惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Fortinet All Blogs
S
Secure Thoughts
月光博客
月光博客
美团技术团队
雷峰网
雷峰网
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
N
News and Events Feed by Topic
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Forbes - Security
Forbes - Security
W
WeLiveSecurity
P
Proofpoint News Feed
阮一峰的网络日志
阮一峰的网络日志
爱范儿
爱范儿
G
GRAHAM CLULEY
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
AI
AI
Last Week in AI
Last Week in AI
Google Online Security Blog
Google Online Security Blog
Schneier on Security
Schneier on Security
云风的 BLOG
云风的 BLOG
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Recent Announcements
Recent Announcements
Webroot Blog
Webroot Blog
T
Tor Project blog
Cisco Talos Blog
Cisco Talos Blog
N
News and Events Feed by Topic
罗磊的独立博客
The Register - Security
The Register - Security
Blog — PlanetScale
Blog — PlanetScale
T
Threat Research - Cisco Blogs
博客园 - 【当耐特】
Apple Machine Learning Research
Apple Machine Learning Research
人人都是产品经理
人人都是产品经理
T
The Exploit Database - CXSecurity.com
www.infosecurity-magazine.com
www.infosecurity-magazine.com
B
Blog
腾讯CDC
Microsoft Azure Blog
Microsoft Azure Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
H
Hacker News: Front Page
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Engineering at Meta
Engineering at Meta
Latest news
Latest news
IT之家
IT之家
D
DataBreaches.Net
博客园 - 司徒正美
N
Netflix TechBlog - Medium
V
V2EX
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知

Infoblox Blog

Oracle Cloud Discovery for Universal Asset Insights | Infoblox Why Asset Discovery Integrations Start with Network Intelligence Infoblox Kentik Acquisition: AI-Driven Network and Security Intelligence Proxyware actor behind fake 7-Zip is bigger than you think! Using Protective DNS to Dismantle Global Scam Networks | Infosecurity Europe 2026 Residential Proxies: Why DNS Is the Stronger Play NIST Maps DNS Security to the Cybersecurity Framework 2.0 Trusted Infrastructure Data for AI and AgenticOps | Infoblox Meet Your Security Analyst’s New AI Teammate | Infoblox IQ DCloud Uni-App: One Framework, 236,000+ Scam Sites Operation Endgame VS SocGholish Fake Updates Human Judgment Hacks: How Lookalike Domains Work Residential Proxies in the Wild Unlocking Universal DDI on Equinix: Infoblox Brings Cloud-First DDI to Equinix Network Edge “Headless”? What Is It and Do I Need to Go There? The Alert Is Already Too Late The Half of Your Attack Surface Nobody Owns Infoblox Earns Terraform Partner Premier Status for NIOS Provider What 550 Security Leaders Just Told Us about the Age of AI, and Why Preemptive Digital Risk Protection Can’t Wait Lookalike Domains Expose the iPhone Theft Economy Amusing Numerology: Analysis of the Numbers in Domain Names 4 Trends Shaping the Future of Network Operations Preemptive Threat Disruption at Scale: How Infoblox and Axur Turn External Risk into Protection Why the Axur Acquisition Marks a Turning Point for Preemptive Security Don’t Wait To Be Attacked: Stop Phishing, C2 and Data Exfiltration with Infoblox Threat Intelligence in AWS Network Firewall Hold the Phone! International Revenue Share Fraud Driven by Fake CAPTCHAs AI, Project Glasswing and DNS: Beyond Vulnerabilities Three Infoblox Integrations with Google Cloud That Give Enterprise Teams More Control Over Their Networks Protective DNS: Why Telcos Are Turning to DNS as the Platform for Consumer Security Automating Infoblox DDI with Red Hat Ansible | Configuration as Code for DNS, DHCP and IPAM Hiding in Plain Sight: Abusing Composite Domain Names What You Cannot See is Hurting You Most NIST SP 800-81r3: A Long-Overdue Wake-Up Call for DNS Security Patterns, Pirates, and Provider Action: What We Learned Working with Keitaro No Reach, No Risk: The Keitaro Abuse in Modern Cybercrime Distribution Unified Asset Visibility: A Strategic Imperative for CIOs and CISOs Infoblox Partners with Leading SASE Vendors to Modernize DNS and DHCP for Distributed Enterprises NIST DNS Security Best Practices: Top 5 Takeaways Break out the bubbly: NIST SP 800-81r3 has been published! Empowering Women to Lead in APJ: Infoblox at the Leadership Summit for Women in Technology, AI & Cyber
NIST SP 800-81r3: What’s New?
Ross Gibson · 2026-03-31 · via Infoblox Blog

Now that the National Institute of Standards and Technology (NIST) has published a new version of the Secure DNS Deployment Guide, Special Publication (SP) 800-81 (SP 800-81r3), you may have several questions in mind, such as “How is this version different than version 2?”, “What do those changes mean for me?”, “What actions do I need to take?” and “What should I have for dinner?” (Wait, how did that last one get in there?)

