Implicit Deny ALL for DNS Resolution

The principle of least privilege (PoLP), also known as the principle of minimal privilege or the principle of least authority, requires that a process or function be able to access only the information and resources necessary for its legitimate purpose.

While the DNS has many flaws, its recursion "feature" is inherently a major security weakness. A recursive DNS lookup is one in which a DNS server attempts to find the IP address for a fully qualified domain name.

Unlike DigitalStakeout PDNS, conventional DNS servers have no security feature that lets you quickly switch from allowing resolution by default to implicitly denying it.

In a critical incident or breach situation, you may be forced to immediately block, log and analyze all outbound DNS traffic across your enterprise endpoints and sites to rapidly contain an evolving threat. With DigitalStakeout PDNS, you can flip a switch and immediately block all external resolution and mitigate an egress cyber threat.

Security Policy Default Actions

Allow Traffic - This is the default setting in a security policy. All DNS queries are permitted and then processed according to the DigitalStakeout PDNS order of operations.

Block Traffic - This setting implicitly drops all DNS traffic. Unless you explicitly allow domains in a policy list, DNS resolution is blocked.
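To make the difference between the two default actions concrete, here is a small policy evaluator written for this article. It is an added illustration, not DigitalStakeout PDNS code, and it assumes a simple precedence (explicit block-list entry, then explicit allow-list entry, then the default action) that is a modelling choice rather than the product's documented order of operations. The domain names and lists are constructed sample data. The contain() function models the "flip the switch" step: the lists are kept, only the default changes from allow to block, so every name without an allow-list entry is implicitly denied.

```python
from dataclasses import dataclass, field


def _norm(name):
    """Lower-case and strip the trailing dot so 'WWW.Example.COM.' == 'www.example.com'."""
    return name.lower().rstrip(".")


@dataclass
class DnsPolicy:
    """Constructed model of a security policy: a default action plus two lists."""
    default_action: str                      # "allow" or "block"
    allow_list: set = field(default_factory=set)
    block_list: set = field(default_factory=set)

    def __post_init__(self):
        if self.default_action not in ("allow", "block"):
            raise ValueError("default_action must be 'allow' or 'block'")
        self.allow_list = {_norm(d) for d in self.allow_list}
        self.block_list = {_norm(d) for d in self.block_list}


def _matches(name, entries):
    """True if name equals an entry or falls under it (hostname, domain or TLD level)."""
    labels = _norm(name).split(".")
    return any(".".join(labels[i:]) in entries for i in range(len(labels)))


def evaluate(policy, qname):
    """Return (action, reason) for one query name.

    Assumed precedence (a modelling choice, not the product's documented order):
    explicit block-list entry, then explicit allow-list entry, then default action.
    """
    if _matches(qname, policy.block_list):
        return "block", "explicit block-list entry"
    if _matches(qname, policy.allow_list):
        return "allow", "explicit allow-list entry"
    if policy.default_action == "block":
        return "block", "implicit deny: no allow-list entry matched"
    return "allow", "default action: allow"


def contain(policy):
    """The 'flip the switch' step: keep both lists, change the default to block."""
    return DnsPolicy("block", set(policy.allow_list), set(policy.block_list))


# Constructed sample queries using reserved example/test names, not real hosts.
SAMPLE_QUERIES = [
    "www.example.com",     # unknown third-party site, on neither list
    "mail.corp.example",   # internal service covered by the allow-list entry corp.example
    "update.evil.test",    # covered by the block-list entry evil.test
]


def run_demo():
    """Evaluate the sample queries under the normal policy and the contained one."""
    normal = DnsPolicy("allow", allow_list={"corp.example"}, block_list={"evil.test"})
    contained = contain(normal)
    return {
        "normal": {q: evaluate(normal, q)[0] for q in SAMPLE_QUERIES},
        "contained": {q: evaluate(contained, q)[0] for q in SAMPLE_QUERIES},
    }


if __name__ == "__main__":
    for mode, results in run_demo().items():
        print(f"default={mode}")
        for q, action in results.items():
            print(f"  {q:<22} -> {action}")
```

Under the normal (allow) policy, only the block-listed name is refused. After contain(), www.example.com is refused as well because nothing on the allow list covers it, while mail.corp.example still resolves because corp.example is explicitly allowed. That is the operational meaning of "implicit deny": the allow list becomes the complete inventory of what may resolve.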
