The latest update to DNS security guidance from the National Institute of Standards and Technology (NIST) marks a new in how organizations are expected to secure one of the internet’s most critical systems. Published as NIST SP 800-81r3, this revision replaces the previous 2013 version, ending a gap of more than twelve years without major federal updates in this area.
DNS, or the Domain Name System, plays a foundational role in virtually every network connection. Despite this, its security practices have historically lagged behind other parts of enterprise infrastructure. With SP 800-81r3, NIST brings modern threats, technologies, and operational realities into focus, offering updated DNS security guidance for both leadership and technical teams.
A Modern Approach to DNS Security Guidance
The revised NIST SP 800-81r3 document is structured around three core pillars: using DNS as a proactive security control, strengthening the DNS protocol itself, and securing the infrastructure that supports DNS services. Importantly, the guidance is tailored for two audiences: executives making strategic cybersecurity decisions, and the operational teams responsible for implementation and maintenance.
One of the most notable shifts in this DNS security guidance is the emphasis on DNS as more than just a lookup service. Instead, it is positioned as an active enforcement layer capable of detecting and mitigating threats in real time.
Protective DNS Takes Center Stage
A major highlight of SP 800-81r3 is its focus on “protective DNS.” This concept refers to DNS services enhanced with security capabilities that can inspect queries and responses, block malicious domains, filter content categories, and generate logs for forensic analysis and incident response.
The document outlines two primary deployment models:
- Cloud-based protective DNS services
- On-premises solutions using DNS firewalls or Response Policy Zones (RPZs)
NIST recommends a hybrid approach wherever possible, noting that combining cloud services with on-premises fallback ensures resilience even during outages. The DNS security guidance also stresses integrating DNS logs with SIEM platforms and correlating them with DHCP lease data to map activity to specific devices during investigations.
Encrypted DNS Reshapes Network Visibility
Another major area covered in NIST SP 800-81r3 is encrypted with DNS. The document discusses three key protocols:
- DNS over TLS (DoT) on TCP port 853
- DNS over HTTPS (DoH) on TCP/UDP port 443
- DNS over QUIC (DoQ) on UDP port 853
These protocols encrypt communication between clients and DNS resolvers, improving privacy and integrity. However, they also shift the security burden. NIST mandates encrypted DNS for U.S. federal civilian agencies wherever technically feasible. At the same time, the DNS security guidance warns that organizations must configure browsers and applications carefully to ensure they do not bypass internal DNS controls.
To maintain control, the guidance recommends:
- Blocking unauthorized DoT traffic via TCP port 853
- Restricting DoH using firewall rules and RPZs
- Using mobile device management tools to enforce DNS settings
Updated DNSSEC and Cryptographic Practices
The SP 800-81r3 update also modernizes DNSSEC recommendations. It aligns supported algorithms with RFC 8624 and NIST SP 800-57, including:
- RSA with SHA-256
- ECDSA P-256 and P-384
- Ed25519 and Ed448
The guidance favors ECDSA and Edwards-curve algorithms due to their smaller key sizes, which help keep DNS responses efficient and avoid fallback to TCP.
Key management is another focus. DNSSEC signing keys should have lifetimes of one to three years, while RRSIG validity should remain short, around five to seven days, to limit exposure if a key is compromised. Hardware security modules are recommended for safeguarding private keys.
Interestingly, the document prefers NSEC over NSEC3 for authenticated denial of existence, noting that NSEC3’s added computational cost often outweighs its benefits. However, organizations required to use NSEC3 are directed to RFC 9276 for safer parameter configurations.
Post-quantum cryptography is not yet included, but NIST advises organizations to prepare for future migration.
Strengthening DNS Infrastructure and Operations
Beyond protocols, this DNS security guidance dives into operational risks. It highlights issues such as:
- Dangling CNAME records, which can allow attackers to take control of unresolved domains
- Lame delegations, where DNS authority is misconfigured
To mitigate these risks, organizations are encouraged to monitor domain registrations for typosquatting and maintain retired domains in a parked state to prevent malicious reuse.
TTL values are also addressed, with recommendations ranging from 1,800 seconds (30 minutes) to 86,400 seconds (one day). A TTL of zero is explicitly prohibited, and values below 30 seconds are discouraged for DNSSEC-signed records.
Architecture and Availability Best Practices
Finally, NIST SP 800-81r3 reinforces architectural best practices. It strongly advises separating authoritative and recursive DNS functions on internet-facing servers, as combining them introduces security risks.
Other recommendations include:
- Deploying at least two authoritative servers on separate networks
- Distributing servers geographically across multiple sites
- Using a hidden primary server to reduce exposure to attacks
Dedicated infrastructure for DNS is preferred to minimize the attack surface and ensure sufficient resources for logging and security features. Where full separation is not feasible, combining DNS with closely related services like DHCP is considered acceptable.
Overall, this updated DNS security guidance from NIST represents a comprehensive modernization of how organizations should approach DNS. With SP 800-81r3, DNS is no longer treated as a passive service but as a central pillar of enterprise cybersecurity strategy.
