The NCSC Built Protective DNS for Government. Private Sector SMBs Are Still Guessing.

Network Security

Hello, Mauven here.

The NCSC’s Protective DNS service was launched in 2017 as one of its Active Cyber Defence capabilities. Since then, it has resolved over 2.5 trillion DNS queries and prevented access to 1.5 million malicious domains. In 2024, the NCSC awarded a new three-year contract to Cloudflare and Accenture to continue delivering the service.

That protection covers central government, local authorities, devolved administrations, emergency services, NHS organisations, and the Ministry of Defence. It does not cover your small business. And that gap between public and private sector DNS protection tells us something important about how we approach cyber security in this country.

What PDNS Actually Does

Let me be precise about this, because protective DNS sounds like marketing language until you understand the mechanics.

A protective DNS resolver works exactly like a normal DNS resolver, translating domain names into IP addresses, but with one addition: it checks every query against a deny list of known malicious domains. If a user or a piece of malware attempts to connect to a domain associated with phishing, malware distribution, or command and control infrastructure, the resolver blocks the query. The connection never happens.

This is not content filtering. The NCSC’s PDNS does not block categories of websites or enforce acceptable use policies. It blocks only domains that have been identified as malicious through threat intelligence feeds.

The elegance of the approach is that it protects at the network layer. Every device that uses the resolver is protected, regardless of whether it has endpoint security installed, regardless of whether the user is security-aware, regardless of whether the device is a laptop, a phone, or an IoT sensor. If it makes a DNS query, the query is checked.
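The decision a protective resolver makes on each query is small enough to show in full. The block below is an added illustration written for this article, not code from the NCSC, Quad9 or Cloudflare; the deny list, the client address and the upstream answers are constructed sample data using reserved documentation names and TEST-NET addresses, not real indicators. It shows the two details that matter in practice: names are canonicalised before the check, and the match is on label boundaries, so a subdomain of a listed domain is blocked while a lookalike that merely shares a suffix is not. Anything not on the list passes straight through, which is exactly the freshly registered domain caveat discussed later.

```python
"""Minimal model of a protective DNS resolver's decision logic.

Added example, not the NCSC's, Quad9's or Cloudflare's code. All names
and addresses are constructed (RFC 2606 / RFC 5737 reserved values).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed deny list of "known malicious" domains (placeholders, not real IoCs).
DENY_LIST: Set[str] = {
    "phish.example.com",
    "c2.example.net",
}

# Constructed stand-in for the answers a real resolver would obtain recursively.
UPSTREAM_ANSWERS: Dict[str, str] = {
    "www.example.org": "198.51.100.7",
}


def normalise(name: str) -> str:
    """Canonicalise a queried name: DNS is case-insensitive, trailing dot is optional."""
    return name.strip().rstrip(".").lower()


def is_denied(name: str, deny_list: Set[str] = DENY_LIST) -> Optional[str]:
    """Return the deny-list entry that covers `name`, or None if it is clean.

    Walk the name from the leftmost label upwards and test each parent, so
    'login.phish.example.com' is caught by 'phish.example.com' but
    'notphish.example.com' (a different label) is not.
    """
    labels = normalise(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in deny_list:
            return candidate
    return None


@dataclass
class Resolution:
    qname: str
    action: str             # "blocked" or "resolved"
    answer: Optional[str]   # IP address, or None when blocked / unknown
    matched: Optional[str]  # deny-list entry that caused a block


def resolve(qname: str, client_ip: str, log: List[str]) -> Resolution:
    """Resolve like an ordinary resolver, except names on the deny list get no answer.

    Every decision is appended to `log` in a one-line format so that blocked
    queries are visible to whoever monitors the resolver.
    """
    name = normalise(qname)
    hit = is_denied(name)
    if hit:
        result = Resolution(name, "blocked", None, hit)
        log.append(f"{client_ip} {name} blocked matched={hit}")
    else:
        result = Resolution(name, "resolved", UPSTREAM_ANSWERS.get(name), None)
        log.append(f"{client_ip} {name} resolved")
    return result


if __name__ == "__main__":
    events: List[str] = []
    for q in ("www.example.org", "Login.PHISH.example.com.", "notphish.example.com"):
        r = resolve(q, "192.0.2.10", events)
        print(f"{q:30} -> {r.action:8} {r.answer or ''}")
    print("\n".join(events))
```

The point of the log lines is that the block itself is the cheap part; the record that client 192.0.2.10 asked for a known phishing domain is what turns the resolver into a detection source.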

The Private Sector Gap

The NCSC recognises that private sector organisations cannot access the government PDNS service. Their published guidance for private sector organisations is clear: procure protective DNS from trusted commercial providers.

The guidance specifies what to look for. Providers should demonstrate proven cyber security expertise and DNS experience. They should have regularly updated deny lists informed by threat intelligence feeds. They should offer resilient service with strong availability and appropriate failover systems. Organisations should have service level agreements in place.

This is practical, specific guidance. It is not vague hand-waving. The NCSC is essentially saying: we built this for ourselves because it works. You should get it too. Here is how to evaluate providers.

The problem is awareness. In my experience, most UK small businesses have never heard of protective DNS. They have not read the NCSC guidance. They do not know it exists. They are running their networks through whatever resolver their ISP assigned, and they have never questioned whether that provides any security benefit. It usually does not.

Why This Matters More Than Most People Think

On this week’s podcast, we discussed how DNS problems are frequently misdiagnosed. But there is a more fundamental point that gets lost in the troubleshooting conversation.

Without protective DNS, your staff can reach any domain on the internet, including the ones specifically built to steal their credentials, deliver malware, or establish command and control channels on compromised devices.

Phishing remains the dominant attack vector. The DSIT Cyber Security Breaches Survey 2025 found that 85% of affected businesses identified phishing as the cause of their breach. A significant proportion of phishing attacks rely on users clicking links that resolve to attacker-controlled domains. Protective DNS can block those resolutions before the page loads.

This is not a silver bullet. A sophisticated attacker using a freshly registered domain that has not yet been added to deny lists will bypass protective DNS. But the vast majority of phishing infrastructure uses known malicious domains that have been identified and catalogued. Protective DNS catches the volume attacks, which are the ones most likely to hit a small business.

The Cost Argument That Falls Apart

One reason small businesses do not implement protective DNS is the assumption that it costs significant money. That assumption is wrong.

At the free tier, Quad9’s 9.9.9.9 provides security filtering that blocks known malicious domains. It is a Swiss non-profit backed by the Global Cyber Alliance, IBM, and Packet Clearing House. It is free, it supports encrypted DNS, and it is operationally reliable.

Cloudflare’s filtered variants, 1.1.1.2 for malware blocking and 1.1.1.3 for malware plus adult content filtering, are also free. Cloudflare’s business model is based on selling CDN and security services, not advertising. Their DNS privacy commitments are independently audited.

Commercial protective DNS services with logging, reporting, and policy management start at modest per-user costs. For a business of five to fifty employees, the total is typically less than the monthly tea and coffee budget.

The barrier is not cost. The barrier is that nobody has told most small businesses this option exists.

The Logging Benefit

A secondary benefit of protective DNS that deserves more attention is logging.

The NCSC’s guidance specifically highlights that DNS logs, when combined with other security information, support effective incident investigation. If a device on your network attempts to reach a known malicious domain, a protective DNS service will block the query and log it. That log entry tells you something valuable: you have a device that may be compromised.

Without DNS logging, that same device reaches the malicious domain successfully, downloads malware, and establishes communication with attacker infrastructure. Nobody notices because nobody is watching DNS traffic. The first sign of trouble is weeks or months later, when the damage is done.

For small businesses with limited security budgets, DNS logs may be the most cost-effective source of security intelligence available. The NCSC’s Logging Made Easy project provides an open-source starting point for organisations that want basic security logging without enterprise tools.
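What "watching DNS traffic" looks like in practice is a short triage over the resolver's block log. The block below is an added example for this article, not NCSC or Logging Made Easy code; the log lines are constructed in the same one-line format as the resolver model above (timestamp, client, name, action, matched entry), with reserved documentation names and TEST-NET addresses. It separates the two situations the text describes: a single blocked phishing lookup, which usually means a user clicked a link and is worth a conversation, and the same command-and-control name blocked repeatedly from one device, which looks like malware beaconing and means that device may already be compromised.

```python
"""Triage a protective-DNS block log to find devices that may be compromised.

Added example, not the NCSC's or Logging Made Easy's code. Log format and
contents are constructed; names and addresses are reserved test values.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# One line per decision: "<ISO timestamp> <client> <qname> <action>[ matched=<entry>]"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) "
    r"(?P<action>blocked|resolved)(?: matched=(?P<matched>\S+))?$"
)

# Constructed sample log: one user click on a phishing link from .10,
# and a device at .23 asking for a C2 name every five minutes.
SAMPLE_LOG = """\
2025-03-03T09:01:10Z 192.0.2.10 www.example.org resolved
2025-03-03T09:02:44Z 192.0.2.10 login.phish.example.com blocked matched=phish.example.com
2025-03-03T09:03:01Z 192.0.2.10 www.example.org resolved
2025-03-03T10:00:00Z 192.0.2.23 c2.example.net blocked matched=c2.example.net
2025-03-03T10:05:00Z 192.0.2.23 c2.example.net blocked matched=c2.example.net
2025-03-03T10:10:00Z 192.0.2.23 c2.example.net blocked matched=c2.example.net
2025-03-03T10:15:00Z 192.0.2.23 c2.example.net blocked matched=c2.example.net
this line is malformed and must be skipped, not crash the triage
2025-03-03T11:30:12Z 192.0.2.41 www.example.org resolved
"""


def parse_log(text: str) -> List[dict]:
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def triage(events: List[dict], beacon_threshold: int = 3) -> Dict[str, dict]:
    """Summarise blocked queries per client and flag repeated hits on one name.

    Returns, per client with at least one block: total blocks, a per-domain
    count, first/last seen, and a verdict. `beacon_threshold` is an assumed
    tuning value: that many blocks of the same entry from one device is
    treated as likely beaconing rather than a one-off click.
    """
    per_client: Dict[str, dict] = {}
    for e in events:
        if e["action"] != "blocked":
            continue
        c = per_client.setdefault(
            e["client"], {"blocked": 0, "domains": defaultdict(int), "first_seen": e["ts"], "last_seen": e["ts"]}
        )
        c["blocked"] += 1
        c["domains"][e["matched"] or e["qname"]] += 1
        c["first_seen"] = min(c["first_seen"], e["ts"])
        c["last_seen"] = max(c["last_seen"], e["ts"])

    report = {}
    for client, c in per_client.items():
        repeated = sorted(d for d, n in c["domains"].items() if n >= beacon_threshold)
        report[client] = {
            "blocked": c["blocked"],
            "domains": dict(c["domains"]),
            "first_seen": c["first_seen"].isoformat(),
            "last_seen": c["last_seen"].isoformat(),
            "repeated": repeated,
            "verdict": "likely-compromised" if repeated else "investigate",
        }
    return report


if __name__ == "__main__":
    for client, summary in triage(parse_log(SAMPLE_LOG)).items():
        print(client, summary["verdict"], summary["blocked"], summary["domains"])
```

The threshold and the verdict labels are choices made for the example, not anything the NCSC prescribes; the shape of the analysis (group blocks by device, look for repetition of the same indicator) is what DNS logging gives a small business that has no other telemetry.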

Remote Workers and the Resolver Problem

This is the angle that most guidance misses, and it is critical for modern small businesses.

When staff work from the office, their devices use whatever DNS resolver the office network provides. If you have configured that to use a protective DNS service, they are covered.

When staff work from home, a coffee shop, a client site, or a hotel, their devices use whatever DNS resolver that network provides. Hotel wifi in particular is notorious for captive portals and questionable network configurations. Home broadband uses the ISP’s default resolver, which typically provides no security filtering.

A roaming DNS client, sometimes called a DNS agent, ensures that a device uses your chosen protective DNS resolver regardless of which network it connects to. Several commercial PDNS providers offer this capability. For businesses with remote or hybrid workers, it closes a gap that most have not even identified.

How to Turn This Into a Competitive Advantage

Demonstrating DNS-layer security in your procurement responses and security documentation separates you from competitors who have never heard of protective DNS.

If you hold Cyber Essentials certification, adding protective DNS strengthens your security posture beyond the minimum requirements. It shows prospective clients that you take network security seriously beyond the compliance checkbox.

For businesses in regulated sectors such as healthcare, legal and financial services, DNS logging provides evidence of security monitoring that auditors and regulators expect. Being able to show blocked malicious domain queries in your logs is tangible proof that your security controls are working.

How to Sell This to Your Board

The government built this for itself because it works. The NCSC spent public money developing, deploying, and maintaining Protective DNS for government networks. They then published guidance telling the private sector to do the same. When the government’s own cyber security agency builds something and then recommends everyone else adopt it, that is a strong signal.

The cost of not having it is measurable. The DSIT survey reports a mean cost per business of £10,000 for those who quantified breach losses. Protective DNS is available free or at minimal cost. The return on investment calculation is straightforward.

It protects against the most common attack vector. Phishing accounts for 85% of breaches in the DSIT survey. Protective DNS blocks a significant proportion of phishing infrastructure before users ever reach it. It is not the only control you need, but it is one of the most cost-effective.

What This Means for Your Business

  1. Read the NCSC’s private sector PDNS guidance. It is published at ncsc.gov.uk and it is written for non-specialists. If you have not read it, start there. It tells you exactly what to look for in a provider.

  2. Implement protective DNS on your office network. At minimum, switch your router to use Quad9 9.9.9.9 or Cloudflare 1.1.1.2. This takes minutes and costs nothing. Document the change.

  3. Consider a commercial PDNS provider. If you want logging, reporting, and policy controls, evaluate commercial options. The NCSC guidance provides evaluation criteria.

  4. Deploy roaming DNS protection for remote workers. If staff work outside the office, their DNS queries are unprotected unless you extend your DNS policy to their devices. Evaluate roaming client options from your chosen provider.

  5. Start monitoring DNS logs. Even basic visibility into blocked queries gives you intelligence about threats targeting your network. The NCSC’s Logging Made Easy is a free starting point.

Sources

  • NCSC: Protective DNS for the private sector
  • NCSC: Protective Domain Name Service (PDNS)
  • NCSC: NCSC enters new partnership for PDNS delivery
  • NCSC: PDNS for Schools
  • NCSC: Managing Public Domain Names
  • DSIT / GOV.UK: Cyber Security Breaches Survey 2025
  • Quad9: Quad9 DNS Security and Privacy
  • Cloudflare: 1.1.1.1 DNS Resolver

Filed under

  • smb-security
  • uk-business
  • public-sector-security
  • business-risk
  • vendor-risk
  • supply-chain-risk
  • incident-response