DNS: A Security Differentiator for System Integrators

At BlueCat’s first annual System Integrator Summit, companies in the Federal system integrator and partner community met to learn more about the strong value of DNS security in government customers and contracts.


Cyber security is one of the few things that everyone in Washington can agree on, so a client-facing DNS security system offers an intriguing value proposition for integrators looking to differentiate their offering – an increasingly vexing problem as Federal IT contracts grow in size and scope.

Federal cyber security resources are usually concentrated on the network perimeter. For most forms of cyber defense, this approach makes sense. By preventing intrusions at the boundary, agencies can protect the valuable information that lies within. The EINSTEIN program, run by DHS as a basic security filter for all Federal networks, is a prime example of this tactic.

Yet when it comes to DNS, there is a better way. When placed on the network perimeter, DNS filters and firewalls have limited value. Since most internet traffic is resolved locally through caches on recursive servers, a perimeter-based DNS security system will only capture a fraction of malicious activity. That recursive layer also obscures the source of DNS traffic, making it difficult to link activity to a specific client.

Only client-facing DNS security systems capture 100 percent of query traffic and attribute it to its source. Since Snowden, Wikileaks, and other insiders, Federal security officials and forensic investigators are increasingly aware of the need to definitively link malicious activity to users. Client-facing DNS security systems provide this capability. For Federal system integrators, that is a key differentiator.
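To make the visibility gap concrete, here is an added simulation (not BlueCat's code and not from the original post) with constructed client IPs, an assumed resolver address 10.0.0.53, and a handful of sample queries: the perimeter sees only the resolver's cache-miss traffic, sourced from the resolver itself, while the client-facing log keeps every query with its originating client.

```python
"""Perimeter vs. client-facing DNS visibility, simulated with constructed data."""

# Constructed sample queries as (client_ip, qname). Two clients look up the
# same flagged name; the recursive resolver caches answers between them.
QUERIES = [
    ("10.0.0.11", "intranet.example.gov"),
    ("10.0.0.12", "intranet.example.gov"),
    ("10.0.0.12", "flagged.example.net"),
    ("10.0.0.13", "flagged.example.net"),
    ("10.0.0.13", "intranet.example.gov"),
]
RESOLVER_IP = "10.0.0.53"  # assumed address of the agency's recursive resolver


def simulate(queries, resolver_ip=RESOLVER_IP):
    """Return (client_facing_log, perimeter_log) for the given query stream.

    client_facing_log: every query with the real client IP, as seen by a sensor
    on the resolver the clients talk to.
    perimeter_log: only cache misses that the resolver forwards upstream, with
    the resolver as source, which is all a boundary filter or firewall sees.
    TTL expiry is ignored for simplicity, so each name misses the cache once.
    """
    cache = set()
    client_facing, perimeter = [], []
    for client_ip, qname in queries:
        client_facing.append((client_ip, qname))
        if qname not in cache:  # cache miss: resolver recurses upstream
            cache.add(qname)
            perimeter.append((resolver_ip, qname))
    return client_facing, perimeter


def attribute(log, qname):
    """Source IPs that a given log can associate with a queried name."""
    return {src for src, q in log if q == qname}


def perimeter_coverage(queries):
    """Fraction of client queries that ever reach the perimeter."""
    client_facing, perimeter = simulate(queries)
    return len(perimeter) / len(client_facing)


if __name__ == "__main__":
    cf, per = simulate(QUERIES)
    print("perimeter coverage:", perimeter_coverage(QUERIES))
    print("client-facing attribution:", attribute(cf, "flagged.example.net"))
    print("perimeter attribution:    ", attribute(per, "flagged.example.net"))
```

With this input the perimeter log attributes the flagged name only to the resolver, whereas the client-facing log names both querying clients.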

At the BlueCat summit, we heard from a former DOD Assistant Secretary, Rear Admiral Tom Atkin, about stronger policy for effective (and unique) forms of cyber security. With increased pressure to secure networks and data, system integrators face new operational requirements to offer innovative security solutions.

As a core network service, DNS is often overlooked as a potential security asset. In the search for new ways to bring cyber security solutions to Federal customers, system integrators should consider the role of DNS as a defender of networks.

