惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Forbes - Security
Forbes - Security
A
Arctic Wolf
M
MIT News - Artificial intelligence
T
Threat Research - Cisco Blogs
T
The Exploit Database - CXSecurity.com
C
CERT Recently Published Vulnerability Notes
NISL@THU
NISL@THU
L
Lohrmann on Cybersecurity
Martin Fowler
Martin Fowler
A
About on SuperTechFans
P
Palo Alto Networks Blog
Project Zero
Project Zero
The GitHub Blog
The GitHub Blog
WordPress大学
WordPress大学
Blog — PlanetScale
Blog — PlanetScale
博客园_首页
大猫的无限游戏
大猫的无限游戏
Cisco Talos Blog
Cisco Talos Blog
P
Proofpoint News Feed
D
DataBreaches.Net
Cyberwarzone
Cyberwarzone
T
Tor Project blog
IT之家
IT之家
P
Proofpoint News Feed
Help Net Security
Help Net Security
S
Securelist
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
CXSECURITY Database RSS Feed - CXSecurity.com
Microsoft Azure Blog
Microsoft Azure Blog
V2EX - 技术
V2EX - 技术
K
Kaspersky official blog
Hugging Face - Blog
Hugging Face - Blog
MongoDB | Blog
MongoDB | Blog
B
Blog
N
News and Events Feed by Topic
The Cloudflare Blog
S
Schneier on Security
P
Privacy & Cybersecurity Law Blog
T
The Blog of Author Tim Ferriss
Recorded Future
Recorded Future
Last Week in AI
Last Week in AI
The Last Watchdog
The Last Watchdog
Hacker News - Newest:
Hacker News - Newest: "LLM"
L
LangChain Blog
I
InfoQ
F
Full Disclosure
The Register - Security
The Register - Security
阮一峰的网络日志
阮一峰的网络日志
H
Hacker News: Front Page
V
V2EX

Infoblox Blog

Oracle Cloud Discovery for Universal Asset Insights | Infoblox Why Asset Discovery Integrations Start with Network Intelligence Infoblox Kentik Acquisition: AI-Driven Network and Security Intelligence Proxyware actor behind fake 7-Zip is bigger than you think! Using Protective DNS to Dismantle Global Scam Networks | Infosecurity Europe 2026 Residential Proxies: Why DNS Is the Stronger Play NIST Maps DNS Security to the Cybersecurity Framework 2.0 Trusted Infrastructure Data for AI and AgenticOps | Infoblox Meet Your Security Analyst’s New AI Teammate | Infoblox IQ DCloud Uni-App: One Framework, 236,000+ Scam Sites Operation Endgame VS SocGholish Fake Updates Human Judgment Hacks: How Lookalike Domains Work Residential Proxies in the Wild Unlocking Universal DDI on Equinix: Infoblox Brings Cloud-First DDI to Equinix Network Edge “Headless”? What Is It and Do I Need to Go There? The Alert Is Already Too Late The Half of Your Attack Surface Nobody Owns Infoblox Earns Terraform Partner Premier Status for NIOS Provider What 550 Security Leaders Just Told Us about the Age of AI, and Why Preemptive Digital Risk Protection Can’t Wait Lookalike Domains Expose the iPhone Theft Economy Amusing Numerology: Analysis of the Numbers in Domain Names 4 Trends Shaping the Future of Network Operations Preemptive Threat Disruption at Scale: How Infoblox and Axur Turn External Risk into Protection Why the Axur Acquisition Marks a Turning Point for Preemptive Security Don’t Wait To Be Attacked: Stop Phishing, C2 and Data Exfiltration with Infoblox Threat Intelligence in AWS Network Firewall Hold the Phone! International Revenue Share Fraud Driven by Fake CAPTCHAs AI, Project Glasswing and DNS: Beyond Vulnerabilities Three Infoblox Integrations with Google Cloud That Give Enterprise Teams More Control Over Their Networks Protective DNS: Why Telcos Are Turning to DNS as the Platform for Consumer Security Automating Infoblox DDI with Red Hat Ansible | Configuration as Code for DNS, DHCP and IPAM Hiding in Plain Sight: Abusing Composite Domain Names What You Cannot See is Hurting You Most Patterns, Pirates, and Provider Action: What We Learned Working with Keitaro NIST SP 800-81r3: What’s New? No Reach, No Risk: The Keitaro Abuse in Modern Cybercrime Distribution Unified Asset Visibility: A Strategic Imperative for CIOs and CISOs Infoblox Partners with Leading SASE Vendors to Modernize DNS and DHCP for Distributed Enterprises NIST DNS Security Best Practices: Top 5 Takeaways Break out the bubbly: NIST SP 800-81r3 has been published! Empowering Women to Lead in APJ: Infoblox at the Leadership Summit for Women in Technology, AI & Cyber
NIST SP 800-81r3: A Long-Overdue Wake-Up Call for DNS Security
Craig Sanderson · 2026-04-01 · via Infoblox Blog

