Is Protective DNS Blocking the Wild West?

📅 2025-10-29
🤖 AI Summary
Protective DNS services in academic and research networks suffer from disorganized blocklists—characterized by inconsistent naming conventions, opaque targeting criteria, untraceable sources, and insufficient oversight—hindering their efficacy and accountability. Method: Leveraging hundreds of millions of real-world DNS query logs from educational institutions and integrating multiple public threat-domain feeds, this study conducts the first large-scale, passive measurement–based empirical comparison of DNS blocklist performance. Contribution/Results: We find that the absence of standardized blocklist specifications leads to high false-positive rates, poor inter-list coordination, and degraded service reliability. Blocklists exhibit low coverage overlap and substantial semantic ambiguity, severely undermining security policy interpretability and auditability. To address these challenges, we propose a governance framework for DNS blocklists tailored to academic networks, offering empirically grounded recommendations and technical pathways for standardization and regulatory practice.

📝 Abstract
We perform a passive measurement study investigating how a Protective DNS service might perform in a Research & Education Network serving hundreds of member institutions. Utilizing freely available DNS blocklists consisting of domain names deemed to be threats, we test hundreds of millions of users' real DNS queries, observed over a week's time, to find which answers would be blocked because they involve domain names that are potential threats. We find the blocklists disorderly regarding their names, goals, transparency, and provenance, making them quite difficult to compare. Consequently, these Protective DNS underpinnings lack organized oversight, presenting challenges and risks in operation at scale.
Problem

Research questions and friction points this paper is trying to address.

Evaluating Protective DNS performance in large education networks
Testing DNS blocklists against millions of real user queries
Identifying disorganized oversight in DNS threat protection systems
Innovation

Methods, ideas, or system contributions that make the work stand out.

Utilizing freely-available DNS blocklists for threat detection
Testing hundreds of millions of real DNS queries
Analyzing blocklists for transparency and provenance issues
Authors

David Plonka
WiscNet
Computer Networks, Internet Measurement, Traffic Classification, IPv6, Network Operations

Branden Palacio
Marquette University

Debbie Perouli
Marquette University