For years, DNS flew under the radar—quietly doing its job while rarely getting the security focus it warranted. But that’s changing. In March 2026 the National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-81 DNS Security Best Practices [1], which brings DNS security guidance in line with today’s threat landscape and operational realities. The update reflects growing recognition of DNS as both a vulnerability and a powerful security control—and it’s already influencing policy.
As cyber risks escalate and regulators respond, SP 800-81 is emerging as a key reference for building secure, resilient DNS infrastructure. Here are the top five takeaways from the new guidance.
1. It’s More than DNSSEC
The previous iteration of the DNS Security Best Practices guidance, published in 2013, largely focused on Domain Name System Security Extensions (DNSSEC)—the series of DNS extensions used to secure DNS zone transfers. While DNSSEC still plays an important role, NIST’s updated guidance expands the focus to include a broader set of best practices built around three core pillars:
- Secure the DNS infrastructure
- Ensure the integrity of the DNS system and configuration
- Implement Protective DNS as a cybersecurity control
The new guidance provides a more complete blueprint, helping organizations both reduce DNS-related risks and use DNS as a tool for defense. With compliance mandates on the rise, SP 800-81 is arriving at just the right time. Its inclusion in the European Union’s NIS2 Directive [2] is a clear sign of its growing influence.
2. DNS Is a Critical Component of Cyber Resiliency
Governments are actively legislating and developing policies to ensure cyber resiliency as a national security imperative. Yet much of the technology guidance remains vague, and DNS is often overlooked or simply assumed to be covered. In reality, many critical infrastructure organizations co-host DNS alongside other essential services, such as Microsoft’s Active Directory, creating complex interdependencies that current policies fail to address. To close this gap, Infoblox continues to engage with policymakers, advocating for the adoption of NIST’s DNS best practices as a foundation for building truly resilient systems.
3. DNS Is a Major Cybersecurity Risk
Threat actors love DNS. Why? Because it’s always available. Always trusted. And almost always ignored by cybersecurity operations teams.
Infoblox Threat Intel research is tracking thousands of threat actor clusters whose tactics vary depending on their role in the malware supply chain. Some, like Hazy Hawk and Horrid Hawk, exploit poorly configured DNS domains—hijacking them for use in malware campaigns. Others, like Loopy Lizard, register lookalike domains that impersonate trusted organizations to enhance phishing success rates.
These are just a few examples of how weak or unmanaged DNS infrastructure creates real risk. The updated NIST SP 800-81 guidance directly addresses these vulnerabilities—highlighting threats such as lame delegation—and reinforces the need for proactive DNS security.
4. DNS as a Cybersecurity Control
Protective DNS—where DNS servers are enriched with threat intelligence to block queries to known malicious domains—has been part of the DNS standard since 2010. Governments such as the United States and the United Kingdom have embraced the approach, even coining the term as early as 2017. Yet, despite its maturity, many organizations still fail to fully leverage DNS as an active cybersecurity control.
NIST SP 800-81 highlights not only the value of Protective DNS but the broader role DNS can play in incident response. DNS query and response data offer a rich source of telemetry—providing a reliable audit trail of what devices attempted to access, when and how. In the wake of a cybersecurity incident, this data becomes essential for correlating events, understanding exposure and accelerating response.
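The two ideas in this section, a resolver enforcing a threat-intelligence blocklist and the query log doubling as an audit trail for incident response, fit in one small script. The following is an added example written for this post, not code from Infoblox, NIST or SP 800-81; the log format, the blocklist entries and the client addresses are all constructed for illustration, and a real Protective DNS deployment would enforce the policy in the resolver itself (for example through a response policy zone) rather than post-process logs.

```python
"""Protective DNS policy evaluation over DNS query telemetry (constructed example)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed threat-intelligence blocklist: a listed domain covers itself and
# every subdomain, the way a response policy zone (RPZ) rule normally does.
BLOCKLIST = {
    "malicious.example": "malware-c2",
    "phish-login.example": "phishing",
}

# Constructed resolver query log, one query per line:
# <ISO-8601 timestamp> <client IP> <queried name> <query type>
SAMPLE_LOG = """\
2026-03-02T09:15:01Z 10.0.0.21 www.example.com A
2026-03-02T09:15:07Z 10.0.0.21 cdn.malicious.example A
2026-03-02T09:16:40Z 10.0.0.35 phish-login.example AAAA
2026-03-02T09:17:12Z 10.0.0.35 mail.example.org MX
"""


@dataclass(frozen=True)
class QueryEvent:
    ts: datetime
    client: str
    qname: str
    qtype: str


def parse_log(text: str) -> list[QueryEvent]:
    """Parse the constructed log format; names are normalised to lower case without a trailing dot."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(QueryEvent(when, client, qname.rstrip(".").lower(), qtype))
    return events


def matched_rule(qname: str, blocklist=BLOCKLIST) -> Optional[str]:
    """Return the blocklist entry that covers qname (itself or a parent label), else None.

    Matching walks label boundaries, so 'notmalicious.example' does NOT match
    'malicious.example': a plain substring test would produce false positives.
    """
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def apply_policy(events, blocklist=BLOCKLIST):
    """Decide ALLOW/BLOCK per query and emit an audit record for each decision."""
    audit = []
    for ev in events:
        rule = matched_rule(ev.qname, blocklist)
        audit.append({
            "ts": ev.ts.isoformat(),
            "client": ev.client,
            "qname": ev.qname,
            "qtype": ev.qtype,
            "action": "BLOCK" if rule else "ALLOW",
            "category": blocklist.get(rule) if rule else None,
            "rule": rule,
        })
    return audit


def clients_that_hit(audit, category):
    """Incident-response view: which client asked for a domain in this category, and when."""
    return sorted({(r["client"], r["ts"]) for r in audit if r["category"] == category})


if __name__ == "__main__":
    records = apply_policy(parse_log(SAMPLE_LOG))
    for r in records:
        print(f'{r["ts"]} {r["client"]:<10} {r["action"]:<5} {r["qname"]} ({r["category"]})')
    print("phishing contacts:", clients_that_hit(records, "phishing"))
```

The audit records are the telemetry the guidance refers to: each one ties a device, a time and a queried name to a policy decision, which is exactly what an incident responder needs to scope which hosts touched a malicious domain and when, whether or not the query was blocked.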
5. DNS Confidentiality
The lack of confidentiality for DNS has been a long-standing quirk of networking. While most web traffic is now encrypted, DNS requests have traditionally remained in clear text—an anomaly in an otherwise secure communication stack.
To address this, the Internet Engineering Task Force (IETF) has published a number of encrypted DNS standards, including DNS over TLS (DoT) and DNS over HTTPS (DoH). The U.S. government has even mandated the use of encrypted DNS for federal agencies.
It’s a welcome development to see encrypted DNS formally incorporated into the updated NIST best practices. But this isn’t just about encrypting user traffic. The guidance also calls out the need to detect and block rogue encrypted DNS requests—those that attempt to bypass security controls—and urges organizations to ensure their DNS infrastructure is appropriately sized to handle the additional processing demands of encrypted traffic.
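Detecting rogue encrypted DNS comes down to spotting clients that talk to a resolver other than the sanctioned one over an encrypted channel. The following is an added example written for this post, not code from Infoblox or NIST: it classifies constructed flow records, treating DoT (TCP/853) to any address outside the sanctioned resolver set, and HTTPS whose TLS server name is a well-known public DoH service, as bypass findings. The resolver addresses and flow records are constructed; the DoH hostnames are real public services listed only as an illustrative starting point, not a complete list.

```python
"""Flagging encrypted-DNS bypass from network flow telemetry (constructed example)."""
from collections import Counter
from dataclasses import dataclass

# Resolvers the organisation operates and sanctions (constructed addresses).
SANCTIONED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Hostnames of public DoH services; illustrative subset, maintain your own list.
PUBLIC_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.quad9.net"}


@dataclass(frozen=True)
class Flow:
    ts: str
    client: str
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"
    sni: str    # TLS server name if observed, else ""


# Constructed flow records: "<ts> <client> <dst IP> <dst port> <proto> <SNI or ->"
SAMPLE_FLOWS = """\
2026-03-02T10:00:01Z 10.0.0.21 10.0.0.53 53 udp -
2026-03-02T10:00:05Z 10.0.0.21 203.0.113.10 443 tcp www.example.com
2026-03-02T10:00:09Z 10.0.0.42 203.0.113.53 853 tcp -
2026-03-02T10:00:15Z 10.0.0.42 198.51.100.7 443 tcp dns.google
2026-03-02T10:00:20Z 10.0.0.77 10.0.1.53 853 tcp -
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dst, port, proto, sni = line.split()
        flows.append(Flow(ts, client, dst, int(port), proto, "" if sni == "-" else sni.lower()))
    return flows


def is_public_doh(sni):
    """True if the SNI is a listed DoH host or a subdomain of one (label-boundary match)."""
    return any(sni == h or sni.endswith("." + h) for h in PUBLIC_DOH_HOSTS)


def classify(flow):
    """Return a finding label for a flow, or None if it is unremarkable."""
    if flow.dst_port == 853:
        # DoT to the enterprise resolver is expected; to anything else it is a bypass.
        return None if flow.dst_ip in SANCTIONED_RESOLVERS else "dot-to-unsanctioned-resolver"
    if flow.dst_port == 443 and flow.sni and is_public_doh(flow.sni):
        # DoH rides on ordinary HTTPS, so the TLS server name is the main visible signal.
        return "doh-to-public-resolver"
    return None


def find_bypass(flows):
    """All bypass findings as (timestamp, client, destination, label) tuples."""
    return [(f.ts, f.client, f.dst_ip, label) for f in flows if (label := classify(f))]


def clients_by_findings(findings):
    """Count findings per client so the noisiest hosts surface first."""
    return Counter(client for _, client, _, _ in findings)


if __name__ == "__main__":
    hits = find_bypass(parse_flows(SAMPLE_FLOWS))
    for hit in hits:
        print(*hit)
    print(clients_by_findings(hits))
```

Two caveats belong with this kind of detection. The SNI signal disappears where Encrypted Client Hello is in use, and a destination-IP list for public resolvers needs constant upkeep, so pairing this with a policy that only permits the sanctioned resolvers to receive port 53, 853 and DoH traffic at the network edge is the more durable control. Note also that the sanctioned resolvers in this example accept DoT themselves, which is the other half of the guidance: offering encrypted DNS internally, with capacity planned for the extra TLS processing, removes the main reason clients reach for a public resolver.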
Turning Guidance into Action
The revised NIST SP 800-81 guidance marks a pivotal shift in how DNS is viewed and managed within cybersecurity strategies. By recognizing DNS as both a risk and a powerful control point, it offers organizations a clear, actionable path toward greater resilience. As threats evolve and regulations tighten, aligning with these best practices isn’t just smart—it’s essential.
Not sure where to begin?
Start by understanding where you stand. With Infoblox Inspect, you can quickly benchmark your DNS environment against proven security best practices and uncover hidden risks.
From there, our experts can help you turn insight into action—guiding you through a structured remediation plan to close gaps and strengthen your defenses.
And to ensure lasting impact, we also offer Infoblox Security Workshops. These complimentary sessions equip your teams with the practical knowledge and principles needed to operationalize DNS security across your organization.
Assess. Improve. Operationalize. Start your DNS security journey today.
References
- [1] Scott Rose, Cricket Liu, Ross Gibson. NIST Special Publication 800-81r3, Secure Domain Name System (DNS) Deployment Guide. National Institute of Standards and Technology (NIST), March 2026.
- [2] NIS2 Directive Technical Implementation Guidance. European Union Agency for Cybersecurity (ENISA), June 2025.