Whalebone Immunity is a Protective DNS (PDNS) solution tailored for government institutions and other critical infrastructure – to mitigate cyber threats, enhance resilience, and help address regulatory mandates. This document explores how Whalebone safeguards critical sectors, strengthens overall security operations, and supports compliance efforts with multiple global regulatory frameworks.
Table of Contents
INTRODUCTION
EXPERT RECOMMENDATIONS
- Cyber Security Agency of Singapore (CSA): Domain Name System Security Extensions (DNSSEC)
- CISA Emergency Directive 19-01: “Mitigate DNS Infrastructure Tampering”
- Gartner Research: Quick Answer: How Can Organizations Use DNS to Improve Their Security Posture?
- GigaOm analyst Paul Stringfellow, in DNS Security: The Forgotten Hero of Your Cybersecurity Strategy
- UK National Cyber Security Centre: Protective DNS for the Private Sector
- UK National Cyber Security Centre: Protective Domain Name Service (PDNS)
- Former US Deputy National Security Advisor and NSA Director Anne Neuberger
COMPLIANCE CONSIDERATIONS
- Australian Signals Directorate (ASD), Gateway Security Guidance Package: Gateway Technology Guides
- CISA, Selecting a Protective DNS Service
- CIS: The Center for Internet Security DNS BIND Benchmark, v.1
- Health Law Advisor: Harden Your Organization’s Domain Name System (DNS) Security to Protect Against Damaging Data Loss and Insider Threat
- NIS2 Directive (EU) 2022/2555 of the European Parliament and of the Council
- United States Executive Office of the President: Memorandum for the Heads of Executive Departments and Agencies: Moving the U.S. Government Toward Zero Trust Cybersecurity Principles
FOR COMMUNICATIONS SERVICE PROVIDERS (CSPs)
- New Countries and EU Regulations
- Compliance in One Click
HOW WHALEBONE’S DNS SECURITY AIDS TOWARD REGULATORY COMPLIANCE EFFORTS
INTRODUCTION
Whalebone Immunity operates as a protective DNS (PDNS) solution of the kind recommended – and in some cases mandated – by governmental cybersecurity agencies such as the USA's CISA, the UK’s NCSC, the EU's ENISA, and Australia's ASD. DNS security not only mitigates risk but also helps organizations align with regulations and benchmarks that require them to protect their infrastructure, data, and users from cyber threats.
Regulatory frameworks such as the European Union’s NIS2 mandate high availability and resilience for critical cybersecurity infrastructure. Whalebone integrates seamlessly with existing infrastructure to reduce the risk of cyber threats and ensure high availability that aligns with global governments’ cybersecurity standards. Its approach to secure DNS ensures that organizations can meet mandatory security measures designed to protect their networks and users, supporting regulatory compliance, resilience, and both internet and security autonomy.
Whalebone Immunity is essential for critical infrastructure sectors – such as energy, healthcare, telecommunications, and transportation – because it delivers robust DNS security that addresses their unique vulnerabilities and regulatory needs. By blocking access to malicious domains and command and control (C2) servers, Whalebone Immunity prevents malware, ransomware, and other cyber threats from disrupting essential operations and accessing sensitive systems, such as supervisory control and data acquisition (SCADA) and industrial control systems. This DNS-layer protection ensures that critical infrastructure remains resilient and operational, even amid sophisticated cyberattacks – vital for sectors that require uninterrupted service.
The solution also aids in regulatory compliance by aligning with standards like the NIS2 Directive, GDPR, HIPAA, and others. Whalebone Immunity’s high availability and ease of integration further support these sectors' compliance needs, enabling reliable and seamless protection without disrupting current systems or operations.
By offering advanced threat intelligence and rapid incident response capabilities, Whalebone Immunity strengthens the overall cybersecurity posture of critical infrastructure, allowing organizations to secure their networks while embracing digital innovations like IoT and remote monitoring. In summary, Whalebone Immunity supports the operational continuity, stability, and safety of society’s most essential services.
Integrating PDNS as part of a zero-trust DNS (ZTDNS) strategy supports compliance with data protection and both national and vertical-specific cybersecurity regulations around the world. By enforcing encrypted DNS requests, identity-based access controls, and continuous monitoring, a PDNS solution like Whalebone Immunity restricts unauthorized data access and prevents the exfiltration of sensitive information. These controls help organizations demonstrate accountability and data protection by design, aligning with regulatory requirements for data confidentiality, breach mitigation, and robust access management in DNS services.
To fully understand the role of Whalebone Immunity in strengthening critical infrastructure and meeting regulatory demands, it’s essential to examine the guidance offered by industry experts and the compliance frameworks shaping cybersecurity today. Below, we present key recommendations from professionals and an analysis of compliance considerations that highlight how PDNS solutions, like Whalebone, align with best practices and mandatory standards.
