Anthropic-Cybersecurity-Skills/skills/implementing-zero-trust-dns-with-nextdns/references/standards.md

Standards Reference: Zero Trust DNS with NextDNS

DNS Security Standards

RFC 8484: DNS Queries over HTTPS (DoH)

• Encrypts DNS queries over HTTPS on port 443
• Prevents DNS eavesdropping and manipulation
• Browser and OS-level support

RFC 7858: DNS over Transport Layer Security (DoT)

• Encrypts DNS queries over TLS on port 853
• Dedicated port enables network-level policy control
• Supported by Android 9+, systemd-resolved, Unbound

RFC 9250: DNS over Dedicated QUIC Connections (DoQ)

• Lower latency than DoH/DoT
• Multiplexed queries without head-of-line blocking
• Supported by NextDNS and Adguard

NIST SP 800-81-2: Secure Domain Name System Deployment Guide

• DNS infrastructure security requirements
• DNSSEC validation recommendations
• DNS monitoring and logging guidance

Zero Trust DNS Standards

Microsoft ZTDNS (Windows 11)

• Enforces that endpoints only use approved DNS resolvers
• Windows Firewall blocks traffic to domains not resolved through protected DNS
• Integration with Windows Defender for endpoint protection

CISA ZTMM - Network Pillar

• DNS encryption requirement for zero trust compliance
• DNS monitoring for visibility and analytics
• DNS filtering as network security control

Compliance Mapping

NIST SP 800-53

• SC-20: Secure Name/Address Resolution Service (Authoritative Source)
• SC-21: Secure Name/Address Resolution Service (Recursive or Caching Resolver)
• SC-22: Architecture and Provisioning for Name/Address Resolution Service
• SI-4: Information System Monitoring (DNS logging)

CIS Controls v8

• Control 9.2: Use DNS Filtering Services
• Control 9.3: Maintain and Enforce Network-Based URL Filters
• Control 13.3: Deploy Network Intrusion Detection (DNS monitoring)