ISM-2017 | ASD Information Security Manual (ISM)

Ensure DNS Traffic is Encrypted When Supported

DNS data is encrypted whenever possible for added security.


Plain language

When you browse the internet, your computer needs to find the address of the site you are visiting. This is done through a system called DNS, which stands for Domain Name System. If DNS traffic is not encrypted, hackers could potentially see where you are going online and redirect you to fake sites, which means your data and privacy could be at risk.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2025

Control Stack last updated

19 May 2026

E8 maturity levels

N/A

Official control statement

DNS traffic is encrypted by clients and servers wherever supported.
ASD Information Security Manual (ISM), ISM-2017

Why it matters

Without encrypted DNS traffic, attackers can intercept queries, exposing sensitive data and redirecting users to malicious sites, impacting trust and privacy.


Operational notes

Regularly verify DNS encryption support and keep DNS over HTTPS/TLS configured and updated across clients and resolvers in line with current best practice.


Implementation tips

  • System administrators should choose a secure DNS provider: Select a DNS service that supports encryption and is known for its strong privacy practices. You can find recommendations from reliable sources like the Australian Cyber Security Centre (ACSC).
  • Managers should educate staff about the risks of unencrypted DNS: Organise a short meeting or email to explain why encrypting DNS is important and how it protects the business. Use simple examples, such as how encrypted DNS prevents visiting fake or harmful websites.
  • IT support should perform regular checks on DNS settings: Use network monitoring tools to verify that DNS encryption is consistently applied across the entire network. This can be done by checking that known encrypted DNS servers are being used and configured correctly.

Audit / evidence tips

  • Ask: The DNS configuration policy: Request the organisation’s policy document that outlines DNS encryption requirements. Good: Includes specific mentions of DNS-over-HTTPS or DNS-over-TLS.
  • Ask: Evidence of DNS provider choice: Obtain documentation showing the chosen DNS provider and its encryption capabilities. Good: Includes confirmation of encryption support.
  • Ask: Network audit logs or reports: Request logs that show attempts to connect to DNS servers over encrypted and unencrypted connections. Good: Shows a high percentage of traffic using encryption.
  • Ask: To see staff training records on DNS security: Request training materials or attendance logs related to DNS and encryption. Good: Includes recent training sessions or communications.
  • Ask: Documentation of vendor requirements for DNS encryption: Request documents outlining requirements for IT vendors to provide DNS encryption capabilities. Good: Ensures all IT providers are tasked with offering encrypted DNS solutions.
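
One way to produce the evidence behind the IT support check on DNS settings and the network audit log item above, as an added example that is not part of the ISM or of this page's own material: it labels flow records by DNS transport and reports the share that is encrypted, plus the clients still sending plaintext queries. The flow format, the addresses and the APPROVED_DOH list are constructed assumptions.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample flow export (src, dst, proto, dport); addresses use
# RFC 5737 documentation ranges and are not real resolvers.
SAMPLE_FLOWS = """\
10.0.0.11,192.0.2.53,tcp,853
10.0.0.12,192.0.2.53,tcp,443
10.0.0.13,198.51.100.7,udp,53
10.0.0.13,198.51.100.7,udp,53
10.0.0.14,192.0.2.53,udp,853
10.0.0.15,203.0.113.9,tcp,443
10.0.0.16,192.0.2.53,tcp,53
"""

# Assumption: the organisation's approved DoH resolver addresses.
APPROVED_DOH = {"192.0.2.53"}


def classify(dst, proto, dport, doh_resolvers):
    """Label one flow as a DNS transport, or None if it is not DNS."""
    if dport == 53:
        return "plaintext"
    if dport == 853:
        return "DoT" if proto == "tcp" else "DoQ"  # RFC 7858 / RFC 9250
    if dport == 443 and dst in doh_resolvers:
        return "DoH"  # port 443 only counts when the peer is a known resolver
    return None


def summarise(flow_csv, doh_resolvers=APPROVED_DOH):
    """Return (counts per transport, % encrypted, plaintext flows per client)."""
    counts, offenders = Counter(), Counter()
    for src, dst, proto, dport in csv.reader(StringIO(flow_csv)):
        label = classify(dst, proto.lower(), int(dport), doh_resolvers)
        if label is None:
            continue  # ordinary HTTPS or other non-DNS traffic
        counts[label] += 1
        if label == "plaintext":
            offenders[src] += 1
    total = sum(counts.values())
    pct = round(100 * (total - counts["plaintext"]) / total, 1) if total else 0.0
    return dict(counts), pct, dict(offenders)


if __name__ == "__main__":
    counts, pct, offenders = summarise(SAMPLE_FLOWS)
    print(counts, f"{pct}% encrypted", offenders)
```

DoH to a resolver that is not on the approved list looks like ordinary HTTPS at the flow level, so the list has to be kept current for the percentage to mean anything.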

Cross-framework mappings

How ISM-2017 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (2)
Annex A 8.20 ISM-2017 requires DNS traffic to be encrypted between clients and servers wherever supported to protect DNS queries and responses from in...
Annex A 8.24 ISM-2017 requires organisations to encrypt DNS traffic where supported, typically via cryptographic protections at the transport or appli...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
