On April 10, the U.S. National Institute of Standards and Technology (NIST) released a draft of a new revision of its “Secure Domain Name System (DNS) Deployment Guide,” designated NIST SP 800-81. “800-81” (to its friends) has been an indispensable document for DNS administrators both inside and outside the U.S. federal government since its original publication in May 2006. It has been revised twice since then, in April 2010 (Revision 1) and in September 2013 (Revision 2), and each version has provided much-needed guidance to the DNS community. It is useful enough that regulations outside the United States refer to it as well, including Europe’s Network and Information Security 2 (NIS2) Directive.
Understandably, though, since the current version is more than a decade old, it lacks coverage of some important functionality. In particular, it makes no mention of encrypted DNS or Protective DNS.
Encrypted DNS addresses the long-standing “last mile” vulnerability in DNS: almost all communication between a stub resolver (the client side of DNS, present on nearly every device connected to the internet) and the recursive DNS server it queries is sent in cleartext over UDP or TCP port 53. That traffic is therefore subject to both snooping (anyone on the path can see which names a device looks up) and spoofing (anyone on the path can inject a forged answer). Encrypted DNS carries the same queries and responses over an encrypted, authenticated transport, using one of several standardized mechanisms: DNS over TLS (DoT, RFC 7858), DNS over HTTPS (DoH, RFC 8484), or DNS over QUIC (DoQ, RFC 9250). This keeps the stub-to-recursive leg private and, because the client authenticates the recursive server’s certificate, prevents an on-path attacker from substituting responses. Note what it does not do: it protects the channel, not the data. Whether the answer the recursive server obtained from authoritative servers is genuine is a separate question, answered by DNSSEC validation, and the recursive-to-authoritative leg is a separate, typically still unencrypted, hop.
Protective DNS is arguably an even more useful development. For years, DNS servers have unwittingly abetted malicious activity on the internet by resolving domain names that are used in phishing email, by malware, by fraudulent web sites, or in many other harmful contexts.
Protective DNS gives recursive DNS servers the ability to distinguish malicious domain names from benign ones, typically by consulting threat-intelligence feeds, and to answer queries for malicious names with a negative response (e.g., NXDOMAIN, which means “that domain name does not exist”) or with a redirection to a sinkhole address. This can stop phishing campaigns from working, block malware from rendezvousing with its command-and-control infrastructure, keep users from inadvertently reaching fraudulent web sites, and much more. The protection is also nearly universal in reach: almost every device and workload connected to the internet relies on DNS to mediate nearly every network transaction, so a policy enforced at the resolver applies to all of them without any per-device agent.
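To make the mechanism concrete, here is an added example (not code from the original post, from NIST, or from any Infoblox product) of the decision a protective resolver makes for each query: parse the wire-format question, check the queried name and each of its parent domains against a blocklist, and either hand the query on for normal resolution or synthesize an NXDOMAIN response that echoes the client’s transaction ID and question. The blocklist entries, the `build_query`/`policy`/`nxdomain_response` function names, and the transaction ID are all constructed for this illustration; production resolvers implement the same logic with Response Policy Zones (RPZ) or vendor threat feeds rather than a hard-coded set.

```python
import struct

# Constructed sample blocklist for this example. A real resolver loads
# these from RPZ zones or threat-intelligence feeds.
BLOCKLIST = {"evil.example", "c2.bad.test"}


def parse_name(msg: bytes, offset: int):
    """Decode an uncompressed DNS name starting at `offset`.

    Returns (lowercased dotted name, offset just past the terminating 0 byte).
    """
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            # Pointers only appear in responses; a query QNAME is never compressed.
            raise ValueError("unexpected compression pointer in QNAME")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii").lower())
        offset += length


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels followed by the root (0) byte."""
    out = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".") if label
    )
    return out + b"\x00"


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a standard recursive query (RD=1) for QNAME/QTYPE in class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def is_blocked(qname: str, blocklist=BLOCKLIST) -> bool:
    """True if the name or any parent domain is listed.

    "login.evil.example" is blocked by an entry for "evil.example", which is
    how RPZ QNAME policies behave and why a single entry covers a whole
    phishing kit's worth of hostnames.
    """
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def nxdomain_response(query: bytes) -> bytes:
    """Synthesize an NXDOMAIN answer to `query`.

    The response copies the transaction ID, opcode and RD bit, sets QR and RA,
    sets RCODE=3 (NXDOMAIN), and echoes the question section so the stub can
    match it. Any additional section (e.g., an EDNS OPT record) is dropped
    for simplicity.
    """
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    _, end = parse_name(query, 12)
    question = query[12:end + 4]          # QNAME + QTYPE + QCLASS
    rflags = 0x8000 | (flags & 0x7800) | (flags & 0x0100) | 0x0080 | 0x0003
    return struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0) + question


def rcode(msg: bytes) -> int:
    """Return the RCODE from a DNS message header."""
    return struct.unpack("!H", msg[2:4])[0] & 0x000F


def policy(query: bytes, blocklist=BLOCKLIST):
    """Protective DNS decision point.

    Returns ("block", response_bytes) for a listed name, or ("forward", None)
    when the query should go through normal recursive resolution.
    """
    qname, _ = parse_name(query, 12)
    if is_blocked(qname, blocklist):
        return "block", nxdomain_response(query)
    return "forward", None


if __name__ == "__main__":
    for name in ("login.evil.example", "www.nist.gov"):
        action, resp = policy(build_query(name))
        print(name, "->", action, "" if resp is None else f"rcode={rcode(resp)}")
```

The parent-domain walk in `is_blocked` is the part worth copying: a feed entry for an apex domain should cover every hostname beneath it, otherwise attackers sidestep the policy by rotating subdomains. Whether to answer NXDOMAIN or a sinkhole address is a deployment choice; NXDOMAIN is simplest for clients, while a sinkhole lets you log which hosts attempted to connect afterwards.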
The new draft of 800-81 recognizes Protective DNS as a foundational layer of network security and a critical part of a defense-in-depth or Zero Trust security framework, and recommends that organizations incorporate Protective DNS into their security strategies.
At Infoblox, we believe there’s a global shift towards the recognition of DNS as a fundamental security control. European Union regulations already require Protective DNS, and we expect similar requirements to be enacted soon in other jurisdictions. That’s one of the reasons we’re so excited to see Protective DNS included in 800-81.
Today, April 10, marks the beginning of a comment period that is expected to extend until May 26. I’d encourage you to download a copy of 800-81, read it, and submit any comments to NIST before the comment period ends!