9.2 Use DNS Filtering Services
Implementation Groups: IG1, IG2, IG3

Asset Type: Network
Security Function: Protect

Description

Use DNS filtering services on all enterprise assets to block access to known malicious domains.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Implement DNS filtering/security solution
7. Configure blocking of known malicious domains
8. Enable DNS query logging and monitoring

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Malware Callback to Known Command-and-Control Domains

Confidentiality

Malware on enterprise assets communicates with known malicious domains for command-and-control instructions, payload downloads, and data exfiltration, and without DNS filtering these connections succeed unimpeded.

Phishing Domain Access Leading to Credential Theft

Confidentiality

Users click phishing links that resolve to known malicious domains mimicking legitimate login pages, and without DNS-level blocking these domains are freely accessible, enabling credential harvesting at scale.

Cryptojacking and Malvertising Domain Connections

Availability

Enterprise assets connect to domains hosting cryptomining scripts or malicious advertisements that deliver drive-by downloads, consuming resources and potentially installing malware because no DNS filtering blocks these known threats.

Vulnerabilities (When Safeguard Absent)

No DNS Filtering Service Deployed

Enterprise assets resolve DNS queries without any filtering, allowing connections to known malicious domains, phishing infrastructure, and threat actor command-and-control servers without any prevention or alerting.

DNS Filtering Bypass via Direct IP or External DNS

Even where DNS filtering exists, endpoints can bypass it by using hardcoded IP addresses or external DNS resolvers, including encrypted resolvers over DNS over HTTPS (DoH) or DNS over TLS (DoT), that are not blocked at the network perimeter, negating the protection.
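Checklist items 7 and 8 (block known malicious domains, log and monitor DNS queries) and the bypass vulnerability above are easiest to reason about with the logs in hand. The following Python script is an added example, not part of the CIS safeguard text: it replays constructed resolver/firewall log lines, reports which queries a blocklist would have stopped (matching parent domains as well as exact names), and flags endpoints that sidestep the approved resolver by talking to an outside resolver on port 53, using DNS over TLS on port 853, or resolving a DoH endpoint hostname. The resolver address, blocklist, DoH endpoint list and log lines are all constructed stand-ins.

```python
"""Replay DNS log lines against a blocklist and flag resolver-bypass attempts.
Added example for CIS safeguard 9.2; every constant below is a constructed value."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# --- Constructed assumptions (stand-ins, not values from the safeguard text) ---
APPROVED_RESOLVERS = {"10.0.0.53"}                       # the enterprise filtering resolver
BLOCKLIST = {"c2.bad.example", "login-verify.example", "miner.example"}
DOH_ENDPOINTS = {"doh.resolver.example"}                 # hypothetical DoH provider hostnames
DOT_PORT = 853                                           # DNS over TLS listens on TCP 853

# Constructed sample log: "<timestamp> src=<client> dst=<resolver> dport=<port> qname=<name>".
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=10.1.2.3 dst=10.0.0.53 dport=53 qname=www.example
2024-05-01T10:00:02 src=10.1.2.3 dst=10.0.0.53 dport=53 qname=beacon.c2.bad.example
2024-05-01T10:00:03 src=10.1.2.4 dst=10.0.0.53 dport=53 qname=login-verify.example
2024-05-01T10:00:04 src=10.1.2.5 dst=203.0.113.9 dport=53 qname=www.example
2024-05-01T10:00:05 src=10.1.2.5 dst=203.0.113.9 dport=853 qname=-
2024-05-01T10:00:06 src=10.1.2.6 dst=10.0.0.53 dport=53 qname=doh.resolver.example
2024-05-01T10:00:07 src=10.1.2.7 dst=10.0.0.53 dport=53 qname=safe.example
"""


@dataclass
class Event:
    ts: str
    src: str
    dst: str
    dport: int
    qname: str


def parse_line(line: str) -> Event:
    """Parse one 'key=value' log line into an Event (qname normalised to lower case)."""
    ts, *tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens)
    return Event(ts, fields["src"], fields["dst"], int(fields["dport"]), fields["qname"].lower())


def is_blocked(qname: str, blocklist: set[str] = BLOCKLIST) -> bool:
    """True if qname or any parent domain is on the blocklist (so subdomains of a
    listed domain are caught, but a longer name that merely ends in similar text is not)."""
    labels = qname.rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def classify(ev: Event) -> list[str]:
    """Return findings for one event: 'blocked', 'doh-endpoint',
    'external-resolver' or 'dot-bypass'."""
    findings: list[str] = []
    if ev.dst not in APPROVED_RESOLVERS:
        # Traffic that never reaches the filtering resolver cannot be filtered by it.
        findings.append("dot-bypass" if ev.dport == DOT_PORT else "external-resolver")
        return findings
    if is_blocked(ev.qname):
        findings.append("blocked")
    if ev.qname in DOH_ENDPOINTS:
        # Resolving a DoH endpoint is the usual prelude to moving DNS inside HTTPS.
        findings.append("doh-endpoint")
    return findings


def analyze(log_text: str) -> dict:
    """Summarise a log: per-finding counts and the hosts showing bypass behaviour."""
    counts: Counter[str] = Counter()
    findings_by_src: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        for finding in classify(ev):
            counts[finding] += 1
            findings_by_src.setdefault(ev.src, []).append(finding)
    bypass_hosts = sorted(src for src, fs in findings_by_src.items()
                          if any(f != "blocked" for f in fs))
    return {"counts": dict(counts), "bypass_hosts": bypass_hosts}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("Finding counts:", report["counts"])
    print("Hosts bypassing the filtering resolver:", report["bypass_hosts"])
```

The "blocked" count is the evidence item the table below asks for (block statistics), while the bypass findings are what a perimeter rule set has to close: permit port 53 and 853 only to the approved resolver, and treat queries for DoH endpoint hostnames as a signal to investigate the client.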

Evidence Requirements

Type        Evidence Item                                                               Collection Frequency
Technical   Configuration screenshots or exports showing protection controls enabled   Captured quarterly
Document    Procedure documentation for protection measures                            Reviewed annually
Technical   DNS filtering configuration and block statistics                           Monthly
Document    Governing policy document (current, approved, communicated)                Reviewed annually