Use Protective DNS to Block Malicious Domains
A service that prevents access to harmful website addresses.
Plain language
A protective DNS service acts as a filter for internet connections by blocking access to known harmful websites. This matters because if you're not blocking these bad sites, you risk exposing your systems to viruses, data theft, or disruptions that can damage your business or organisation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for networking
Section
Network design and configuration
Official control statement
A protective DNS service is used to block access to known malicious domain names.
Why it matters
Without protective DNS filtering, users may resolve and connect to known malicious domains, increasing malware infection and credential theft risk.
Operational notes
Ensure the protective DNS service ingests current threat intel feeds and review allow/block exceptions regularly to prevent bypass and false positives.
Implementation tips
- IT team should set up a protective DNS service: Choose a DNS provider that offers security filtering, such as blocking malicious websites. The team needs to configure network settings so that all DNS queries for internet traffic go through this secure DNS service, ensuring lookups for harmful sites are intercepted.
- Managers should mandate DNS protection in IT policies: Update organisational policies to require all internet traffic to use the protective DNS service. Clearly communicate this policy to all staff and ensure everyone understands the importance of not bypassing it.
- System administrators should regularly update DNS filtering lists: Check for updates from the DNS provider and apply them to your network. This ensures that the DNS service is equipped with the latest information on new threats and blocked sites.
- Procurement should evaluate DNS service options: When acquiring a DNS service, assess each vendor's security features and support capabilities. Choose a provider that offers robust protection and regular threat intelligence updates.
- Training coordinators should educate staff on DNS protections: Organise informational sessions for employees explaining the purpose of the protective DNS and how it safeguards their work. Use examples of what could happen without these protections to reinforce the message.
Audit / evidence tips
- Ask: the DNS service agreement. Request to see the contract or agreement with the DNS provider.
  Good: includes documented terms of service clearly mentioning protection against malicious domains.
- Ask: the network configuration settings. Request a demonstration or a document showing how internet traffic is routed through the protective DNS.
  Good: is a configuration showing no bypasses and using only authorised DNS settings.
- Ask: the DNS filtering update logs. Request records or logs showing when and how the DNS filtering lists are updated.
  Good: includes a regular update schedule with evidence of the most recent updates.
- Ask: policy documents. Request documentation that mandates the use of the protective DNS in organisational policies.
  Good: includes clear directives and employee acknowledgement of these policies.
- Ask: training records. Request records of training sessions about DNS protection.
  Good: includes recent and relevant training sessions conducted for all employees with an understanding of DNS protections.
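One way to produce the "no bypasses and only authorised DNS settings" evidence described above, as an added example that is not part of the ISM or of this page's original content. The resolver addresses, the six-field firewall log layout, the sample data and the function names are all assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: the organisation's protective DNS resolver addresses
# (constructed values from the RFC 5737 documentation ranges).
AUTHORISED_RESOLVERS = {ipaddress.ip_address(a) for a in ("192.0.2.53", "192.0.2.54")}
DNS_PORTS = {53: "DNS", 853: "DNS-over-TLS"}

# Constructed egress firewall records: time src dst dport proto action
SAMPLE_LOG = """\
2026-03-19T01:00:02Z 10.0.0.15 192.0.2.53 53 udp allow
2026-03-19T01:00:07Z 10.0.0.22 198.51.100.8 53 udp allow
2026-03-19T01:00:09Z 10.0.0.22 198.51.100.8 53 udp allow
2026-03-19T01:00:11Z 10.0.0.31 203.0.113.9 853 tcp deny
2026-03-19T01:00:15Z 10.0.0.15 203.0.113.80 443 tcp allow
malformed line
"""

# Constructed client resolv.conf content
SAMPLE_RESOLV_CONF = """\
nameserver 192.0.2.53
nameserver 198.51.100.8
"""

def find_dns_bypass(log_text):
    """Count DNS flows to unauthorised resolvers by (src, dst, protocol, action)."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip blank or malformed records
        _, src, dst, dport, _, action = fields
        try:
            port, dst_ip = int(dport), ipaddress.ip_address(dst)
        except ValueError:
            continue  # skip records with an unparseable port or address
        if port in DNS_PORTS and dst_ip not in AUTHORISED_RESOLVERS:
            hits[(src, dst, DNS_PORTS[port], action)] += 1
    return hits

def unauthorised_nameservers(resolv_conf_text):
    """Return nameserver entries that are not protective DNS resolvers."""
    servers = [p[1] for p in map(str.split, resolv_conf_text.splitlines())
               if len(p) >= 2 and p[0] == "nameserver"]
    return [s for s in servers if ipaddress.ip_address(s) not in AUTHORISED_RESOLVERS]

if __name__ == "__main__":
    print(dict(find_dns_bypass(SAMPLE_LOG)))
    print(unauthorised_nameservers(SAMPLE_RESOLV_CONF))
```

An `allow` hit means a client reached an outside resolver directly, while a `deny` hit shows the egress rule working but a client still misconfigured. Port matching does not see DNS-over-HTTPS, which shares port 443 with ordinary web traffic.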
Cross-framework mappings
How ISM-1782 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.20 | Partially meets | ISM-1782 requires implementing protective DNS to block resolution of known malicious domains, reducing exposure to malicious infrastructure |
| Annex A 8.7 | Supports | ISM-1782 requires using protective DNS to block access to known malicious domains, helping prevent users and systems from reaching malwar... |
| Annex A 8.23 | Related | Annex A 8.23 requires external website access to be managed to reduce exposure to malicious content |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.