NIST Strengthens DNS Security Guidance with SP 800-81r3 Update After 12-Year Gap
The National Institute of Standards and Technology (NIST) has released an updated version of its DNS security guidance, marking a significant shift in how organizations are expected to secure the Domain Name System (DNS). The new document, NIST SP 800-81r3, replaces the previous version published in 2013, effectively closing a twelve-year gap in federal updates regarding this critical area of cybersecurity.
DNS is foundational to virtually every network connection, serving as the backbone of internet navigation. However, security practices surrounding DNS have historically lagged behind other components of enterprise infrastructure. The updated guidance aims to address this deficiency by incorporating modern threats, technologies, and operational realities, providing updated DNS security recommendations for both leadership and technical teams.
A Modern Approach to DNS Security Guidance
The revised NIST SP 800-81r3 document is structured around three core pillars: utilizing DNS as a proactive security control, enhancing the DNS protocol itself, and securing the infrastructure that supports DNS services. This guidance is tailored for two distinct audiences: executives responsible for strategic cybersecurity decisions and operational teams tasked with implementation and maintenance.
One of the most notable changes in this guidance is the redefinition of DNS. Rather than being viewed merely as a lookup service, DNS is now positioned as an active enforcement layer capable of detecting and mitigating threats in real time. This shift emphasizes the importance of DNS in an organization’s overall cybersecurity posture.
Protective DNS Takes Center Stage
A key highlight of SP 800-81r3 is its focus on “protective DNS.” This concept refers to DNS services that are enhanced with security capabilities, allowing them to inspect queries and responses, block malicious domains, filter content categories, and generate logs for forensic analysis and incident response.
The document outlines two primary deployment models for protective DNS:
- Cloud-based protective DNS services
- On-premises solutions utilizing DNS firewalls or Response Policy Zones (RPZs)
NIST advocates for a hybrid approach wherever feasible, combining cloud services with on-premises solutions to ensure resilience during outages. Additionally, the guidance stresses the importance of integrating DNS logs with Security Information and Event Management (SIEM) platforms and correlating them with DHCP lease data to map activity to specific devices during investigations.
Encrypted DNS Reshapes Network Visibility
Another significant area addressed in NIST SP 800-81r3 is encrypted DNS. The document discusses three key protocols:
- DNS over TLS (DoT) on TCP port 853
- DNS over HTTPS (DoH) on TCP/UDP port 443
- DNS over QUIC (DoQ) on UDP port 853
These protocols encrypt communication between clients and DNS resolvers, enhancing privacy and integrity. However, they also shift the security burden. NIST mandates that encrypted DNS be implemented for U.S. federal civilian agencies wherever technically feasible. The guidance also warns organizations to configure browsers and applications carefully to prevent bypassing internal DNS controls.
To maintain control, the guidance recommends:
- Blocking unauthorized DoT traffic via TCP port 853
- Restricting DoH using firewall rules and RPZs
- Utilizing mobile device management tools to enforce DNS settings
Updated DNSSEC and Cryptographic Practices
The SP 800-81r3 update modernizes recommendations for DNS Security Extensions (DNSSEC). It aligns supported algorithms with RFC 8624 and NIST SP 800-57, including:
- RSA with SHA-256
- ECDSA P-256 and P-384
- Ed25519 and Ed448
The guidance favors ECDSA and Edwards-curve algorithms due to their smaller key sizes, which help maintain efficient DNS responses and avoid fallback to TCP. Key management is also emphasized, with DNSSEC signing keys recommended to have lifetimes of one to three years, while RRSIG validity should remain short, around five to seven days, to limit exposure if a key is compromised. Hardware security modules are recommended for safeguarding private keys.
Interestingly, the document prefers NSEC over NSEC3 for authenticated denial of existence, noting that NSEC3’s computational cost often outweighs its benefits. Organizations required to use NSEC3 are directed to RFC 9276 for safer parameter configurations. While post-quantum cryptography is not yet included, NIST advises organizations to prepare for future migration.
Strengthening DNS Infrastructure and Operations
Beyond protocols, the DNS security guidance delves into operational risks. It highlights issues such as:
- Dangling CNAME records, which can allow attackers to take control of unresolved domains
- Lame delegations, where DNS authority is misconfigured
To mitigate these risks, organizations are encouraged to monitor domain registrations for typosquatting and maintain retired domains in a parked state to prevent malicious reuse. The guidance also addresses Time-To-Live (TTL) values, recommending ranges from 1,800 seconds (30 minutes) to 86,400 seconds (one day). A TTL of zero is explicitly prohibited, and values below 30 seconds are discouraged for DNSSEC-signed records.
Architecture and Availability Best Practices
NIST SP 800-81r3 reinforces architectural best practices by strongly advising the separation of authoritative and recursive DNS functions on internet-facing servers, as combining them introduces security risks. Other recommendations include:
- Deploying at least two authoritative servers on separate networks
- Distributing servers geographically across multiple sites
- Using a hidden primary server to reduce exposure to attacks
Dedicated infrastructure for DNS is preferred to minimize the attack surface and ensure sufficient resources for logging and security features. Where full separation is not feasible, combining DNS with closely related services like DHCP is considered acceptable.
This updated DNS security guidance from NIST represents a comprehensive modernization of how organizations should approach DNS. With SP 800-81r3, DNS is no longer treated as a passive service but as a central pillar of enterprise cybersecurity strategy.
According to publicly available reporting, organizations are encouraged to adopt these guidelines to enhance their DNS security posture effectively.
For the latest cybersecurity developments, threat intelligence and breaking updates from across the Middle East.
