Editorial

Cybersecurity: 5 reasons government organisations should consider Protective DNS in 2024

Against a backdrop of increasingly sophisticated cyberattacks, Gabe Luis, senior director for Western Europe, Infoblox, provides five reasons why governments should prioritise Protective DNS.

Posted 4 April 2024 by Christine Horton


In an era marked by sophisticated cyber threats and state-sponsored attacks, governments worldwide are grappling with the challenge of safeguarding their digital infrastructure. Protective DNS has emerged as a pivotal strategy, offering a scalable platform that provides a robust first line of defence against these threats.

The Domain Name System (DNS) is essential to the operation of modern networks, underpinning email, websites and everything else we do on the internet. DNS was designed to translate human-readable domain names into machine-readable IP addresses, but today it is used for much more. In 2010 an extension to the protocol, DNS Response Policy Zones (RPZ), was proposed to provide firewall-like behaviour in DNS: a resolver consults a locally configured policy zone and can refuse, redirect or silently drop answers for names that match it. This opened up the opportunity to use DNS to detect and respond to threats like phishing and malware, turning a networking platform into a ubiquitous visibility and security control platform. Since then these concepts have matured, and in recent years governments around the world have embraced DNS detection and response as an important component of defence in depth, calling it Protective DNS.

Protective DNS is more than a protocol; it is a security service. It detects threats through the DNS queries leaving the network and responds according to an organisation's chosen policies: as a service, it can block access, quarantine devices and log suspicious activity in real time.
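The firewall-like DNS extension from 2010 is DNS Response Policy Zones (RPZ), and the policy-driven responses described above are exactly what an RPZ zone expresses: the resolver looks the queried name up in a policy zone before answering, and the target of the matching CNAME record encodes the action. The following is an added illustration written for this article, not Infoblox code and not a real resolver. It parses a small constructed policy zone and applies the QNAME precedence rules (the exact name first, then the nearest wildcard ancestor), which is why a more specific exception can override a wildcard block. Every domain name in it is a placeholder, and sinkhole.gov.internal is an assumed walled-garden host.

```python
"""RPZ-style policy evaluation for a recursive resolver (added illustration, not a real resolver)."""
from dataclasses import dataclass
from typing import Optional

# RPZ expresses the action for a matching name as the target of a CNAME record
# in the policy zone. These special targets are the ones the RPZ specification defines.
NXDOMAIN = "."              # CNAME .             -> answer NXDOMAIN
NODATA = "*."               # CNAME *.            -> name exists, no records
PASSTHRU = "rpz-passthru."  # CNAME rpz-passthru. -> exempt this name from policy
DROP = "rpz-drop."          # CNAME rpz-drop.     -> discard the query silently

# Constructed sample policy zone. Every name is a placeholder, and
# sinkhole.gov.internal is an assumed walled-garden host for redirected victims.
SAMPLE_RPZ = """
malware-c2.example.         CNAME .                      ; C2 domain: NXDOMAIN
*.malware-c2.example.       CNAME .                      ; ...and all of its subdomains
allowed.malware-c2.example. CNAME rpz-passthru.          ; exception: exact name beats the wildcard
tracker.example.            CNAME *.                     ; NODATA: name exists, nothing to connect to
phish-login.example.        CNAME sinkhole.gov.internal. ; redirect victims to a walled garden
*.phish-login.example.      CNAME sinkhole.gov.internal.
tunnel.example.             CNAME rpz-drop.              ; suspected tunnel: do not answer at all
*.tunnel.example.           CNAME rpz-drop.
"""


@dataclass(frozen=True)
class Verdict:
    action: str                   # nxdomain | nodata | passthru | drop | redirect
    rule: Optional[str]           # trigger that matched, None when no policy applied
    target: Optional[str] = None  # redirect destination for local-data rules


def parse_rpz(zone_text: str) -> dict:
    """Read 'trigger CNAME target' records; keys are lower-case triggers without the trailing dot."""
    rules = {}
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip zone-file comments
        if not line:
            continue
        trigger, rtype, target = line.split()
        if rtype.upper() == "CNAME":
            rules[trigger.lower().rstrip(".")] = target
    return rules


RULES = parse_rpz(SAMPLE_RPZ)


def evaluate(qname: str, rules: Optional[dict] = None) -> Verdict:
    """QNAME trigger matching in RPZ precedence: the exact name, then the nearest wildcard ancestor."""
    rules = RULES if rules is None else rules
    name = qname.lower().rstrip(".")
    labels = name.split(".")
    candidates = [name] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for trigger in candidates:
        target = rules.get(trigger)
        if target is None:
            continue
        if target == NXDOMAIN:
            return Verdict("nxdomain", trigger)
        if target == NODATA:
            return Verdict("nodata", trigger)
        if target == PASSTHRU:
            return Verdict("passthru", trigger)
        if target == DROP:
            return Verdict("drop", trigger)
        return Verdict("redirect", trigger, target)  # local data: CNAME to the given host
    return Verdict("passthru", None)  # no trigger matched: resolve normally


def log_line(client_ip: str, qname: str, verdict: Verdict) -> str:
    """One record per policy decision, keyed by client so the endpoint can be traced later."""
    return f"client={client_ip} qname={qname} action={verdict.action} rule={verdict.rule or '-'}"


if __name__ == "__main__":
    for q in ("www.malware-c2.example", "allowed.malware-c2.example", "login.phish-login.example", "www.gov.uk"):
        print(log_line("10.0.0.5", q, evaluate(q)))
```

Two practitioner points the toy shows: a NXDOMAIN answer tells the malware the name is gone, whereas a redirect to a walled garden keeps the infected client talking to something you control and log; and the drop action leaves the client waiting for an answer, which is the right choice for suspected tunnels but can slow down false positives, so log every hit with the client address before tuning the policy.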

To put the threat into perspective, according to IDC almost 90 percent of organisations suffered a DNS attack in 2021. This danger to businesses and government agencies has prompted the UK's NCSC to publish guidelines and recommendations for private companies and governments to deploy Protective DNS measures and use DNS intelligence to their advantage. In 2020, Anne Neuberger, director of cybersecurity at the NSA (National Security Agency), noted, based on NSA analysis, that “using secure DNS would reduce the ability for 92 percent of malware attacks both from command and control perspective deploying malware on a given network.”

This spike in DNS-based threats can be largely attributed to the rapid rise of hybrid working, which has increased the network footprint of organisations and, with it, the DNS attack surface. State-sponsored cyberattacks and geopolitical unrest are also making governments more of a target, as threat actors seek to steal sensitive data and disrupt critical infrastructure.

Here are five key reasons governments should prioritise Protective DNS:

1. Proactive defence against malware and ransomware

DNS serves as one of the initial control points in the digital landscape. By transforming DNS from a networking service into a security control point, DNS Intelligence can provide security at scale, something that has historically been very challenging for governments and their departments. Take the Decoy Dog malware for instance, a sophisticated cyber threat that disguises itself as legitimate software to trick users into downloading and executing it, enabling attackers to gain unauthorised access to data. Decoy Dog uses DNS as its primary channel for command and control, which is both its strength and its weakness. Because it relies on DNS, it can, with the right tools in place, be intercepted early on, before malicious requests escalate; that is how Infoblox discovered Decoy Dog, through anomaly detection performed at one of its BloxOne Threat Defense resolvers.

Protective DNS continuously monitors network traffic and analyses DNS query patterns to identify anomalies and potential threats. Continuous analysis helps to detect and prevent new or emerging threats that may not be covered by traditional signature-based security methods. The use of DNS is so ubiquitous that it’s the ideal vehicle for security at scale, leveraging existing DNS infrastructure to support the capabilities of Protective DNS.

2. Guarding against lookalike domains and deceptive tactics

Cyber adversaries often craft domains resembling legitimate ones to deceive users, as seen in the campaign that impersonated the French Social Security Portal. The threat actor's initial engagement began with a large number of SMS phishing (smishing) messages designed to bring victims to the fake portal. The campaign initially targeted French nationals, but since then we've seen additional lookalikes that target British, Spanish and Portuguese speakers, and Belgian telco and Dutch energy companies.

Protective DNS was able to detect and identify over 200 IP addresses serving 7,000 unique phishing domains, stopping many of these attacks almost immediately. By identifying and blocking deceptive domains at the point of resolution, Protective DNS ensures users are not lured into phishing traps that end in credential theft or data breaches.
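To make concrete what "identifying deceptive domains" involves at the resolver, here is an added example written for this article; it is not Infoblox code and not taken from the campaign above. It scores a queried name against a constructed list of protected domains (socialsecurity.example and taxoffice.example are assumed placeholders) for three lookalike patterns: the brand's registrable label reproduced with confusable characters (digits or Cyrillic letters standing in for Latin ones) or under a different suffix, the brand embedded in a longer label or in a subdomain of some other domain, and small edit-distance typos. It assumes a single-label public suffix; a real deployment would consult the Public Suffix List and the department's own domain inventory.

```python
"""Lookalike-domain scoring against protected domains (added illustration, not vendor code)."""
import unicodedata

# Constructed placeholders for the domains a department wants to protect.
PROTECTED = ("socialsecurity.example", "taxoffice.example")

# Characters attackers substitute for Latin letters: digits, and Cyrillic/Turkish lookalikes.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l", "\u0131": "i",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0455": "s", "\u0456": "i", "\u0445": "x", "\u0443": "y",
}


def normalize(name: str) -> str:
    """Lower-case, decode punycode, strip accents and fold confusable characters."""
    name = name.lower().rstrip(".")
    if "xn--" in name:
        try:
            name = name.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: score the raw label instead
    name = "".join(c for c in unicodedata.normalize("NFKD", name) if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in name)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_label(domain: str) -> str:
    """Label left of the public suffix; assumes a single-label suffix (no Public Suffix List)."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(qname: str) -> tuple:
    """Return (category, protected domain) for a queried name."""
    raw = qname.lower().rstrip(".")
    if raw in PROTECTED or any(raw.endswith("." + p) for p in PROTECTED):
        return ("legitimate", None)
    labels = normalize(raw).split(".")[:-1]  # drop the public suffix
    if not labels:
        return ("benign", None)
    core = labels[-1]
    for protected in PROTECTED:
        brand = registrable_label(protected)
        if core == brand:  # same registrable label after folding: homoglyph or suffix swap
            return ("impersonation", protected)
        if any(brand in label for label in labels):  # brand-refund.example, brand.example.evil.example
            return ("brand-embedded", protected)
        if osa_distance(core, brand) <= max(1, len(brand) // 6):
            return ("typo", protected)
    return ("benign", None)


if __name__ == "__main__":
    for q in ("socialsecurity.example", "s\u043ecialsecurity.example", "socia1security-refund.example",
              "socialsecurty.example", "socialsecurity.example.evil-cdn.example", "society.example"):
        print(q, classify(q))
```

The edit-distance threshold scales with the brand length so that short brands do not match everything; even so, "typo" hits need a review queue rather than an automatic block, because a distance of one from a short brand covers many unrelated legitimate names. Names scored as impersonation or brand-embedded are the ones worth pushing straight into the resolver's policy zone.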

3. Leveraging centralised threat intelligence for enhanced security

Governments can harness centralised threat intelligence to gain consistent insight into potential threats across departments. This centralised approach provides a macro view, enabling governments to discern whether a threat is isolated to one department or widespread. Centralising threat intelligence also ensures that every department detects the same threats in the same way, and the resulting events, collected in one place, give a holistic view of the threat landscape.

4. Empowering individual departments with tailored defence

While centralised Protective DNS offers a foundational layer of defence, individual government departments can further bolster their security by applying the same technology on their internal DNS servers. This gives a multi-layered defence, allowing departments to address vulnerabilities and threats specific to their own DNS. It also helps the overall Protective DNS service scale, and when the policy is applied on the DNS servers that serve endpoints directly, the associated device metadata lets security operations teams quickly identify the compromised endpoint: an internal resolver sees the real source address of each query, whereas a central service upstream of the department's NAT or egress proxy sees only the shared address.

5. Anticipating and rapidly countering evolving threats

The need for speed is real. The cyber threat landscape is constantly evolving, with adversaries employing innovative tactics like lookalike domains. DNS Intelligence allows governments to stay a step ahead, proactively identifying potential threats and keeping defences current. Threat intelligence derived from analysing DNS queries, and optimised for deployment on DNS platforms, can target domains that belong to threat actor infrastructure. The advantage is that Protective DNS can block a would-be malicious domain before the threat actor uses it in a malware campaign. Identifying these suspicious domains early makes them available for blocking weeks to months before they appear in many industry-wide malicious threat intelligence feeds, in stark contrast to sources that can only respond once the malware has been spotted in the wild.

Protective DNS can also react rapidly to DNS-specific threats such as DNS tunnelling. Adversaries have been quick to turn to DNS as a means of exfiltrating data out of networks, because most organisations pay little attention to DNS traffic. A Protective DNS service that leverages machine learning can detect malicious DNS tunnels, which can be and often are used as an open back door that results in sensitive data loss.
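A tunnel has to smuggle its payload into the query name, so it leaves a statistical signature even before any machine learning is applied: many distinct subdomains of one zone, long labels, high character entropy, and record types such as TXT that carry data back. The following added example, written for this article and not Infoblox's detector, runs that heuristic over constructed resolver log lines (format "timestamp client qtype qname", with an assumed tunnel zone exfil-tunnel.example and an assumed benign high-volume CDN zone) and groups by client address, which is the endpoint-identification point made in section 4.

```python
"""Heuristic DNS-tunnel detection over resolver query logs (added illustration, not vendor code)."""
import base64
import collections
import hashlib
import math


def entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    counts = collections.Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def zone_of(qname: str) -> str:
    """Registrable zone, assumed to be the last two labels (no Public Suffix List here)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse(line: str) -> tuple:
    """Split a 'timestamp client qtype qname' log line."""
    _ts, client, qtype, qname = line.split()
    return client, qtype.upper(), qname.lower().rstrip(".")


def detect(lines, min_unique=20, min_entropy=3.5, min_label_len=20) -> list:
    """Group queries by (client, zone) and flag zones whose subdomains look like encoded payloads."""
    groups = collections.defaultdict(lambda: {"names": set(), "ent": [], "len": [], "rare": 0, "n": 0})
    for line in lines:
        if not line.strip():
            continue
        client, qtype, qname = parse(line)
        g = groups[(client, zone_of(qname))]
        longest = max(qname.split(".")[:-2] or [""], key=len)  # longest label below the zone
        g["n"] += 1
        g["names"].add(qname)
        g["ent"].append(entropy(longest))
        g["len"].append(len(longest))
        g["rare"] += qtype in ("TXT", "NULL", "CNAME")  # record types that can carry data downstream
    alerts = []
    for (client, zone), g in groups.items():
        unique_names = len(g["names"])
        mean_ent = sum(g["ent"]) / g["n"]
        mean_len = sum(g["len"]) / g["n"]
        if unique_names >= min_unique and mean_ent >= min_entropy and mean_len >= min_label_len:
            alerts.append({
                "client": client, "zone": zone, "unique_names": unique_names,
                "mean_label_entropy": round(mean_ent, 2),
                "rare_qtype_fraction": round(g["rare"] / g["n"], 2),
            })
    return alerts


def build_sample_log() -> list:
    """Constructed log lines (not real traffic): ordinary lookups, a chatty CDN, and a tunnel."""
    lines = [
        "2024-04-04T09:00:01Z 10.20.30.41 A www.gov.uk",
        "2024-04-04T09:00:02Z 10.20.30.41 AAAA mail.example.org",
        "2024-04-04T09:00:03Z 10.20.30.41 A login.socialsecurity.example",
    ]
    # Benign but high-volume: a CDN handing out many short, low-entropy hostnames.
    lines += [f"2024-04-04T09:01:{i:02d}Z 10.20.30.41 A a{i}.cdn.example" for i in range(30)]
    # Tunnel: each query carries a base32-encoded 30-byte chunk (48 characters) in one long label.
    for i in range(32):
        chunk = hashlib.sha256(f"constructed-chunk-{i}".encode()).digest()[:30]
        label = base64.b32encode(chunk).decode().rstrip("=").lower()
        lines.append(f"2024-04-04T09:02:{i:02d}Z 10.20.30.77 TXT {label}.{i}.exfil-tunnel.example")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

The CDN zone has as many unique names as the tunnel but fails the entropy and label-length tests, which is the point of combining features rather than alerting on query volume alone. In practice some legitimate products (anti-virus reputation lookups, some telemetry services) also encode data in query names, so a zone allowlist is needed, and the thresholds should be tuned on a baseline of the department's own traffic before the alert is wired to a drop rule.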

Centralised vs. organisation-specific protective DNS: a dual-layered approach to cybersecurity

Centralised Protective DNS offers a foundational layer of defence for governments, pooling resources and threat intelligence to safeguard against a broad spectrum of cyber threats. This approach provides a macro view, allowing governments to discern overarching threat patterns and respond proactively. While centralised Protective DNS is a robust starting point, individual government departments and organisations can further enhance their cybersecurity posture with an organisation-specific layer. By tailoring DNS policy to their own vulnerabilities and challenges, departments gain a more granular and adaptive defence. This dual-layered approach, combining the strengths of centralised and organisation-specific Protective DNS, allows governments to address both widespread and targeted threats effectively.

Protective DNS has emerged as a vital defensive layer, countering sophisticated and increasingly AI-assisted threats that abuse the basic DNS protocol. Its strategic deployment will fortify national cybersecurity, allowing governments to adapt swiftly to halt and neutralise evolving digital threats.

If cybersecurity in government is of interest to you, then you should attend our upcoming conference in Westminster on June 11th. You can register for Think Digital Identity and Cybersecurity for Government here.