EXPERT RECOMMENDATIONS
Industry experts emphasize the importance of adopting robust and easily integrated cybersecurity solutions to address evolving threats. Their recommendations highlight the growing reliance on DNS security as a critical component of protecting infrastructure and data. Below, we explore several key insights from cybersecurity professionals on the value of PDNS solutions like Whalebone in safeguarding critical operations and enhancing cybersecurity postures.
Cyber Security Agency of Singapore (CSA): Domain Name System Security Extensions (DNSSEC)
- "DNSSEC protects against 'man-in-the-middle' DNS spoofing attacks and 'cache poisoning' by ensuring DNS information is validated cryptographically before the DNS server redirects the end-user to the website."
- "DNSSEC addresses security risks in the DNS protocol by adding authentication for responses received from DNS servers, preventing DNS spoofing, cache poisoning, and hijacking."
CISA Emergency Directive 19-01: “Mitigate DNS Infrastructure Tampering”
- "Select and use a PDNS system as part of a layered defense-in-depth strategy[...] enterprise PDNS services that provide malicious activity alerts, enterprise dashboard views, historical logging and analysis, and other enterprise-focused features are recommended for enterprise networks. Additionally, due to DNS being foundational to most online activity, ensure that PDNS is provided as a high availability service."
Gartner Research: Quick Answer: How Can Organizations Use DNS to Improve Their Security Posture?
- "Organizations should implement DNS security to protect users, devices and other critical infrastructure."
GigaOm analyst Paul Stringfellow, in DNS Security: The Forgotten Hero of Your Cybersecurity Strategy
- "[A]lmost all cyberattacks will start by interacting with DNS. Whether it’s a simple phishing email or the beginnings of a complex malicious code deployment or data theft, the bad actor is very likely to make a DNS call, be that to a malicious website or some kind of command and control service."
- "DNS security tools add value by identifying risks and potential threats at these very early stages, which we can proactively isolate and mitigate, improving security and lowering the risk of an attack on our organization."
- "DNS security solutions are easy to deploy, with a low-risk integration into your current environment and little if any impact on users."
- "Even with basic levels of protection, DNS security solutions can deliver a lot of value to an organization. For example, simply adding the protection service to the DNS resolution path means malicious domains can be quickly blocked, with new domains identified and blocked constantly. Additional filters can also be put in place to block malicious domains by content type, or by category, ensuring users are accessing only sites that are safe, secure, and appropriate. Even for our mobile users, many vendors will provide off-network protection, allowing organizations to protect DNS security regardless of where a user resides or works."
- "If you want a low-risk, high-value cybersecurity investment that will improve your security posture, then I would recommend you look into the DNS security space and understand how it can improve security, reliability, and performance. Put this often forgotten security hero to work for your organization!"
UK National Cyber Security Centre: Protective DNS for the Private Sector
- "Protective DNS (PDNS) systems prevent malicious domains being visited by devices in your network[...] Preventing access to these domains should protect your organisation against malicious actors, making it harder for them to compromise your networks, and harder to exploit any compromises."
UK National Cyber Security Centre: Protective Domain Name Service (PDNS)
- "PDNS prevents access to domains known to be malicious, by simply not resolving them. Preventing access to malware, ransomware, phishing attacks, viruses, malicious sites and spyware at source makes the network more secure."
- "PDNS block data can be ingested into Security Information and Event Management (SIEM) tools as a source of threat intelligence to help identify and remediate threats. By consuming the data into a SIEM, organisations can consolidate various security logs into a single view, providing further context for blocks by PDNS."
Former US Deputy National Security Advisor and NSA Director Anne Neuberger
- “Our analysis highlighted that using secure DNS would reduce the ability for 92% of malware attacks both from command and control perspective, deploying malware on a given network.”
COMPLIANCE CONSIDERATIONS
Regulatory frameworks around the globe increasingly prioritize DNS security as a fundamental aspect of protecting sensitive data and maintaining service resilience. By examining these frameworks, it becomes evident how PDNS solutions, such as Whalebone, help critical industries align with regulatory requirements to ensure operational continuity, security, and compliance. Below, we look at some compliance considerations published by a sample of cybersecurity authorities.
Australian Signals Directorate (ASD), Gateway Security Guidance Package: Gateway Technology Guides
- "In a gateway context, a DNS can be an effective and scalable mitigation capability against a variety of cyber risks, such as by using DNS filtering to stop undesirable content, or using a Protective DNS (PDNS) service to block malicious domains."
CISA, Selecting a Protective DNS Service
- "Due to DNS being foundational to most online activity, ensure that PDNS is provided as a high availability service."
- "Due to the centrality of DNS for cybersecurity, the Department of Defense (DoD) included DNS filtering as a requirement in its Cybersecurity Maturity Model Certification (CMMC) standard (SC.3.192). The Cybersecurity and Infrastructure Security Agency issued a memo and directive requiring U.S. government organizations to take steps to mitigate related DNS issues. Additionally, the National Security Agency has published guidance documents on defending DNS."
CIS: The Center for Internet Security DNS BIND Benchmark, v.1
- "Awareness of protecting DNS servers and services seems to be particularly lagging behind, which is astounding given that DNS serves as the foundation on which these other Internet services depend."
- "So often, the security of DNS services is entirely overlooked or its importance is significantly underestimated."
- "Consider how easily an attacker or phisher could reroute your organization’s web, e-mail or even VPN traffic to a system of their choice through carefully constructed attacks on DNS services without ever having to compromise the service being spoofed. The approach of using a DNS cache poisoning attack to redirect web users to a fake web site is known as pharming. Given the importance of DNS to most Internet traffic, it is frustrating that many administrators, managers and even service providers do not recognize the importance of securing their DNS environment."
- "The security of an external, Internet-facing DNS service depends on the Domain Name registration process to direct DNS requests to your DNS servers. If an attacker can take over control of your name registration, then there is no need for them to compromise, spoof or otherwise subvert your DNS services, when they can have all of the DNS requests redirected to the DNS servers of their choice. There are of course many authorized name registration providers available now, and the security of your name registration depends on their process for authenticating registration change requests."
- "Since your organization’s DNS security is critical to the network services your organization depends on, it needs a dedicated security hardened system with minimal services running."
- "Verify your DNS architecture forwards queries only to trustworthy DNS servers and verify the security of those servers against appropriate security standards such as the CIS BIND Benchmark."
- "DNS servers have been prime targets in the past for DoS attacks, although the effect is not as immediate as DoS attacks against a Web server, DNS servers are often easier to attack. Also the DoS attack can have a wider effect by denying effective usage of a wide range of services that depend on DNS. Attacks cover the normal spectrum of everything from crashing the server, exhausting resources on the server, to flooding the network with bogus traffic."
- "Filtering controls on the firewalls and routers in front of the DNS servers can eliminate many forms of unwanted traffic."
- "For DNS servers answering Internet queries, deploy redundant servers on different networks. Even smaller companies can afford redundant DNS servers by using inexpensive ISP hosted DNS services."
- "You should prohibit your clients and most servers from sending outbound DNS queries directly to the Internet, and force all the Internet DNS queries to come from your caching DNS server(s) instead."
- "Historically DNS continues to be a problematic service with regard to security in that it is unauthenticated and fairly easily spoofed. By its globally distributed nature it is a protocol that cannot change rapidly with changes requiring extensive coordination."
Health Law Advisor: Harden Your Organization’s Domain Name System (DNS) Security to Protect Against Damaging Data Loss and Insider Threat
- "The importance of the Domain Name System (DNS) to your organization’s cybersecurity cannot be understated."
- "The recent attacks reported by the Department of Homeland Security reinforce the need to protect DNS functionality as a fundamental component of your organization’s overall cybersecurity and compliance strategy."
- "Although there is no specific mention of DNS in HIPAA, the Gramm Leach Bliley Act, the GDPR or State cybersecurity laws or regulations, including California, Massachusetts or New York, an organization cannot comply with those regulatory frameworks requiring reasonable network security safeguards without considering threats to DNS."
NIS2 Directive (EU) 2022/2555 of the European Parliament and of the Council
- Recital 32: "Upholding and preserving a reliable, resilient and secure domain name system (DNS) are key factors in maintaining the integrity of the internet and are essential for its continuous and stable operation, on which the digital economy and society depend."
- Recital 100: "In order to safeguard the functionality and integrity of the internet and to promote the security and resilience of the DNS, relevant stakeholders including Union private-sector entities, providers of publicly available electronic communications services, in particular internet access service providers, and providers of online search engines should be encouraged to adopt a DNS resolution diversification strategy. Furthermore, Member States should encourage the development and use of a public and secure European DNS resolver service."
Additional key sections of the NIS2 Directive that collectively highlight the importance of DNSSEC in ensuring the security and integrity of DNS information under NIS2:
- Article 23: Discusses incident reporting requirements, which reinforce the need for secure DNS operations to maintain trustworthiness in DNS services.
- Article 28: This article mandates cybersecurity measures for critical entities, including DNS service providers, emphasizing the need for accurate domain name registration data to combat DNS abuse.
