Dear Experts of the DNSOP Working Group,

I hope this email finds you well. I am Mingxuan Liu, an Assistant Researcher at Zhongguancun Laboratory. Recently, we have submitted a new standards draft on Protective DNS, titled "Considerations for Protective DNS Server Operators". The draft is available at the following link:

https://datatracker.ietf.org/doc/draft-liu-dnsop-protective-dns/

To provide some context: Protective DNS is a defensive mechanism deployed on recursive resolvers, designed to effectively block access to malicious domains. For domains listed on blacklists, Protective DNS rewrites DNS resolution responses to point to secure results (e.g., controlled security servers), thereby preventing users from accessing malicious resources. Given its effectiveness in mitigating common cyber threats (such as command-and-control communications of malware), the deployment of Protective DNS has been on the rise. It is now adopted not only by DNS service providers but also implemented nationwide in some countries.

However, recent research has identified discrepancies in current Protective DNS implementations. This document aims to outline specific operational and security considerations for Protective DNS, targeting the entities and providers that deploy it for defensive purposes, by offering guidance on deployment and security best practices.

We would greatly appreciate the opportunity to discuss this draft with each expert, with the goal of providing valuable references for the deployment and security of Protective DNS. Your comments and insights are most welcome, and we look forward to engaging in constructive discussions with you.

Best regards,
Mingxuan Liu
Zhongguancun Laboratory
Email: [email protected]
July 24, 2025
