NIST Special Publication 800-81 is a comprehensive framework from the U.S. government that outlines best practices for deploying the Domain Name System (DNS) securely. In this FAQ, we break down what NIST 800-81 is, what the latest draft update adds and why those additions matter, and how organizations can apply its guidance to strengthen their cyber defenses.
Q: What is the purpose of 800-81r3?
A: The document is the latest draft of NIST SP 800-81, and provides updated guidelines for utilizing DNS as a foundational layer of network security and deploying DNS securely to mitigate misuse or misconfiguration as part of a zero-trust or defense-in-depth approach. The document acknowledges the change in DNS’s role in securing networks since the previous edition published in 2013.
Q: Who is the intended audience for this guide?
A: The guide targets two main groups:
- Cybersecurity executives, decision makers, and organizational policy setters.
- Operational networking and cybersecurity teams.
Q: What is new in this version of the guide?
A: This version of 800-81 updates guidance on utilizing DNS as a foundational layer of network security and on securing the DNS protocol and infrastructure to mitigate misuse or misconfiguration. New additions include leveraging DNS to protect against malware, ransomware and data exfiltration, to support incident response efforts, and to secure OT and IoT environments.
Q: How applicable is 800-81r3 globally?
A: NIST is recognized globally as an authoritative standards organization, and its publications are used widely by other regulators and standards bodies, directly or indirectly. For instance, the European Union Agency for Cybersecurity (ENISA) NIS2 implementation guidance references 800-81, which makes it a relevant set of best practices for the essential and important entities NIS2 covers, such as DNS service providers, TLD name registries, cloud computing service providers, data center service providers, content delivery network providers, managed service providers, and managed security service providers. Cybersecurity agencies, other organizations and companies worldwide can point to 800-81 as a recognized best practice rather than develop their own, and can apply 800-81 principles within their own security strategies and policies.
Q: How does DNS support cyber resiliency and security strategies?
A: DNS is critical for network operations and can be used as a foundational layer of security. It supports defense-in-depth and zero-trust principles by enforcing security policies, preemptively blocking access to malicious domains, and providing visibility for digital forensics and incident response.
Q: What are the key recommendations for DNS deployments?
A: This revision of Special Publication (SP) 800-81 acknowledges these changes in the role of DNS and provides modern guidance on DNS deployments, with the following high-level recommendations for network and security owners:
- Employ Protective DNS wherever technically feasible to provide additional network-wide security capabilities
- Encrypt internal and external DNS traffic wherever feasible
- Deploy dedicated DNS servers to reduce attack surfaces
- Follow all technical guidance on ensuring that DNS deployments and the DNS protocol are as secure and resilient as possible
Q: What is Protective DNS?
A: Protective DNS is DNS enhanced with security capabilities to analyze DNS queries and responses and take action to mitigate threats. Protective DNS preemptively blocks access to malicious websites and prevents the delivery of malware, ransomware, phishing, and other attacks that attempt to deliver spyware and viruses.
The goals of deploying Protective DNS include:
- Blocking or redirecting harmful traffic in real time at the point of domain name resolution, typically before malicious activity starts
- Blocking categories of traffic with DNS by categorizing domain names that do not conform to an organization’s policies or matching against known bad actor lists
- Delivering visibility into real-time and historical DNS query and response data to facilitate digital forensics and incident response
- Integrating with the wider security ecosystem as part of defense in depth, such as correlating an organization’s data on assets (e.g., devices, cloud workloads) and users with the IP addresses of blocked queries
- Facilitating an organization’s responsibility to comply with regulatory or contractual requirements for blocking traffic to disallowed sites (e.g., copyright violations, legal restrictions)
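The goals listed above map onto a small amount of policy logic at the resolver. The following Python script is an added example (not code from NIST SP 800-81 or from any Protective DNS product) that evaluates constructed resolver log lines against a constructed blocklist, category policy and asset inventory: known-bad domains are sinkholed, OT assets get a deny-by-default allowlist (the OT/IoT addition in 800-81r3), category policy applies to everyone else, and every decision is correlated back to the device and user so an analyst can pivot. All domain names, IPs, log lines and inventory entries are constructed placeholders.

```python
"""Protective DNS policy evaluation over constructed resolver log lines.

Added example, not code from NIST SP 800-81 or from any Protective DNS
product. Every domain, log line, category, blocklist entry and asset record
below is constructed for illustration.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed threat intelligence: known-bad zones (a query for any name at
# or below one of these matches) and category labels for policy blocking.
BLOCKLIST = {"malware-c2.example", "payload-drop.example"}
CATEGORIES = {"filesharing.example": "p2p", "paste-anon.example": "anonymizer"}
BLOCKED_CATEGORIES = {"anonymizer", "p2p"}

# Constructed asset inventory keyed by client IP. Correlating a blocked query
# with the device and user behind it is the "wider ecosystem" goal above;
# the OT zone gets a deny-by-default policy with a short vendor allowlist.
ASSETS = {
    "10.1.5.20": {"device": "laptop-0142", "user": "j.doe", "zone": "corp"},
    "10.1.9.7": {"device": "plc-line3", "user": None, "zone": "ot"},
}
OT_ALLOWED = {"vendor-update.example"}


@dataclass
class Decision:
    client: str
    qname: str
    action: str  # "allow", "block" (NXDOMAIN/REFUSED) or "redirect" (sinkhole)
    reason: str
    asset: dict


def normalise(name: str) -> str:
    return name.rstrip(".").lower()


def suffixes(name: str):
    """'a.b.c' -> ['a.b.c', 'b.c', 'c'], so zone-level entries match subdomains."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def evaluate(client: str, qname: str) -> Decision:
    name = normalise(qname)
    asset = ASSETS.get(client, {"device": "unknown", "user": None, "zone": "unknown"})
    parts = suffixes(name)
    # 1. Known-bad domains are sinkholed: the client gets an answer it can log
    #    and the beacon never reaches the real infrastructure.
    for s in parts:
        if s in BLOCKLIST:
            return Decision(client, name, "redirect", f"blocklist:{s}", asset)
    # 2. OT/IoT assets may only resolve an explicit allowlist.
    if asset["zone"] == "ot":
        if any(s in OT_ALLOWED for s in parts):
            return Decision(client, name, "allow", "ot-allowlist", asset)
        return Decision(client, name, "block", "ot-default-deny", asset)
    # 3. Everyone else is subject to category policy.
    for s in parts:
        cat = CATEGORIES.get(s)
        if cat in BLOCKED_CATEGORIES:
            return Decision(client, name, "block", f"category:{cat}", asset)
    return Decision(client, name, "allow", "no-match", asset)


def parse_log_line(line: str):
    """Constructed log format: '<timestamp> <client-ip> <qname> <qtype>'."""
    ts, client, qname, qtype = line.split()
    ipaddress.ip_address(client)  # raises ValueError on a malformed address
    return ts, client, qname, qtype


def process(lines):
    return [evaluate(client, qname) for _, client, qname, _ in map(parse_log_line, lines)]


def blocked_by_asset(decisions):
    """Count non-allowed queries per device: the first pivot an analyst wants."""
    return dict(Counter(d.asset["device"] for d in decisions if d.action != "allow"))


# Constructed resolver log lines.
SAMPLE_LOG = [
    "2025-01-10T08:00:01Z 10.1.5.20 www.intranet.example A",
    "2025-01-10T08:00:05Z 10.1.5.20 beacon.malware-c2.example A",
    "2025-01-10T08:00:09Z 10.1.5.20 paste-anon.example. TXT",
    "2025-01-10T08:00:12Z 10.1.9.7 fw.vendor-update.example A",
    "2025-01-10T08:00:15Z 10.1.9.7 update.filesharing.example AAAA",
]

if __name__ == "__main__":
    for d in process(SAMPLE_LOG):
        who = d.asset["device"] + (f" ({d.asset['user']})" if d.asset["user"] else "")
        print(f"{d.action:8} {d.qname:30} {d.reason:28} {who}")
    print(blocked_by_asset(process(SAMPLE_LOG)))
```

Two design points worth noting: the blocklist check runs before the OT allowlist so a compromised vendor domain cannot be resolved from the OT zone even if it is allowlisted, and "redirect" (sinkhole) is used for known-bad domains rather than a plain refusal because a sinkholed beacon produces a connection attempt that the rest of the security stack can observe.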
Q: What is encrypted DNS?
A: This refers to protocols such as DNS over TLS (DoT) and DNS over HTTPS (DoH) that encrypt DNS queries between a DNS client and recursive DNS server.
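To make the DoH transport concrete, the following Python script is an added example (not code from NIST SP 800-81) that builds a DNS query in normal wire format and encodes it the two ways RFC 8484 allows: base64url in the `dns=` parameter of a GET, or as the raw body of a POST with `Content-Type: application/dns-message`. It also decodes a constructed wire-format answer, including the name-compression pointer that appears in real responses. No network traffic is sent; the resolver URL and the response bytes are constructed. The encrypted channel protects the query from on-path observation and tampering, but the recursive resolver still sees every query in the clear, so the choice of resolver matters as much as the transport.

```python
"""Building a DNS over HTTPS (DoH) request and decoding a wire-format answer.

Added example, not code from NIST SP 800-81. It shows the RFC 8484 encoding
only: the DNS message is the normal wire format, sent either as the body of a
POST (Content-Type: application/dns-message) or base64url-encoded in the
"dns=" query parameter of a GET. No network I/O is performed; the resolver URL
and the response bytes are constructed for illustration.
"""
import base64
import struct


def encode_name(name: str) -> bytes:
    """Wire form of a name: length-prefixed labels ending with a zero byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(qname: str, qtype: int = 1, msg_id: int = 0) -> bytes:
    """One-question query with RD set. RFC 8484 recommends ID 0 so that
    identical questions produce identical (cacheable) GET URLs."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver_url: str, qname: str, qtype: int = 1) -> str:
    """GET form: base64url without padding in the dns= parameter."""
    param = base64.urlsafe_b64encode(build_query(qname, qtype)).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={param}"


def doh_post_request(resolver_url: str, qname: str, qtype: int = 1):
    """POST form: the raw message is the body. Returns (url, headers, body)."""
    body = build_query(qname, qtype)
    headers = {"Content-Type": "application/dns-message", "Accept": "application/dns-message"}
    return resolver_url, headers, body


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # pointer to an earlier occurrence of the name
            if not jumped:
                end = off + 2
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        if ln == 0:
            if not jumped:
                end = off + 1
            break
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels), end


def parse_answers(msg: bytes):
    """Return (name, type, ttl, rdata) for each record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", ttl, ".".join(str(b) for b in rdata)))
        else:
            answers.append((name, f"TYPE{rtype}", ttl, rdata.hex()))
    return answers


# Constructed response: flags 0x8180 (QR, RD, RA), one A record with TTL 3600
# whose owner name is a compression pointer (0xC00C) back to the question.
SAMPLE_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    + encode_name("www.example.com") + b"\x00\x01\x00\x01"
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04" + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    print(doh_get_url("https://doh.example/dns-query", "www.example.com"))
    print(parse_answers(SAMPLE_RESPONSE))
```

For `www.example.com`/A with message ID 0 the GET parameter comes out as `AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB`, which is the value RFC 8484 uses in its own GET example. DoT carries the identical wire-format message over TLS on port 853 with a two-byte length prefix, so the encoding functions above apply to both transports.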
Q: How is authentication used to protect the DNS protocol?
A: Public-key cryptography, with the public keys published in DNS itself, can be used to cryptographically sign zones and their records. Validating recursive DNS servers can then verify that a response is authentic and has not been modified in transit, following a chain of trust from the root zone down to the queried domain. This is collectively known as DNS Security Extensions (DNSSEC).
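The link in that chain of trust that a validating resolver checks at each zone cut is the parent's DS record against the child's DNSKEY. The following Python script is an added example (not code from NIST SP 800-81) that implements that check with the standard library only: the RFC 4034 key tag, the DS digest (a hash over the owner name in canonical wire form followed by the DNSKEY RDATA), and a comparison that rejects a substituted key. The DNSKEY public-key bytes are a constructed placeholder rather than a real key, so the resulting digest is illustrative.

```python
"""DNSSEC delegation check: does the parent's DS record match the child's DNSKEY?

Added example, not code from NIST SP 800-81. It implements two pieces of
RFC 4034 with the standard library only: the key tag (Appendix B) and the DS
digest, which is the hash of the owner name in canonical wire form followed
by the DNSKEY RDATA (section 5.1.4). This is the link a validating resolver
checks at every zone cut when building the chain of trust from the root.
The DNSKEY public key bytes below are a constructed placeholder, not a usable
key, so the digest is illustrative only.
"""
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical form: lowercase, length-prefixed labels, terminated by 0x00."""
    labels = [label for label in name.rstrip(".").lower().split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags (257 = KSK), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = H(owner name wire form || DNSKEY RDATA), upper-case hex."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def parse_ds(presentation: str):
    """'example. IN DS 2068 13 2 ABCD...' -> (key_tag, algorithm, digest_type, digest)."""
    fields = presentation.split()
    i = fields.index("DS")
    return int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3]), "".join(fields[i + 4:]).upper()


def ds_matches(owner: str, rdata: bytes, ds: tuple) -> bool:
    """A DS that references the wrong tag, algorithm or digest breaks the chain
    of trust at this zone cut: the child's keys are then not trusted by the parent."""
    tag, alg, dtype, digest = ds
    return key_tag(rdata) == tag and rdata[3] == alg and ds_digest(owner, rdata, dtype) == digest


if __name__ == "__main__":
    # Child publishes a KSK (constructed placeholder key bytes; algorithm 13 = ECDSAP256SHA256).
    ksk = dnskey_rdata(257, 3, 13, b"\x01\x02\x03\x04")
    # Parent publishes the matching DS in its zone.
    parent_ds = f"example. IN DS {key_tag(ksk)} 13 2 {ds_digest('example.', ksk)}"
    print(parent_ds)
    print("chain intact:", ds_matches("example.", ksk, parse_ds(parent_ds)))
    # A substituted key with the same key tag still fails on the digest.
    rogue = dnskey_rdata(257, 3, 13, b"\x02\x02\x02\x04")
    print("rogue key accepted:", ds_matches("example.", rogue, parse_ds(parent_ds)))
```

The key tag is only a 16-bit hint for selecting candidate keys, which is why the rogue key in the demo shares the tag 2068 yet is still rejected: the digest over the full RDATA is what binds the parent's DS to one specific key. Signature verification over the RRsets themselves (RRSIG records) is the other half of validation and is left to a DNSSEC library.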
Q: What are DNS hygiene best practices?
A: Threat actors can exploit misconfiguration and lapsed domain/DNS resolver registration to seriously compromise DNS integrity. Organizations should implement robust processes to continuously monitor and validate the integrity of their public domains and take steps to raise the visibility of attempts to impersonate domains owned by the organization. Examples of exploitation cited in 800-81 include dangling CNAMEs, lame delegation and look-alike domains.
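The three exploitation examples cited above each have a straightforward detection. The following Python script is an added example (not code from NIST SP 800-81) that runs those checks over a constructed zone: CNAMEs whose target no longer resolves (dangling), NS delegations to servers that do not answer authoritatively for the subdomain (lame), and newly observed registrations that look like the organization's brand label through homoglyph substitution, a one-character typo, or embedding the brand in a longer label. A real implementation would query live DNS and a newly-registered-domain feed; here resolution and authority are simulated with constructed tables so the logic runs offline, and every name is a constructed placeholder.

```python
"""DNS hygiene checks over a constructed zone: dangling CNAMEs, lame delegations
and look-alike domains.

Added example, not code from NIST SP 800-81. A real check would query live DNS
and a newly-registered-domain feed; here resolution and authority are simulated
with constructed lookup tables so the logic runs offline. All names are
constructed placeholders.
"""

# Constructed records from the organisation's own zone: (owner, type, target).
ZONE = [
    ("www.corp.example", "CNAME", "corp-site.cdn-provider.example"),
    ("old-app.corp.example", "CNAME", "retired-tenant.cloud-apps.example"),
    ("dev.corp.example", "NS", "ns1.retired-dns-host.example"),
    ("shop.corp.example", "NS", "ns1.dns-provider.example"),
]

# Constructed view of the outside world: names that currently resolve, and the
# zones each name server actually answers for with the AA bit set.
RESOLVABLE = {"corp-site.cdn-provider.example", "ns1.retired-dns-host.example",
              "ns1.dns-provider.example"}
AUTHORITATIVE_FOR = {
    "ns1.dns-provider.example": {"shop.corp.example"},
    "ns1.retired-dns-host.example": set(),  # host still exists but no longer serves our zone
}


def resolves(name: str) -> bool:
    return name in RESOLVABLE


def is_authoritative(ns: str, zone: str) -> bool:
    return zone in AUTHORITATIVE_FOR.get(ns, set())


def find_dangling_cnames(zone, lookup=resolves):
    """A CNAME whose target no longer exists (e.g. a deprovisioned cloud tenant)
    can be re-provisioned by anyone, so the alias must be removed or re-pointed."""
    return [(owner, target) for owner, rtype, target in zone
            if rtype == "CNAME" and not lookup(target)]


def find_lame_delegations(zone, authority=is_authoritative):
    """An NS record naming a server that does not answer authoritatively for
    the delegated zone is a lame delegation: resolution fails or, worse,
    whoever controls that host can answer for the subdomain."""
    return [(owner, ns) for owner, rtype, ns in zone
            if rtype == "NS" and not authority(ns, owner)]


# --- look-alike detection -------------------------------------------------
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
MULTI = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def skeleton(label: str) -> str:
    """Collapse common visual substitutions so 'c0rp' and 'corp' compare equal."""
    s = label.lower().translate(HOMOGLYPHS)
    for src, dst in MULTI:
        s = s.replace(src, dst)
    return s.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) by the standard row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(observed, brands, own=(), max_distance=1):
    """Classify newly observed registrations against the organisation's brand
    labels: homoglyph (same skeleton), typo (within edit distance) or combo
    (brand embedded in a longer label, e.g. corp-login)."""
    hits = []
    for fqdn in observed:
        if fqdn in own:
            continue
        label = skeleton(fqdn.split(".")[0])
        for brand in brands:
            b = skeleton(brand)
            if label == b:
                kind = "homoglyph"
            elif levenshtein(label, b) <= max_distance:
                kind = "typo"
            elif b in label:
                kind = "combo"
            else:
                continue
            hits.append((fqdn, brand, kind))
            break
    return hits


OBSERVED = ["c0rp.example", "corq.example", "corp-login.example", "weather.example", "corp.example"]

if __name__ == "__main__":
    print("dangling CNAMEs:", find_dangling_cnames(ZONE))
    print("lame delegations:", find_lame_delegations(ZONE))
    print("look-alikes:", find_lookalikes(OBSERVED, ["corp"], own={"corp.example"}))
```

The `lookup` and `authority` parameters exist so the same functions can be pointed at a real resolver (a query for the CNAME target, and an NS query to the delegated server with a check of the AA bit) without changing the detection logic. Look-alike hits are candidates for monitoring or takedown requests, not proof of abuse, which is why the script reports the match kind rather than a verdict.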