Blog post

Protective DNS service for the public sector is now live

Created:  17 Aug 2017
Updated:  17 Aug 2017
Author:  Ian Levy
Image: Chancellor Philip Hammond

Back in November, the Chancellor launched the National Cyber Security Strategy. In it, we said we’d build services to protect the public sector from potential cyber attacks, as well as help them to become more cyber resilient.

One of those services is our UK Public Sector DNS service. The internet-facing resolver is now up and running, with 44 organisations using it, and it’s doing some cool stuff: actively protecting subscribers from attacks and helping us detect existing weirdness. For instance, based on current statistics, there have been 264,954 blocks, of which 8,466 were unique per customer per day, and 3,312 were truly unique. The companion PSN resolver is due to become available by the end of 2017. We’ll talk about the things we’re seeing in due course, but we think we’ve already proven the value the service can bring.
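The three figures quoted above collapse the same raw block events in three different ways. The script below is an added example, not NCSC's or Nominet's code: it reads a constructed resolver block log and computes the three counts, on the assumption (mine, not something the post defines) that "unique per customer per day" means distinct (customer, day, domain) triples and "truly unique" means distinct blocked domains across all subscribers.

```python
"""Aggregate protective-DNS block events into three headline counts.

Added example, not the service's own code. The log format below is
constructed for illustration: ISO timestamp, subscriber id, queried
name, verdict. The interpretation of the three counts is an assumption.
"""
from collections import Counter
from datetime import datetime

# Constructed sample log. dept-a's repeated lookups of the same name are
# the pattern a beaconing host produces; dept-b is a separate subscriber.
SAMPLE_LOG = """\
2017-08-01T09:00:01Z dept-a bad-updates.example BLOCK
2017-08-01T09:05:01Z dept-a bad-updates.example BLOCK
2017-08-01T09:10:01Z dept-a bad-updates.example BLOCK
2017-08-01T10:00:00Z dept-a intranet.example ALLOW
2017-08-01T11:30:00Z dept-b bad-updates.example BLOCK
2017-08-02T08:00:00Z dept-a bad-updates.example BLOCK
2017-08-02T08:01:00Z dept-b phish-login.example BLOCK
2017-08-02T08:02:00Z dept-b phish-login.example BLOCK
"""


def parse_log(text):
    """Yield (day, customer, domain) for every BLOCK line; skip ALLOW lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, customer, domain, verdict = line.split()
        if verdict != "BLOCK":
            continue
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        # Normalise the name so "Bad-Updates.example." and "bad-updates.example"
        # count as the same domain.
        yield day, customer, domain.lower().rstrip(".")


def block_stats(text):
    """Return the total, per-customer-per-day unique and truly unique counts."""
    events = list(parse_log(text))
    total = len(events)
    per_customer_day = len({(d, c, dom) for d, c, dom in events})
    truly_unique = len({dom for _, _, dom in events})
    return {
        "total_blocks": total,
        "unique_per_customer_day": per_customer_day,
        "truly_unique": truly_unique,
    }


def top_domains(text, n=3):
    """Most frequently blocked names; a single name repeating from one
    subscriber is usually an infected host worth following up."""
    return Counter(dom for _, _, dom in parse_log(text)).most_common(n)


if __name__ == "__main__":
    print(block_stats(SAMPLE_LOG))   # 7 blocks -> 4 per customer-day -> 2 domains
    print(top_domains(SAMPLE_LOG))
```

On the sample log the seven raw blocks reduce to four customer-day pairs and just two distinct domains, which is the same shape of collapse the post reports (264,954 to 8,466 to 3,312): most block volume is a few hosts repeatedly asking for the same names.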

Matt Philpott, Director of Infrastructure and Platforms at the Home Office said:

“The Home Office already includes an extensive array of security controls to protect our services, but the Public Sector DNS service provides an additional level of protection and monitoring for the Home Office which is free of charge. Using this service means we have an additional method to detect and block attempts to access malicious web sites which may not otherwise be known by commercial protection products.”

I understand that people would be nervous of using a critical service like DNS if the NCSC had built it, so we didn’t. Nominet, the UK Registry, has a 20-odd year history of running national scale DNS with cracking uptime, so we asked them to do it for us. You already rely on them for anything ending in .uk, so relying on them for your recursive DNS service doesn’t change much in terms of business risk.

The Cabinet Secretary wrote to all permanent secretaries recently, saying that departments should use the protective services we’re providing. To make that easier for DNS, we’ve aggregated all the information public sector organisations need to get onto the service here.

I’d strongly encourage you to get onto the UK Public Sector DNS service as soon as you can. However, if you have any queries or issues, please visit our information page with details of how to get in touch and instructions on how to register.

Ian Levy
Technical Director, NCSC


Steven Murdoch - 18 Aug 2017
What are the criteria for blocking domains? If a particular DNS name is used purely for malware C&C then it would be a clear case for blocking, but what about less clear-cut cases?

For example, are the Tor Project domains blocked? They often are in corporate systems, with the rationale that people can download Tor in order to bypass monitoring, but equally learning more about Tor and other Internet security technologies is a legitimate and important part of many people's jobs.

As the NCSC service is government only, the negative impact of over-blocking is restricted, but the government is an important and influential organisation so what steps are taken to avoid harm?
Ian Levy - 22 Aug 2017
The intent is to stop actual harm to subscribing organisations and that means clearly identifying what bad thing would happen if we didn't block. Currently, we're just doing malware and direct phishing (the policy is published at but we do have plans to extend to other sorts of *direct* harm. We'll always publish what we're going to do and the criteria used to make decisions and there's certainly no intention to restrict access to content using this system unless it causes direct cyber security harm.

As to Tor Project domains (and other things like them), they don't cause direct harm, so they wouldn't be blocked by our Protective DNS service. If departments feel they need to do so, that's their call. For what it's worth, I don't think public sector employees should be using public sector systems to bypass lawful business monitoring, but my opinion isn't what matters. Of course, if departments are following our end user device guidance, they should have software execution restriction policies in place, and so an end user wouldn't be able to install and run arbitrary code, be that malware or a Tor client.

Hope that helps.
Steven Murdoch - 23 Aug 2017
Thanks for your response and the very helpful clarifications. That does sound like a reasonable policy (and it’s great that blocking criteria are transparent). As we've seen from blocking on consumer Internet connections, sometimes mistakes happen, and so transparency around the full process is a helpful way of mitigating the risk of over-blocking. The IWF have some guidance here which is at least partly applicable; however, as you know, DNS inherently is more liable to under/over-blocking than the URL blocking the IWF support.

[to be continued, as blog comments are limited in length]
Steven Murdoch - 23 Aug 2017
Specifically for Tor (and things like it), I am very sympathetic to government and business IT administrators who choose to prevent software from running on their equipment, and/or communicating with their network, when doing so would be contrary to appropriate monitoring or other policies (provided exceptions can be made when needed). The problem I've encountered is rather DNS over-blocking preventing access to information about Tor (e.g. blog posts and technical reports), rather than the Tor software itself.

I even encountered a case where an organisation was sponsoring Tor, and it was a key component of their Internet strategy, yet their staff were blocked from getting usage statistics. Not only did this interfere with the jobs of staff directly involved in Tor, but also gave their colleagues the incorrect impression that Tor belongs in the same category of other sites blocked (malware distribution and pornography). There were too many layers of out-sourcing and inflexible policies for anything to be done about it.
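The granularity point in the two comments above (DNS blocking is coarser than URL blocking, so a resolver that blocks a host also blocks the legitimate pages and subdomains on it, while it cannot isolate one malicious path on a shared host) can be made concrete. The script below is an added example, not part of the comments, the post, or any IWF or NCSC tooling; the blocklists, hostnames and URLs are constructed.

```python
"""Compare name-level (resolver) blocking with URL-level blocking.

Added example with constructed data. A resolver decides per queried name,
so one entry covers every path on the host and every label beneath it;
a URL filter can name a single path. Running both over the same requests
shows where DNS over-blocks and where it under-blocks.
"""
from urllib.parse import urlsplit

# Constructed resolver blocklist: names (effectively zones) to refuse.
DNS_BLOCKLIST = {"malware-cdn.example"}

# Constructed URL blocklist: exact URLs, the form an IWF-style list takes.
URL_BLOCKLIST = {
    "http://malware-cdn.example/payload.exe",
    "http://shared-host.example/~attacker/phish.html",
}


def dns_blocked(hostname):
    """True if the host or any parent domain is on the resolver blocklist."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in DNS_BLOCKLIST for i in range(len(labels)))


def url_blocked(url):
    """True only for an exact URL match."""
    return url in URL_BLOCKLIST


def classify(url):
    """Compare the two decisions for one request.

    'both'      both mechanisms block it
    'dns_only'  DNS blocks, URL filter would not  -> over-blocking
    'url_only'  URL filter blocks, DNS would not  -> DNS under-blocks
    'neither'   neither blocks it
    """
    host = urlsplit(url).hostname or ""
    outcome = (dns_blocked(host), url_blocked(url))
    return {
        (True, True): "both",
        (True, False): "dns_only",
        (False, True): "url_only",
        (False, False): "neither",
    }[outcome]


# Constructed requests covering each outcome.
SAMPLE_REQUESTS = [
    "http://malware-cdn.example/payload.exe",              # both
    "http://malware-cdn.example/abuse-report.html",        # dns_only: legitimate page, same host
    "http://docs.malware-cdn.example/",                    # dns_only: subdomain swept up
    "http://shared-host.example/~attacker/phish.html",     # url_only: DNS cannot isolate one path
    "http://shared-host.example/~researcher/report.pdf",   # neither
]


def summarise(urls):
    """Count how many requests fall into each outcome."""
    counts = {}
    for u in urls:
        outcome = classify(u)
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


if __name__ == "__main__":
    for u in SAMPLE_REQUESTS:
        print(f"{classify(u):9} {u}")
    print(summarise(SAMPLE_REQUESTS))
```

The two `dns_only` rows are the over-blocking case the comments describe (a report or statistics page on a host that also serves something bad), and the `url_only` row is the under-blocking case: a resolver cannot refuse one path on a shared host without refusing the whole host, which is why the policy criteria and an exceptions process matter more for DNS-level blocking than for URL-level blocking.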
NCSC Communications Team - 28 Aug 2018
This blog is now closed to comments.
