Intelligent CISO Issue 97 | Page 53

CYBER TRENDS
This disconnect creates a dangerous blind spot.
We have already seen what happens when DNS fails or is exploited. The large-scale disruptions affecting major cloud providers like Microsoft Azure and Amazon Web Services in October 2025 demonstrated how systemic DNS issues can cascade into widespread outages. At the same time, threat actors are increasingly targeting DNS for command and control, data exfiltration and evasion.
For many organisations, DNS risk remains hidden until it suddenly is not.
Craig Sanderson, Principal Cyber Security Strategist, Infoblox
Protective DNS: from niche to national strategy
One of the most significant shifts reflected in SP 800-81r3 is the growing importance of Protective DNS (PDNS) as a frontline cybersecurity control.
Governments around the world are already moving in this direction:
• The UK’s National Cyber Security Centre
• US federal adoption through the Cybersecurity and Infrastructure Security Agency and other agencies
This is not a coincidence. Protective DNS provides a scalable preventative control that can stop threats before they reach end-users or enterprises. With initiatives like the Internet Engineering Task Force (IETF) DNS for AI Discovery (DNSAID) draft, DNS is evolving into a foundational layer for service discovery, orchestration and trust in AI-driven environments.
In short, DNS is no longer just infrastructure. It is becoming mission-critical intelligence infrastructure.
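To make the "preventative control" concrete, here is an added example (not code from the article, from Infoblox, or from NIST) of the two checks a Protective DNS resolver typically applies before answering a query: a blocklist lookup on the registered domain, and a simple heuristic for the long, random-looking labels that command-and-control or exfiltration traffic tends to encode into DNS. The blocklist entries, log format and thresholds are constructed assumptions for illustration; a real deployment would use a threat-intelligence feed and the Public Suffix List rather than the naive "last two labels" domain extraction used here.

```python
"""Protective-DNS style policy check over constructed DNS query log lines.

Added example for illustration only: the blocklist, log format and thresholds
are constructed assumptions, not real indicators or vendor logic.
"""
import math
from collections import Counter

# Constructed blocklist of registered domains a PDNS feed might flag (hypothetical).
BLOCKLIST = {"c2-example.test", "exfil-example.test"}


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random-looking labels score high, 'www' scores 0."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive 'last two labels' approximation of the registered domain.

    Assumption for this example; real resolvers consult the Public Suffix List
    so that names under e.g. co.uk are handled correctly.
    """
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def looks_like_tunnel(qname: str, max_label: int = 40, entropy_threshold: float = 3.5) -> bool:
    """Heuristic: a very long or high-entropy leftmost label on a subdomain
    suggests data being encoded into DNS queries. Thresholds are assumptions."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3:  # bare registered domains are not tunnel candidates
        return False
    leftmost = labels[0]
    return len(leftmost) > max_label or shannon_entropy(leftmost) > entropy_threshold


def evaluate_query(qname: str) -> str:
    """Return the policy verdict for one query name: BLOCK, ALERT or ALLOW."""
    if registered_domain(qname) in BLOCKLIST:
        return "BLOCK"  # known-bad domain: refuse resolution before the client connects
    if looks_like_tunnel(qname):
        return "ALERT"  # not on a list, but worth investigation by the SOC
    return "ALLOW"


def process_log(lines):
    """Parse constructed 'timestamp client qname qtype' lines; return (qname, verdict) pairs.

    Malformed lines are skipped rather than raising, so one bad record does not
    stop the pipeline."""
    results = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        qname = parts[2]
        results.append((qname, evaluate_query(qname)))
    return results


# Constructed sample log lines (not real traffic). The third query carries a
# 44-character hex label, the shape DNS tunnelling tools produce.
SAMPLE_LOG = [
    "2025-10-20T10:00:00Z 10.0.0.5 www.example.com A",
    "2025-10-20T10:00:01Z 10.0.0.5 update.c2-example.test A",
    "2025-10-20T10:00:02Z 10.0.0.7 4d2a9f1c7e3b8a6d5f0e2c4b9a1d3f7e6c8b0a2d4f6e.example.com TXT",
    "malformed line",
]

if __name__ == "__main__":
    for qname, verdict in process_log(SAMPLE_LOG):
        print(f"{verdict:5} {qname}")
```

Running the module prints one verdict per well-formed log line: the first query is allowed, the second is blocked because its registered domain is on the blocklist, and the third is flagged for investigation because its leftmost label is longer than the 40-character limit. The point the article makes is visible in the structure: the decision happens at resolution time, before any connection to the destination is attempted, which is why DNS is such an early and cheap enforcement point.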
The growing risk of ignoring DNS
Despite its importance, DNS continues to fly under the radar in many organisations.
• Network and IT teams focus on availability and performance
• Security teams often lack visibility into DNS risks and controls
NIST’s updated guidance reinforces what many national cybersecurity agencies already recognise: DNS is one of the most effective and underutilised security enforcement points available.
The tick-box trap in DNS security
Despite growing awareness, many organisations have approached DNS security as a feature to be enabled rather than a discipline to be engineered.
A common pattern is the reliance on existing security platforms, such as firewalls or secure web gateways, to provide ‘good enough’ DNS protection. While these tools may offer DNS-related features, they were not designed to address the full scope of DNS risk.
This has led to a false sense of security.
NIST SP 800-81r3 makes it clear that DNS security is far broader and more complex than a single control point. It spans: