Protective Domain Name System (DNS) Resolver
Description
CISA launched the Protective Domain Name System (DNS) Resolver service in 2022 as a successor to E3A, which helped to address a congressional mandate that all federal civilian executive branch (FCEB) agencies utilize a CISA-managed intrusion detection and prevention system. Protective DNS is part of CISA’s mission — and the national effort — to manage and reduce risk to cybersecurity and to provide greater awareness of the threat landscape.
The service safeguards federal agencies by preventing network traffic from reaching potentially malicious destinations, helping to build resilience against intrusions and compromises.
CISA's Protective DNS service is implemented upstream from agency networks and does not interfere with internal DNS architecture (for example, internal caching resolvers).
Traffic from mobile, roaming, and cloud assets flows directly into Protective DNS. DNS queries pass through the Protective DNS Resolvers for active filtering. If Protective DNS matches a DNS request against a threat intelligence indicator, the service blocks, redirects, or sinkholes the query response and sends an alert to the originating agency and to CISA.
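The match-and-respond flow described above, as an added Python example that is not CISA's own code: the indicator feed, the redirect and sinkhole addresses, and the alert field names are constructed placeholders, and matching walks parent domains so a subdomain of a listed indicator is also caught.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed threat-intel feed: indicator domain -> action the resolver applies.
# Actions mirror the page: block, redirect (warning page), sinkhole (controlled address).
INDICATORS = {
    "bad.example": "block",
    "phish.example": "redirect",
    "c2.example": "sinkhole",
}
REDIRECT_ADDR = "192.0.2.10"  # placeholder warning-page address (TEST-NET-1)
SINKHOLE_ADDR = "192.0.2.20"  # placeholder sinkhole address (TEST-NET-1)

@dataclass
class Decision:
    qname: str
    action: str             # "allow", "block", "redirect" or "sinkhole"
    matched: Optional[str]  # indicator that matched, if any
    answer: Optional[str]   # address returned to the client, if any

def normalize(qname: str) -> str:
    # DNS names are case-insensitive; drop the trailing root dot.
    return qname.rstrip(".").lower()

def match_indicator(qname: str) -> Optional[str]:
    # Walk label by label up to each parent so sub.c2.example matches c2.example
    # but notbad.example does not match bad.example (no substring matching).
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in INDICATORS:
            return candidate
    return None

def resolve_policy(qname: str) -> Decision:
    hit = match_indicator(qname)
    if hit is None:
        return Decision(normalize(qname), "allow", None, None)
    action = INDICATORS[hit]
    answer = {"block": None, "redirect": REDIRECT_ADDR, "sinkhole": SINKHOLE_ADDR}[action]
    return Decision(normalize(qname), action, hit, answer)

def alert_record(agency: str, decision: Decision) -> dict:
    # Alert sent to the origin agency and to CISA; field names are assumed.
    return {"agency": agency, "qname": decision.qname,
            "indicator": decision.matched, "action": decision.action}

if __name__ == "__main__":
    for q in ("www.good.example.", "Sub.C2.Example.", "phish.example", "notbad.example"):
        print(resolve_policy(q))
```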
In addition to mandated implementation for FCEB agencies, the Protective DNS Resolver service is open to critical infrastructure (CI) entities on a limited basis through the CI Pilot program. CISA offers the service at no cost to participating FCEB agencies and pilot program organizations.
Contact
For more information about CISA’s Protective DNS Resolver service, agencies may contact cybersharedservices@cisa.dhs.gov.