Do you block known-malicious websites at the network or DNS level (1.1.1.1 for Families, NextDNS, etc.)?
Description
What this control does
This control requires the organization to block access to known-malicious websites using network-layer or DNS-layer filtering services such as Cloudflare for Families (1.1.1.1), Cisco Umbrella, NextDNS, or similar protective DNS resolvers. These services maintain continuously updated threat intelligence feeds and block DNS resolution or network traffic to domains associated with malware distribution, phishing campaigns, command-and-control infrastructure, and other malicious activity. Implementation typically involves configuring endpoints, routers, or DNS servers to use protective resolver IP addresses or deploying inline filtering appliances that inspect and block requests before they reach malicious destinations.
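The following script is an added example, not part of this control text and not any vendor's tooling. It shows how an auditor or administrator can check, from an endpoint, whether a given resolver actually blocks a domain: it sends a raw DNS A query over UDP to a resolver address, parses the reply, and treats NXDOMAIN, REFUSED, or a sinkhole answer (0.0.0.0, ::, 127.0.0.1) as "blocked". The resolver addresses 1.1.1.1 and 1.1.1.2 are Cloudflare's public and malware-blocking 1.1.1.1 for Families resolvers; which sentinel address a particular vendor returns for blocked names, and which test domain to query, are assumptions to confirm against that vendor's documentation (the script takes the domain as a command-line argument rather than hard-coding one).

```python
import random
import socket
import struct

# Resolver addresses to compare. 1.1.1.2 is Cloudflare's malware-blocking profile of
# 1.1.1.1 for Families; replace or extend with the resolvers your organization deploys.
RESOLVERS = {
    "cloudflare-families-malware": "1.1.1.2",
    "cloudflare-unfiltered": "1.1.1.1",
}

# Addresses commonly returned instead of NXDOMAIN when a name is blocked (assumption:
# confirm the sentinel your vendor uses).
SINKHOLE_ADDRESSES = {"0.0.0.0", "::", "127.0.0.1"}


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query packet (recursion desired) for `name`, type A by default."""
    txid = random.randrange(0, 65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    question = qname + b"\x00" + struct.pack("!HH", qtype, 1)
    return txid, header + question


def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) name starting at `offset`."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data, expected_txid):
    """Return (rcode, [answer addresses]) from a DNS response packet."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):            # skip the echoed question section
        offset = _skip_name(data, offset) + 4
    addresses = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            addresses.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:
            addresses.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return rcode, addresses


def classify(rcode, addresses):
    """Map a parsed response to blocked / resolved / inconclusive."""
    if rcode in (3, 5):  # NXDOMAIN or REFUSED
        return "blocked"
    if rcode == 0 and addresses and all(a in SINKHOLE_ADDRESSES for a in addresses):
        return "blocked"
    if rcode == 0 and addresses:
        return "resolved"
    return "inconclusive"


def probe(domain, resolver, timeout=3.0):
    """Query `resolver` directly (bypassing the OS stub resolver) and classify the answer."""
    txid, packet = build_query(domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return classify(*parse_response(data, txid))


if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    for label, address in RESOLVERS.items():
        try:
            print(f"{label:28s} {address:10s} {domain}: {probe(domain, address)}")
        except (OSError, ValueError) as exc:
            print(f"{label:28s} {address:10s} {domain}: error ({exc})")
```

Run it once with a benign domain (both resolvers should report "resolved") and once with the vendor's published test domain, expecting "blocked" only from the protective resolver. A "resolved" result from the protective resolver for the test domain, or a successful answer when the query is sent to an unfiltered resolver from a network that is supposed to force DNS through the protective one, is the finding the testing procedure below is looking for.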
Control objective
What auditing this proves
Demonstrate that the organization actively blocks DNS queries and network connections to known-malicious domains using continuously updated threat intelligence feeds at the network or DNS resolver level.
Associated risks
Risks this control addresses
- Employees access phishing sites that harvest credentials or deliver social engineering attacks, leading to account compromise
- Endpoints download malware from known malicious distribution sites, resulting in ransomware infection or data exfiltration
- Compromised devices establish command-and-control channel communications with attacker infrastructure, enabling persistent unauthorized access
- Drive-by download attacks execute when users browse compromised legitimate sites that redirect to exploit kit domains
- Data exfiltration occurs through DNS tunneling to known malicious domains that evade traditional perimeter controls
- Zero-day malware communicates with newly identified malicious infrastructure before endpoint protection signatures are available
- Mobile and remote workers bypass corporate security controls and access threats directly when not protected by DNS-layer filtering
Testing procedure
How an auditor verifies this control
- Inventory all DNS resolver configurations across corporate networks, branch offices, VPN concentrators, and endpoint management systems to identify which protective DNS services are deployed.
- Review network architecture diagrams and firewall configurations to confirm DNS traffic is forced through protective resolvers and cannot be bypassed by users configuring alternative DNS servers.
- Examine the configuration settings of deployed DNS filtering services to verify threat intelligence feeds are enabled, including malware, phishing, botnet, and command-and-control blocking categories.
- Test DNS resolution from representative endpoints on corporate networks by querying known-malicious test domains (such as those provided by the filtering vendor or EICAR-equivalent DNS test domains) and verify queries are blocked.
- Review DNS query logs or filtering service dashboards for a 30-day period to confirm blocked query events are being logged and identify the volume of malicious domains blocked.
- Verify remote and mobile workers are protected by examining VPN configurations for forced DNS settings or endpoint agent deployments that enforce protective DNS regardless of network location.
- Interview network and security operations staff to confirm processes exist for monitoring blocking effectiveness, reviewing false positives, and maintaining current subscription or feed updates.
- Simulate a phishing scenario by attempting to access recently identified phishing domains from sample endpoints and document blocking behavior and user notification mechanisms.
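The following script is an added example for the log-review steps above; it is not part of the control text and does not use any vendor's export format. The sample log embedded in it is constructed, and its column layout (timestamp, client, qname, action, category) is an assumption standing in for whatever a real filtering service exports. It produces the three things an auditor reviewing a 30-day window wants: blocked events per threat category, clients with repeated blocked command-and-control lookups (a blocked beacon is a containment success but also a sign the endpoint may already be compromised, so it belongs with incident response rather than in a count), and days inside the window with no entries at all, which would undercut the claim that logging is continuous.

```python
import csv
from collections import Counter
from datetime import date, datetime, timedelta
from io import StringIO

# Constructed sample export. The schema is an assumption, not a real vendor format;
# hostnames use the reserved .test TLD so nothing here refers to a real site.
SAMPLE_LOG = """\
timestamp,client,qname,action,category
2024-05-01T08:02:11Z,10.0.4.17,updates.example-vendor.test,allowed,
2024-05-01T08:05:43Z,10.0.4.17,login-verify.example-phish.test,blocked,phishing
2024-05-01T09:12:00Z,10.0.4.22,cdn.example-legit.test,allowed,
2024-05-02T10:30:15Z,10.0.4.22,beacon.example-c2.test,blocked,command-and-control
2024-05-02T10:30:45Z,10.0.4.22,beacon.example-c2.test,blocked,command-and-control
2024-05-02T10:31:15Z,10.0.4.22,beacon.example-c2.test,blocked,command-and-control
2024-05-03T14:00:00Z,10.0.4.31,dl.example-malware.test,blocked,malware
2024-05-05T11:45:09Z,10.0.4.17,news.example-legit.test,allowed,
"""


def parse_log(text):
    """Parse the CSV export into dicts, adding a parsed datetime under 'ts'."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def blocked_by_category(rows):
    """Count blocked queries per threat category (the volume figure the auditor records)."""
    return Counter(r["category"] for r in rows if r["action"] == "blocked")


def repeated_c2_clients(rows, threshold=3):
    """Clients with at least `threshold` blocked command-and-control lookups."""
    hits = Counter(r["client"] for r in rows
                   if r["action"] == "blocked" and r["category"] == "command-and-control")
    return sorted(client for client, count in hits.items() if count >= threshold)


def logging_gaps(rows, window_start, window_days):
    """ISO dates inside the review window that have no log entries at all."""
    start = date.fromisoformat(window_start)
    seen = {r["ts"].date() for r in rows}
    return [(start + timedelta(days=i)).isoformat()
            for i in range(window_days)
            if (start + timedelta(days=i)) not in seen]


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("blocked by category:", dict(blocked_by_category(rows)))
    print("clients with repeated blocked C2 lookups:", repeated_c2_clients(rows))
    print("days with no log entries:", logging_gaps(rows, "2024-05-01", 5))
```

On the constructed sample this reports one phishing block, one malware block and three command-and-control blocks, singles out 10.0.4.22 for follow-up, and shows that 2024-05-04 has no entries; for a real review, point `parse_log` at the exported 30-day log and set the window to 30 days.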