CISA Launches its Protective DNS Resolver with General Availability for Federal Agencies


Eric Goldstein, Executive Assistant Director for Cybersecurity

Every day, our federal government faces malicious cyber activity that could result in impacts to essential services or unauthorized access to sensitive data. At CISA, we work hand-in-hand with federal agencies and the private sector to ensure that the best possible capabilities are in place to reduce the likelihood of damaging incidents. A key aspect of this approach is our provision of shared services that allow CISA to offer agencies best-in-class, affordable, and scalable capabilities that address significant threats while providing CISA with visibility into cybersecurity threats facing the federal civilian executive branch (FCEB).

Today, we are excited to announce that Protective Domain Name System (DNS), our latest shared service offering, is available to all federal civilian agencies. This service is made available through the work of CISA’s Cybersecurity Shared Services Office and, in particular, Christopher Villas, our Protective DNS Service Product Manager, and Branko Bokan, the Lead Technical Advisor. After successful testing with a limited number of agencies, we are now actively onboarding agencies into this service with modernized capabilities to detect and prevent threats in internet traffic and raise our collective cyber defense.

DNS resolves human-readable host names to Internet Protocol (IP) addresses. DNS infrastructure is a common threat vector for attack campaigns. Protective DNS shields federal users and organizations from reaching known or suspected malicious destinations with a cutting-edge capability that safeguards network connections. It also empowers FCEB agencies with better visibility into their own internet traffic, providing real-time logs, reports and other insights into an ever-evolving cyber threat landscape.

But technology alone would not be enough to make a service like Protective DNS truly worthwhile. Domain and Internet Protocol security hinges on good feedback from those who depend on it. Our team determined specific system requirements through months of beta testing with partner agencies and from the input of DNS subject matter experts. The perspective from these early adopters has helped CISA create a service that will meet the needs of the FCEB community in the present day and beyond.

Protective DNS safeguards the federal enterprise through the following features:

  • Expanded Coverage. Traditional on-premises networks, cloud-based assets, as well as roaming and mobile devices are protected, regardless of their location.
  • Enhanced Threat Intelligence. Commercial threat intelligence feeds provide more comprehensive threat detection and prevention.
  • Real-Time Alerts. The service’s application programming interface increases early response capabilities by way of rapid threat notifications.
  • Increased Visibility and Accessibility. Agencies benefit from access to threat trends and full DNS traffic logs, shining a light on common threats.
  • Zero-Trust Alignment. The latest and greatest cybersecurity principles ensure full protection, no matter how and where agency devices connect. 

Protective DNS is now available to all agencies. For more information about this and other shared services, FCEB agencies may contact CISA’s Cybersecurity Shared Services Office at While CISA’s legal authorities currently limit provision of Protective DNS to FCEB agencies, all other organizations should visit our Cyber Resource Hub for additional available services.