Zero Trust

  • 1.  NSA Selecting a Protective DNS Service

    Posted Mar 06, 2021 11:58:00 PM
    Hi All,

    The NSA just published Selecting a Protective DNS Service.

    Due to the centrality of DNS for cybersecurity, the Department of Defense (DoD) included DNS filtering as a requirement
    in its Cybersecurity Maturity Model Certification (CMMC) standard (SC.3.192). The Cybersecurity and Infrastructure
    Security Agency issued a memo and directive requiring U.S. government organizations to take steps to mitigate related
    DNS issues. Additionally, the National Security Agency has published guidance documents on defending DNS [1, 2, 3].
    This guidance outlines the benefits and risks of using a protective DNS service and assesses several commercial PDNS
    providers based on reported capabilities. The assessment is meant to serve as information for organizations, not as
    recommendations for provider selection. Users of these services must evaluate their architectures and specific needs
    when choosing a service for PDNS and then validate that a provider meets those needs.

    ------------------------------
    Michael Roza CPA, CISA, CIA, MBA, Exec MBA
    ------------------------------


  • 2.  RE: NSA Selecting a Protective DNS Service

    Posted Mar 14, 2021 11:43:00 AM
    Thanks for posting this, Michael - this is another in the series of useful guidance documents from the NSA. One interesting angle, relevant to this SDP and Zero Trust community, is the concept of connecting these DNS servers' detection of malicious requests into a ZT or SDP system. The idea is that if a device is issuing DNS requests for a known bad site, there are interesting and valuable steps that a security system can take, beyond just the domain blocking or sinkholing mentioned in the report. An SDP or Zero Trust system should be notified by the DNS server, and take immediate actions, such as by quarantining the user's device, prompting for MFA, etc.

    Coincidentally, this use case is one that we're writing about in the in-progress SDP and DNS whitepaper. Folks, look for peer review of this document in the group soon.
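An added illustration of the integration described in the reply above (this is example code, not from the thread, the NSA document, or the whitepaper in progress): a protective DNS resolver's query log is evaluated against a blocklist, and per-device verdicts are turned into Zero Trust / SDP policy actions that go beyond blocking or sinkholing the domain. The log line format, the blocklist entries (all under the reserved `.example` TLD), the severity tiers, and the repeat-count threshold are assumptions made for the example; it generalizes the post's two actions (quarantine, MFA prompt) into a small severity-driven policy.

```python
"""
Constructed example: feed protective-DNS verdicts into a ZT/SDP policy engine.
Every domain, device id, log line and threshold below is a placeholder chosen
for illustration, not a value from any real service or the original thread.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed blocklist: domain -> threat category (a real PDNS provider
# would supply this from its own threat intelligence).
BLOCKLIST = {
    "malware-c2.example": "c2",
    "phish-login.example": "phishing",
    "tracker.example": "adware",
}

# Assumed severity ranking used to pick a response tier.
SEVERITY = {"c2": 3, "phishing": 2, "adware": 1}
REPEAT_THRESHOLD = 3  # assumed: this many low-severity hits escalates to quarantine


@dataclass
class DnsEvent:
    device_id: str
    qname: str
    verdict: str            # "blocked" or "allowed"
    category: Optional[str]  # blocklist category when blocked


def match_blocklist(qname: str) -> Optional[str]:
    """Match the queried name or any parent domain (sub.malware-c2.example hits)."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKLIST:
            return BLOCKLIST[candidate]
    return None


def parse_log_line(line: str) -> DnsEvent:
    """Parse one constructed log line: '<ts> device=<id> qname=<name> qtype=<t>'."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    qname = fields["qname"]
    category = match_blocklist(qname)
    verdict = "blocked" if category else "allowed"
    return DnsEvent(fields["device"], qname, verdict, category)


def parse_log(text: str) -> List[DnsEvent]:
    return [parse_log_line(l) for l in text.splitlines() if l.strip()]


def decide_actions(events: List[DnsEvent]) -> Dict[str, str]:
    """Map per-device blocked queries to a ZT action: block_only, step_up_mfa or quarantine."""
    worst: Dict[str, int] = {}
    hits: Dict[str, int] = defaultdict(int)
    for ev in events:
        if ev.verdict != "blocked":
            continue  # allowed queries carry no policy signal here
        hits[ev.device_id] += 1
        worst[ev.device_id] = max(worst.get(ev.device_id, 0), SEVERITY[ev.category])
    actions: Dict[str, str] = {}
    for dev, sev in worst.items():
        if sev >= 3 or hits[dev] >= REPEAT_THRESHOLD:
            actions[dev] = "quarantine"      # C2 contact, or persistent low-grade hits
        elif sev == 2:
            actions[dev] = "step_up_mfa"     # credential-theft attempt: re-verify the user
        else:
            actions[dev] = "block_only"      # nuisance category: DNS block is enough
    return actions


# Constructed sample log (timestamps and device ids are placeholders).
SAMPLE_LOG = """\
2021-03-14T10:00:01Z device=laptop-01 qname=www.example.com qtype=A
2021-03-14T10:00:02Z device=laptop-01 qname=cdn.tracker.example qtype=A
2021-03-14T10:00:03Z device=laptop-02 qname=phish-login.example qtype=A
2021-03-14T10:00:04Z device=laptop-03 qname=beacon.malware-c2.example qtype=A
2021-03-14T10:00:05Z device=laptop-04 qname=tracker.example qtype=A
2021-03-14T10:00:06Z device=laptop-04 qname=ads.tracker.example qtype=A
2021-03-14T10:00:07Z device=laptop-04 qname=x.tracker.example qtype=A
"""


def run_example() -> Dict[str, str]:
    """Return the action decided for each device in SAMPLE_LOG."""
    return decide_actions(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for device, action in sorted(run_example().items()):
        print(f"{device}: {action}")
```

In a deployment the `decide_actions` output would be pushed to the SDP controller or identity provider rather than printed; the point of the example is that the DNS verdict becomes an input to device and session policy, and that a single C2 lookup or a run of repeated hits is treated differently from a one-off nuisance query.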