CleanINTERNET DNS & NIST Special Publication 800-81 Revision 3


In March 2026, the National Institute of Standards and Technology published NIST Special Publication 800-81 Revision 3: Secure Domain Name System (DNS) Deployment Guide — the first major update to DNS security guidance in over a decade. The revision reflects a fundamental shift in how organizations should think about DNS: not just as infrastructure to be secured, but as a security control in its own right. 

The document's central recommendation is clear: deploy protective DNS wherever technically feasible to block malicious traffic, enforce security policy, generate forensic telemetry, and integrate with a defense-in-depth or zero trust architecture. 

CleanINTERNET DNS (CIDNS) was purpose-built for exactly this mission. This document maps CIDNS's capabilities to each relevant section of NIST SP 800-81r3, demonstrating how the service addresses the publication's recommendations out of the box. 

What Is Protective DNS?

NIST defines protective DNS as "a DNS service that is enhanced with security capabilities to analyze DNS queries and responses and take action to mitigate threats" (Section 2.1). The publication identifies five goals for protective DNS deployment:

| NIST Protective DNS Goal | CIDNS Capability |
|---|---|
| Block harmful traffic at the point of domain name resolution | Every DNS response is validated against the full threat intelligence dataset before delivery to the client |
| Categorize and filter traffic that violates organizational policy | Intelligence-driven filtering with configurable policy per customer |
| Provide real-time and historical DNS data for digital forensics and incident response | Complete query and response logging delivered to your SIEM |
| Integrate with the wider security ecosystem as part of defense-in-depth | Works alongside your existing firewall, IDS, and endpoint tools — additive security layer |
| Facilitate compliance with regulatory or contractual requirements | Enforces policy at the DNS layer with full audit trail |

Section-by-Section Conformance

2.1.1 — Threat Intelligence and Telemetry

NIST recommends integrating threat intelligence into the DNS resolver via DNS firewalls, response policy zones (RPZs), or similar mechanisms. The publication emphasizes that "the consumption and deployment of threat intelligence services should be considered as part of any protective DNS deployment."

How CleanINTERNET DNS conforms:

  • CleanINTERNET DNS validates every IP address in DNS responses against Centripetal's curated threat intelligence — aggregated from 3,500+ feeds spanning malware, phishing, ransomware, command-and-control, and other threat categories
  • CleanINTERNET DNS evaluates all outbound DNS queries against the same curated threat intelligence dataset, blocking resolution attempts for known-malicious domains before any upstream connection is established
  • Intelligence is synchronized to CleanINTERNET DNS infrastructure in near real-time via streaming updates, not batch downloads — policies reflect the latest threat landscape within minutes of publication
  • The intelligence dataset covers domains, IP addresses, URLs, and CIDR ranges across multiple indicator types as well as content within different record types such as TXT Records or HTTPS Records — broader coverage than single-source RPZ feeds

Key distinction: Traditional RPZ-based filtering checks domain names. CleanINTERNET DNS goes further — it validates the IP addresses returned in DNS responses against the full intelligence dataset. A domain that resolves to a newly compromised IP is caught even if the domain itself isn't yet flagged.

2.1.2 — Name Resolution Filtering

NIST recommends applying security-related policies to DNS resolution, including refusing to resolve domains associated with phishing, malware C2, and other threats. The publication notes that protective DNS "can also log queries for domain names that trigger policy to indicate potential malware infection or other malicious activity."

How CleanINTERNET DNS conforms:

  • Queries to known-malicious domains are blocked at the DNS layer — before any network connection is established
  • DNS responses containing IP addresses associated with threat intelligence are intercepted and prevented from reaching the client
  • All blocked queries and responses are logged with full context (query domain, response records, matched intelligence, timestamp) for security team review

Filtering operates transparently behind your existing DNS infrastructure — configure your DNS servers to forward to CleanINTERNET DNS, and protection applies immediately.

2.1.3 — DNS for Digital Forensics and Incident Response

NIST recommends implementing "robust DNS traffic logging mechanisms" that capture both current and historical DNS traffic. The publication specifically calls for integration with SIEM platforms to "facilitate correlation with cloud workloads and device or user activities."

How CleanINTERNET DNS conforms:

  • Every DNS event — queries, responses, blocks, and intelligence matches — is logged
  • Logs include the original query, all response records (A, AAAA, CNAME, SOA), the matched intelligence source, and the enforcement action taken
  • Historical DNS data enables retroactive investigation: when a new threat indicator is published, you can search your DNS logs to determine whether any clients previously resolved that domain
  • Log data supports incident timeline reconstruction, compromised host identification, and lateral movement analysis
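The two-stage check described in 2.1.1 and 2.1.2 (block on the queried name, then validate the IPs in the response against IP/CIDR indicators) and the retroactive log search described in 2.1.3, as an added Python illustration. This is not CleanINTERNET DNS code; the indicator lists and event shape are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample indicators (hypothetical; not from any real feed).
BAD_DOMAINS = {"c2.badcorp.example", "phish.example"}
BAD_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("2001:db8:bad::/48")]

@dataclass
class DnsEvent:
    qname: str
    answers: List[str]        # A/AAAA rdata returned by the upstream resolver
    action: str               # "allow" or "block"
    matched: Optional[str]    # indicator that triggered the action, if any

def in_domain(qname: str, domain: str) -> bool:
    """True when qname equals domain or is a subdomain of it (label-aware, not a substring match)."""
    q, d = qname.rstrip(".").lower(), domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)

def domain_hit(qname: str) -> Optional[str]:
    return next((d for d in BAD_DOMAINS if in_domain(qname, d)), None)

def ip_hit(answers: List[str]) -> Optional[str]:
    """Check every address in the response, not just the name that was asked for."""
    for addr in answers:
        net = next((n for n in BAD_NETWORKS if ipaddress.ip_address(addr) in n), None)
        if net:
            return f"{addr} in {net}"
    return None

def evaluate(qname: str, answers: List[str]) -> DnsEvent:
    """Query-time check on the name first; if it passes, response-time check on returned IPs."""
    hit = domain_hit(qname)
    if hit:
        return DnsEvent(qname, [], "block", "domain:" + hit)   # never resolved upstream
    hit = ip_hit(answers)
    if hit:
        return DnsEvent(qname, answers, "block", "ip:" + hit)  # resolved, but response withheld
    return DnsEvent(qname, answers, "allow", None)

def retro_search(events: List[DnsEvent], indicator: str) -> List[str]:
    """Retroactive hunt: names that were allowed earlier but match an indicator published later."""
    try:
        net = ipaddress.ip_network(indicator)
        match = lambda e: any(ipaddress.ip_address(a) in net for a in e.answers)
    except ValueError:   # not a CIDR/IP, treat as a domain indicator
        match = lambda e: in_domain(e.qname, indicator)
    return [e.qname for e in events if e.action == "allow" and match(e)]
```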

2.2.2 — Encrypted DNS and Authentication

NIST recommends encrypting DNS traffic wherever feasible using DNS over TLS (DoT), DNS over HTTPS (DoH), or DNS over QUIC (DoQ). The publication notes that the U.S. Government requires Federal Civilian Executive Branch agencies to use encrypted DNS "wherever technically supported."

How CleanINTERNET DNS conforms:

  • CleanINTERNET DNS supports DNS over HTTPS (DoH) with customer-specific URI templates, enabling encrypted DNS resolution for browser-based and application-level traffic
  • Standard DNS forwarding is available for environments where encrypted DNS is not yet feasible (e.g., legacy OT/IoT devices, internal DNS infrastructure)
  • Both transport methods receive the same intelligence-driven protection — encryption does not bypass filtering

Why this matters: NIST highlights that encrypted DNS is "a vital component in broader organizational strategies for securing internet communications." CleanINTERNET DNS delivers protective DNS capabilities over encrypted channels, satisfying both the security and privacy objectives of the guidance.

2.3.1 — Dedicated DNS Services

NIST recommends that "the infrastructure that hosts DNS services should be dedicated to that task and hardened to reduce the attack surface." The publication specifically states that DNS should run on purpose-built platforms with sufficient capacity for logging, encrypted DNS, and protective DNS functions.

How CleanINTERNET DNS conforms:

  • CleanINTERNET DNS is a fully managed, cloud-native service built exclusively for protective DNS — no shared infrastructure, no multi-purpose hosts
  • The service runs on dedicated infrastructure purpose-built for DNS security with hardened configurations
  • Capacity for logging, intelligence evaluation, and encrypted DNS is provisioned and maintained by Centripetal — your team does not manage DNS security infrastructure

2.3.2 — Resiliency and High Availability

NIST recommends geographic dispersion of DNS servers, with "at least two of the authoritative name servers for an organization located on different network segments."

How CleanINTERNET DNS conforms:

  • CleanINTERNET DNS operates across multiple geographically distributed service points (US East: 35.196.6.132, US Central: 35.184.180.171)
  • Customers configure both endpoints as primary and secondary resolvers, providing automatic failover if one region is unreachable
  • Cloud-native architecture enables horizontal scaling to handle query volume spikes without degradation

2.3.3 — Interoperability of the Protective DNS Ecosystem

NIST recommends ensuring that protective DNS integrates with the wider security ecosystem, including: defense-in-depth integration, SIEM/SOAR logging, API access to threat intelligence, and use of standardized protocols.

How CleanINTERNET DNS conforms:

| Interoperability Requirement | CIDNS Implementation |
|---|---|
| Defense-in-depth integration | Deploys as an additional layer alongside existing firewalls, IDS/IPS, and endpoint protection |
| SIEM/SOAR logging | All events streamed and logged |
| Threat intelligence access | Intelligence is curated and applied by Centripetal; customers receive full visibility into matched indicators via event logs |
| Standardized protocols | Standard DNS (UDP/TCP 53) and DoH — compatible with all major DNS infrastructure |

4.2.2 — Restricting the Use of DNS with Public Providers

NIST recommends blocking outbound DNS from the internal network to unauthorized resolvers and restricting stub resolvers to only use encrypted DNS on authorized services.

How CleanINTERNET DNS conforms:

  • CleanINTERNET DNS provides an authorized, security-enhanced resolver that replaces or supplements public DNS providers
  • Organizations configure their DNS infrastructure to forward to CleanINTERNET DNS endpoints, then block outbound DNS to all other resolvers using firewall rules
  • This ensures all DNS resolution passes through intelligence-driven filtering — no gaps from shadow DNS or browser-configured public resolvers

CleanINTERNET Enterprise integration: Customers who subscribe to CleanINTERNET Enterprise with a deployed RuleGATE can enforce outbound DNS restrictions directly at the network edge — blocking traffic to unauthorized public DNS servers in coordination with CleanINTERNET DNS. This provides hardware-enforced policy compliance without relying solely on endpoint or firewall configurations, ensuring that all DNS resolution is routed through the protected CleanINTERNET DNS infrastructure.

4.2.4 — Detecting and Mitigating Data Exfiltration via DNS

NIST recommends establishing controls to detect and block DNS tunneling and data exfiltration. The publication identifies key detection patterns: abnormal query volumes, unusual query patterns, high-entropy domain names, and queries for hostnames in known malicious domains.

How CleanINTERNET DNS conforms:

  • CleanINTERNET DNS intelligence includes domains associated with known DNS tunneling tools and data exfiltration infrastructure
  • Queries to command-and-control domains — including those used for DNS-based exfiltration — are blocked at the resolution layer
  • DNS event logs provide the query-level visibility needed to detect anomalous DNS behavior patterns, supporting both automated detection and manual investigation
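The detection patterns NIST lists above (abnormal query volume, high-entropy labels, unusual record-type mix), run over a few constructed DNS log lines as an added Python example. This is not CleanINTERNET DNS logic; the log format, thresholds and domains are assumptions for illustration.

```python
import math
from collections import Counter, defaultdict
from typing import Dict, List
# Constructed sample DNS log lines: "<epoch> <client_ip> <qname> <qtype>" (hypothetical format).
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.corp.example A
1700000001 10.0.0.5 mail.corp.example MX
1700000002 10.0.0.9 7a2f9c1e4b8d0a3f5e6c.tunnel.example TXT
1700000002 10.0.0.9 b91c0d7e2f4a6b8c1d3e.tunnel.example TXT
1700000003 10.0.0.9 4e5f6a7b8c9d0e1f2a3b.tunnel.example TXT
1700000003 10.0.0.9 c0ffee1234deadbeef99.tunnel.example TXT
1700000004 10.0.0.5 cdn.vendor.example AAAA
"""

def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of one DNS label; encoded payload labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse(log: str):
    for line in log.splitlines():
        ts, client, qname, qtype = line.split()
        yield int(ts), client, qname.lower().rstrip("."), qtype

def detect(log: str, max_queries_per_client: int = 3, min_entropy: float = 3.5,
           min_label_len: int = 16) -> Dict[str, List[str]]:
    """Return {client: [reasons]} for clients showing tunneling indicators:
    high query volume, long high-entropy leftmost labels, or a TXT-heavy query mix."""
    per_client = defaultdict(list)
    for _, client, qname, qtype in parse(log):
        per_client[client].append((qname, qtype))
    findings = {}
    for client, queries in per_client.items():
        reasons = []
        if len(queries) > max_queries_per_client:
            reasons.append(f"volume:{len(queries)}")
        for qname, qtype in queries:
            first = qname.split(".")[0]          # leftmost label carries encoded data in tunnels
            if len(first) >= min_label_len and label_entropy(first) >= min_entropy:
                reasons.append(f"entropy:{qname}")
                break
        txt = sum(1 for _, t in queries if t == "TXT")
        if txt and txt / len(queries) > 0.5:
            reasons.append(f"txt_ratio:{txt}/{len(queries)}")
        if reasons:
            findings[client] = reasons
    return findings
```

Thresholds here are deliberately low so the constructed sample trips them; in production they are tuned per client population and windowed over time.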

4.2.5 — DNSSEC Validation

NIST recommends enabling DNSSEC validation on recursive resolvers to protect the integrity of DNS response data and guard against cache poisoning and response forgery attacks.

How CleanINTERNET DNS conforms:

CleanINTERNET DNS performs full DNSSEC validation on all upstream DNS responses. The service's recursive resolvers are configured to ensure that forged or tampered responses from upstream authoritative servers are detected and rejected before any intelligence evaluation occurs. CleanINTERNET DNS logs also include a DNSSEC status field for each query, providing visibility into the validation state of every resolution.

Architectural note on client-side DNSSEC:

Any protective DNS service that modifies DNS responses — whether to block a malicious domain, substitute a sinkhole address, or remove a threat-associated IP — necessarily invalidates the original DNSSEC signature on that response. This is inherent to the design of DNSSEC: signatures attest to the original data, and any modification breaks that attestation.

CleanINTERNET DNS handles this transparently. When a response is modified for security enforcement, CleanINTERNET DNS clears the DNSSEC authentication bits so that downstream resolvers do not receive a response falsely marked as authenticated. Clients should be configured to trust CleanINTERNET DNS as their recursive resolver and not perform independent DNSSEC validation on responses received from CleanINTERNET DNS. This is the same trust model used by all protective DNS services that perform response modification, and is consistent with the hybrid deployment architecture described in Section 2.1 of the publication.

Critically, this does not weaken the security of the DNS resolution chain — CleanINTERNET DNS validates upstream, and the connection between client and CleanINTERNET DNS is secured by the organization's network architecture (and optionally by DoH encryption). The upstream integrity guarantee provided by DNSSEC is preserved; the client simply delegates that verification to CleanINTERNET DNS rather than performing it locally.
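The header-level detail behind the note above (the AD bit a validating resolver sets, and why it must be cleared once enforcement alters the answer), as an added Python example using only the 12-byte DNS header. This is not CleanINTERNET DNS code; the packets are constructed stand-ins and only the flags word is modelled.

```python
import struct

# DNS header flag bits (RFC 1035 / RFC 4035), second 16-bit word of the header.
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount

def header_flags(packet: bytes) -> int:
    return HEADER.unpack_from(packet, 0)[1]

def is_authenticated(packet: bytes) -> bool:
    """What a downstream stub sees: AD set means 'the resolver validated this data'."""
    return bool(header_flags(packet) & AD)

def enforce(packet: bytes, modified: bool) -> bytes:
    """Return the packet to hand to the client. If policy enforcement altered the
    answer section, the upstream signature no longer covers the data, so AD must
    be cleared; an unmodified, validated response keeps AD exactly as received."""
    ident, flags, *counts = HEADER.unpack_from(packet, 0)
    if modified:
        flags &= ~AD
    return HEADER.pack(ident, flags, *counts) + packet[HEADER.size:]

def upstream_response(ident: int, validated: bool, ancount: int = 1) -> bytes:
    """Constructed header standing in for a reply from the validating upstream stage."""
    flags = QR | RD | RA | (AD if validated else 0)
    return HEADER.pack(ident, flags, 1, ancount, 0, 0)
```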

Summary: NIST 800-81r3 Conformance Matrix

| NIST Section | Recommendation | CIDNS Status |
|---|---|---|
| 2.1 | Deploy protective DNS | Conforms — CleanINTERNET DNS is a purpose-built protective DNS service |
| 2.1.1 | Integrate threat intelligence into DNS | Conforms — 3,500+ feeds, near real-time sync, IP-level response validation |
| 2.1.2 | Apply security policies to name resolution | Conforms — Intelligence-driven blocking of malicious domains and IPs |
| 2.1.3 | Log DNS traffic for DFIR | Conforms — Full event logging to SIEM with structured data |
| 2.2.2 | Use encrypted DNS (DoH/DoT/DoQ) | Conforms — DoH supported; standard DNS available for compatibility |
| 2.3.1 | Run DNS on dedicated infrastructure | Conforms — Fully managed, purpose-built cloud service |
| 2.3.2 | Ensure DNS resiliency and HA | Conforms — Multi-region deployment with automatic failover |
| 2.3.3 | Ensure protective DNS interoperability | Conforms — SIEM integration, standard protocols, defense-in-depth |
| 4.2.2 | Restrict use of unauthorized DNS providers | Supports — Provides authorized resolver; pair with firewall rules to enforce |
| 4.2.4 | Detect and mitigate DNS data exfiltration | Conforms — Intelligence covers C2/tunneling domains; logs enable detection |
| 4.2.5 | Enable DNSSEC validation | Conforms — Upstream DNSSEC validation enabled; clients delegate validation to CleanINTERNET DNS |

Deployment

Adopting CleanINTERNET DNS to meet NIST 800-81r3 guidance requires no architectural changes to your existing network:

  1. Configure your DNS servers to forward queries to the CleanINTERNET DNS service endpoints
  2. Block outbound DNS to unauthorized resolvers (per Section 4.2.2)
  3. Review DNS logs — your security team gains immediate visibility into blocked threats and DNS activity

Typical deployment time: under one hour. No hardware installation, no agent deployment, no changes to endpoint configurations.

About This Document

This conformance mapping references NIST Special Publication 800-81 Revision 3: Secure Domain Name System (DNS) Deployment Guide, published March 2026. The full publication is available here.

NIST's identification of specific technologies or services in SP 800-81r3 does not imply recommendation or endorsement. This document represents Centripetal's assessment of how CleanINTERNET DNS capabilities align with the publication's guidance.