The Policy Editor gives organizations granular, auditable control over DNS traffic and a mechanism to rapidly apply or exempt indicators from commercial threat feeds while preserving CISA’s baseline protections—improving threat mitigation for roaming endpoints. This workflow balances centralized government protections with enterprise flexibility and oversight, reducing risky resolution traffic with traceable approvals.
Protective DNS’s Policy Editor lets organizations create, manage and customize DNS filtering rules that sit at an upstream resolver for roaming and mobile devices. Policies exist at two levels—global (CISA-managed) and organizational—and can be static (rule-based) or dynamic (threat-feed driven), with CISA proprietary rules enforced globally and feed-based rules allowing organization-specific exceptions. The video walks through creating a policy (naming, source sets, actions like allow/block/log/override, expressions or CSV upload), running an impact analysis against historical logs, and the two-manager approval workflow required to activate or disable policies. Automated notifications and detailed status/approval history help inform approvers before a policy is approved and takes immediate effect.
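The impact-analysis and approval steps described above can be sketched as follows. This is an added example, not code from the Protective DNS service: the log format, suffix matching, domain names, manager names, function names and decision labels are all assumptions made for illustration.

```python
from collections import Counter

# Constructed sample of historical resolver logs: (client, queried name).
LOGS = [
    ("laptop-01", "login.example.com"),
    ("laptop-01", "cdn.bad-feed.example"),
    ("phone-07", "tracker.bad-feed.example"),
    ("phone-07", "c2.cisa-blocked.example"),
    ("laptop-02", "www.example.org"),
]

GLOBAL_BLOCK = {"cisa-blocked.example"}    # stands in for a CISA-managed global rule
FEED_BLOCK = {"bad-feed.example"}          # stands in for a threat-feed (dynamic) rule
ORG_EXCEPTIONS = {"cdn.bad-feed.example"}  # organization-level exception to the feed

def matches(name, suffixes):
    """True if name equals a listed domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)

def decide(name, exceptions=ORG_EXCEPTIONS):
    # Global rules are checked first, so an organizational exception
    # can only ever relax a feed-based rule.
    if matches(name, GLOBAL_BLOCK):
        return "block-global"
    if matches(name, exceptions):
        return "allow-exception"
    if matches(name, FEED_BLOCK):
        return "block-feed"
    return "allow"

def impact_analysis(logs, exceptions=ORG_EXCEPTIONS):
    """Replay historical queries and count what each decision would have been."""
    return Counter(decide(name, exceptions) for _, name in logs)

def can_activate(approvals):
    """Two-manager approval; assumed here to mean two distinct managers."""
    return len(set(approvals)) >= 2

if __name__ == "__main__":
    for decision, count in sorted(impact_analysis(LOGS).items()):
        print(f"{decision:16} {count}")
    print("activate:", can_activate(["manager-a", "manager-b"]))
```

Replaying a candidate exception set through `impact_analysis` before requesting approval shows how many past queries would change outcome, which is the information an approver needs.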