NIST SP 800-81r3 is the first major revision of NIST's DNS security guidance since 2013. It recasts DNS from a passive lookup service into an active enforcement layer and covers protective DNS, encrypted DNS, DNSSEC, and operational resilience. The guidance recommends hybrid cloud/on‑prem protective DNS deployments, calls for encrypted DNS on U.S. federal civilian agency networks where feasible (the requirement itself comes from OMB's zero trust memo M-22-09; NIST publications are guidance, not mandates), updates cryptographic algorithm guidance (favoring ECDSA and Ed25519), and sets out operational best practices such as separating authoritative and recursive servers and feeding DNS logs into a SIEM. #NIST_SP_800_81r3 #ProtectiveDNS #DoH #DoT #DoQ #DNSSEC #RPZ
Key points
- NIST SP 800-81r3 replaces the 2013 revision (SP 800-81-2) and reframes DNS as a proactive security control rather than plain name resolution.
- The document prioritizes protective DNS (policy-driven blocking such as RPZ) with both cloud-hosted and on‑prem deployment models, recommends hybrid architectures, and calls for shipping query and policy-hit logs to a SIEM.
- Encrypted DNS protocols (DoT, DoH, DoQ) are required for federal civilian agencies where feasible, paired with egress controls so endpoints cannot bypass the enterprise resolver by talking to external DNS, DoT, or DoH services directly.
- DNSSEC guidance is updated to favor ECDSA and Edwards-curve (Ed25519) signing algorithms, shorten key and signature validity periods, and recommend HSMs for private key protection.
- Operational best practices include separating authoritative and recursive functions, monitoring for dangling CNAMEs (a subdomain-takeover risk when the target resource has been deprovisioned) and typosquatting lookalikes of the organization's domains, and following the TTL and availability recommendations.
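The dangling-CNAME monitoring in the last point, as an added example (not code from NIST SP 800-81r3 or the linked article): it parses a BIND-style zone fragment, classifies every CNAME as ok, dangling, or unverified, and distinguishes in-zone targets (checked against the zone itself) from external targets (checked through a resolver callback). The zone text, the answer table and the `fake_resolve` hook are constructed for the demo; point `find_dangling` at a real recursive lookup to run it against production zones.

```python
"""Dangling-CNAME checker over a BIND-style zone fragment.

Added example; not code from NIST SP 800-81r3 or thecyberexpress.com.
The zone text and the answer table are constructed for the demo, and the
``resolve`` callback is a hypothetical hook: swap in a real recursive
lookup (e.g. dnspython) to run it against production zones.
"""
from typing import Callable, Dict, List, Set, Tuple

# Constructed zone fragment (not real infrastructure). Every record line
# carries an explicit owner; the bare-owner continuation form is not handled.
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 300
@            IN A      192.0.2.1
www          IN CNAME  example.test.
app          IN CNAME  app-prod.cloud-host.test.
old-site     IN CNAME  old-site.storage-host.test.   ; provider bucket deleted
cdn    600   IN CNAME  cdn-edge.cdn-host.test.
docs         IN CNAME  docs-real.example.test.
docs-real    IN A      192.0.2.20
legacy       IN CNAME  legacy-app.example.test.     ; target never existed
"""

# Constructed stand-in for a recursive resolver: rcode per external name.
FAKE_ANSWERS: Dict[str, str] = {
    "app-prod.cloud-host.test.": "NOERROR",
    "old-site.storage-host.test.": "NXDOMAIN",
}


def fake_resolve(name: str) -> str:
    """Hypothetical resolver hook; unknown names fail the way a timeout would."""
    return FAKE_ANSWERS.get(name, "SERVFAIL")


def fqdn(name: str, origin: str) -> str:
    """Qualify a zone-file owner or target relative to $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(zone_text: str) -> Tuple[str, Set[str], List[Tuple[str, str]]]:
    """Return (origin, set of all owner names, [(cname owner, target), ...])."""
    origin, owners, cnames = ".", set(), []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            origin = origin if origin.endswith(".") else origin + "."
            continue
        if line.startswith("$"):                 # $TTL and other directives
            continue
        fields = line.split()
        owner = fqdn(fields[0], origin)
        # Drop the optional TTL and class so rr[0] is the RR type.
        rr = [f for f in fields[1:] if not f.isdigit() and f.upper() != "IN"]
        owners.add(owner)
        if rr[0].upper() == "CNAME":
            cnames.append((owner, fqdn(rr[1], origin)))
    return origin, owners, cnames


def find_dangling(zone_text: str, resolve: Callable[[str], str]) -> List[Dict[str, str]]:
    """Classify each CNAME as ok, dangling (takeover/outage risk) or unverified."""
    origin, owners, cnames = parse_zone(zone_text)
    findings = []
    for owner, target in cnames:
        if target == origin or target.endswith("." + origin):
            # In-zone target: this zone is authoritative, so the zone itself is
            # the truth (simplification: child delegations are not followed).
            status = "ok" if target in owners else "dangling"
        else:
            rcode = resolve(target)
            status = {"NOERROR": "ok", "NXDOMAIN": "dangling"}.get(rcode, "unverified")
        findings.append({"owner": owner, "target": target, "status": status})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Counts per status; suitable as a single periodic SIEM metric event."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["status"]] = counts.get(f["status"], 0) + 1
    return counts


if __name__ == "__main__":
    results = find_dangling(SAMPLE_ZONE, fake_resolve)
    for f in results:
        print(f"{f['status']:<10} {f['owner']} -> {f['target']}")
    print(summarize(results))
```

Treat "unverified" as a retry, not a pass: a SERVFAIL or timeout on the target of a public CNAME is exactly the state an attacker watches for before registering the abandoned resource, so the check should re-run and page on repeated failures rather than silently skipping them.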
Read More: https://thecyberexpress.com/dns-security-guidance-nist-sp-800-81r3-update/