The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have released new guidance on selecting a Protective Domain Name System (PDNS) provider.
The guidance assesses PDNS providers based on their ability to use a PDNS system as part of a layered security system, block unauthorized DNS queries, and account for hybrid enterprise architectures. The guide lays out and assesses six different PDNS providers based on the provided criteria, but specifies that it should not be taken as an endorsement of any of the providers.
“This guidance outlines the benefits and risks of using a protective DNS service and assesses several commercial PDNS providers based on reported capabilities,” the guidance says. “The assessment is meant to serve as information for organizations, not as recommendations for provider selection. Users of these services must evaluate their architectures and specific needs when choosing a service for PDNS and then validate that a provider meets those needs.”
DNS is how machines turn domain names into IP addresses. PDNS adds security controls on top of regular DNS, a protocol that was never designed to withstand attacks by malicious actors. PDNS is a security service layered onto DNS resolution, rather than a measure focused only on protecting users' individual queries.
One of the core features and benefits of PDNS is that the service uses feeds of known malicious domains to classify sites associated with phishing, malware distribution, and other harmful activity, so that queries for them can be filtered. This type of DNS filtering is so essential to the future of cybersecurity that the Department of Defense (DoD) included it as a requirement in its Cybersecurity Maturity Model Certification program, which is in the process of being rolled out to all DoD contracts by Fiscal Year 2026.
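To make the filtering described above concrete, here is a small illustration added to this article (it is not code from the guidance or from any PDNS provider). It checks each logged query against a constructed feed of malicious domains, matching parent domains so that subdomains are caught as well, and separately flags queries sent to a resolver other than the enterprise's approved one, which is the "unauthorized DNS query" problem the guidance raises. The feed entries, resolver address, and log records are all constructed values.

```python
"""Minimal PDNS-style query filter; illustrative only, not any vendor's code."""
import ipaddress

# Constructed feed of known-malicious domains mapped to a threat category.
FEED = {
    "phish-login.example": "phishing",
    "cdn.malware-drop.example": "malware",
}
# Resolver that enterprise clients are expected to use (constructed value).
APPROVED_RESOLVER = ipaddress.ip_address("10.0.0.53")
# Answer returned for blocked names instead of the real address.
SINKHOLE_IP = "0.0.0.0"


def lookup_feed(qname):
    """Return the feed category for qname or any parent domain, else None.
    Walking up the labels means sub.phish-login.example is caught too."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in FEED:
            return FEED[candidate]
    return None


def evaluate_query(client_ip, resolver_ip, qname):
    """Classify one query: 'bypass' if it went to a non-approved resolver,
    'block' with a sinkhole answer if the name is in the feed, else 'allow'."""
    if ipaddress.ip_address(resolver_ip) != APPROVED_RESOLVER:
        return {"action": "bypass", "qname": qname, "client": client_ip}
    category = lookup_feed(qname)
    if category:
        return {"action": "block", "qname": qname,
                "category": category, "answer": SINKHOLE_IP}
    return {"action": "allow", "qname": qname}


def process_log(records):
    """Evaluate every record and return (results, per-action counts)."""
    results = [evaluate_query(*rec) for rec in records]
    counts = {}
    for res in results:
        counts[res["action"]] = counts.get(res["action"], 0) + 1
    return results, counts


# Constructed sample log: (client_ip, resolver_ip, queried name).
SAMPLE_LOG = [
    ("10.1.2.3", "10.0.0.53", "www.example.com."),
    ("10.1.2.3", "10.0.0.53", "login.phish-login.example."),
    ("10.1.2.4", "10.0.0.53", "cdn.malware-drop.example"),
    ("10.1.2.5", "8.8.8.8", "anything.example.net"),
]

if __name__ == "__main__":
    for entry in process_log(SAMPLE_LOG)[0]:
        print(entry)
```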