DNS Security Best Practices from the NIST Secure Deployment Guide (SP 800-81r3 Initial Public Draft)
Often dubbed the Internet’s phonebook, the DNS serves a critical function in modern Internet communications, translating human-readable domain names into IP addresses. We have a primer on the subject if you want to dig deeper into how the DNS works and related concepts.
Given its foundational role, it’s no surprise that threat actors often target the DNS. According to the Cybersecurity & Infrastructure Security Agency (CISA), “DNS infrastructures are common threat vectors for attacks.” It is within this context that the U.S. National Institute of Standards and Technology (NIST) published the initial public draft of the third revision of its Secure DNS Deployment Guide (NIST SP 800-81r3 ipd) in April 2025.
The document provides guidelines for securing the DNS, which is crucial since any compromise to the infrastructure can ripple across an organization and lead to severe consequences that impact its operational availability, data integrity, and overall security posture. In this post, we’ll share some of the key takeaways from the third revision of the NIST publication.
What Is NIST SP 800-81?
NIST SP 800-81, the Secure Domain Name System (DNS) Deployment Guide, provides comprehensive guidelines and recommendations for mitigating evolving threats to DNS services. It was originally published in May 2006 and revised in April 2010 (Revision 1) to provide cryptographic guidance and other recommendations applicable at that time.
The second revision was published in September 2013, mainly focusing on preventing denial-of-service (DoS) attacks that exploit vulnerabilities in the DNS. NIST SP 800-81r3 ipd is the initial public draft of the third revision.
Across its revisions, the publication has addressed three key security objectives:
- Ensuring the integrity of DNS data
- Maintaining the availability of DNS services
- Protecting the confidentiality of DNS queries
NIST SP 800-81 guides any organization using the DNS, though more specifically those in the government, critical infrastructure, financial services, healthcare, telecommunications, and technology sectors. It is geared toward cybersecurity decision-makers and teams in these industries.
Its public comment period closed on 26 May 2025, and NIST SP 800-81r3 is now under review. Even so, we can already glean major insights from the draft guidelines.
NIST Guidelines for Securing the DNS
One of the central propositions of NIST SP 800-81r3 ipd is that organizations treat the DNS as a component of their overall security strategy. This means shifting how organizations across all sectors view the DNS: from a utility that translates domain names into IP addresses and merely needs protecting, to an active security control within the network architecture.
The publication outlines specific guidelines and methods for protecting the DNS protocol, DNS services, and DNS infrastructures through encryption, logging, and several other best practices. Among those that stood out is the proposed implementation of Protective DNS.
What Is Protective DNS?
NIST defines Protective DNS as “a DNS service enhanced with security capabilities to analyze DNS queries and responses and take action to mitigate threats.” It further describes specific outcomes organizations should expect after deploying Protective DNS, including:
- Stop harmful traffic by blocking malicious domain names at the point of domain name resolution, before attacks even start.
- Use the DNS to block websites that belong to categories that don’t meet your organization’s rules or are known to be malicious.
- Provide real-time and historical DNS data to help with digital forensics and handling security incidents.
- Integrate DNS with the overall security ecosystem—an example is linking the IP addresses of blocked queries to specific devices and users.
- Block access to disallowed sites (e.g., copyright violations, legal restrictions) to comply with regulations or contracts.
These outcomes entail a number of approaches and techniques, including threat intelligence, name resolution filtering, and real-time and historical DNS data monitoring.
Threat Intelligence-Powered DNS
Enhancing the DNS with threat intelligence is another measure proposed in NIST SP 800-81r3 ipd. The DNS was originally designed for functionality rather than security, but new threats and an expanding attack surface have led the security community to make it a crucial security control point.
Protective DNS takes this further by integrating threat intelligence into DNS resolvers so that queries and responses are analyzed as they happen, allowing the DNS infrastructure to immediately block resolution of malicious or suspicious names or redirect users to a safe page.
Name Resolution Filtering
Protective DNS implementation involves refusing to resolve several types of domain names. These typically include known malicious domains, such as those associated with phishing or malware command-and-control (C&C) servers, identified through block lists and threat intelligence feeds. It also extends to domains in unwanted or dangerous website categories, so that traffic is blocked either because it violates the organization’s policies or because the name matches a list of known bad actors.
Organizations should also be wary of newly registered domains (NRDs) and of typosquatting or look-alike domains that impersonate legitimate organizations. NIST calls for continuous monitoring processes that validate the integrity of an organization’s public domains and proactively increase visibility into impersonation attempts.
As a common best practice, organizations are encouraged to monitor new domain registrations to detect this attack vector and, where possible, defensively register look-alike domains.
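The following is an added example that is not code from NIST or from the original post. It models the per-query decision a Protective DNS resolver makes, covering the outcomes listed above (block-list hits from threat intelligence, category policy, newly registered domains, and look-alike detection against the organization’s own domains, with a “sinkhole” action standing in for redirecting the user to a safe page). All feed contents, the registration dates, the protected domain acmebank.example, and the fixed reference date are constructed sample data; in a real deployment the feeds would come from threat intelligence, category, and WHOIS/RDAP sources, and the public suffix would be resolved from the Public Suffix List rather than taken as the last label.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Constructed sample data standing in for real feeds (threat intel, category,
# domain registration) and for the organization's own protected domains.
THREAT_FEED = {"c2-beacon.example": "malware-c2", "login-update.example": "phishing"}
CATEGORY_FEED = {"bets.example": "gambling", "news.example": "news"}
BLOCKED_CATEGORIES = {"gambling"}                                  # organizational policy
REGISTRATION_DATE = {"fresh-offer.example": date(2025, 5, 20)}     # WHOIS/RDAP in practice
NRD_MAX_AGE_DAYS = 30                                              # younger = newly registered
PROTECTED_DOMAINS = ["acmebank.example"]
# Minimal confusables table; Unicode's confusables.txt would be used in practice.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0441": "c"})

@dataclass(frozen=True)
class Verdict:
    action: str      # "resolve", "block" (REFUSED/NXDOMAIN) or "sinkhole" (warning-page answer)
    reason: str
    matched: str = ""

def normalize(qname: str) -> str:
    """Lower-case, drop the trailing dot and decode punycode (xn--) labels so that
    policy is applied to the Unicode form the user actually sees."""
    name = qname.rstrip(".").lower()
    try:
        return name.encode("ascii").decode("idna")
    except UnicodeError:
        return name      # already Unicode (or undecodable): keep as-is

def skeleton(label: str) -> str:
    """Map look-alike characters onto the ASCII letters they imitate."""
    return label.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, with an adjacent transposition counted as one edit."""
    prev2, prev, cur = None, list(range(len(b) + 1)), [0] * (len(b) + 1)
    for i, ca in enumerate(a, 1):
        cur[0] = i
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 and i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev, cur = prev, cur, [0] * (len(b) + 1)
    return prev[len(b)]

def registrable(name: str) -> Tuple[str, str]:
    """(second-level label, suffix). Simplification: the last label is taken as the
    public suffix; a real resolver would consult the Public Suffix List."""
    labels = name.split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (name, "")

def lookalike_of(name: str) -> Optional[str]:
    """Return the protected domain this name impersonates, or None."""
    label, _ = registrable(name)
    for protected in PROTECTED_DOMAINS:
        if name == protected or name.endswith("." + protected):
            return None                      # our own domain: never flag it
        sk, psk = skeleton(label), skeleton(registrable(protected)[0])
        # equal skeletons (homoglyphs/digits), one typo, or combo-squat (acmebank-login)
        if edit_distance(sk, psk) <= 1 or psk in sk:
            return protected                 # tune the threshold for short brand labels
    return None

def lookup_parent(name: str, feed: dict) -> Optional[str]:
    """Match the name and each parent domain against a feed, so a listing for
    c2-beacon.example also covers update.c2-beacon.example (but never a bare TLD)."""
    labels = name.split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in feed:
            return ".".join(labels[i:])
    return None

def evaluate(qname: str, today: date = date(2025, 5, 26)) -> Verdict:
    """Decide what the resolver does with one query; checks run in priority order.
    'today' defaults to a fixed constructed date so the example is deterministic."""
    name = normalize(qname)
    hit = lookup_parent(name, THREAT_FEED)
    if hit:
        return Verdict("block", "threat-intel:" + THREAT_FEED[hit], hit)
    target = lookalike_of(name)
    if target:
        return Verdict("sinkhole", "look-alike of protected domain", target)
    reg = lookup_parent(name, REGISTRATION_DATE)
    if reg and (today - REGISTRATION_DATE[reg]).days < NRD_MAX_AGE_DAYS:
        return Verdict("block", "newly registered domain", reg)
    cat = lookup_parent(name, CATEGORY_FEED)
    if cat and CATEGORY_FEED[cat] in BLOCKED_CATEGORIES:
        return Verdict("block", "category:" + CATEGORY_FEED[cat], cat)
    return Verdict("resolve", "no policy match")
```

Two design points worth noting: the organization’s own domains are exempted before any look-alike test runs, so a typo threshold can never sinkhole legitimate traffic to acmebank.example, and feed matches walk up the parent domains so that a listing for c2-beacon.example also catches update.c2-beacon.example. In production the same decisions are normally expressed as resolver-native filter data (for example a response policy zone) rather than application code, but the logic is the same.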
Real-Time and Historical DNS Data for Digital Forensics and Incident Response
The NIST publication stresses the importance of having both real-time and historical DNS query and response data since these are crucial to digital forensics and incident response teams.
Organizations are urged to keep a reliable and comprehensive record of DNS activity, since it lets response teams and investigators reconstruct the timeline of events during a security incident and identify patterns of malicious activity that may have occurred in the past.
For better insights, DNS logs should be correlated with other system logs, such as cloud audit logs and device or user activity logs. Organizations can further boost visibility and simplify audits by integrating passive DNS data, which gives security teams a more complete picture of security events and helps them relate global DNS activity to what is happening in their own systems.
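As an added example (not code from NIST or the original post) of how historical DNS data, device/user records, and passive DNS come together during an incident: given an indicator that has just been added to threat intelligence, the script below parses resolver query/response logs, attributes each hit to a device and user via a DHCP/identity table, builds a per-client timeline of who resolved the indicator and when, and then pivots through passive DNS to find domains co-hosted on the same IP address that the same clients also touched. The log lines, lease records, passive DNS rows, and the JSON-lines field names are all constructed for this example and do not correspond to any particular resolver’s log format.

```python
import json
from datetime import datetime
from typing import Dict, List

# Constructed resolver log: one JSON object per query/response (field names assumed).
DNS_LOG = """\
{"ts":"2025-05-20T09:12:01Z","client":"10.20.0.15","qname":"news.example","qtype":"A","rcode":"NOERROR","answers":["203.0.113.10"]}
{"ts":"2025-05-20T09:12:44Z","client":"10.20.0.15","qname":"c2-beacon.example","qtype":"A","rcode":"NOERROR","answers":["198.51.100.7"]}
{"ts":"2025-05-21T14:03:09Z","client":"10.20.0.31","qname":"update.c2-beacon.example","qtype":"A","rcode":"NOERROR","answers":["198.51.100.7"]}
{"ts":"2025-05-22T08:45:30Z","client":"10.20.0.15","qname":"cdn-static.example","qtype":"A","rcode":"NOERROR","answers":["198.51.100.7"]}
{"ts":"2025-05-25T17:20:12Z","client":"10.20.0.42","qname":"c2-beacon.example","qtype":"A","rcode":"NXDOMAIN","answers":[]}
"""
# Constructed DHCP lease / identity records: client IP -> (hostname, user).
LEASES = {"10.20.0.15": ("LAPTOP-FIN-07", "j.doe"), "10.20.0.31": ("WS-ENG-12", "a.smith")}
# Constructed passive DNS rows: what the wider Internet has seen a name resolve to.
PASSIVE_DNS = [
    {"rrname": "c2-beacon.example", "rdata": "198.51.100.7", "first_seen": "2025-05-18"},
    {"rrname": "cdn-static.example", "rdata": "198.51.100.7", "first_seen": "2025-05-19"},
    {"rrname": "news.example", "rdata": "203.0.113.10", "first_seen": "2019-01-04"},
]

def parse_log(text: str) -> List[dict]:
    """Parse JSON-lines log into records with a datetime 'ts'; skip malformed lines
    rather than aborting the whole hunt."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            rec["qname"] = rec["qname"].rstrip(".").lower()
            records.append(rec)
        except (ValueError, KeyError):
            continue
    return records

def matches(qname: str, indicator: str) -> bool:
    """An indicator covers the domain itself and every subdomain."""
    return qname == indicator or qname.endswith("." + indicator)

def attribute(ip: str) -> str:
    """Link a source IP to a device and user (the integration point NIST describes)."""
    host, user = LEASES.get(ip, ("unknown-host", "unknown-user"))
    return f"{host}/{user}"

def hunt(records: List[dict], indicator: str) -> Dict[str, dict]:
    """Per-client timeline of resolutions of the indicator or its subdomains."""
    result: Dict[str, dict] = {}
    for rec in records:
        if not matches(rec["qname"], indicator):
            continue
        e = result.setdefault(rec["client"], {
            "who": attribute(rec["client"]), "first_seen": rec["ts"], "last_seen": rec["ts"],
            "count": 0, "resolved": False, "names": set()})
        e["first_seen"], e["last_seen"] = min(e["first_seen"], rec["ts"]), max(e["last_seen"], rec["ts"])
        e["count"] += 1
        e["names"].add(rec["qname"])
        # NXDOMAIN (e.g. after a takedown) is still a signal, but NOERROR with an
        # answer means the client could actually have reached the infrastructure.
        if rec["rcode"] == "NOERROR" and rec["answers"]:
            e["resolved"] = True
    return result

def pivot_cohosted(indicator: str) -> List[str]:
    """Other names passive DNS has seen on the indicator's IP addresses."""
    ips = {r["rdata"] for r in PASSIVE_DNS if matches(r["rrname"], indicator)}
    return sorted({r["rrname"] for r in PASSIVE_DNS
                   if r["rdata"] in ips and not matches(r["rrname"], indicator)})

def expanded_hunt(records: List[dict], indicator: str) -> Dict[str, Dict[str, dict]]:
    """Hunt the indicator plus every co-hosted name that appears in our own logs."""
    out = {indicator: hunt(records, indicator)}
    for name in pivot_cohosted(indicator):
        hits = hunt(records, name)
        if hits:
            out[name] = hits
    return out

if __name__ == "__main__":
    recs = parse_log(DNS_LOG)
    for domain, clients in expanded_hunt(recs, "c2-beacon.example").items():
        print(domain)
        for ip, e in sorted(clients.items()):
            print(f"  {ip} {e['who']} first={e['first_seen']:%Y-%m-%d %H:%M} "
                  f"last={e['last_seen']:%Y-%m-%d %H:%M} n={e['count']} resolved={e['resolved']}")
```

Run as-is, the hunt shows that two attributed hosts resolved the C&C domain days before the indicator was published, that a third, unattributed client only got NXDOMAIN, and that the passive DNS pivot surfaces cdn-static.example, co-hosted on the same IP and also queried by LAPTOP-FIN-07. None of that is visible from real-time blocking alone; it needs retained query and response logs joined with identity data.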
Conclusion
The latest revision of NIST SP 800-81 continues to adapt to today’s cybersecurity challenges and technologies. It adds another layer of network security at the DNS, fitting naturally into the zero-trust approach, the “never trust, always verify” principle that cybersecurity professionals advocate as the new cybersecurity standard.
Protective DNS, combined with the principles of zero trust and other best practices outlined in the NIST publication, means fewer blind spots and a better chance to stop attacks before they can cause real damage.
Learn how our intelligence solutions can help your organization align with the latest version of NIST SP 800-81. Contact us now for more information about our data solutions.