惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Troy Hunt's Blog
Scott Helme
Scott Helme
T
Threat Research - Cisco Blogs
T
Tenable Blog
L
LINUX DO - 热门话题
V
Visual Studio Blog
I
Intezer
Blog — PlanetScale
Blog — PlanetScale
Cisco Talos Blog
Cisco Talos Blog
A
Arctic Wolf
C
Cyber Attacks, Cyber Crime and Cyber Security
F
Fortinet All Blogs
aimingoo的专栏
aimingoo的专栏
Know Your Adversary
Know Your Adversary
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
N
Netflix TechBlog - Medium
SecWiki News
SecWiki News
I
InfoQ
Microsoft Security Blog
Microsoft Security Blog
Project Zero
Project Zero
W
WeLiveSecurity
Microsoft Azure Blog
Microsoft Azure Blog
A
About on SuperTechFans
Recorded Future
Recorded Future
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Vercel News
Vercel News
S
Securelist
Spread Privacy
Spread Privacy
L
LangChain Blog
云风的 BLOG
云风的 BLOG
G
Google Developers Blog
MongoDB | Blog
MongoDB | Blog
Google DeepMind News
Google DeepMind News
Recent Commits to openclaw:main
Recent Commits to openclaw:main
D
Darknet – Hacking Tools, Hacker News & Cyber Security
C
CERT Recently Published Vulnerability Notes
罗磊的独立博客
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
The Last Watchdog
The Last Watchdog
Attack and Defense Labs
Attack and Defense Labs
博客园 - 司徒正美
Help Net Security
Help Net Security
L
Lohrmann on Cybersecurity
人人都是产品经理
人人都是产品经理
Forbes - Security
Forbes - Security
Hacker News - Newest:
Hacker News - Newest: "LLM"
PCI Perspectives
PCI Perspectives
博客园 - 【当耐特】
T
Tor Project blog

Infoblox Blog

Oracle Cloud Discovery for Universal Asset Insights | Infoblox Why Asset Discovery Integrations Start with Network Intelligence Infoblox Kentik Acquisition: AI-Driven Network and Security Intelligence Proxyware actor behind fake 7-Zip is bigger than you think! Using Protective DNS to Dismantle Global Scam Networks | Infosecurity Europe 2026 Residential Proxies: Why DNS Is the Stronger Play NIST Maps DNS Security to the Cybersecurity Framework 2.0 Trusted Infrastructure Data for AI and AgenticOps | Infoblox Meet Your Security Analyst’s New AI Teammate | Infoblox IQ DCloud Uni-App: One Framework, 236,000+ Scam Sites Operation Endgame VS SocGholish Fake Updates Human Judgment Hacks: How Lookalike Domains Work Residential Proxies in the Wild Unlocking Universal DDI on Equinix: Infoblox Brings Cloud-First DDI to Equinix Network Edge “Headless”? What Is It and Do I Need to Go There? The Alert Is Already Too Late The Half of Your Attack Surface Nobody Owns Infoblox Earns Terraform Partner Premier Status for NIOS Provider What 550 Security Leaders Just Told Us about the Age of AI, and Why Preemptive Digital Risk Protection Can’t Wait Lookalike Domains Expose the iPhone Theft Economy Amusing Numerology: Analysis of the Numbers in Domain Names 4 Trends Shaping the Future of Network Operations Preemptive Threat Disruption at Scale: How Infoblox and Axur Turn External Risk into Protection Why the Axur Acquisition Marks a Turning Point for Preemptive Security Don’t Wait To Be Attacked: Stop Phishing, C2 and Data Exfiltration with Infoblox Threat Intelligence in AWS Network Firewall Hold the Phone! International Revenue Share Fraud Driven by Fake CAPTCHAs AI, Project Glasswing and DNS: Beyond Vulnerabilities Three Infoblox Integrations with Google Cloud That Give Enterprise Teams More Control Over Their Networks Protective DNS: Why Telcos Are Turning to DNS as the Platform for Consumer Security Automating Infoblox DDI with Red Hat Ansible | Configuration as Code for DNS, DHCP and IPAM Hiding in Plain Sight: Abusing Composite Domain Names What You Cannot See is Hurting You Most Patterns, Pirates, and Provider Action: What We Learned Working with Keitaro NIST SP 800-81r3: What’s New? No Reach, No Risk: The Keitaro Abuse in Modern Cybercrime Distribution Unified Asset Visibility: A Strategic Imperative for CIOs and CISOs Infoblox Partners with Leading SASE Vendors to Modernize DNS and DHCP for Distributed Enterprises NIST DNS Security Best Practices: Top 5 Takeaways Break out the bubbly: NIST SP 800-81r3 has been published! Empowering Women to Lead in APJ: Infoblox at the Leadership Summit for Women in Technology, AI & Cyber
NIST SP 800-81r3: A Long-Overdue Wake-Up Call for DNS Security
Craig Sanderson · 2026-04-01 · via Infoblox Blog

