
New updated NIST guidance for DNS

NIST has just updated its guidance for Domain Name System (DNS) security. The document, Secure Domain Name System (DNS) Deployment Guide (SP 800-81r3), was last updated way back in 2013. It has now been updated with good protective DNS measures and recommendations that all organisations should adopt as a baseline, largely:


  • Employ protective DNS wherever technically feasible to provide additional network-wide security capabilities that include:

    • Blocking harmful or malicious traffic in real time

    • Filtering out categories of traffic that do not conform to the organisation’s policies

    • Generating real-time and historical DNS query and response data to facilitate digital forensics and incident response

    • Integrating with the wider security ecosystem as part of a defense-in-depth or zero trust approach

    • Facilitating the organisation’s responsibility to comply with regulatory or contractual requirements for blocking traffic to disallowed sites (e.g., copyright violations, legal restrictions)


  • Encrypt internal and external DNS traffic wherever feasible

  • Deploy DNS Security Extensions (DNSSEC) to protect the integrity of DNS data

  • Deploy dedicated DNS servers to reduce attack surfaces

  • Follow all technical guidance on ensuring that DNS deployments and the DNS protocol are as secure and resilient as possible


You can download it here:


 
 
 


© 2026 Dan Weis

danweis.me
