network.


Company-operated DNS servers

They suggest that companies use their own company-operated DNS servers, or externally hosted services with built-in support for encrypted DNS requests, such as DoH.

However, the NSA adds that if the enterprise DNS resolver does not support DoH, that resolver should continue to be used, and all encrypted DNS should be disabled and blocked until encrypted DNS capabilities can be fully integrated into the enterprise DNS infrastructure.

In this regard, the NSA urges enterprise network administrators to disable and block all other DNS services beyond the dedicated ones of their organizations.

They also recommend that network administrators disable DoH on their networks by blocking “known DoH resolution domains and IP addresses”, to prevent clients from attempting to use their own DoH resolvers instead of the DHCP-assigned DNS resolver.
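One way to audit egress against this policy, as an added example that is not part of the article or of the NSA guidance: it reads constructed connection-log lines and flags DNS traffic that bypasses the designated corporate resolver, encrypted DNS on port 853, and HTTPS connections whose TLS SNI matches a list of public DoH hostnames. The resolver address 10.0.0.53, the log format and the DoH hostname list are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed policy values (placeholders, not taken from the NSA document).
CORPORATE_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}
# Illustrative list of public DoH hostnames to alert on; extend from your own
# block list of "known DoH resolution domains".
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com"}


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    reason: str


def parse_line(line: str) -> dict:
    """Parse a constructed 'key=value' connection-log line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding if the connection violates the DNS egress policy."""
    f = parse_line(line)
    dst, port = ipaddress.ip_address(f["dst"]), int(f["dport"])
    # Plain DNS (port 53) may only go to the designated corporate resolver.
    if port == 53 and dst not in CORPORATE_RESOLVERS:
        return Finding(f["src"], f["dst"], "dns-to-non-corporate-resolver")
    # Encrypted DNS is disabled and blocked while the resolver lacks support;
    # DNS over TLS uses port 853, so any such connection is a bypass.
    if port == 853:
        return Finding(f["src"], f["dst"], "encrypted-dns-bypass")
    # DoH hides inside HTTPS, so match the TLS SNI against known DoH hosts.
    sni = f.get("sni", "").lower().rstrip(".")
    if port == 443 and any(sni == h or sni.endswith("." + h) for h in KNOWN_DOH_HOSTS):
        return Finding(f["src"], f["dst"], f"doh-resolver:{sni}")
    return None


def audit(lines) -> list:
    """Run check_line over every log line and collect the findings."""
    return [fnd for fnd in map(check_line, lines) if fnd is not None]


# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE_LOG = [
    "src=10.1.2.3 dst=10.0.0.53 dport=53 proto=udp",
    "src=10.1.2.4 dst=203.0.113.8 dport=53 proto=udp",
    "src=10.1.2.5 dst=203.0.113.20 dport=443 proto=tcp sni=dns.google",
    "src=10.1.2.6 dst=203.0.113.30 dport=443 proto=tcp sni=www.example.com",
    "src=10.1.2.7 dst=203.0.113.40 dport=853 proto=tcp",
]
```

Running `audit(SAMPLE_LOG)` yields three findings: the stray port-53 query, the DoH session to dns.google, and the port-853 connection; the first and fourth lines pass.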

Ultimately, the NSA recommends that businesses and organizations take seriously the importance of the DNS they use. The goal is to always maintain privacy and security. It is essential to avoid attacks that could interfere with the smooth running of a business or expose data that may be confidential.

In another article we looked at the types of attacks on DNS servers. It is a problem that is very much present on the network. Hence the importance of always keeping our devices protected and reducing the impact that malware and attackers can have on our network.