United States Executive Office of the President: Memorandum for the Heads of Executive Departments and Agencies: Moving the U.S. Government Toward Zero Trust Cybersecurity Principles
- “Agencies must resolve DNS queries using encrypted DNS wherever it is technically supported.”
- “Agencies should adjust their DNS architecture and associated monitoring to move closer to a zero trust architecture.”
- “Among their first priorities, agencies are expected to implement integrity measures limiting access to and allowing cryptographic verification of logs, as well as logging DNS requests made throughout their environment.”
FOR COMMUNICATIONS SERVICE PROVIDERS (CSPs)
Governments worldwide regularly – and with increasing frequency – publish lists of domains to be blocked for various reasons. It can be a major challenge for organizations to keep up with these changing requirements.
Since August 2024, more than 300 Internet Service Provider (ISP) customers of Whalebone have received detailed information about:
- The authority responsible for the regulation
- Content type in the list (e.g., gambling, CSAM)
- The law or court order the regulation is based on
- Last update (download) of the list in our database
- List of domains included in the regulation (up to 1,000) with a link to the full list if publicly available
Our approach not only simplifies monitoring compliance but also ensures that you are always operating in line with the latest requirements, without needing to manually track changes.
New Countries and EU Regulations
Currently, our compliance tools cover several countries that have implemented content regulations, with more nations being added over time. Whalebone also takes into account European Union regulations related to domains that are subject to sanctions.
For internet operators, this means full readiness for new regulations, without the need to manually track legal updates across Europe.
Compliance in One Click
Whalebone stands out for its ease of configuration and makes regulatory compliance as simple as one click in the policy settings. The feature is not enabled by default – you decide when to activate it.
With the current volume of online content and quickly changing regulations, Whalebone rises to the challenge of being a key partner for communication service providers (CSPs). Whalebone not only offers protection against cyber threats but also provides effective tools for keeping up with legal requirements. This helps to ensure that your network remains both secure and compliant with regulations – with minimal effort.
HOW WHALEBONE’S DNS SECURITY AIDS TOWARD REGULATORY COMPLIANCE EFFORTS
- Alignment with Key Cybersecurity Frameworks – Regulations such as the EU's NIS2 Directive, GDPR, HIPAA, and other national cybersecurity standards mandate robust protection of data and infrastructure, which Whalebone provides through secure DNS practices.
- High Availability and Resilience – Regulations such as the EU’s NIS2 Directive require critical infrastructure to maintain continuous service and withstand cyber disruptions. Whalebone supports these requirements by offering deployment methods tailored for high availability, helping to ensure uninterrupted operation of customers’ systems even during cyber incidents.
- Data Protection by Design – Whalebone helps organizations demonstrate accountability and encrypted data protection by design. This aligns with regulations and standards such as GDPR and ISO 27001, which emphasize confidentiality, access management, and breach prevention.
- Alignment with ISO Standards – Whalebone’s architecture and practices support key ISO certifications including 9001 (quality management), 27001 and 27018 (information security and data privacy), 22301 (business continuity), and 14001 (environmental management). This alignment helps organizations meet compliance goals across operational quality, data protection, resilience, and sustainability.
- Access Control and Monitoring – Whalebone uses identity-based access controls and continuous monitoring to prevent unauthorized access and exfiltration of sensitive data. These features are essential for demonstrating compliance with global data protection laws.
- Seamless Integration with Existing Systems – The ease of integration with current infrastructure minimizes operational disruption while meeting compliance needs. This reduces the complexity of adopting new security measures required by regulatory standards.
- Threat Intelligence and Incident Response – Whalebone’s Threat Intelligence Exchange Network enhances an organization's incident response capabilities, aligning with compliance requirements for rapid detection and mitigation of threats, as mandated by various cybersecurity standards.
What to Do Next
To explore how Whalebone Immunity has helped customers running critical infrastructure across multiple verticals, see our case studies: https://www.whalebone.io/resources-immunity/tag/case-study
By proactively addressing these critical aspects, Whalebone supports organizations in achieving and maintaining compliance with global cybersecurity regulations, while also ensuring the resilience and security of their networks.
If you become aware of any new regulations in your country, please feel free to contact us at support@whalebone.io. We are happy to liaise with the relevant authorities to include relevant domain lists for compliance.
Ready to enhance your organization’s compliance and security posture? Contact us today to learn how Whalebone Immunity can support your specific regulatory needs. Or, to schedule a demo or request a free trial, visit https://www.whalebone.io/immunity
Our proven track record among global telcos, recognition from the European Commission in leading its DNS4EU program, and high rankings from Deloitte and the Financial Times, all reflect our deep expertise in cybersecurity. We are proud to be at the forefront of protecting the digital ecosystem, and we invite you to join us in building a safer, more secure internet.