The release of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-81 Revision 3 marks a pivotal moment for the cybersecurity and networking community. For years, SP 800-81 has been regarded as the gold standard for DNS deployment and operational best practices. But until now, it lagged behind the rapid evolution of both the DNS protocol and the threat landscape.

That gap has finally been addressed.

Why This Update Matters

DNS remains one of the most critical—and paradoxically overlooked—services in modern IT environments. It underpins every digital interaction, yet too often operates quietly in the background, escaping the scrutiny applied to other parts of the security stack.

NIST SP 800-81r3 changes that dynamic.

This revision incorporates years of innovation in DNS technology, including:

  • The rise of encrypted DNS (DoH, DoT) to protect user privacy and integrity
  • Advances in DNS security controls and architectures
  • Recognition of DNS as a strategic control plane, not just a utility service

Crucially, it also acknowledges the emerging role DNS will play in AI-enabled enterprises. With initiatives like the Internet Engineering Task Force (IETF) DNS for AI Discovery (DNSAID) draft, DNS is evolving into a foundational layer for service discovery, orchestration and trust in AI-driven environments.

In short, DNS is no longer just infrastructure. It is becoming mission-critical intelligence infrastructure.

For full details, see the updated NIST guidance: NIST SP 800-81r3

The Growing Risk of Ignoring DNS

Despite its importance, DNS continues to “fly under the radar” in many organizations.

  • Network and IT teams focus on availability and performance
  • Security teams often lack visibility into DNS risks and controls

This disconnect creates a dangerous blind spot.

We’ve already seen what happens when DNS fails or is exploited. The large-scale disruptions affecting major cloud providers like Azure and AWS in October 2025 demonstrated how systemic DNS issues can cascade into widespread outages. At the same time, threat actors are increasingly targeting DNS for command and control, data exfiltration and evasion.

For many organizations, DNS risk remains hidden—until it suddenly isn’t.

Protective DNS: From Niche to National Strategy

One of the most significant shifts reflected in SP 800-81r3 is the growing importance of Protective DNS (PDNS) as a frontline cybersecurity control.

Governments around the world are already moving in this direction:

This is not a coincidence. Protective DNS provides a scalable, preventative control that can stop threats before they reach endpoints or users.

NIST’s updated guidance reinforces what many national cybersecurity agencies already recognize: DNS is one of the most effective—and underutilized—security enforcement points available.

The “Tick-Box” Trap in DNS Security

Despite growing awareness, many organizations have approached DNS security as a feature to be enabled, rather than a discipline to be engineered.

A common pattern is the reliance on existing security platforms, such as firewalls or secure web gateways, to provide “good enough” DNS protection. While these tools may offer DNS-related features, they were not designed to address the full scope of DNS risk.

This has led to a false sense of security.

