
NSA and CISA Issue Guidance on DNS Filtering

Starting from the beginning: DNS is the service that converts the web site address that you type in your browser, like WWW.CNN.COM, into the numbers, like 2a04:4e42:200::323:, that the Internet needs in order to connect you to that web site. DNS was invented because they didn’t think the web would be really popular if you had to type 2a04:4e42:200::323: every time you wanted to go to a web site.

DNS filtering, which the feds call Protective DNS Services, is when the DNS service that your computer uses stops you from connecting to sites that are known to be malicious.

Filtering will dramatically reduce the odds of one of your users clicking on a link to a site that will download malware onto his or her computer.
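To make the mechanism concrete, here is an added example (not code from the NSA/CISA guidance or from any of the vendors) of the decision a filtering resolver makes for each query: read the requested name out of the DNS packet, compare it against a blocklist, and refuse to resolve it on a match. The blocklist entries, the function names and the choice of NXDOMAIN as the block response are assumptions made for illustration.

```python
import struct

# Constructed blocklist; real services use curated threat-intelligence feeds.
BLOCKLIST = {"malware-downloads.example", "phish.test"}

def parse_qname(packet: bytes) -> str:
    """Extract the queried name from the question section of a raw DNS query."""
    if len(packet) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    if struct.unpack("!H", packet[4:6])[0] != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:          # root label terminates the name
            break
        if length > 63:          # pointers and reserved values are rejected
            raise ValueError("invalid label length")
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    return ".".join(labels)

def is_blocked(name: str, blocklist=BLOCKLIST) -> bool:
    """Block a listed domain and every subdomain, matching on whole labels only."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def decide(packet: bytes) -> str:
    """Return the resolver's action for one query: refuse it or resolve it."""
    return "NXDOMAIN" if is_blocked(parse_qname(packet)) else "RESOLVE"

def build_query(name: str) -> bytes:
    """Build a minimal A-record query (constructed sample input)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    for n in ("www.cnn.com", "cdn.Malware-Downloads.example", "notphish.test"):
        print(n, "->", decide(build_query(n)))
```

Matching on whole labels is what keeps a subdomain of a listed site blocked while an unrelated name that merely ends in the same characters still resolves.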

The NSA conducted a pilot with a number of defense contractors last year and documented the results of a 6-month experiment that captured 6 BILLION DNS queries, blocking millions of connections.

Now is the time to get the news out.

The test evaluated 6 companies: Akamai, BlueCat, Cisco, EfficientIP, Neustar and Nominet.

With the exception of BlueCat, all of the services had the same features and the government does not endorse one over the other. BlueCat was missing two check boxes.

There are also a number of free services, but the difference between free and paid is whether the services can be centrally managed, something that is important if you have more than a few computers.

If you are not currently using DNS filtering, we strongly recommend it.

If you are a defense contractor, it is mandatory for CMMC certification.

You can find the review here.
