authorized internal DNS resolvers to query authorized external DNS resolvers, and prevent all other endpoints from
querying external DNS resolvers. This can be partially accomplished by blocking TCP and UDP traffic over well-known
DNS ports (e.g., 53, 853) that are not destined for authorized providers. However, as DNS-over-HTTPS makes use of
common ports and protocols, other methods may be needed to block this traffic. If agencies have enabled Break-and-
Inspect mechanisms, whether deployed on-premises or via a SASE/SSE service, it may be possible to directly block
DNS-over-HTTPS traffic to unauthorized providers. Yet, if Break-and-Inspect capabilities are not employed, agencies
may need to use other mechanisms to block such traffic (e.g., blocking communication with well-known DNS-over-
HTTPS providers).
For environments such as guest wireless networks that permit guest user endpoints, agencies should follow the same
guidance for blocking unauthorized traffic and routing all egress DNS traffic to protective DNS. Additionally guest
networks should segregate all traffic to a dedicated IP range so that the guest network traffic can easily be
differentiated from agency enterprise network traffic by security devices and analysts.
3.8 VISIBILITY
DNS encryption can hinder existing network-based solutions that depend on access to unencrypted DNS traffic for
visibility. With the DNS traffic being encrypted, agencies will need to obtain comparable visibility through solutions that
can obtain visibility into DNS activity from client and server endpoints. This endpoint-based visibility will require the
encrypted DNS traffic only be permitted between authorized clients and servers where agencies have visibility (e.g.,
authorized endpoints and agency internal DNS servers, agency internal DNS servers, and Protective DNS). With the
diversity of endpoints, their locations, and the information available for them, agencies may need to integrate data from
multiple sources to gain comprehensive visibility.
•
Protective DNS Logs: Logs from Protective DNS can provide information on all DNS queries made by agency
caching resolvers and associated responses. While these logs can provide overall insight into agency domain
resolutions, agencies may need additional context to determine the specific endpoint that made the request.
• Agency DNS Server Logs: Agency DNS server logs can provide visibility into the DNS resolutions performed by
on-premises agency endpoints as well as roaming or nomadic endpoints that have connected into an on-
premises environment. However, these logs may not have comprehensive visibility as roaming, nomadic, or
cloud endpoints may use methods for DNS resolution that bypass the agency DNS servers.
• SASE/SSE Logs: SASE/SSE logs can provide visibility into the DNS resolutions performed by endpoints that use
the SASE/SSE, whether those endpoints are on-premises or remote. SASE/SSE solutions can provide a uniform
visibility across agency endpoints where a common solution is used across the enterprise. However, improperly
configured roaming, nomadic, or legacy endpoints may bypass the SASE/SSE solution, limiting agency visibility.
• Device Logs: Device logs, whether obtained through Endpoint Detection and Response (EDR), Mobile Device
Management (MDM), or other solutions, may be able to provide visibility into the domain resolutions performed
by the devices. While many solutions provide or have access to DNS information, the information available via
these solutions can vary considerably depending on the type of device (e.g., mobile vs workstation). Additionally,
as these logs are provided from the device, there is the potential for delays in receiving the information from the
devices, or for misconfigured devices to not provide the information; and, if a malicious entity compromises a
device, they may be able to limit or compromise the information being sent from the device.
• Cloud Logs: Logs from Cloud providers may be able to provide information about the DNS resolutions performed
by an agency’s cloud deployment. For some cloud environments, there may be direct logs of DNS resolutions
performed by agency endpoints. However, for certain environments or deployments, there may not be direct
logs of the DNS resolutions performed by the managed services. In these scenarios, agencies may need to
reconstruct the DNS resolutions from other logs (e.g., logs of connections made by the cloud deployment that
include DNS names).