NIST SP 800-81r3 makes it clear that DNS security is far broader and more complex than a single control point. It spans:

  • Architecture and infrastructure design
  • Availability and resilience engineering
  • Data integrity and trust (e.g., DNSSEC)
  • Privacy protections (e.g., encrypted DNS)
  • Threat detection and prevention (e.g., Protective DNS)
  • Operational visibility and governance

In other words, DNS security is not something that can be “bolted on.”

This shift is particularly important in the context of evolving regulation. Increasingly, regulators are focusing on outcomes—resilience, risk reduction and service continuity—rather than box-ticking exercises.

Organizations that rely on partial or superficial controls will struggle to demonstrate those outcomes.

To meet both the spirit and the letter of emerging requirements, organizations must adopt a holistic view of DNS security; one that aligns with the breadth of guidance outlined in SP 800-81r3.

Regulation Is Catching Up

If organizations haven’t yet prioritized DNS security, regulation may soon force the issue.

The European Union’s NIS2 Directive explicitly references NIST SP 800-81, cementing its position as the global benchmark for DNS best practices. This has significant implications:

  • Over 180,000 organizations fall within the scope of NIS2.
  • DNS will need to be addressed as part of cybersecurity and resilience strategies.
  • National regulators are likely to adopt and enforce these best practices.

And this is just the beginning.

In the United Kingdom, the proposed Cyber Security and Resilience Bill signals a significant shift in how cyber risk will be regulated, particularly for critical infrastructure and essential digital services.

As this framework evolves, it is expected to drive more detailed technical expectations for organizations operating critical services. Given the central role DNS plays in those systems, it is difficult to envisage a scenario where DNS is not explicitly addressed, and where globally recognized best practices, such as those outlined in NIST SP 800-81r3, are not reflected in future guidance.

More broadly, there is a growing opportunity for regulators globally to align around common frameworks like SP 800-81r3. Doing so would bring:

  • Consistency across jurisdictions
  • Clarity for organizations navigating compliance
  • Stronger security and resilience outcomes at both technical and business levels

A Critical Moment for Re-Evaluation

The release of SP 800-81r3 should serve as a clear signal:

Now is the time to re-evaluate your DNS security strategy.

Organizations need to ask themselves:

  • Do we have visibility into DNS activity across our environment?
  • Are we leveraging DNS as a proactive security control?
  • Is our architecture aligned with modern best practices and emerging standards?
  • Are we prepared for regulatory expectations tied to DNS resilience?

For many, the honest answer will be “not yet.”

Infoblox’s Role in Advancing DNS Best Practices

At Infoblox, we have long recognized the critical role DNS plays in cybersecurity and resilience. We were proud to collaborate with NIST in shaping practical, real-world guidance reflected in SP 800-81r3.

Our focus has been on ensuring that best practices are not just theoretical, but actionable and effective in real enterprise environments.

This includes:

  • Operationalizing Protective DNS at scale
  • Bridging the gap between network and security teams
  • Enabling organizations to translate guidance into measurable resilience outcomes

Final Thoughts

NIST SP 800-81r3 is more than just an update. It is a reset moment for how organizations think about DNS.

It highlights a reality that can no longer be ignored:

  • DNS is foundational to cybersecurity
  • DNS is critical to resilience
  • DNS will be central to the future of AI-driven networks

Organizations that act now can turn DNS into a strategic advantage.

Those that don’t may soon find themselves catching up under pressure from regulators, or worse, in response to an incident.

How Infoblox Can Help

Understanding and implementing DNS best practices can be complex but organizations don’t have to tackle it alone.

Infoblox works with enterprises globally to translate guidance like NIST SP 800-81r3 into practical, measurable outcomes.

We can support your journey in two key ways:

  • DNS Security Assessments with Infoblox Inspect
    Gain immediate visibility into your DNS risk posture and configuration gaps using Infoblox Inspect.
  • Free DNS Security Workshops
    Bring your IT and security teams together to understand modern DNS threats, best practices and how to operationalize them effectively.

These engagements are designed to help organizations move beyond theory, building a holistic, resilient DNS security strategy aligned with both best practices and emerging regulatory expectations.