As the old IT adage goes, DNS, the Domain Name System, is a bit like oxygen. You only notice when it is not there. DNS has been fantastically successful—arguably one of the great achievements of the internet. It is a distributed network service that scales to the size of the internet and underpins almost all modern networking. Most of the time, it just works and does so flawlessly.
Although many organizations take DNS for granted, its utility and its criticality to the internet have not gone unnoticed by threat actors. As the excellent research from Infoblox Threat Intel highlights, threat actors have become adept at abusing DNS. Whether it’s targeting DNS for DDoS to take out entire networks, hijacking well-respected brand name domains for use in cybercrime or using DNS as the postal service for exfiltrating stolen data, DNS has in many ways become a foundation for modern cybercrime.
For many years, policymakers and regulators let DNS slip under their radar. With the recent legislation focused on cyber resiliency, securing critical infrastructure and even protecting citizens from the epidemic of internet fraud, the role of DNS was often obscured or ignored. Despite welcome additions to the DNS standards that facilitated the securing of the DNS infrastructure, the integrity of the protocol and even the use of DNS as a cybersecurity control, these capabilities, unfortunately, were best-kept secrets. Until now.
In the last few years, as governments have adopted DNS as a cybersecurity control point, as evidenced by the Protective DNS services operated by governments in the United Kingdom [1], United States [2] and Australia, regulators and policymakers have gradually started to drag DNS out of the technical policy shadows.
In the latest update from the National Institute of Standards and Technology (NIST) to Special Publication (SP) 800-81 DNS Security Best Practices [3], we see a welcome update that addresses the three key issues: securing the DNS infrastructure, protecting the integrity of the DNS service and using Protective DNS as a cybersecurity control. These best practices align with recommendations that we at Infoblox have based on our extensive experience of designing and deploying DNS architectures across a broad range of organizations. Fortunately, we’re also seeing similar recommendations emerge in policy directives and mandates. The European Union (EU) recently updated the NIS2 Directive [4] to include many of the same recommendations as described in NIST SP 800-81. The expectation should be that as EU member states transpose the directive into national policy, the same breadth and clarity of recommendations are included in the NIS2 mandates.
Going forward, there is a strong case for other regulators to align with the NIST SP 800-81 recommendations. The Saudi Arabian National Cybersecurity Authority’s Essential Cybersecurity Controls (ECC) [5] requires the use of Protective DNS. Expanding those requirements to align with the best practices would give organizations a clear set of practical recommendations that span the thicket of regulatory requirements. Thus, as DNS emerges from the shadows, there is a unique opportunity to reduce the regulatory burden and drive clarity of implementation while finally addressing the risks and opportunities that surround the critical service that is DNS.
Footnotes
1. Protective Domain Name Service (PDNS), National Cyber Security Centre, September 17, 2024.
2. Protective Domain Name System (DNS) Resolver, Cybersecurity and Infrastructure Security Agency (CISA).
3. NIST Special Publication 800-81 Secure Domain Name System (DNS) Deployment Guide, Rose, Scott, Liu, Cricket, Gibson, Ross, National Institute of Standards and Technology (NIST), April 2025.
4. NIS2 Directive Technical Implementation Guidance, European Union Agency for Cybersecurity (ENISA), June 2025.
5. Essential Cybersecurity Controls, National Cybersecurity Authority, Saudi Arabia.