Skip to content
Palisai
All articles
Compliance1 January 20263 min read

5 signs your DNS infrastructure isn't ready for NIS2

By Jens Arnfelt

Most organisations only notice their DNS when something goes wrong — a website that disappears, or emails that land in spam. With NIS2's risk-management requirement, reacting is no longer enough; you have to be able to show that you have the risks under control in advance. Here are five concrete signs that your DNS infrastructure is not ready.

1. You don't have DNSSEC enabled

Without DNSSEC, your DNS answers can in principle be forged without the user noticing. It is a well-known, documented risk, and the absence of signing is often the first thing a technical assessment trips over. How DNSSEC works. Quick check: look up your domain and see whether DNSKEY and DS records exist.

2. Your email lacks SPF, DKIM or DMARC — or DMARC is on p=none

SPF, DKIM and DMARC decide whether others can abuse your domain for phishing. If they're missing, the door is open. And if you have DMARC but it's set to p=none, you're only monitoring — you're not enforcing. Many organisations sit on p=none for years. Check your setup with the DMARC analyzer.

3. You don't monitor changes to your DNS

A change to a single record — a redirected MX, a new A record — can be the start of an attack or a mistake with large consequences. If no one is alerted when your DNS changes, you're missing a basic detection capability that risk management assumes.

4. You have single points of failure

If all your DNS sits with one name server or one provider, you're exposed to that single failure. The recommendation is at least two name servers, ideally spread across more than one provider or location, so a single fault doesn't take you offline. A lack of redundancy is hard to defend in a NIS2 context.

5. You don't know who can change your DNS

DNS is the keys to your domain. If you can't answer who has access to change records — and whether those accounts have two-factor and get cleaned up when people change roles — you're missing access control at a critical place. The management accountability in NIS2 makes exactly these questions relevant to senior leadership, not just IT.

How to move forward

None of these points requires a big project to get started. Begin by getting an overview:

If several of the five signs sound familiar, that's not a sign that everything is wrong — but that there are some concrete, manageable improvements to take on.