If you have questions like these, then you are in the right place, because I’m going to walk you through some major changes between version 2 and version 3. As my esteemed colleague, Cricket Liu wrote when announcing the release of the draft, SP 800-81 “has been an indispensable document for DNS administrators both inside and outside the U.S. federal government since the publication of its original version in May 2006.” If you need a bit more historical context before digging in, there is another great blog entry from Jim Mozley answering some FAQs about the role of SP 800-81 that is well worth reading.

How Is Version 3 Different?

One thing that is immediately noticeable is that the new version is significantly shorter than prior ones (you’re welcome). When Cricket and I first had the opportunity to speak with Scott Rose, an author of all the prior versions, he expressed the desire to make the new version shorter, so we attacked the text aiming to inflict more than just a flesh wound. A key goal was to focus on strategic concepts instead of specific implementation details and refer to relevant protocol standards rather than restate everything in SP 800-81. A shorter way of saying this would be to shift to more of the “why” and “what” than the “how.”

In most cases, specific configuration details are left to the documentation of the software an organization happens to use, rather than included in the new SP 800-81. Given how quickly software changes (have you patched your MS servers this week?), it makes sense for a document like SP 800-81 to provide general direction that won’t require constant updates to keep pace with newer and (hopefully) better tools.

What’s New?

The new version expands beyond merely securing DNS infrastructure into how DNS can serve as a foundational security tool, especially in zero-trust environments. Some key topics covered are Protective DNS, encrypted DNS (e.g., DoT, DoH, and DoQ), and DNS hygiene. Let’s run through each of these briefly to provide a bit more color.

Protective DNS

A Protective DNS (“PDNS”—not to be confused with passive DNS’s “pDNS” acronym, sigh) system is one that uses DNS as a policy evaluation and enforcement point within a network. PDNS integrates threat intelligence into the DNS infrastructure as well as analytical evaluation of traffic to determine whether or not each DNS query should be resolved as-is or if different actions are necessary. Because a DNS query is the initiation point of nearly all network communications, PDNS is the ideal point to disrupt potentially malicious communications as early as possible. Given the current threat landscape, any organization with an Internet-connected network should be leveraging PDNS in some fashion.

Encrypted DNS

Since the prior version of SP 800-81, multiple standards for encrypted DNS have been developed. The three key approaches are DNS over TLS (DoT), DNS over HTTPS (DoH), and DNS over QUIC (DoQ). Each of these standards focuses on encrypting the DNS communications between client devices (i.e., stub resolvers) and their recursive DNS server (solving the “last mile” problem). While privacy was a leading focus of developing these technologies, they also protect those communications from tampering. However, there is a cost that comes with encrypting DNS communications: It can prevent network administrators from monitoring and filtering traffic, and it can also help threat actors more effectively hide their communications over DNS.

At the moment, DoT, DoH, and DoQ only address client-to-server communications, but there are efforts underway that may facilitate the use of these protocols for server-to-server communications (e.g., the DELEG record and authoritative DoT (ADoT)). Chances are, your users are already using encrypted DNS, because many modern web browsers come with this feature enabled. Encrypted DNS is here to stay, and organizations must plan for it within their environment.

DNS Hygiene

Unfortunately, DNS is one of those “hot potato” technologies that everyone wants to own but no one wants to take care of. If “cleanliness is next to godliness,” then neglecting your DNS is a surefire way to a special kind of tech hell. The concept of DNS hygiene shines a light on how failing to keep an organization’s DNS data as tidy as possible presents significant security risks. Managing the lifecycle of DNS data is a team sport, as is Internet security. It is everyone’s responsibility to ensure that all related DNS records are decommissioned alongside the systems they point to, so they don’t become stale DNS records.

By closely managing an organization’s DNS data, administrators can minimize the risk of threats due to lame delegations, dangling CNAMEs, and lookalike domains. Put the effort in today to keep your DNS records clean and tidy. Your future self will thank you.

What Should I Do Next?

If you haven’t already, download and review the new version of SP 800-81. For those portions that are applicable to your current environment, consider what gaps there are versus the recommendations. If you have questions, especially about how you could go about implementing some of the recommendations, reach out to your Infoblox solutions architect (SA) to start a discussion, and if the SA has questions, they know where to find me.

Principal Global Subject Matter Expert, Infoblox,

Ross Gibson is a Principal Global Subject Matter Expert at Infoblox, where he advises organizations worldwide on DNS architecture, global server load balancing, DNS security, and core network services. He is a co-author of NIST SP 800-81 Rev. 3, Secure Domain Name System (DNS) Deployment Guide, and of the book The Hidden Potential of DNS in Security. His expertise spans core network services, including DNS, DHCP, and IPAM, as well as routing, switching, and network security. Prior to joining Infoblox, Ross was the Lead Platform Engineer for DNS and DHCP at Capital One. He is based in Richmond, Virginia.

View All Posts