TLP:CLEAR

ENCRYPTED DNS IMPLEMENTATION GUIDANCE

Version: 1.0
Publication: April 2024
Cybersecurity and Infrastructure Security Agency

This document is marked TLP:CLEAR. Recipients may share this information without restriction. Information is subject to standard copyright rules. For more information on the Traffic Light Protocol, see https://www.cisa.gov/tlp.

REVISION HISTORY

Version   Summary of revisions   Edited By   Date
1.0       Baseline version       A&E COE     02/09/2024

CONTENTS

Executive Summary
1. Background
   1.1 Assumptions and Constraints
2. Agency Implementation Checklist
   2.1 Phased Implementation
3. Implementation Guidance
   3.1 Encrypted DNS
   3.2 Protective DNS
       Figure 1: Methods for Using Protective DNS
   3.3 Agency DNS Infrastructure
   3.4 Agency SASE/SSE Solutions
   3.5 Agency Endpoints
   3.6 Cloud Deployments
   3.7 Preventing Unauthorized DNS Traffic
   3.8 Visibility
APPENDIX A: Vendor-Specific Implementation Guidance
   A.1 Web Browsers
       A.1.1. Firefox
       A.1.2. Chrome
       A.1.3. Safari
   A.2 Operating Systems
       A.2.1. Microsoft Windows
       A.2.2 macOS
       A.2.3 iOS/iPadOS
   A.3 DNS Servers
       A.3.1 BIND DNS Server
             Figure 2: BIND DNS Server Encrypted DNS Proxy Setup
       A.3.2 Microsoft DNS Server
       A.3.3 Azure Private DNS Server
       A.3.4 Infoblox DNS Appliance

EXECUTIVE SUMMARY

This document is intended to provide implementation guidance for federal agencies to meet federal requirements related to encryption of Domain Name System (DNS) traffic and enhance the cybersecurity posture of their IT networks, as set forth in Office of Management and Budget's (OMB) Memorandum M-22-09.[1] The M