Guidance has been released on how to choose a Protective Domain Name System (PDNS) service to defend against malicious cyber activity such as ransomware, phishing, botnets, and malware campaigns by blocking known-malicious domains.

Additionally, organizations can use DNS query logs for incident response and threat hunting activities, said officials at the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA), who released the Joint Cybersecurity Information (CSI) sheet.

PDNS is a security service that analyzes DNS queries and takes action to mitigate threats, leveraging the existing DNS protocol and architecture.

Protecting users' DNS queries is a key defense because attackers use domain names across the network exploitation lifecycle, according to the information sheet: users frequently mistype domain names while trying to navigate to a known-good website and unintentionally land on a malicious one instead; threat actors lace phishing emails with malicious links; a compromised device may seek commands from a remote command-and-control server; and a threat actor may exfiltrate data from a compromised device to a remote host. The domain names associated with malicious content are often known or knowable, and preventing their resolution protects both individual users and the enterprise.

Widely implemented DNS security enhancements – that address the integrity and authenticity of DNS records or support the privacy and integrity of client DNS queries and responses – do not address the trustworthiness of upstream DNS infrastructure that may be compromised or DNS registrations that may be maliciously provisioned, according to the information sheet.

To address this shortcoming, PDNS uses a policy-implementing DNS resolver that returns answers based on policy criteria. This is often called Response Policy Zone (RPZ) functionality in DNS documentation. The resolver usually checks both the domain name queries and the returned IP addresses against threat intelligence, and then prevents connections to known or suspected malicious sites. PDNS can also protect a user by redirecting the requesting application to a non-malicious site or returning a response that indicates no IP address was found for the domain queried. In addition, enterprise DNS resolvers still do not validate DNSSEC or support DoH/DoT, but many PDNS providers add these DNS security enhancements as well, according to the information sheet.
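The two-pass policy check described above, as an added illustration that is not from the information sheet or from any PDNS product: a small Python model of an RPZ-style resolver that first matches the queried name (and its subdomains) against domain triggers, then matches the upstream answers against IP-prefix triggers, and returns NXDOMAIN, a redirect to a walled-garden address, or the unchanged answer. The trigger lists, the walled-garden address, the policy actions and the sample queries are all constructed for the example; the addresses are drawn from the reserved TEST-NET ranges.

```python
"""Toy policy-implementing resolver in the style of Response Policy Zones (RPZ).

Added example: the trigger lists and the upstream answers below are constructed
sample data, not from the NSA/CISA sheet.  A query is evaluated in two passes,
as the sheet describes: first the queried name against domain triggers, then
the returned IP addresses against IP-prefix triggers.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

# Policy actions, named after the RPZ actions they mirror.
PASSTHRU = "PASSTHRU"   # no policy hit: hand the upstream answer to the client unchanged
NXDOMAIN = "NXDOMAIN"   # answer "no such domain"
REDIRECT = "REDIRECT"   # RPZ Local-Data style: point the client at a walled-garden host

# TEST-NET-1 address standing in for a block-page host (constructed).
WALLED_GARDEN = "192.0.2.10"

# Domain triggers: a name matches itself and every subdomain, like an RPZ zone
# carrying both "example.test" and "*.example.test".  Entries are constructed.
DOMAIN_POLICY: Dict[str, str] = {
    "malware-c2.test": NXDOMAIN,
    "phish-login.test": REDIRECT,
}

# IP triggers: a returned A/AAAA record inside any of these prefixes is blocked
# even when the queried name itself is not on any list (RPZ "response IP" triggers).
IP_POLICY: List[Tuple[Union[ipaddress.IPv4Network, ipaddress.IPv6Network], str]] = [
    (ipaddress.ip_network("203.0.113.0/24"), NXDOMAIN),  # TEST-NET-3, constructed
]


def _normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'Evil.TEST.' compares equal to 'evil.test'."""
    return name.rstrip(".").lower()


def match_domain(qname: str) -> Optional[Tuple[str, str]]:
    """Walk from the full name up towards the TLD so 'a.b.malware-c2.test' hits the
    'malware-c2.test' trigger.  Returns (trigger, action) or None."""
    labels = _normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_POLICY:
            return candidate, DOMAIN_POLICY[candidate]
    return None


def match_ip(answers: List[str]) -> Optional[Tuple[str, str]]:
    """Return (offending address, action) for the first answer inside a blocked prefix."""
    for addr in answers:
        ip = ipaddress.ip_address(addr)
        for net, action in IP_POLICY:
            if ip.version == net.version and ip in net:
                return addr, action
    return None


def resolve_with_policy(qname: str, upstream_answers: List[str]) -> Tuple[str, List[str], str]:
    """Apply policy to one query.  Returns (action, answers_for_client, reason).

    `upstream_answers` stands in for the records a real recursive lookup would
    have produced; in a deployed resolver the lookup happens here.
    """
    hit = match_domain(qname)
    if hit is None:
        hit = match_ip(upstream_answers)
    if hit is None:
        return PASSTHRU, upstream_answers, "no policy match"
    trigger, action = hit
    if action == REDIRECT:
        return action, [WALLED_GARDEN], "matched " + trigger
    return action, [], "matched " + trigger


if __name__ == "__main__":
    # Constructed queries with the answers an upstream lookup would have returned.
    queries = [
        ("www.example.test", ["198.51.100.7"]),
        ("login.phish-login.test", ["198.51.100.8"]),
        ("updates.malware-c2.test.", ["198.51.100.9"]),
        ("cdn.unknown-name.test", ["203.0.113.44"]),
    ]
    for name, answers in queries:
        print(name, "->", resolve_with_policy(name, answers))
```

The last sample query shows why the second pass matters: the name is on no list, but the address it resolves to sits in a blocked prefix, so the resolver still withholds the answer.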

One inherent constraint of PDNS is that it is bypassed by any traffic that uses IP addresses directly without performing DNS lookups. For this reason, customers should not rely on it alone to detect and prevent malicious traffic. Some PDNS services may also provide additional non-DNS capabilities or integration with other security capabilities.
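Two earlier points, the use of DNS query logs for incident response and threat hunting, and the blind spot for connections that never perform a lookup, can be worked through with resolver and flow logs. The Python below is an added example, not from the information sheet: it retroactively hunts a resolver log for names matching a list of known-bad domains, and it correlates a connection log against the resolver log to flag outbound connections whose destination was never handed to that client by DNS within the preceding window. The log formats, clients, names, addresses and the known-bad list are all constructed.

```python
"""Hunt in DNS query logs and spot traffic that bypassed DNS.

Added example, not from the NSA/CISA sheet.  Two checks a responder can run
over resolver logs: (1) a retroactive hunt for queries matching newly received
known-bad domains, and (2) a correlation of outbound connections against
resolver answers, because PDNS never sees traffic that connects to an IP
address directly.  Every log line below is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed resolver log: timestamp, client, queried name, answered IP.
DNS_LOG = """\
2024-05-01T10:00:01Z 10.1.1.5 www.example.test 198.51.100.7
2024-05-01T10:00:04Z 10.1.1.5 cdn.example.test 198.51.100.9
2024-05-01T10:01:50Z 10.1.1.9 beacon.malware-c2.test 203.0.113.50
2024-05-01T10:02:30Z 10.1.1.7 mail.example.test 198.51.100.20
"""

# Constructed flow log: timestamp, client, destination IP, destination port.
FLOW_LOG = """\
2024-05-01T10:00:02Z 10.1.1.5 198.51.100.7 443
2024-05-01T10:00:05Z 10.1.1.5 198.51.100.9 443
2024-05-01T10:01:10Z 10.1.1.5 203.0.113.44 8443
2024-05-01T10:02:31Z 10.1.1.7 198.51.100.20 993
2024-05-01T10:03:00Z 10.1.1.7 198.51.100.7 443
"""

# Known-bad domains that arrived after the fact, e.g. from a new feed (constructed).
KNOWN_BAD = ["malware-c2.test"]

WINDOW = timedelta(minutes=5)  # how long a DNS answer "explains" later connections


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _records(text: str) -> List[List[str]]:
    """Split a whitespace-separated log into fields, skipping blank lines."""
    return [line.split() for line in text.splitlines() if line.strip()]


def hunt_domains(dns_text: str, bad_domains: List[str]) -> List[Tuple[str, str, str]]:
    """Return (time, client, qname) for every query of a known-bad domain or a
    subdomain of one: the retroactive hunt to run when new intel arrives."""
    hits = []
    for ts, client, qname, _ip in _records(dns_text):
        name = qname.rstrip(".").lower()
        if any(name == bad or name.endswith("." + bad) for bad in bad_domains):
            hits.append((ts, client, qname))
    return hits


def find_unresolved_connections(dns_text: str, flow_text: str,
                                window: timedelta = WINDOW) -> List[Tuple[str, str, str, int]]:
    """Return (time, client, dst_ip, dst_port) for flows with no DNS answer for
    that client and destination in the preceding `window`.  These are the
    connections a protective resolver could not have seen or blocked."""
    answers: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, client, _qname, ip in _records(dns_text):
        answers[(client, ip)].append(_ts(ts))

    findings = []
    for ts, client, dst, port in _records(flow_text):
        when = _ts(ts)
        explained = any(when - window <= t <= when for t in answers.get((client, dst), []))
        if not explained:
            findings.append((ts, client, dst, int(port)))
    return findings


if __name__ == "__main__":
    for hit in hunt_domains(DNS_LOG, KNOWN_BAD):
        print("known-bad lookup:", hit)
    for finding in find_unresolved_connections(DNS_LOG, FLOW_LOG):
        print("connection without prior DNS answer:", finding)
```

In the sample data the correlation flags two flows: one to an address that no client ever resolved, and one where a different client resolved the address but this client did not. Both are exactly the traffic the sheet warns a PDNS service cannot cover on its own, which is why the check pairs DNS logs with another data source rather than relying on the resolver alone.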
