Building on the January Executive Order (EO) addressed below, the White House issued a June EO that also directs federal Executive branch agencies to implement TLS 1.3, or successor(s), by 2030, in part to establish the base layer for future PQC efforts. While this action is mandated to the Executive branch, all branches and tiers of government including SLTT, and critical infrastructure sectors should treat the mandate as applicable. Protective DNS with DNS-over-TLS will continue to protect the government’s information protection efforts, reduces the attack surface, and contains threats by securing communications channels.<\/p>\n
On January 16, 2025, the White House issued a comprehensive Executive Order (EO) aimed at strengthening and promoting the Nation\u2019s cybersecurity. The EO includes specific measures to:<\/p>\n
Noteworthy among the key measures introduced is the requirement for encrypted DNS protocols that ensure the confidentiality and integrity of DNS traffic. This recognizes DNS as a critical frontline security control<\/strong>, emphasizing its significance in cybersecurity defense-in-depth strategy. <\/p>\n DNS is often referred to as \u201cthe phonebook of the internet,\u201d translating human-readable domain names into IP addresses. The original intent of DNS was to distribute information such as host and IP address mappings, mail routing information, etc., so it has not traditionally been viewed as a tool for securing network communications. However, the role DNS plays in enabling nearly all network communications today makes it an effective tool for not only monitoring but also for managing those communications. Encrypted DNS provides one such mechanism for DNS to serve as a security control.<\/p>\n Traditional DNS queries are transmitted in plaintext, making them vulnerable to interception and manipulation. Encrypting DNS traffic (through protocols such as DNS over HTTPS (DoH) and DNS over TLS (DoT)) enhances security by: <\/p>\n This requirement builds upon the requirements set forth in the prior Office of Management and Budget\u2019s (OMB) Memorandum M-22-09<\/a><\/strong> and CISA’s Encrypted DNS Implementation Guide<\/a><\/strong>, which requires the federal Civilian Executive Branch (FCEB) agencies\u2019 DNS infrastructure to support the use of encrypted DNS when communicating with agency endpoints, wherever technically supported. <\/p>\n The specific requirements for encrypted DNS are as follows:<\/p>\n Encrypted DNS requires additional computing resources particularly on DNS servers, because of the need to perform encryption and decryption when sending and receiving DNS messages. Agencies should anticipate this and ensure that their DNS servers have sufficient resources to handle the query load before beginning any widespread deployment of encrypted DNS. Failure to properly implement encrypted DNS could bring down the entire networks, along with their applications and users.<\/p>\n The use of encrypted DNS may also make troubleshooting more difficult because IT staff using network troubleshooting tools won\u2019t have ready access to the contents of DNS queries or responses. The contents of DNS queries and responses will still be available to IT staff on the name servers themselves, of course, because those name servers will have performed the requisite decryption.<\/p>\n However, the benefit of encrypted DNS outweighs these challenges. <\/p>\n To overcome these challenges and ensure cyber resiliency, agencies and organizations should limit the co-existence of multiple mission-critical services on a single system. This separation of duties will ensure the highest possible resilience, given the increased computational requirements. The infrastructure hosting the DNS service should be dedicated to that task and hardened for this purpose to reduce the attack surface and ensure that adequate system resources are available to the DNS service. The infrastructure should include sufficient capacity for elements of the DNS service such as logging, support of encrypted DNS protocols and Protective DNS, where applicable. This may be easier to accomplish on purpose-built DNS services, either as-a-service or via virtual or physical appliances.<\/p>\n As agencies move forward with these initiatives, it is essential to stay informed about the latest technological advancements and adopt best practices, including:<\/p>\n As a leader in secure DNS solutions, Infoblox is uniquely positioned to assist federal agencies in meeting these new requirements. Our solutions are:<\/p>\n This Executive Order marks an important step in the fight against cybercrime targeting DNS infrastructure. By mandating encrypted DNS, the federal government is setting a high standard for cybersecurity resilience, with ripple effects expected across industries. Infoblox is proud to support this mission, delivering the tools and expertise necessary to secure the foundation of the internet. <\/p>\n For more information on how Infoblox can help your organization implement encrypted DNS, visit our blog<\/a><\/strong> or contact us at https:\/\/info.infoblox.com\/contact-form\/<\/strong><\/a>.<\/p>\n Agencies should contact the Infoblox team at scsprogram@infobloxfederal.com<\/strong><\/a> or their account representatives directly for additional information.<\/p>\n To learn more about Trinzic X6: To learn more about Advanced DNS Protection (ADP) that support DoT and DoH: To learn more about Infoblox\u2019s threat intelligence: To learn more about Infoblox Threat Defense: To learn more about Infoblox\u2019s Cyber Security Ecosystem: To learn more about the White House press release on the new EO: https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2025\/01\/16\/executive-order-on-strengthening-and-promoting-innovation-in-the-nations-cybersecurity\/<\/strong><\/a><\/p>\nWhy Encrypted DNS Matters<\/h3>\n
\n
Key Requirements on Encrypted DNS under the EO<\/h3>\n
\n
\n
Challenges and Opportunities<\/h3>\n
Implications for Federal Agencies<\/h3>\n
\n
How Infoblox Can Help<\/h3>\n
\n
Takeaway<\/h3>\n
For Additional Information<\/h3>\n
\nhttps:\/\/www.infoblox.com\/products\/infoblox-appliances\/<\/strong><\/a><\/p>\n
\nhttps:\/\/www.infoblox.com\/products\/advanced-dns-protection\/<\/strong><\/a><\/p>\n
\nhttps:\/\/www.infoblox.com\/threat-intel\/<\/strong><\/a><\/p>\n
\nhttps:\/\/www.infoblox.com\/products\/threat-defense\/<\/strong><\/a><\/p>\n
\nhttps:\/\/www.infoblox.com\/solutions\/security-ecosystem\/<\/strong><\/a><\/p>\n