Date Published: April 10, 2025
Comments Due:
Email Comments to:
Author(s)
Scott Rose (NIST), Cricket Liu (Infoblox), Ross Gibson (Infoblox)
Announcement
The Domain Name System (DNS) plays an integral role in every organization’s security posture by translating domain names into IP addresses. It can serve as an enforcement point for enterprise security policy and an indicator of potential malicious activity on a network. A disruption or attack against the DNS can impact an entire organization
NIST Special Publication (SP) 800-81r3 (Revision 3), Secure Domain Name System (DNS) Deployment Guide, describes the different roles of DNS and gives recommendations for protecting the integrity, availability, and confidentiality of DNS services, including:
- The role DNS plays in supporting a zero trust architecture, such as serving as both a policy enforcement point (PEP) and a source for information when evaluating access requests
- The role of hosting DNS information (authoritative DNS), including guidance on protecting the integrity and authenticity of DNS information using DNSSEC
- The role of recursive DNS, including guidance on protecting the confidentiality of client DNS queries
The public comment period is open through May 26, 2025. Additional information can be found on the NIST High Assurance Domains Project webpage.
This document provides Domain Name System (DNS) deployment guidelines to secure the DNS protocol and infrastructure, mitigate misuse or misconfiguration, and provide an additional layer of network security as part of a zero trust and/or defense-in-depth security risk management approach. This introduction briefly discusses relevant context for DNS and examines the changing threat landscape that has warranted an updated approach to DNS deployment.
This document provides Domain Name System (DNS) deployment guidelines to secure the DNS protocol and infrastructure, mitigate misuse or misconfiguration, and provide an additional layer of network security as part of a zero trust and/or defense-in-depth security risk management approach. This...
See full abstract
This document provides Domain Name System (DNS) deployment guidelines to secure the DNS protocol and infrastructure, mitigate misuse or misconfiguration, and provide an additional layer of network security as part of a zero trust and/or defense-in-depth security risk management approach. This introduction briefly discusses relevant context for DNS and examines the changing threat landscape that has warranted an updated approach to DNS deployment.
Hide full abstract
Keywords
Authoritative Name Server; DNS Logging; DNS Security Extensions (DNSSEC); Domain Name System (DNS); Encrypted DNS; Protective DNS; Recursive Name Server; Resource Record (RR)
Control Families
None selected
