The US National Security Agency (NSA) says that companies should avoid third-party DNS resolvers in order to block threat actors' attempts to eavesdrop on and manipulate DNS traffic, and to prevent exposure of internal network information. NSA's recommendation was made in a new advisory on the benefits (and risks) of using DNS over HTTPS (DoH), an encrypted Domain Name System (DNS) protocol that prevents unauthorized access to the DNS traffic between clients and DNS resolvers, in enterprise environments. "NSA recommends that an enterprise network's DNS traffic, encrypted or not, be sent only to the designated enterprise DNS resolver," the US intelligence agency said. "This ensures proper use of essential enterprise security controls, facilitates access to local network resources, and protects internal network information." Companies are advised to use their own enterprise-operated DNS servers or externally hosted services with built-in support for encrypted DNS requests such as DoH. "However, if the enterprise DNS resolver does not support DoH, the enterprise DNS resolver should still be used and all encrypted DNS should be disabled and blocked until encrypted DNS capabilities can be fully integrated into the enterprise DNS infrastructure," the NSA added. The NSA urges enterprise network administrators to disable and block all DNS services other than their organizations' dedicated ones. Network admins who disable DoH on their networks are also advised to block "known DoH resolver IP addresses and domains" to prevent clients from using their own DoH resolvers instead of the DHCP-assigned DNS resolver. The agency's advisory also provides additional details on the purpose of DoH and the importance of correctly configuring it to augment enterprise DNS security controls.
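The NSA's core rule above (all DNS traffic, encrypted or not, goes only to the enterprise resolver, and known DoH endpoints are blocked) can be turned into a simple audit over connection logs. The following is an added illustration, not code from the advisory or from NSA; the resolver addresses, the DoH endpoint list and the log lines are constructed placeholders, and the log format is an assumption made for this example.

```python
"""Flag DNS flows that bypass the enterprise resolver: plaintext DNS (53),
DNS over TLS (853) or DNS over HTTPS (443 to a known DoH endpoint)."""

# Constructed placeholder values; an enterprise substitutes its own resolver
# addresses and its own curated list of known DoH resolver IPs and domains.
ENTERPRISE_RESOLVERS = {"10.0.0.53", "10.0.0.54"}
KNOWN_DOH_IPS = {"198.51.100.10"}
KNOWN_DOH_DOMAINS = {"doh.resolver.example"}

# Constructed log lines; assumed format:
# "<timestamp> <src_ip> <dst_ip> <dst_port> <proto> [sni=<tls_server_name>]"
SAMPLE_LOG = """\
2021-01-15T10:00:01Z 10.0.5.22 10.0.0.53 53 udp
2021-01-15T10:00:02Z 10.0.5.23 192.0.2.44 53 udp
2021-01-15T10:00:03Z 10.0.5.24 198.51.100.10 443 tcp sni=doh.resolver.example
2021-01-15T10:00:04Z 10.0.5.25 203.0.113.7 443 tcp sni=www.example.com
2021-01-15T10:00:05Z 10.0.5.26 192.0.2.9 853 tcp
"""

def parse_flow(line):
    """Split one log line into a dict; the SNI field is optional."""
    fields = line.split()
    flow = {"ts": fields[0], "src": fields[1], "dst": fields[2],
            "port": int(fields[3]), "proto": fields[4], "sni": None}
    for extra in fields[5:]:
        if extra.startswith("sni="):
            flow["sni"] = extra[4:].lower()
    return flow

def classify(flow):
    """Return a finding label, or None when the flow follows the advisory."""
    if flow["port"] in (53, 853):  # plaintext DNS or DoT
        if flow["dst"] in ENTERPRISE_RESOLVERS:
            return None
        return "dns-bypass" if flow["port"] == 53 else "dot-bypass"
    if flow["port"] == 443:  # DoH rides on ordinary HTTPS, so match endpoint lists
        sni = flow["sni"] or ""
        doh_name = any(sni == d or sni.endswith("." + d) for d in KNOWN_DOH_DOMAINS)
        if flow["dst"] in KNOWN_DOH_IPS or doh_name:
            return "doh-bypass"
    return None

def audit(log_text):
    """Return (src, dst, finding) for every non-compliant flow in the log."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            flow = parse_flow(line)
            label = classify(flow)
            if label:
                findings.append((flow["src"], flow["dst"], label))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

The compliant flows (enterprise resolver on 53, ordinary HTTPS) produce no finding; the three bypass flows are reported by type, which maps directly onto the advisory's "block known DoH resolver IP addresses and domains" and "send all DNS only to the enterprise resolver" controls.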
"We are releasing this guidance to our NSS, DIB, and DoD partners to help them manage encrypted DNS as it is automatically enabled by more applications, as part of our continuous efforts to provide timely, actionable, and relevant cybersecurity guidance," Neal Ziring, Technical Director at NSA, told BleepingComputer. "Encrypted DNS features are becoming more widely supported in commercial products, and our customers need to understand the technology and potential trade-offs." Last year, US government agencies' CIOs were advised to disable third-party encrypted DNS services until an official DNS resolution service with DoH and DNS over TLS (DoT) support became available. CISA also reminded agencies that they are legally required to use the EINSTEIN 3 Accelerated (E3A) DNS service on all devices connected to federal agency networks as the primary (or ultimate) upstream DNS resolver for all local DNS recursive resolvers. Until a DNS resolution service with DoH and DoT support was made available, federal agencies were also advised to "set and enforce enterprise-wide policy (e.g., Group Policy Objects [GPO] for Windows environments) for installed browsers to disable DoH use." DoH carries DNS resolution requests over encrypted HTTPS connections, while DoT encrypts and wraps all DNS queries using the Transport Layer Security (TLS) protocol; both replace insecure plaintext DNS lookups. "The 'Adopting Encrypted DNS in Enterprise Environments' Cybersecurity Information Sheet provides National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) network administrators guidance on proper network configuration for handling encrypted domain name system traffic," Ziring added. Learn more by visiting OUR FORUM.

Congressional threats and inducements make Twitter and Facebook censorship a free-speech violation.
Facebook and Twitter banned President Trump and numerous supporters after last week’s disgraceful Capitol riot, and Google, Apple and Amazon blocked Twitter alternative Parler—all based on claims of “incitement to violence” and “hate speech.” Silicon Valley titans cite their ever-changing “terms of service,” but their selective enforcement suggests political motives. "After a close review of recent Tweets from the @realDonaldTrump account and the context around them we have permanently suspended the account due to the risk of further incitement of violence," Twitter's official "Safety" account tweeted. Twitter permanently suspended President Donald Trump’s account on Friday, citing “the risk of further incitement of violence.” The president’s account, with 88 million followers, was initially banned for 12 hours on Wednesday due to “severe violations of our Civic Integrity policy,” after he used the platform to condemn Vice President Mike Pence as his supporters stormed the Capitol. “After a close review of recent Tweets from the @realDonaldTrump account and the context around them we have permanently suspended the account due to the risk of further incitement of violence,” the company said in a tweet. Almost immediately, the account that Trump had used for years to convey his every thought, to denounce his enemies and praise his friends, to convey uncountable false statements and official White House announcements, simply disappeared. It was suddenly impossible to see his previous tweets or even to see his reaction to Twitter's decision. Instead, his empty account had been marked: "Account suspended." Trump's attempts to tweet from associated accounts also were blocked. At one point, he was tweeting from his campaign account, but that was promptly suspended. In a blog post, Twitter detailed the reasoning behind the decision. 
“In the context of horrific events this week, we made it clear on Wednesday that additional violations of the Twitter Rules would potentially result in this very course of action,” Twitter wrote. “Our public interest framework exists to enable the public to hear from elected officials and world leaders directly. It is built on a principle that the people have a right to hold power to account in the open.” “However, we made it clear going back years that these accounts are not above our rules and cannot use Twitter to incite violence,” the post continued. “We will continue to be transparent around our policies and their enforcement.” The White House did not respond to a request for comment. Twitter banned the president’s account after years of public pressure and several attempts to limit the reach of his account in recent days. Hundreds of Twitter employees recently signed a letter urging Twitter CEO Jack Dorsey to ban the president from using the platform to incite violence in the wake of the Capitol siege. An employee at Twitter who has been pushing for the company to delete the president’s account this week told NBC News that “leadership took a beating” at a meeting Friday morning with employees, many of whom pleaded with executives to delete his account. This was the second time in a week Twitter had taken action against the president’s account. Twitter removed three tweets that promoted conspiracy theories about the election and locked Trump’s account on Wednesday, citing “a risk of violence,” after a violent riot at the Capitol. Trump’s official @POTUS account is still active, but if the company determines he’s using it to evade the ban, it will take action to limit its use, a Twitter spokesperson said in a statement. About two hours after his ban, Trump did turn to the official @POTUS account, railing against Twitter, Democrats, and “the Radical Left,” in a series of tweets that were quickly deleted. 
A Twitter spokesperson said, “As we’ve said, using another account to try to evade a suspension is against our rules. We have taken steps to enforce this with regard to recent Tweets from the @POTUS.” Learn more about this very bold and appropriate move from Twitter on OUR FORUM.