DHS CISA to provide DoH and DoT servers for government use

Until official servers are available, government agencies told to disable DoH (DNS-over-HTTPS) and DoT (DNS-over-TLS) on their networks.


The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) announced today that it intends to run DoH (DNS-over-HTTPS) and DoT (DNS-over-TLS) DNS resolution servers for official government use; however, it advises agencies to disable DoH and DoT support in employees' browsers until official CISA servers are available.

The agency issued a memorandum [PDF] today to remind government agencies of their legal requirement to use the EINSTEIN 3 Accelerated (E3A) DNS server as the primary DNS resolver for any government workstations and communications.

CISA said the E3A server comes with a sinkholing capability "which blocks access to malicious infrastructure by, in effect, overriding public DNS records that have been identified as harmful."

"The vast majority of agencies already do this, but particularly in light of increased telework, we felt it worth reiterating," the agency said in a press release.

CISA fears that government workers or system administrators might be tempted by DoH and DoT's features and switch from the approved E3A DNS server to an unsanctioned DoH/DoT-capable system.

The agency said it does not endorse the use of third-party DoH or DoT resolvers, such as those provided by Google, Cloudflare, Cisco, or Quad9.

The DHS's cyber-security agency issued the memorandum because of DoH and DoT's rising popularity and increased usage.

Both are privacy-first versions of the DNS protocol that encrypt DNS queries to shield intended web destinations from third-party network observers.

Support for DoH is enabled by default for Firefox users in the US, while Chrome is currently experimenting with the feature. Microsoft has also announced plans to support DoH inside Windows in a future release.

DoH, especially, looks like it will become a mainstay on the tech scene, with more browsers and desktop applications receiving support for using DoH as a privacy-first alternative to classic DNS.

"Until DoH and DoT resolution services are available from CISA, set and enforce enterprise-wide policy (e.g., Group Policy Objects [GPO] for Windows environments) for installed browsers to disable DoH use," CISA said today, urging government system administrators to take action and prevent workers from taking DNS settings into their own hands.
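As an added illustration of the kind of browser policy CISA's memorandum calls for (this is example code written for this article, not CISA's or any vendor's own tooling), the PowerShell below sets the registry-based policy values that Firefox, Chrome and Edge read on a managed Windows endpoint and then checks that they were applied. In a domain the same values would normally be delivered through a GPO built from the vendors' ADMX templates; the registry paths and value names used here are the registry equivalents of those documented policies, and are assumptions to be verified against the current ADMX templates before deployment. The function names are the example's own.

```powershell
# Added example (not from CISA's memorandum or the article): apply local
# registry-based browser policies that disable DoH for Firefox, Chrome and Edge
# on a Windows endpoint, then report any setting that did not take effect.
# Run from an elevated PowerShell session.

$policies = @(
    # Firefox: DNSOverHTTPS policy. Enabled=0 turns DoH off; Locked=1 stops
    # users from switching it back on in the browser settings.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS'; Name = 'Enabled'; Type = 'DWord';  Value = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS'; Name = 'Locked';  Type = 'DWord';  Value = 1 },
    # Chrome and Edge: DnsOverHttpsMode = "off" disables secure DNS entirely.
    # "automatic" would let the browser upgrade to DoH whenever the configured
    # resolver supports it, which is what the memo wants prevented.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';  Name = 'DnsOverHttpsMode'; Type = 'String'; Value = 'off' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'; Name = 'DnsOverHttpsMode'; Type = 'String'; Value = 'off' }
)

function Set-BrowserDohPolicy {
    # Hypothetical helper: creates each policy key if missing and writes the value.
    param([hashtable[]]$Settings)
    foreach ($s in $Settings) {
        if (-not (Test-Path $s.Path)) {
            New-Item -Path $s.Path -Force | Out-Null
        }
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType $s.Type -Value $s.Value -Force | Out-Null
    }
}

function Test-BrowserDohPolicy {
    # Hypothetical helper: returns the settings whose current registry value
    # does not match the desired value, so an empty result means full compliance.
    param([hashtable[]]$Settings)
    foreach ($s in $Settings) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        if ("$current" -ne "$($s.Value)") { $s }
    }
}

Set-BrowserDohPolicy -Settings $policies
$drift = @(Test-BrowserDohPolicy -Settings $policies)
if ($drift.Count -eq 0) {
    'DoH disabled by policy for Firefox, Chrome and Edge.'
} else {
    $drift | ForEach-Object { "Not applied: $($_.Path)\$($_.Name)" }
}
```

Note that this covers only the browsers' own DoH clients, which is all the memo asks for; DoT is a resolver-level feature rather than a browser one, so keeping workstations on the E3A resolver is a separate operating-system DNS configuration that this policy does not touch. The compliance check is worth running periodically (for example as a scheduled task) rather than once, since the point of the memo is that these settings stay enforced until CISA's own resolvers are available.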