What the New NIST Secure DNS Deployment Guidance Means to Enterprises, According to a ZeroFox Expert
by Carlos Alvarez

NIST's updated guidance on secure DNS deployment has direct implications for how organizations protect their external digital presence. This is what you need to act on.
The Domain Name System has long been treated as plumbing: invisible infrastructure that just works. That perception is increasingly dangerous.
In March 2026, the National Institute of Standards and Technology (NIST) published an updated Secure DNS Deployment Guide (SP 800-81r3), and its framing is a significant shift: DNS is no longer merely an operational service. It is, in NIST's words, "a security control that can be an important part of an enterprise security architecture."
For ZeroFox customers, this matters in a very specific way. The threats DNS is most exposed to (domain hijacking, lookalike registrations, dangling records, phishing infrastructure) are precisely the threats our platform is built to detect and disrupt. The new NIST guidance provides a timely framework for ensuring that your internal DNS configuration isn't undoing the external protection ZeroFox provides.
Here’s what the guidance says, and what it means for your team.
Your External Domains Are Under Active Attack
NIST is explicit that threat actors routinely target legitimate, public-facing domains to exploit their established reputation. The document identifies three specific attack vectors that security teams should treat as high-priority concerns.
Dangling CNAME records occur when a CNAME points to a canonical name whose parent domain has lapsed in registration. When that happens, an attacker can register the expired domain and effectively take over resolution, sending your users to infrastructure they control, under a name that looks legitimate. NIST recommends that DNS administrators implement regular audits of CNAME configurations and delete records that are no longer needed.
Lame delegations present a similar threat. If a subdomain was delegated to a DNS hosting provider and the contract lapses but the delegation record was never removed, an attacker can contract with that same provider to hijack resolution for your subdomain. DNS administrators should actively validate that there are no lame delegations within their external authoritative domain name space and use DNS-hosting providers who apply safeguards. This is one of the most common paths to subdomain takeover observed in the wild.
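The two audits NIST calls for above, dangling CNAME targets and lame delegations, as an added example that is not code from the NIST guide or from ZeroFox. Lookups are injected as functions so the logic runs offline against constructed records; in production you would back them with a real resolver, and the short public-suffix table is a stand-in for the real Public Suffix List.

```python
# Added example: audit an external zone's CNAME and NS records for dangling
# targets and lame delegations. lookup()/query_auth() are injected so the audit
# runs offline here; wire them to a real resolver in production.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}  # toy list, not the real PSL

def registrable_domain(name: str) -> str:
    """Return the registrable part of a name using the toy suffix list above."""
    labels = name.rstrip(".").lower().split(".")
    for n in (2, 1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)

def audit_cnames(records, lookup):
    """records: [(owner, target)]; lookup(name, rtype) -> (status, answers)."""
    findings = []
    for owner, target in records:
        status, _ = lookup(target, "A")
        if status == "NXDOMAIN":
            apex_status, _ = lookup(registrable_domain(target), "SOA")
            # Target apex gone too: registration lapsed and can be re-registered.
            sev = "CRITICAL" if apex_status == "NXDOMAIN" else "WARNING"
            findings.append((sev, owner, f"CNAME target {target} does not resolve"))
    return findings

def audit_delegations(delegations, query_auth):
    """delegations: [(subzone, [ns, ...])]; query_auth(ns, zone) -> 'AA' if authoritative."""
    findings = []
    for zone, nameservers in delegations:
        bad = [ns for ns in nameservers if query_auth(ns, zone) != "AA"]
        if bad:  # a listed NS that does not answer authoritatively is a lame delegation
            findings.append(("HIGH", zone, f"lame delegation: {', '.join(bad)} not authoritative"))
    return findings

# Constructed sample data standing in for real resolver responses.
_A = {"cdn.example-vendor.net.": "OK", "app.retired-saas.com.": "NXDOMAIN"}
_SOA = {"retired-saas.com": "NXDOMAIN", "example-vendor.net": "OK"}
def fake_lookup(name, rtype):
    return (_A if rtype == "A" else _SOA).get(name, "OK"), []
def fake_query_auth(ns, zone):
    return "AA" if ns.endswith("dnsvendor.example.") else "REFUSED"

SAMPLE_CNAMES = [("www.example.com.", "cdn.example-vendor.net."),
                 ("portal.example.com.", "app.retired-saas.com.")]
SAMPLE_DELEGATIONS = [("shop.example.com.", ["ns1.dnsvendor.example.", "ns2.dnsvendor.example."]),
                      ("old.example.com.", ["ns1.former-host.example."])]

if __name__ == "__main__":
    for f in audit_cnames(SAMPLE_CNAMES, fake_lookup) + audit_delegations(SAMPLE_DELEGATIONS, fake_query_auth):
        print(*f)
```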
Lookalike domains complete the picture. Threat actors extensively leverage lookalike or typosquat domains to impersonate target organizations, vastly increasing the success rate of their phishing and malware campaigns. These can include subtle character substitutions, international homoglyphs, or simply re-registering domains you've retired. NIST's recommended countermeasures are core capabilities that ZeroFox delivers at scale, continuously scanning for domains targeting your brand across the entire internet.
The connection between your DNS hygiene and your external brand integrity is direct: stale records and expired delegations don't just create internal resolution failures. They hand attackers a credible, trusted surface to launch campaigns against your customers.
Protective DNS: Your Internal Security Posture Has Gaps You May Not See
Beyond the external threat surface, NIST's guidance on protective DNS has meaningful implications for your internal security architecture. Protective DNS blocks access to malicious websites and prevents the delivery of malware, ransomware, phishing, and other attacks. It can be provided as a service from a vendor, deployed on internal DNS infrastructure, or a combination of the two.
The key word is combination. NIST recommends a hybrid approach: pairing cloud-based protective DNS services (which benefit from broader threat intelligence and real-time analysis) with on-premises capabilities that keep protection in place even when the cloud service is unavailable. ZeroFox’s Global Disruption Network feeds our high-fidelity threat intelligence into DNS firewalls and response policy zones (RPZs) to block resolution to attacker infrastructure before a connection is ever made.
NIST also emphasizes that DNS query logs should be integrated with other system logs to facilitate correlation with cloud workloads and device or user activities. This aligns directly with how ZeroFox customers should be thinking about their SIEM integration: DNS telemetry is early-warning data. A query to a domain that ZeroFox has flagged as part of a phishing campaign should trigger an alert, not just a blocked connection. The goal is detection and response, not just prevention.
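The two halves of the previous two paragraphs, feeding an indicator list into an RPZ and treating a query to a flagged domain as an alert rather than a silent block, as one added example (not ZeroFox's or NIST's code). The indicator list and the BIND 9 query-log lines are constructed; the zone name `rpz.local` is a placeholder.

```python
# Added example: build an RPZ zone from an indicator list, and correlate BIND
# query-log lines against the same list so each hit becomes a SIEM alert.
import re

# Constructed indicators standing in for a threat-intel feed (fictional names).
INDICATORS = {"login-update.phish.test": "phishing", "c2.badactor.test": "c2"}

def build_rpz(indicators, zone="rpz.local", ttl=60):
    """Emit RPZ records returning NXDOMAIN for each indicator and its subdomains."""
    lines = [f"$TTL {ttl}", f"@ IN SOA ns.{zone}. hostmaster.{zone}. 1 3600 900 604800 60",
             f"@ IN NS ns.{zone}."]
    for name in sorted(indicators):
        lines.append(f"{name}.{zone}. CNAME .")    # CNAME . => NXDOMAIN for the name
        lines.append(f"*.{name}.{zone}. CNAME .")  # and for anything beneath it
    return "\n".join(lines) + "\n"

# BIND 9 querylog: "<date> <time> client [@0x..] <ip>#<port> (<qname>): query: <qname> IN <type> ..."
QUERY_RE = re.compile(r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-f.:]+)#\d+ "
                      r"\((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\S+)")

def matched_indicator(qname, indicators):
    """Return the indicator covering qname (exact match or any subdomain), else None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None

def correlate(log_lines, indicators):
    """Scan query-log lines; return one alert dict per query that hits an indicator."""
    alerts = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        hit = matched_indicator(m["qname"], indicators) if m else None
        if hit:
            alerts.append({"time": m["ts"], "src": m["src"], "qname": m["qname"],
                           "qtype": m["qtype"], "indicator": hit, "category": indicators[hit]})
    return alerts

SAMPLE_LOG = [  # constructed lines in BIND 9 querylog format
    "12-Mar-2026 10:15:02.123 client @0x7f3a 10.1.2.3#51234 (www.example.com): query: www.example.com IN A +E(0)K (10.0.0.53)",
    "12-Mar-2026 10:15:03.456 client @0x7f3a 10.1.2.44#40211 (mail.login-update.phish.test): query: mail.login-update.phish.test IN A + (10.0.0.53)",
    "12-Mar-2026 10:15:09.001 client @0x7f3a 10.1.7.9#61001 (c2.badactor.test): query: c2.badactor.test IN TXT + (10.0.0.53)",
]

if __name__ == "__main__":
    print(build_rpz(INDICATORS))
    for alert in correlate(SAMPLE_LOG, INDICATORS):
        print("ALERT", alert)
```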
Encryption and Authentication Are No Longer Optional
The guidance also strengthens its stance on encrypting DNS traffic. The U.S. Government requires the DNS infrastructure of Federal Civilian Executive Branch agencies to use encrypted DNS when communicating with agency endpoints, wherever technically supported. For non-federal organizations, this is a strong signal of where baseline expectations are heading.
Encrypted DNS, whether via DNS over TLS (DoT), DNS over HTTPS (DoH), or DNS over QUIC (DoQ), protects query and response traffic from interception and manipulation. This matters for ZeroFox customers because unencrypted DNS traffic is one of the primary channels threat actors use for command-and-control communication and data exfiltration. NIST recommends that organizations block unauthorized outbound DoT, DoH, and DoQ traffic at the perimeter, ensuring that only approved resolvers can communicate outside the network.
Complementing encryption is DNSSEC, the set of extensions that adds cryptographic authentication to DNS responses. DNSSEC can guarantee the integrity of name resolution response data to DNS clients that perform DNSSEC signature verification. Without it, even a well-configured resolver can be fed forged responses. NIST recommends deploying DNSSEC for external authoritative zones, with particular attention to key management, rollover procedures, and signature validity periods.
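One concrete piece of the key-management and signature-validity attention NIST asks for: a check that walks a signed zone's RRSIG records and flags signatures that are expired, not yet valid, or about to expire before resolvers start failing validation. This is an added example, not code from SP 800-81r3 or ZeroFox; the records, the fixed clock and the zone name `example.test.` are constructed.

```python
# Added example: audit RRSIG validity windows in zone-file presentation format.
# RRSIG RDATA: type-covered alg labels orig-ttl expiration inception keytag signer sig
from datetime import datetime, timedelta, timezone

def parse_rrsig(line):
    """Parse one RRSIG record (presentation format) into a dict of its fields."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    ts = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return {"owner": f[0], "covers": f[4], "algorithm": int(f[5]),
            "expiration": ts(f[8]), "inception": ts(f[9]),
            "keytag": int(f[10]), "signer": f[11]}

def check_rrsigs(lines, now, warn_days=7):
    """Return (status, owner, covers, detail) per RRSIG.

    status is EXPIRED, NOT_YET_VALID, EXPIRING (within warn_days) or OK."""
    out = []
    for line in lines:
        r = parse_rrsig(line)
        left = r["expiration"] - now
        if now >= r["expiration"]:
            status, detail = "EXPIRED", f"expired {-left} ago"
        elif now < r["inception"]:
            status, detail = "NOT_YET_VALID", f"inception in {r['inception'] - now}"
        elif left <= timedelta(days=warn_days):
            status, detail = "EXPIRING", f"{left.days} day(s) left, re-sign now"
        else:
            status, detail = "OK", f"{left.days} day(s) left"
        out.append((status, r["owner"], r["covers"], detail))
    return out

NOW = datetime(2026, 3, 20, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility
SAMPLE_RRSIGS = [  # constructed records; the signature field is a placeholder
    "example.test. 3600 IN RRSIG A 13 2 3600 20260415120000 20260316120000 12345 example.test. AAAA",
    "www.example.test. 3600 IN RRSIG A 13 3 3600 20260323000000 20260223000000 12345 example.test. AAAA",
    "example.test. 86400 IN RRSIG DNSKEY 13 2 86400 20260318000000 20260216000000 6789 example.test. AAAA",
]

if __name__ == "__main__":
    for item in check_rrsigs(SAMPLE_RRSIGS, NOW):
        print(*item)
```

Running it against a live zone means pulling the RRSIGs with `dig +dnssec` and feeding those lines in; the same window logic applies to DNSKEY signatures during a key rollover.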
Putting It Together: DNS as a Layer of External Defense
The updated NIST guidance reframes DNS from a maintenance task into an active security discipline. For ZeroFox customers, the most important takeaway is that the threats DNS is most exposed to (domain impersonation, subdomain hijacking, phishing infrastructure, lookalike campaigns) are the same threats that ZeroFox monitors and disrupts externally every day, by the thousands.
The gap to close is the connection between those two layers. Auditing your external DNS footprint for dangling CNAMEs and lame delegations, feeding ZeroFox-sourced threat intelligence into your protective DNS controls, encrypting your DNS traffic, and deploying DNSSEC together create a coherent, defense-in-depth posture. Your DNS is already a target. The question is whether it's also a line of defense.
ZeroFox continuously monitors for domain abuse, lookalike registrations, and attacker infrastructure targeting your brand. To learn more about how ZeroFox threat intelligence integrates with your DNS security controls, contact your ZeroFox account team. If you're new to ZeroFox, request a demo.
Carlos Alvarez
Disruption Partnerships Lead
Carlos leads ZeroFox’s disruption partnerships with all social media networks and the domain and hosting industries. With more than 25 years of experience in cybersecurity and internet governance, he spent nearly 15 years at the Internet Corporation for Assigned Names and Numbers (ICANN), leading enforcement for the domain industry before serving as an engagement leader with law enforcement and the threat intelligence and incident response communities. Carlos serves on the Board of Directors for the Forum of Incident Response and Security Teams (FIRST) and the Internet Fire Brigade Society and is a Strategic Advisor to the Global Cyber Alliance. He also co-founded and co-chaired the Names and Numbers Committee and the Anti-Phishing Special Interest Group at the Messaging, Malware, and Mobile Anti-Abuse Working Group (M3AAWG), as well as the DNS Abuse Special Interest Group at FIRST.
Tags: Domain Protection