NIST’s updated Secure DNS Deployment Guide is a welcome development for the global cyber security community
By Titilayo Shodiya, Public Policy Technical Manager, Infoblox
The National Institute of Standards and Technology (NIST) has released an updated draft of its Secure Domain Name System (DNS) Deployment Guide (Special Publication 800-81, Revision 3), a move being welcomed by cyber security experts worldwide.
This update is a positive, timely recognition of DNS as a foundational layer of security control for enterprises and national cybersecurity. It signals NIST’s commitment to bolster the trustworthiness of the global DNS through open consultation and expert input.
The new guidance aligns with Europe’s cybersecurity priorities under the NIS2 Directive. In an era when cyber threats are borderless, unified global standards for DNS security are more important than ever. This article examines how NIST’s updated guide aligns with EU priorities, and why collaborative, industry-driven standards benefit society at large.
What NIST 800-81 Rev.3 says
The updated SP 800-81 reframes DNS as a security and compliance mechanism. Traditionally viewed as infrastructure, DNS is now recognized as a strategic layer within Zero Trust and defense-in-depth architectures. This expanded view elevates DNS security from a technical niche to a pillar of cyber resilience.
DNS security is redefined as a three-pillar system:
- Employing Protective DNS
- Protecting the DNS Protocol
- Protecting the DNS Service & Infrastructure
1. Employing Protective DNS
Protective DNS is a DNS service enhanced with security capabilities to analyze DNS queries and responses and take action to mitigate threats. Unlike other mechanisms in the security stack, DNS as a security control point is not limited to any single type of threat: it can protect users and organizations from scams, credential theft, ransomware, and data exfiltration. This approach requires threat intelligence and the ability to integrate it into the DNS resolver. Threat intelligence is applied in a DNS infrastructure via mechanisms such as Response Policy Zones (RPZ), and can be integrated into the DNS resolution chain through a number of architectures.
Therefore, the consumption and deployment of Threat Intelligence needs to be considered as part of any Protective DNS deployment. Protective DNS can be provided as a service from a vendor, deployed on internal DNS infrastructure, or a combination of the two.
There are potential benefits to using a combination of externally provided Protective DNS with internally deployed Protective DNS. While this approach may not be applicable in all cases, this combined hybrid scheme should be utilized where feasible.
In the event of a cyber-attack, mapping an IP address to the compromised asset as it was at the time of the attack requires tracking key attributable metadata in real time, along with a history of its allocation to each asset and resource, such as DHCP lease history. To ensure rapid notification of queries that might indicate infection or malicious activity, organizations should integrate Protective DNS logs from their name servers or their secure recursive DNS service with their SIEM or log analysis platform.
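The pipeline described above, as an added example that is not part of the NIST guide or any Infoblox product: an RPZ-style policy (exact names and `*.` wildcard entries, as used in RPZ zone files) is applied to resolver query logs, each hit is attributed to an asset through DHCP lease history at the time of the query, and the result is emitted as a structured record a SIEM can ingest. The log format, policy entries, lease table, domains and addresses are all constructed for the example.

```python
"""Illustrative Protective DNS pipeline (added example, not NIST or Infoblox code):
apply an RPZ-style policy to resolver query logs, attribute each hit to an asset
via DHCP lease history, and emit a SIEM-ready alert record.
All domains, addresses, leases and log lines below are constructed."""
from datetime import datetime, timezone
import json

# Constructed RPZ-style policy: name -> action. A leading "*." entry matches any
# subdomain, mirroring the wildcard form used in RPZ zone files.
POLICY = {
    "malicious-c2.example": "NXDOMAIN",
    "*.malicious-c2.example": "NXDOMAIN",
    "fake-login.example": "WALLED-GARDEN",
}

# Constructed DHCP lease history: (ip, lease start, lease end, hostname, mac).
# The same address is held by two different devices on the same day.
LEASES = [
    ("10.0.5.23", "2024-03-01T00:00:00Z", "2024-03-01T12:00:00Z", "laptop-alice", "aa:bb:cc:00:00:01"),
    ("10.0.5.23", "2024-03-01T12:00:00Z", "2024-03-02T00:00:00Z", "laptop-bob", "aa:bb:cc:00:00:02"),
]


def parse_ts(s):
    """Parse the constructed UTC timestamp format used in logs and leases."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def match_policy(qname, policy=POLICY):
    """Return (matching rule, action), or None. An exact entry wins over a
    wildcard; wildcards are tried from the most specific parent outward."""
    name = qname.rstrip(".").lower()
    if name in policy:
        return name, policy[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in policy:
            return candidate, policy[candidate]
    return None


def attribute_ip(ip, ts, leases=LEASES):
    """Return the asset that held `ip` at time `ts` according to lease history."""
    t = parse_ts(ts)
    for lease_ip, start, end, host, mac in leases:
        if lease_ip == ip and parse_ts(start) <= t < parse_ts(end):
            return {"hostname": host, "mac": mac}
    return None  # no lease covered that moment: attribution must be manual


def parse_query_log(line):
    """Constructed log format: '<ts> client <ip> query <qname> <qtype>'."""
    ts, _, ip, _, qname, qtype = line.split()
    return {"ts": ts, "client": ip, "qname": qname, "qtype": qtype}


def process_logs(lines):
    """Run every log line through the policy; return SIEM-ready alert records."""
    alerts = []
    for line in lines:
        rec = parse_query_log(line)
        hit = match_policy(rec["qname"])
        if hit is None:
            continue
        rule, action = hit
        alerts.append({
            "ts": rec["ts"], "client": rec["client"], "qname": rec["qname"],
            "rule": rule, "action": action,
            "asset": attribute_ip(rec["client"], rec["ts"]),
        })
    return alerts


# Constructed resolver log lines: one benign query and two policy hits.
SAMPLE_LOGS = [
    "2024-03-01T08:15:00Z client 10.0.5.23 query www.example.com A",
    "2024-03-01T08:16:00Z client 10.0.5.23 query beacon.malicious-c2.example A",
    "2024-03-01T13:00:00Z client 10.0.5.23 query fake-login.example A",
]

if __name__ == "__main__":
    for alert in process_logs(SAMPLE_LOGS):
        print(json.dumps(alert))
```

The two hits come from the same client address but resolve to different devices, which is the point of keeping lease history alongside the query log: without it, an alert raised hours after the query would be attributed to whichever machine holds the address when the analyst looks.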
The benefits of employing Protective DNS are both immediate and far-reaching, offering critical early detection and automated defense against emerging threats. A recent real-world example illustrates this well: in 2024, the US cybersecurity authority, CISA, issued an urgent advisory about a ransomware campaign targeting nearly 100 healthcare organizations and compromising the data of millions. As part of the attack, the threat actors used two malicious domains to communicate with their command-and-control (C2) infrastructure.
Organizations with advanced Protective DNS solutions had detected and automatically blocked communication attempts to those malicious domains days, and in some cases months, before the advisory was issued. This early interception stopped an attempted data exfiltration before any damage could occur, demonstrating the critical role of Protective DNS in preemptive defense.
2. Protecting the DNS Protocol
DNS is a fundamental network service, and as such it must be allowed through network boundaries for Internet connectivity to work at all. As a result, threat actors have used it as a strategic vehicle to deliver malware, exfiltrate data, carry command and control (C2) traffic, and more. To protect against these threats, organizations should:
- Protect internal and external authoritative and recursive DNS services against threats by using technologies such as DNSSEC (DNS Security Extensions) and TSIG
- Encrypt DNS traffic, both internal and external, wherever feasible
- Ensure organizations maintain DNS hygiene to monitor and validate the integrity of their public domains
Encrypted DNS is crucial for enhancing online privacy and security. Encryption helps protect sensitive information from being exposed or manipulated and reduces the risk of attacks such as DNS spoofing and man-in-the-middle attacks. However, encrypted DNS introduces additional overhead, particularly on name servers, because of the need to encrypt outgoing and decrypt incoming DNS messages. Organizations should anticipate this and ensure that their name servers have sufficient resources to handle their query load before beginning any widespread deployment of encrypted DNS.
In addition, organizations should adopt DNS hygiene best practices. Threat actors can exploit misconfiguration and lapsed domain or DNS resolver registrations to launch attacks by leveraging dangling CNAMEs, lame delegations and look-alike domains. Organizations should implement robust processes to continuously monitor and validate the integrity of their public domains and take steps to raise the visibility of attempts to impersonate domains owned by the organization.
DNS hygiene is critical not only in the private sector but also within government organizations, where the consequences of misconfiguration can be severe. One example involves the United States Centers for Disease Control and Prevention (CDC), which fell victim to a dangling CNAME attack. After the original website was shut down, the subdomain registration under ‘cdc.gov’ expired. An attacker noticed this lapse and registered the abandoned subdomain. No sophisticated hacking was required: the attacker simply inserted their own content under the CDC’s domain, highlighting the ease with which attackers can exploit poor DNS hygiene and the reputational risks it can cause.
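The continuous-monitoring process the two paragraphs above call for, as an added example that is not from the NIST guide or from Infoblox: an audit that walks an organization's zone and flags two of the hygiene failures named, a CNAME whose target no longer resolves to any address (dangling CNAME) and an NS record pointing at a server that does not actually serve the delegated zone (lame delegation). To keep it runnable offline, the example replaces live DNS with a constructed lookup table (`EXTERNAL`) and a minimal stub resolver; in production the same checks would be made with real queries against the authoritative servers. The zone `org.example`, every record in it, and the table of external names are constructed.

```python
"""DNS hygiene audit (added example, not NIST or Infoblox code): detect dangling
CNAMEs and lame delegations in a zone. A constructed lookup table stands in for
live DNS so the check runs offline; all names and records are constructed."""

# Constructed zone for org.example: owner name -> list of (type, rdata).
ZONE = {
    "www.org.example.": [("A", "192.0.2.10")],
    "old-campaign.org.example.": [("CNAME", "retired-site.hosting.example.")],
    "docs.org.example.": [("CNAME", "pages.docs-host.example.")],
    "lab.org.example.": [("NS", "ns1.lab-provider.example."),
                         ("NS", "ns2.lab-provider.example.")],
}

# Constructed view of names outside the zone. A name absent from this table has
# no records at all (NXDOMAIN). For name servers, "SERVES" lists the zones the
# server is actually configured to answer for authoritatively.
EXTERNAL = {
    "pages.docs-host.example.": {"A": ["203.0.113.7"]},
    # retired-site.hosting.example. is deliberately absent: the hosting account
    # behind it lapsed, leaving old-campaign.org.example. dangling.
    "ns1.lab-provider.example.": {"A": ["198.51.100.1"], "SERVES": ["lab.org.example."]},
    "ns2.lab-provider.example.": {"A": ["198.51.100.2"], "SERVES": []},
}


def resolve(name, rrtype, zone=ZONE, external=EXTERNAL, depth=0):
    """Stub resolver: answer from the zone or the external table, following
    CNAME chains up to 8 hops. Returns a list of rdata (empty if nothing)."""
    if depth > 8:
        return []  # CNAME loop or absurdly long chain: treat as unresolvable
    if name in zone:
        records = zone[name]
        cname_targets = [rdata for t, rdata in records if t == "CNAME"]
        if cname_targets and rrtype != "CNAME":
            return resolve(cname_targets[0], rrtype, zone, external, depth + 1)
        return [rdata for t, rdata in records if t == rrtype]
    return external.get(name, {}).get(rrtype, [])


def find_dangling_cnames(zone=ZONE, external=EXTERNAL):
    """Flag CNAMEs whose target yields neither an A nor an AAAA record."""
    findings = []
    for owner, records in zone.items():
        for rtype, target in records:
            if rtype != "CNAME":
                continue
            has_addr = resolve(target, "A", zone, external) or \
                resolve(target, "AAAA", zone, external)
            if not has_addr:
                findings.append({"owner": owner, "target": target,
                                 "issue": "dangling CNAME"})
    return findings


def find_lame_delegations(zone=ZONE, external=EXTERNAL):
    """Flag NS records whose server is not authoritative for the delegated name."""
    findings = []
    for owner, records in zone.items():
        for rtype, ns in records:
            if rtype != "NS":
                continue
            if owner not in external.get(ns, {}).get("SERVES", []):
                findings.append({"owner": owner, "nameserver": ns,
                                 "issue": "lame delegation"})
    return findings


def audit(zone=ZONE, external=EXTERNAL):
    """Run all hygiene checks and return the combined list of findings."""
    return find_dangling_cnames(zone, external) + find_lame_delegations(zone, external)


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Run periodically against the exported zone, the audit turns the "continuously monitor and validate" requirement into a concrete control: a CNAME that silently stops resolving after a vendor account is closed is exactly the condition that produced the CDC incident described above, and it is caught here before anyone can claim the abandoned target.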
3. Protecting the DNS Service and Infrastructure
DNS software must run on some existing host platform. A compromise of such a platform results in a potential compromise of the DNS service, which can cascade into significant operational failures or loss of integrity and confidentiality. To ensure cyber resiliency, it is recommended to limit the coexistence of multiple mission-critical services on a single system. This separation will ensure the highest possible resilience in the case of a cyber event.
Hence, it is recommended that the infrastructure hosting DNS services be dedicated to that task and hardened for this purpose to reduce the attack surface and ensure that adequate system resources are available to the DNS service. This may be easier to accomplish on purpose-built DNS services, either as-a-service or via virtual or physical appliances.
The risks of running DNS services on shared or vulnerable infrastructure are not theoretical. In 2024, thousands of IT executives were confronted with widespread business disruptions after a faulty software update crippled millions of Windows servers, many of which also hosted DNS services. The result was a global business outage: DNS failures took entire networks offline, causing widespread service disruptions that lasted for hours. This incident underscores the critical need to host DNS services on dedicated, hardened infrastructure to avoid cascading failures and maintain business continuity during unexpected events.
A Collaborative Move Toward Stronger DNS Security
NIST’s revised DNS deployment guide comes after years of evolving threats and lessons learned in DNS operations. By updating its guidance, NIST is responding to real-world industry input and technological change. DNS is a core internet service, and securing it requires consensus on best practices across different sectors and regions. Rather than any single country or region dictating the rules, global DNS standards are being shaped by a broad community of experts. The updated NIST guide reflects input from practitioners and researchers around the world, ensuring that the recommendations are informed by what works best in practice, not just in one jurisdiction. This collaborative development process helps legitimize global guidance.
Conclusion
NIST’s updated Secure DNS Deployment Guide is a welcome development for the global cybersecurity community. It underscores that to secure a cross-border technology like DNS, the best path forward is through collaboration and shared expertise. This is a part of an evolving global standard shaped by contributions from many stakeholders. The alignment with the EU’s NIS2 Directive will highlight a consensus on what needs to be done to protect our collective digital infrastructure.
Ultimately, securing DNS is a shared responsibility. By adopting unified global standards based on best practices, we make the entire internet ecosystem safer and more resilient. NIST’s responsive update is a positive step in this journey. It reminds us that when experts unite across borders, we can raise the security bar for everyone. In welcoming NIST’s effort, we also renew our commitment in Europe to work hand-in-hand with global partners, ensuring that networks remain secure, reliable, and worthy of the trust that billions of users place in them every day.