CISA technical guidance: adding authorized sources to Protective DNS

The Cybersecurity and Infrastructure Security Agency (CISA) provided a procedural walkthrough explaining how organizations add authorized sources to a Protective DNS resolver so they can route traffic through the service and receive protection. The presenter said an authorized source is a collection of IP addresses that can access the protective resolver and that every organization needs at least one authorized source to use the service.

The guidance lays out the onboarding steps: users must have the configuration management role, navigate to the My Organization tab on the Protective DNS dashboard, open the Authorized Sources tab, and click Add New Source. The presenter detailed the required fields for a new source: type (IPv4, IPv6, or an SSC provider), numeric IP address (numerals only), a source set name for grouping sources, and an optional description of intended usage or device type. The presenter advised creating separate source sets for guest networks and security appliances.

The presenter warned that CIDR blocks are not accepted and that the service does not support bulk loading of sources to reduce the chance of incorrect configurations. Users can only add one authorized source at a time. After saving, an on-screen banner confirms creation; registration can take up to two minutes before the destination information populates and routing to Protective DNS begins. If required fields are missing or the user lacks permissions, the Add New Source button may be disabled and error help text will appear.

The instruction is technical onboarding guidance for implementers and does not record any formal actions, votes, or public deliberation.