Disruptive By Design: Shutting the Door on Attackers: Operationalizing Secure DNS Principles

Titilayo Shodiya holds an M.S. in electrical and computer engineering and a Ph.D. in mechanical engineering and materials science, both from Duke University. She is currently a public policy technical manager at Infoblox. Prior to joining the Infoblox team, she held a range of technical and leadership roles at the National Institute of Standards and Technology.

As you’re reading this, hackers are likely attacking the public-facing component of your network. But don’t worry—the front door of your network, its domain name system (DNS) infrastructure, blocks them. DNS may once have been considered a straightforward networking protocol, but now it is recognized as the foundation for any effective security posture, including zero-trust implementations.

Modern cybersecurity demands that the defense base treat DNS as a strategic control point. The Cybersecurity and Infrastructure Security Agency, or CISA, has said that “DNS infrastructure is a common threat vector for attack campaigns.” 

According to former U.S. cybersecurity official Anne Neuberger, “92% of malware attacks exploit DNS infrastructure in some capacity.” 

Adversaries routinely exploit DNS for command-and-control, data exfiltration, phishing and denial-of-service attacks, so a shift in the perception of DNS as a first line of defense is critical for every command.  

New DNS Guidance From the National Institute of Standards and Technology (NIST)
DNS sits at the beginning of almost every network transaction. It provides a unique vantage point for detecting malicious activity and enforcing policy before other security tools even come into play. To unlock DNS’s defensive potential, defense agencies and organizations require actionable guidance to deliver trustworthy resolution, consistent protection and strong visibility across distributed environments and evolving threats.

That’s why NIST decided to update its guidance for DNS in 2025, the first such update in 12 years. With the release of NIST Special Publication 800-81 Revision 3, The Secure Domain Name System Deployment Guide, military chief information officers (CIOs) now have clear guidance on treating DNS as a core element of security and resiliency rather than simply a network connectivity tool.

In fact, NIST SP 800-81r3 reframes DNS as “a foundational layer of network security in zero trust and defense-in-depth security risk management approaches.”

Future-Proofing With DNS
NIST’s updated best practices outline three foundational pillars for achieving secure DNS: employing protective DNS (PDNS), protecting the DNS protocol and protecting the DNS service and infrastructure.

NIST updates the goals and outcomes for deploying PDNS, which analyzes DNS queries and blocks harmful traffic in real time, before it can wreak havoc on network infrastructure. PDNS prevents access to malware, ransomware, phishing attacks, viruses, malicious sites and spyware at the source. This delivers visibility into DNS query and response data, speeding time to detection and prevention.

Encryption protects the DNS protocol from being seen or manipulated by third parties. Protecting the protocol means encrypting DNS traffic and ensuring DNS hygiene—safeguarding against sophisticated “lookalike” domains that maliciously impersonate target organizations.

Protecting DNS infrastructure can be accomplished by enforcing “separation of duties” from other mission-critical services, and by deploying dedicated, resilient DNS servers to minimize shared vulnerabilities and reduce the attack surface.  

Five Steps To Achieve Secure DNS
CIOs can take steps right now to operationalize the recommendations of SP 800-81r3 and turn DNS from a vulnerability into a first line of defense:

  1. Enforce separation of duties.
  2. Deploy PDNS to block malicious lookups in real time and integrate DNS telemetry with security operations center tools for more effective incident response.
  3. Deploy encrypted DNS.
  4. Implement Domain Name System Security Extensions (DNSSEC).
  5. Stand up a continuous DNS hygiene program to monitor and remediate lookalike domains and other exploitation tactics.
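
As an added illustration, not code from the article or from Infoblox, the block below sketches the kind of resolver-side policy check that steps 2 and 5 describe: it blocks queries that match a threat feed, flags lookalikes of a protected domain by edit distance, and emits a JSON telemetry record that a security operations center tool could ingest. The protected domain, blocklist entries and client address are constructed sample values.

```python
"""Minimal protective-DNS style policy check (added example, not from the
article). Blocklist, protected domain and client address are constructed."""
from dataclasses import dataclass
import json

PROTECTED = ["example-agency.mil"]                  # constructed brand domain
BLOCKLIST = {"malware-c2.test", "evil-update.test"}  # constructed threat feed
LOOKALIKE_MAX_EDITS = 2   # tune per domain length; short names need a lower bound

@dataclass
class Verdict:
    qname: str
    action: str   # "allow" or "block"
    reason: str

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquats and homoglyph swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(name: str) -> str:
    """Crude registrable-domain extraction (last two labels); a real
    deployment would use the Public Suffix List."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def evaluate(qname: str) -> Verdict:
    name = qname.lower().rstrip(".")
    reg = registrable(name)
    if name in BLOCKLIST or reg in BLOCKLIST:
        return Verdict(name, "block", "threat-feed match")
    for p in PROTECTED:
        if reg == p:
            return Verdict(name, "allow", "protected domain")
        if edit_distance(reg, p) <= LOOKALIKE_MAX_EDITS:
            return Verdict(name, "block", f"lookalike of {p}")
    return Verdict(name, "allow", "no policy match")

def telemetry(client: str, qname: str) -> str:
    """One JSON line per decision, ready for SOC ingestion."""
    v = evaluate(qname)
    return json.dumps({"client": client, "qname": v.qname,
                       "action": v.action, "reason": v.reason})

if __name__ == "__main__":
    for q in ["www.example-agency.mil", "examp1e-agency.mil", "a.malware-c2.test"]:
        print(telemetry("10.0.0.5", q))   # constructed client address
```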

Implementing secure DNS principles is a prerequisite for an effective zero-trust architecture. It offers a unique opportunity to enforce policy, detect threats and inform access decisions before a connection is ever established. Without secure DNS, zero-trust strategies will fall short. 

By operationalizing the secure DNS pillars outlined in SP 800-81r3, defense organizations can strengthen mission resilience, mitigate exposure to common threat vectors, and advance their progress toward achieving zero-trust outcomes.