The release of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-81 Revision 3 marks a pivotal moment for the cybersecurity and networking community. For years, SP 800-81 has been regarded as the gold standard for DNS deployment and operational best practices. But until now, it lagged behind the rapid evolution of both the DNS protocol and the threat landscape.

That gap has finally been addressed.

Why This Update Matters

DNS remains one of the most critical—and paradoxically overlooked—services in modern IT environments. It underpins every digital interaction, yet too often operates quietly in the background, escaping the scrutiny applied to other parts of the security stack.

NIST SP 800-81r3 changes that dynamic.

This revision incorporates years of innovation in DNS technology, including:

  • The rise of encrypted DNS (DoH, DoT) to protect user privacy and integrity
  • Advances in DNS security controls and architectures
  • Recognition of DNS as a strategic control plane, not just a utility service

Crucially, it also acknowledges the emerging role DNS will play in AI-enabled enterprises. With initiatives like the Internet Engineering Task Force (IETF) DNS for AI Discovery (DNSAID) draft, DNS is evolving into a foundational layer for service discovery, orchestration and trust in AI-driven environments.

In short, DNS is no longer just infrastructure. It is becoming mission-critical intelligence infrastructure.

For full details, see the updated NIST guidance: NIST SP 800-81r3

The Growing Risk of Ignoring DNS

Despite its importance, DNS continues to “fly under the radar” in many organizations.

  • Network and IT teams focus on availability and performance
  • Security teams often lack visibility into DNS risks and controls

This disconnect creates a dangerous blind spot.

We’ve already seen what happens when DNS fails or is exploited. The large-scale disruptions affecting major cloud providers like Azure and AWS in October 2025 demonstrated how systemic DNS issues can cascade into widespread outages. At the same time, threat actors are increasingly targeting DNS for command and control, data exfiltration and evasion.

For many organizations, DNS risk remains hidden—until it suddenly isn’t.

Protective DNS: From Niche to National Strategy

One of the most significant shifts reflected in SP 800-81r3 is the growing importance of Protective DNS (PDNS) as a frontline cybersecurity control.

Governments around the world are already moving in this direction:

This is not a coincidence. Protective DNS provides a scalable, preventative control that can stop threats before they reach endpoints or users.

NIST’s updated guidance reinforces what many national cybersecurity agencies already recognize: DNS is one of the most effective—and underutilized—security enforcement points available.

The “Tick-Box” Trap in DNS Security

Despite growing awareness, many organizations have approached DNS security as a feature to be enabled, rather than a discipline to be engineered.

A common pattern is the reliance on existing security platforms, such as firewalls or secure web gateways, to provide “good enough” DNS protection. While these tools may offer DNS-related features, they were not designed to address the full scope of DNS risk.

This has led to a false sense of security.

