The Cybersecurity and Infrastructure Security Agency wants to limit ransomware, phishing, botnet and malware threats to civilian agencies by rolling out a new Domain Name System (DNS) resolver service, with a plan to eventually provide it governmentwide.
As the DNS translates websites’ people-friendly domain names into the numerical IP addresses that computers use, resolver technology rides along to allow or block access to sites. Millions of federal employees visit nongovernmental websites each day, and the CISA technology is intended to improve their protection from malicious infrastructure capable of launching cyberattacks.
“Operated defensively, protective DNS can protect agencies and their users from attacks and ensure online systems are resilient,” said a CISA spokesperson. “The service will also afford CISA insight into active cyber threats for analysis and future protection of the federal enterprise.”
The new resolver will fill in some significant gaps. Most agencies are already legally required to use CISA's EINSTEIN 3 Accelerated (E3A) resolver, but it doesn't support direct use by mobile devices and cloud infrastructure or encrypted DNS resolution protocols. Some agencies bypass CISA's protections as a result, so the General Services Administration issued a request for information from potential providers of a new resolver.
The desired resolver would address current service gaps, providing plaintext and encrypted DNS resolution over Transport Layer Security (TLS) and Hypertext Transfer Protocol Secure (HTTPS) connections in both Internet Protocol version 4, or IPv4, and the newer IPv6 address spaces.
The resolver would be recursive, meaning it performs the full lookup on the client's behalf: one DNS server queries the several other servers involved in resolving a name, rather than the client contacting each one directly, so IP addresses are returned faster.
Domain names used in ransomware, phishing, botnet and malware campaigns would be neutralized using government and commercial threat intelligence feeds CISA chooses for near real-time filtering decisions. Content wouldn't be filtered based on taste or agency policy to block, say, gambling or social media sites, the spokesperson said.
CISA wouldn’t have operational or policy control over mobile devices using the resolver, though it wants to protect them without a virtual private network connection into a home network. The resolver should be resistant to distributed denial-of-service (DDoS) attacks, according to the RFI.
CISA would authorize agencies before they can use the resolver, starting with five agencies and a maximum of 150,000 users. The provider CISA seeks would be expected to scale the resolver to all executive agencies within two years and five times the load within three years to extend the service to other interested agencies.
“The intended users of the service will be executive branch agencies,” reads the RFI. “But we are interested in eventually offering the service to other U.S.-based government organizations, including other branches of the U.S. government, and state, local, territorial, and tribal governments.”
Service will be made available to additional agencies “as appropriate,” the spokesperson said.
DNS queries should be logged and stored for 30 days with the provider and for a year in a scalable data warehouse, according to the RFI.
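The two requirements above, threat-feed-only blocking and a retained query log, can be sketched as a filtering decision plus a log record. This is an added illustration, not code from CISA, the RFI or any provider; the feed entries and agency name are constructed placeholders, and a real resolver would apply this decision before answering the client.

```python
"""Protective DNS decision logic in the shape the RFI describes: block only
names present in threat-intelligence feeds, never by content category, and
record every decision so it can be retained and queried later."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

# Constructed feed entries (placeholder names, not real indicators).
THREAT_FEED: Dict[str, str] = {
    "phish-example.test": "phishing",
    "c2-example.test": "botnet",
    "dropper-example.test": "malware",
}

@dataclass
class Decision:
    qname: str
    action: str               # "allow" or "block"
    reason: str               # feed category that matched, or "no-match"
    matched: Optional[str]    # feed entry that matched, if any

def normalize(qname: str) -> str:
    # DNS names are case-insensitive; drop the trailing dot of FQDN form.
    return qname.rstrip(".").lower()

def lookup(qname: str, feed: Dict[str, str] = THREAT_FEED) -> Decision:
    name = normalize(qname)
    labels = name.split(".")
    # Walk from the full name up through each parent domain, label by label,
    # so a feed entry for c2-example.test also covers update.c2-example.test
    # but not the unrelated notc2-example.test.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return Decision(name, "block", feed[candidate], candidate)
    # No feed match: allowed regardless of content category (gambling, social media, ...).
    return Decision(name, "allow", "no-match", None)

def log_record(d: Decision, client_agency: str) -> dict:
    # One query-log entry; the RFI wants these kept 30 days at the provider
    # and a year in a data warehouse, so carry what an analyst needs later.
    return {"ts": datetime.now(timezone.utc).isoformat(), "agency": client_agency,
            "qname": d.qname, "action": d.action, "reason": d.reason,
            "matched": d.matched}

if __name__ == "__main__":
    for q in ["Update.C2-Example.Test.", "www.gambling-example.test"]:
        print(log_record(lookup(q), "agency-placeholder"))
```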
CISA also wants a .gov domain for internet access that it manages and a web application for usage statistics and dashboards, domain blocking alerts, analysis, and updating filter lists. Agencies would be able to query their DNS histories using the app.
Vendors interested in being the prime contractor had until May 22, 2020 to respond to the RFI with comments on the resolver’s feasibility, how it would be positioned relative to other resolvers like E3A, and a potential acquisition approach — which has yet to be finalized.
CISA is currently evaluating RFI responses to finalize requirements for the resolver, before issuing a request for proposal, the spokesperson said.