
The United States National Institute of Standards and Technology (NIST) has released a major revision of its Secure DNS Deployment Guide (PDF), superseding the 2013 edition (PDF). The document focuses not just on the DNS as a protocol or namespace, but on the operational DNS service, including recursive resolvers, authoritative infrastructure, and the policy controls applied around them.
In this context, NIST frames DNS as an active component of enterprise security architecture. Rather than treating it as passive infrastructure, the guidance highlights how DNS services can be used to enforce policy, filter queries and responses, and provide visibility into network activity. This includes practices such as protective DNS, where resolvers and firewalls block access to known malicious domains before connections are established.
This shift reflects operational reality. DNS sits on the critical path of nearly all network activity, making it a natural vantage point for detecting and disrupting malicious behaviour. The guide also emphasizes DNS as a resilience dependency, recommending dedicated infrastructure and high-availability design to reduce attack surface and avoid service-wide failure.
DNS as a security control plane
A central theme throughout the document is the role of DNS as a policy enforcement point. Protective DNS (PDNS) is elevated from a niche capability to a foundational control, enabling operators to block access to known malicious domains before connections are established.
In practice, this often involves integrating threat intelligence feeds into DNS firewalls or Response Policy Zones (RPZs), allowing real-time enforcement of organizational policy. This approach is particularly effective against phishing, malware distribution, and callback infrastructure.
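One way to do that integration, as an added example rather than code from the NIST guide or from this post: the script below turns a threat-intelligence feed into a BIND Response Policy Zone. The feed format, category names, allowlist, sinkhole address and the zone name used in the usage note are assumptions for illustration; the record encodings are standard BIND RPZ syntax.

```python
"""Generate a BIND Response Policy Zone (RPZ) from a threat-intelligence feed.

Added example, not code from NIST SP 800-81r3 or the APNIC post. The feed
format, category names, allowlist and sinkhole address are assumptions; the
RPZ record encodings are standard BIND RPZ syntax.
"""
import ipaddress

# Constructed sample feed: "domain,category" per line, '#' starts a comment.
SAMPLE_FEED = """\
# constructed indicators, all under reserved example names
phish-login.example,phishing
*.cdn-malware.example,malware
c2-beacon.example,c2
Updates.Vendor.Example.,malware
bad.example,phishing
bad.example,malware
"""

# Names the organisation never blocks, whatever the feed says (assumed list).
ALLOWLIST = {"updates.vendor.example"}

# RFC 5737 documentation address standing in for an internal warning page.
SINKHOLE_IP = "192.0.2.1"

# Most severe category first; a name listed under several keeps the first.
PRIORITY = ["c2", "malware", "phishing"]

# RPZ expresses the action as the rdata of the policy record:
#   CNAME .              answer NXDOMAIN
#   CNAME *.             answer NODATA
#   CNAME rpz-drop.      drop the query, no response at all
#   CNAME rpz-passthru.  exempt the name from this policy zone
#   A <address>          rewrite the answer (walled garden / sinkhole)
ACTION_RDATA = {
    "c2": "CNAME rpz-drop.",          # beacons get silence, not an error
    "malware": "CNAME .",
    "phishing": f"A {SINKHOLE_IP}",   # users land on the warning page
}

# Firefox resolves this name before enabling DoH by default; NXDOMAIN tells it
# to keep the network's resolver. Managed endpoints still need explicit policy.
CANARY_DOMAINS = {"use-application-dns.net"}


def normalise(name):
    """Lower-case, strip a leading '*.' and trailing dot, reject bad labels."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    if not name or any(not lab or len(lab) > 63 for lab in labels):
        raise ValueError(f"invalid domain name: {name!r}")
    return name


def parse_feed(text):
    """Return {domain: category}, keeping the most severe category per name."""
    chosen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [part.strip() for part in line.split(",", 1)]
        if len(parts) != 2 or parts[1] not in PRIORITY:
            raise ValueError(f"malformed feed line: {line!r}")
        name, category = normalise(parts[0]), parts[1]
        current = chosen.get(name)
        if current is None or PRIORITY.index(category) < PRIORITY.index(current):
            chosen[name] = category
    return chosen


def rpz_records(indicators, allowlist=ALLOWLIST, canaries=CANARY_DOMAINS):
    """Turn {domain: category} into RPZ 'owner rdata' lines."""
    ipaddress.ip_address(SINKHOLE_IP)  # fail early on a mistyped sinkhole
    records = []
    for name in sorted(allowlist):
        # An exact-name passthru rule is the more specific match and is
        # preferred over a parent's wildcard block in the same zone.
        records.append(f"{name} CNAME rpz-passthru.")
    for name in sorted(canaries):
        records.append(f"{name} CNAME .")
    for name in sorted(indicators):
        if name in allowlist:
            continue
        rdata = ACTION_RDATA[indicators[name]]
        records.append(f"{name} {rdata}")        # the name itself
        records.append(f"*.{name} {rdata}")      # and everything beneath it
    return records


def render_zone(records, serial, ttl=300):
    """Wrap the policy records in a minimal zone file."""
    header = [
        f"$TTL {ttl}",
        f"@ IN SOA localhost. hostmaster.localhost. {serial} 3600 600 86400 {ttl}",
        "@ IN NS localhost.",
    ]
    return "\n".join(header + records) + "\n"


if __name__ == "__main__":
    print(render_zone(rpz_records(parse_feed(SAMPLE_FEED)), serial=2026010101))
```

Load the generated file with `response-policy { zone "threat.rpz.local"; };` in the `options` block and a matching `zone "threat.rpz.local" { type primary; file "threat.rpz.db"; allow-query { none; }; };` stanza (zone and file names assumed), and bump the SOA serial on every regeneration so a reload actually picks up the new policy. The allowlist is the check a practitioner should insist on: a feed that lists a legitimate vendor domain must not be able to take down software updates. The canary entry only covers Firefox's unmanaged default; endpoints under management should have their encrypted-DNS settings set by policy.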
The guide also highlights DNS as a common channel for command-and-control (C2) and data exfiltration. Even when application traffic is encrypted, DNS queries may still expose patterns or destinations that indicate compromise. As a result, monitoring and controlling DNS traffic becomes a key part of defensive operations.
Securing the namespace and validating data
The guidance reinforces established practices for protecting authoritative infrastructure and maintaining data integrity. DNSSEC remains a cornerstone, providing origin authentication and protection against tampering. However, the document focuses less on the mechanics of deployment and more on ensuring that validation is consistently enforced across recursive infrastructure.
Operationally, this means ensuring that resolvers perform DNSSEC validation by default and that failures are handled in a way that does not silently degrade security. The emphasis is on making DNSSEC a dependable control, rather than an optional enhancement.
Encryption, endpoints, and control
Encrypted DNS protocols such as DNS over HTTPS (DoH), DNS over TLS (DoT), and DNS over QUIC (DoQ) are treated as baseline features in modern deployments. They protect queries from interception and manipulation, particularly on untrusted networks, with DoQ offering performance and latency advantages by leveraging QUIC.
However, the guidance also recognizes the operational challenges they introduce. Applications and endpoints increasingly bypass local resolvers in favour of external encrypted DNS services, reducing organizational visibility and control. The document recommends managing this behaviour through endpoint configuration and policy, ensuring that encrypted DNS is used in a way that aligns with enterprise security objectives.
Operating resolvers in modern environments
Recursive resolvers are positioned as a focal point for both security and observability. Beyond basic resolution, they are expected to enforce policy, validate DNSSEC, and provide actionable telemetry.
The guide notes that comprehensive DNS logging is essential for detection and incident response, but also acknowledges the tradeoffs. Full query logging can introduce performance and storage challenges, so operators may need to adopt selective or structured logging approaches to balance visibility with operational cost.
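The following script is an added example, not code from the NIST guide or from this post, serving both the command-and-control discussion earlier and the logging tradeoff above: it parses a constructed BIND 9 style query log, profiles each registered domain for tunnelling tells (long random-looking labels, near-unique query names, a high share of TXT/NULL queries) and emits a structured record only for domains that trip the heuristics, which is the selective logging the guide alludes to. The log format, the last-two-labels zone-cut heuristic and every threshold are assumptions to tune against a baseline of your own traffic.

```python
"""Score a resolver query log for DNS tunnelling / C2 tells and emit structured
records only for suspicious domains.

Added example, not code from NIST SP 800-81r3 or the APNIC post. The log format
is a constructed BIND 9 style query log; the zone-cut heuristic and all
thresholds are assumptions to tune against your own baseline traffic.
"""
import json
import math
import re
from collections import Counter, defaultdict

# Constructed sample: three ordinary lookups, then five from one host pushing
# base32-looking chunks through the subdomain labels of tunnel.example.
SAMPLE_LOG = """\
29-Jan-2026 10:15:02.101 client @0x7f3c1a2b 10.1.2.3#53412 (www.example.org): query: www.example.org IN A +E(0)K (10.0.0.53)
29-Jan-2026 10:15:02.388 client @0x7f3c1a2b 10.1.2.3#53413 (mail.example.org): query: mail.example.org IN MX +E(0)K (10.0.0.53)
29-Jan-2026 10:15:03.512 client @0x7f3c1a2b 10.1.2.9#40012 (www.example.org): query: www.example.org IN A +E(0)K (10.0.0.53)
29-Jan-2026 10:15:04.001 client @0x7f3c1a2b 10.1.2.77#51000 (mfrggzdfmztwq2lknnwg23tp.orsxg5a.tunnel.example): query: mfrggzdfmztwq2lknnwg23tp.orsxg5a.tunnel.example IN TXT +E(0)K (10.0.0.53)
29-Jan-2026 10:15:04.230 client @0x7f3c1a2b 10.1.2.77#51001 (onswy3dpebrw63lfei5cauljonsw4zja.orsxg5a.tunnel.example): query: onswy3dpebrw63lfei5cauljonsw4zja.orsxg5a.tunnel.example IN TXT +E(0)K (10.0.0.53)
29-Jan-2026 10:15:04.455 client @0x7f3c1a2b 10.1.2.77#51002 (pfxxk43boqqgk3tdojzq2zlsebzgkyle.orsxg5a.tunnel.example): query: pfxxk43boqqgk3tdojzq2zlsebzgkyle.orsxg5a.tunnel.example IN NULL +E(0)K (10.0.0.53)
29-Jan-2026 10:15:04.690 client @0x7f3c1a2b 10.1.2.77#51003 (kbqxg43xn5zgiidpmy2hk3dsmfyg.orsxg5a.tunnel.example): query: kbqxg43xn5zgiidpmy2hk3dsmfyg.orsxg5a.tunnel.example IN TXT +E(0)K (10.0.0.53)
29-Jan-2026 10:15:04.912 client @0x7f3c1a2b 10.1.2.77#51004 (jfqw2idbebrw63lfei5c4y3pnuwgc43t.orsxg5a.tunnel.example): query: jfqw2idbebrw63lfei5c4y3pnuwgc43t.orsxg5a.tunnel.example IN A +E(0)K (10.0.0.53)
"""

QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Assumed thresholds: volume before judging, uniqueness of names, randomness
# and length of the subdomain part, and share of data-carrying record types.
MIN_QUERIES = 3
MIN_UNIQUE_RATIO = 0.8
MIN_ENTROPY = 3.5
MIN_SUBDOMAIN_LEN = 20
MIN_TXT_NULL_FRACTION = 0.5


def shannon_entropy(s):
    """Bits per character; random base32/base64 text sits well above 3.5."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def split_name(qname):
    """(subdomain, registered domain) by the last two labels. Assumption for
    the example; production code should consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    """Yield (client, qname, qtype) for every line the query regex recognises."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m["client"], m["qname"].rstrip(".").lower(), m["qtype"].upper()


def profile_domains(text):
    """Aggregate per registered domain; everything scored is derived here."""
    stats = defaultdict(lambda: {"queries": 0, "qnames": set(), "clients": set(),
                                 "entropy_sum": 0.0, "len_sum": 0, "txt_null": 0})
    for client, qname, qtype in parse_log(text):
        sub, domain = split_name(qname)
        st = stats[domain]
        st["queries"] += 1
        st["qnames"].add(qname)
        st["clients"].add(client)
        st["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        st["len_sum"] += len(sub)
        st["txt_null"] += qtype in ("TXT", "NULL")
    return stats


def score(st):
    """Return (flagged, features). Two tells are accepted: random long labels
    (data in the question) or mostly TXT/NULL (data in the answer); both are
    gated on volume and uniqueness so busy CDNs with few names are skipped."""
    n = st["queries"]
    f = {"queries": n,
         "unique_ratio": round(len(st["qnames"]) / n, 3),
         "avg_entropy": round(st["entropy_sum"] / n, 3),
         "avg_subdomain_len": round(st["len_sum"] / n, 3),
         "txt_null_fraction": round(st["txt_null"] / n, 3)}
    random_labels = f["avg_entropy"] >= MIN_ENTROPY and f["avg_subdomain_len"] >= MIN_SUBDOMAIN_LEN
    flagged = (n >= MIN_QUERIES and f["unique_ratio"] >= MIN_UNIQUE_RATIO
               and (random_labels or f["txt_null_fraction"] >= MIN_TXT_NULL_FRACTION))
    return flagged, f


def suspicious_records(text):
    """Selective logging: one structured record per flagged domain, nothing
    for the rest; sorted so runs can be diffed."""
    out = []
    for domain, st in sorted(profile_domains(text).items()):
        flagged, features = score(st)
        if flagged:
            out.append({"domain": domain, "clients": sorted(st["clients"]),
                        "example_qname": min(st["qnames"]), **features})
    return out


if __name__ == "__main__":
    for record in suspicious_records(SAMPLE_LOG):
        print(json.dumps(record))
```

The output is one JSON object per flagged domain rather than one line per query, which is the storage tradeoff in practice: the raw query stream stays on the resolver (or in a short-retention dnstap capture) and only the aggregated, already-suspicious records travel to the SIEM. The gating on volume and uniqueness matters as much as the entropy check; content-delivery and telemetry domains also produce long, odd-looking names, but they repeat them.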
Notably, the document extends these considerations to operational technology (OT) and Internet of Things (IoT) environments. In networks where endpoint security controls are limited, DNS can serve as a lightweight but effective layer for monitoring and restricting communications.
A practical guide for operators
Overall, the updated guidance reflects a more mature view of DNS operations, bringing together protective DNS, encryption, validation, and infrastructure design into a coherent operational model. For network operators, the message is clear: DNS is no longer just a naming system. It is a strategic control surface that underpins both security and resilience. Organizations that treat it accordingly, by integrating policy enforcement, ensuring visibility, and designing for robustness, will be better positioned to manage modern threats.
The full guide expands on areas such as DNS architecture, access control, abuse mitigation, and configuration management, and is well worth exploring in detail. The complete publication, including detailed appendices and references, is available as NIST Special Publication 800-81 Revision 3, Secure Domain Name System (DNS) Deployment Guide (March 2026).
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.