CISA to inform agencies of DNS traffic anomalies

The agency reminded agencies of their legal obligation to use its EINSTEIN 3 Accelerated DNS sinkholing capability in a new memo.

The Cybersecurity and Infrastructure Security Agency plans to start sending agencies regular reports informing them of potential Domain Name System traffic anomalies to improve their defenses.

DNS translates human-readable domain names into the addresses computers use to retrieve content, and most agencies are legally required to use CISA’s EINSTEIN 3 Accelerated (E3A) DNS sinkholing capability, which overrides the public DNS records of known-malicious domains so that users cannot reach the malicious infrastructure behind them.

While most agencies do, CISA issued a memo Thursday reminding them of their responsibility in light of the increase in coronavirus-related telework.

“In most instances where agencies bypass our protections, the reasons for non-use are well-intentioned,” wrote Bryan Ware, assistant director of CISA, in a blog. “Indeed, we know that in some circumstances, agencies seek to take advantage of protections we don’t offer, or account for cases that are operationally difficult for us to support.”
Those cases include direct use by mobile devices and cloud infrastructure, as well as both encrypted DNS resolution protocols: DNS over HTTPS (DoH), which carries queries inside a Hypertext Transfer Protocol Secure connection, and DNS over TLS (DoT), which carries them inside a Transport Layer Security connection. Mozilla and Google recently announced plans to enable DoH in their browsers, Firefox and Chrome respectively.

CISA’s memo isn’t in response to those developments, but the document encourages encrypting network communications by default. The agency intends to support DoH and DoT in time.

Agencies are instead advised to:

  • Ensure local DNS recursive resolvers use E3A as their primary upstream DNS resolver
  • Use well-known public resolvers as fallbacks
  • Configure policy enforcement points to drop all inbound and outbound IPv4 and IPv6 traffic on port 53 when connecting to unauthorized DNS infrastructure
  • Drop all inbound and outbound IPv4 and IPv6 DoT traffic on port 853, unless CISA is notified it’s supporting mission needs
  • Disable DoH use by installed browsers until CISA makes it available
  • Review and confirm CISA reports highlighting potential DNS traffic anomalies
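
The port-53 and port-853 rules above can be checked against an agency's own flow or firewall logs before CISA's anomaly reports arrive. The script below is an added example, not CISA's code or anything from the memo: it assumes a simple whitespace-separated flow record (timestamp, source, destination, destination port, protocol), and the resolver addresses, DoT exception list and sample records are constructed placeholders standing in for an agency's E3A-facing recursive resolvers and its notified mission needs.

```python
"""Audit flow records against the DNS egress rules in CISA's memo.

Added example (not CISA's or FedScoop's code). Assumes a flow record of
the form: timestamp src dst dport proto. All addresses are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Placeholder: the agency's local recursive resolvers that forward to E3A.
# Constructed private/documentation addresses, not real E3A infrastructure.
AUTHORIZED_RESOLVERS = {"10.0.0.53", "10.0.1.53", "2001:db8::53"}

# Placeholder: DoT (port 853) destinations CISA has been notified about.
# Empty here, so every DoT flow is flagged, which is the memo's default.
APPROVED_DOT_DESTINATIONS = set()

DNS_PORT = 53
DOT_PORT = 853


@dataclass(frozen=True)
class Flow:
    timestamp: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one flow record; raises ValueError on a malformed line."""
    ts, src, dst, dport, proto = line.split()
    # ipaddress accepts both IPv4 and IPv6 literals, matching the memo's
    # scope, and normalises IPv6 so set membership below is reliable.
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    return Flow(ts, str(src_ip), str(dst_ip), int(dport), proto.lower())


def classify(flow: Flow) -> Optional[str]:
    """Return a finding for a flow the memo says to drop, else None."""
    if flow.dport == DNS_PORT and flow.dst not in AUTHORIZED_RESOLVERS:
        return "port-53 DNS to unauthorized resolver"
    if flow.dport == DOT_PORT and flow.dst not in APPROVED_DOT_DESTINATIONS:
        return "DoT (port 853) without notified mission need"
    # DoH rides on 443 and cannot be told apart from ordinary HTTPS by port
    # alone, which is why the memo asks agencies to disable it in browsers.
    return None


def audit(lines: Iterable[str]) -> List[Tuple[Flow, str]]:
    """Return (flow, finding) pairs for every policy violation in `lines`."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            findings.append((flow, reason))
    return findings


# Constructed sample records. 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24
# and 2001:db8::/32 are reserved documentation ranges, not real hosts.
SAMPLE_FLOWS = [
    "2020-04-17T10:00:01Z 10.20.30.40 10.0.0.53 53 udp",       # allowed
    "2020-04-17T10:00:02Z 10.20.30.41 192.0.2.10 53 udp",      # bypasses E3A
    "2020-04-17T10:00:03Z 10.20.30.42 198.51.100.5 853 tcp",   # DoT, not notified
    "2020-04-17T10:00:04Z 10.20.30.43 10.0.1.53 53 tcp",       # allowed (TCP DNS)
    "2020-04-17T10:00:05Z 2001:db8::10 2001:db8::53 53 udp",   # allowed (IPv6)
    "2020-04-17T10:00:06Z 2001:db8::11 2001:db8:1::1 53 udp",  # bypasses E3A
    "2020-04-17T10:00:07Z 10.20.30.44 203.0.113.7 443 tcp",    # HTTPS; not flagged
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.timestamp} {flow.src} -> {flow.dst}:{flow.dport} {reason}")
```

Run against the constructed sample it reports three flows: two port-53 queries (one IPv4, one IPv6) sent past the E3A-facing resolvers, and one DoT connection with no notified exception. The port-443 flow is deliberately not flagged, since a port check cannot separate DoH from normal HTTPS; that gap is what the memo's "disable DoH in browsers" item covers.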

CISA may issue a directive six months after the memo, if further action is needed.

Written by Dave Nyczepir

Dave Nyczepir is a technology reporter for FedScoop. He was previously the news editor for Route Fifty and, before that, the education reporter for The Desert Sun newspaper in Palm Springs, California. He covered the 2012 campaign cycle as the staff writer for Campaigns & Elections magazine and Maryland’s 2012 legislative session as the politics reporter for Capital News Service at the University of Maryland, College Park, where he earned his master’s of journalism.