Protective DNS Service Implementation and Support

Deployment Resources

Deployment Workflow

Deployment Overview

Onboarding to the Whole of Government Protective DNS service  can be achieved in 4 easy steps.

Protective DNS Deployment Steps

Detailed Deployment Steps

1. Identify IP Addresses

Please provide the static source IP (or NAT range for users) for each of your DNS name servers. If you are unsure of the external IP address details, open a commend prompt and type one of the following commands:

  • For Microsoft Windows systems, type: nslookup -q=TXT
  • For Linux:systems: type: dig +short txt
2. Complete Online Form

Use the information obtained above and complete the Protective DNS application Form to commence the onboarding  process. Please provide the following information when completing the application form:

  • DNS server details.
  • An email address for receiving DNS security reports (i.e. your security team).
  • Organisational contact details for coordination of maintenance and support.
3. Implementation

Once the application form has been submitted, a cyber security specialist from the Cyber Defence Centre (CDC) will in contact to you to finalise the implementation.

4. Testing

Once the onboarding has been completed, and as an ongoing activity, you can test your implementation to ensure you are protected.

Yes symbol

Congratulations, you are now protected!

No symbol

Please refer to the Supporting Resources below or contact the CDC Support Centre at for assistance.

Support Resources

News Bites

Did you know....

Protective DNS can be used to prevent resolution of malicious domain names, usually URLs, by implementing one or more blacklists so that instead of returning the correct response to a query, the DNS server returns an NXDOMAIN (name does not exist), effectively black-holing the malicious host name and/or domain name. It provides access to a curated list of suspect domains that will be blocked when accessed including; Command & Control, Distribution points, Phishing sites and Malware.

Qld Government agencies are able to slave the rpz.blacklist file (approx. 200MB) onto their own DNS servers from a CITEC DNS Server, or can simply configure CITEC as their upstream DNS provider. If you are unsure, please contact the CDC Support Centre at and your request will be assessed by a SOC Engineer.

RPZ Blacklist receives threat feeds from (38) various sources of malicious hostnames. These include CITEC-generated, licensed and open source options such as Spamhaus, Auscert, Palo Alto, OpenPhish, AlienVault, URLHaus and many more that are continually being added.

Frequently Asked Questions

Q. What are the differences between slaving the zone and using CITEC DNS?

There are some threat feeds that the Protective DNS service is unable to permit access to slave from our DNS servers due to contractual obligations. When slaving the zone you will receive access to approximately 1.5 million records. When using the WofG Protective DNS service, you will have access to approximately 6-10 million records.

Q. What happens when I visit a site listed in the Protective DNS service Blacklist?

The lookup will return a “NXDOMAIN” - Return name does not exist message.

Q. How do I test if the Protective DNS service is blocking the query?

  • Lookup the site internally and verify that you receive a NXDOMAIN.
  • Lookup the name from a non-Queensland government network (such as your mobile phone) and observe the response.

Q. Why is my site blocked?

  • Query a CITEC DNS Server for the associated TXT record (.rpz.blacklist) by typing the following command:
    • nslookup -type=TXT .rpz.blacklist
  • Search through your local copy.
  • If you are unsure please email and your request will be assessed by a SOC Engineer.

Q. How do I report false positives or add malicious domains?

Please email and your request will be assessed by a SOC Engineer.


Join a Community of Practice

The CSU hosts a Phishing and User Awareness Community of Practice (CoP) which consists of ICT professionals from Queensland government entities who meet on a regular basis to collaborate and share information, improve their cyber security skills, and actively work on advancing their general knowledge of cyber security. Please sign in to the Cyber Security Unit website and request to be added to the Phishing and User Awareness CoP.

CITEC Service Desk

Contact the CITEC Service Desk at for technical support issues relating to Protective DNS service.

Cyber Security Unit

Contact the Cyber Security Unit at should you require further information on the Protective DNS service.

Last Reviewed: 10 May 2022