NIST SP 800-81r3 makes it clear that DNS security is far broader and more complex than a single control point. It spans:

  • Architecture and infrastructure design
  • Availability and resilience engineering
  • Data integrity and trust (e.g., DNSSEC)
  • Privacy protections (e.g., encrypted DNS)
  • Threat detection and prevention (e.g., Protective DNS)
  • Operational visibility and governance

In other words, DNS security is not something that can be “bolted on.”

This shift is particularly important in the context of evolving regulation. Increasingly, regulators are focusing on outcomes—resilience, risk reduction and service continuity—rather than box-ticking exercises.

Organizations that rely on partial or superficial controls will struggle to demonstrate those outcomes.

To meet both the spirit and the letter of emerging requirements, organizations must adopt a holistic view of DNS security; one that aligns with the breadth of guidance outlined in SP 800-81r3.

Regulation Is Catching Up

If organizations haven’t yet prioritized DNS security, regulation may soon force the issue.

The European Union’s NIS2 Directive explicitly references NIST SP 800-81, cementing its position as the global benchmark for DNS best practices. This has significant implications:

  • Over 180,000 organizations fall within the scope of NIS2.
  • DNS will need to be addressed as part of cybersecurity and resilience strategies.
  • National regulators are likely to adopt and enforce these best practices.

And this is just the beginning.

In the United Kingdom, the proposed Cyber Security and Resilience Bill signals a significant shift in how cyber risk will be regulated, particularly for critical infrastructure and essential digital services.

As this framework evolves, it is expected to drive more detailed technical expectations for organizations operating critical services. Given the central role DNS plays in those systems, it is difficult to envisage a scenario where DNS is not explicitly addressed, and where globally recognized best practices, such as those outlined in NIST SP 800-81r3, are not reflected in future guidance.

More broadly, there is a growing opportunity for regulators globally to align around common frameworks like SP 800-81r3. Doing so would bring:

  • Consistency across jurisdictions
  • Clarity for organizations navigating compliance
  • Stronger security and resilience outcomes at both technical and business levels

A Critical Moment for Re-Evaluation

The release of SP 800-81r3 should serve as a clear signal:

Now is the time to re-evaluate your DNS security strategy.

Organizations need to ask themselves:

  • Do we have visibility into DNS activity across our environment?
  • Are we leveraging DNS as a proactive security control?
  • Is our architecture aligned with modern best practices and emerging standards?
  • Are we prepared for regulatory expectations tied to DNS resilience?

For many, the honest answer will be “not yet.”

Infoblox’s Role in Advancing DNS Best Practices

At Infoblox, we have long recognized the critical role DNS plays in cybersecurity and resilience. We were proud to collaborate with NIST in shaping practical, real-world guidance reflected in SP 800-81r3.

Our focus has been on ensuring that best practices are not just theoretical, but actionable and effective in real enterprise environments.

This includes:

  • Operationalizing Protective DNS at scale
  • Bridging the gap between network and security teams
  • Enabling organizations to translate guidance into measurable resilience outcomes

Final Thoughts

NIST SP 800-81r3 is more than just an update. It is a reset moment for how organizations think about DNS.

It highlights a reality that can no longer be ignored:

  • DNS is foundational to cybersecurity
  • DNS is critical to resilience
  • DNS will be central to the future of AI-driven networks

Organizations that act now can turn DNS into a strategic advantage.

Those that don’t may soon find themselves catching up under pressure from regulators, or worse, in response to an incident.

How Infoblox Can Help

Understanding and implementing DNS best practices can be complex but organizations don’t have to tackle it alone.

Infoblox works with enterprises globally to translate guidance like NIST SP 800-81r3 into practical, measurable outcomes.

We can support your journey in two key ways:

  • DNS Security Assessments with Infoblox Inspect
    Gain immediate visibility into your DNS risk posture and configuration gaps using Infoblox Inspect.
  • Free DNS Security Workshops
    Bring your IT and security teams together to understand modern DNS threats, best practices and how to operationalize them effectively.

These engagements are designed to help organizations move beyond theory, building a holistic, resilient DNS security strategy aligned with both best practices and emerging regulatory expectations.