
Protective DNS Filtering

Cloud-delivered DNS Security with DigitalStakeout PDNS solves the problem of defending against a continuously expanding DNS attack surface for any size organization.


Cyber criminals launch hundreds of malicious domains and compromise thousands of websites daily, and "leading" DNS and web security solutions persistently fail to defend organizations from the threat. DigitalStakeout PDNS prevents bad actors from using compromised and disposable Internet resources to deploy cyber attacks.



  • Protect against phishing, ransomware and other malware.

  • Proactive defense from new and dynamically generated C2 domains.

  • Continuous protection from millions of malicious and compromised domains.

  • Granular security policies, block pages and advanced security features.


  • Agent-less protection for static IP locations over IPv4 and IPv6.

  • DoH and DoT support for browser-based deployments.

  • Off-network roaming client to protect end-users wherever they go.

  • Multi-tenant design to support any type of organization or service provider.


  • Low-latency 100% highly-available global anycast network across 30+ regions.

  • Fallback to a protected network with up to 100 Gbps DDoS mitigation.

  • Use up to 4 DNS pairs to support multiple policies from one source IP.

  • Publish security policies to take effect across our global network in 10ms.


Protecting Recursive DNS

Before DigitalStakeout PDNS, bad actors mostly had unfettered agility on the Internet to target your organization. They could stand up new domains, websites, and infrastructure with little or no effort. You would hope that Cisco Umbrella, DNSFilter or a free DNS service like Quad9 would filter the domain and block access to the emerging threat. However, advanced persistent threat (APT) groups and modern cyber criminals have the resources, patience, and methods to bypass almost all DNS security defenses. Defending against this threat takes a different way of thinking about a long-lived DNS security problem. DigitalStakeout PDNS assumes every domain is hostile and only allows learned and trusted DNS resolution.

  • Block newly registered domains in real-time.

  • Block newly observed domains in real-time.

  • Block dormant or awakened domains in real-time.

  • Disrupt malware downloads and phishing without delay.

  • Block malicious domains in 15+ threat categories.

  • Create implicit deny zero-trust DNS security policies.

  • Enforce DNS security over IPv4 and IPv6.

  • Forward enriched DNS logs in real-time to your XDR/SIEM/syslog/log analysis tools.


CISA Recommends Protective DNS

“Selecting a protective Domain Name System (PDNS) service as a key defense against malicious cyber activity. Protective DNS can greatly reduce the effectiveness of ransomware, phishing, botnet, and malware campaigns by blocking known-malicious domains. Additionally organizations can use DNS query logs for incident response and threat hunting activities. CISA encourages users and administrators to consider the benefits of using a protective DNS service.”




Use Cases & Need

Harden DNS Resolution

Cyber threat actors are hoping that you allow anything to resolve on DNS or that you use generic DNS filtering. Can your endpoints, servers, and devices resolve and connect to any newly registered domain on the Internet? If so, you have a major DNS attack vector vulnerability. DigitalStakeout PDNS enables you to automatically train explicit DNS resolution profiles so that systems resolve only the domains they need to function.

Reduce Malware Infections

The overwhelming majority of domains your endpoints will ever access on a repeated basis will be a material fraction of what can be resolved on the Internet. When endpoints resolve new domains, the risk of resolving a malicious or compromised system increases exponentially. Prevent phishing attacks and reduce malware and ransomware infections by reducing the amount of potentially hostile Internet your endpoints can access. DigitalStakeout Securd creates a virtual barrier between your endpoints and the infrastructure cyber criminals establish to attack them.

Get CMMC Compliant

In January 2020, the US Department of Defense (DoD) released the first version of its Cybersecurity Maturity Model Certification (CMMC) standard. Starting May 2023, DoD contractors will be required to be accredited to the standard. Comply with DNS Filtering requirements for different cyber maturity levels with DigitalStakeout Securd. Protect controlled unclassified information (CUI), reduce the risk of Advanced Persistent Threats (APT), and comply with the SC.1.175, SC.3.192, SC.4.199, SC.4.229, and SC.5.198 DNS security compliance requirements.

Zero Trust DNS

Zero Trust is a security concept that establishes that organizations should not automatically trust anything. At DigitalStakeout, we believe a foundational approach to defending against modern phishing and malware requires this to be applied to all DNS resolution. Why do you need to use a zero-trust approach for DNS? It is very simple: you don’t have the time, and most security products don’t have the intelligence, to protect your organization using a whack-a-mole cyber security approach to malware and phishing. Unlike any other DNS provider, DigitalStakeout Securd assumes every domain is hostile, and organizations can configure DNS resolution to be restricted to required, reputable, and trustworthy domains.


DigitalStakeout is trusted by leading brands and organizations across all markets.
