From Dark Reading:
The National Security Agency recommends that enterprises send DNS traffic only to their designated enterprise resolver and avoid third-party resolvers. In particular, DNS over HTTPS (DoH), which carries DNS queries inside ordinary HTTPS connections, can be abused by attackers to bypass enterprise DNS controls. According to the NSA, the safest route is for companies to use only their designated DNS server, with all other resolvers disabled and blocked.
DNS, the service that converts domain names into IP addresses on the internet, has become an increasingly popular attack vector. Enterprise DNS controls can block many of the techniques that cyber threat actors use for initial access, command and control, and data exfiltration.
Read more of Dark Reading's coverage here: NSA Recommends Using Only ‘Designated’ DNS Resolvers
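The practical side of the NSA advice above is to make the designated resolver the only path DNS can take out of the network, and to notice when something tries another path. The script below is an added example (it is not code from the NSA, Dark Reading, or this blog) that runs the "designated resolver only" policy over network flow records: it flags plain DNS sent to any other resolver, DNS over TLS on port 853, and HTTPS to the addresses of well-known public DoH resolvers. The resolver address 10.0.0.53, the flow record format, the sample flows and the DoH resolver address list are all constructed for the example.

```python
"""Flag DNS traffic that bypasses the designated enterprise resolver.

Added example; not code from the NSA, Dark Reading, or the original post.
Flow records, resolver addresses and the DoH endpoint list are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

# Assumption: the enterprise's designated resolver lives at this address.
DESIGNATED_RESOLVERS = {ip_address("10.0.0.53")}

# Assumption: addresses of public resolvers that also serve DoH on 443.
# DoH is ordinary HTTPS, so the destination address (or TLS SNI, not shown
# here) is the only handle a network sensor has; maintain this like a blocklist.
KNOWN_DOH_RESOLVER_IPS = {
    ip_address("1.1.1.1"), ip_address("1.0.0.1"),           # Cloudflare
    ip_address("8.8.8.8"), ip_address("8.8.4.4"),           # Google
    ip_address("9.9.9.9"), ip_address("149.112.112.112"),   # Quad9
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: object   # ipaddress address object
    dst: object
    proto: str    # "udp" or "tcp"
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<ts> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, ip_address(src), ip_address(dst), proto.lower(), int(dport))


def classify(flow: Flow) -> Optional[str]:
    """Return a finding label if the flow goes around resolver policy, else None."""
    # The designated resolver itself must reach the internet to recurse.
    if flow.src in DESIGNATED_RESOLVERS:
        return None
    if flow.dport == 53 and flow.dst not in DESIGNATED_RESOLVERS:
        return "dns-to-undesignated-resolver"
    if flow.dport == 853 and flow.proto == "tcp":
        # DNS over TLS. The designated resolver is assumed to speak plain DNS
        # internally, so any DoT from a client is an attempt to go around it.
        return "dot-bypass"
    if flow.dport == 443 and flow.proto == "tcp" and flow.dst in KNOWN_DOH_RESOLVER_IPS:
        # Cannot see inside TLS; destination address is the heuristic.
        return "doh-suspect"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run classify over flow records; return (record, finding) for each hit."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        verdict = classify(parse_flow(line))
        if verdict:
            findings.append((line, verdict))
    return findings


# Constructed sample flows: timestamp, source, destination, protocol, dst port.
SAMPLE_FLOWS = [
    "2024-05-01T10:00:01Z 10.1.2.10 10.0.0.53 udp 53",      # to designated resolver
    "2024-05-01T10:00:02Z 10.1.2.11 8.8.8.8 udp 53",        # plain DNS to a third party
    "2024-05-01T10:00:03Z 10.1.2.12 1.1.1.1 tcp 853",       # DNS over TLS
    "2024-05-01T10:00:04Z 10.1.2.13 1.1.1.1 tcp 443",       # HTTPS to a known DoH endpoint
    "2024-05-01T10:00:05Z 10.1.2.14 203.0.113.7 tcp 443",   # ordinary HTTPS, ignored
    "2024-05-01T10:00:06Z 10.0.0.53 9.9.9.9 udp 53",        # resolver's own upstream query
]

if __name__ == "__main__":
    for record, finding in scan(SAMPLE_FLOWS):
        print(f"{finding:32s} {record}")
```

Detection alone does not enforce the policy; the matching perimeter rule is to drop outbound 53 and 853 from every host except the designated resolver. The DoH check is the weak point: it only catches resolvers on a known address list, so it should be paired with disabling DoH in managed browsers and operating systems so that clients never try to resolve around the enterprise resolver in the first place.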
We have been tracking the smart use of DNS configuration and managed DNS services for decades and keep our own lists of recommended services. We like this NSA guidance, but would note that its scope, as the agency itself explains, is limited to firms contracting with the Federal Government. For small to mid-sized businesses, local and state government, and home use, we actually recommend a different DNS resolver: Quad9. Read more at: This one little configuration change will make it harder for people to steal your information.