DNS is the part of the internet's infrastructure that almost everyone uses constantly and almost no one thinks about. Every time a user navigates to a website, sends an email, or connects to a cloud service, a DNS query is made. That ubiquity is exactly what makes it such an attractive target for attackers, and why securing the DNS layer deserves considerably more attention than it typically receives.
DNS Was Not Designed With Security in Mind
The original DNS specification was published in 1983 by Paul Mockapetris, built for reliability and scalability across a relatively trusted academic and government network. Security was not a design priority. Queries are sent in plaintext over UDP by default, there is no built-in mechanism for a resolver to verify that a response actually came from an authoritative source, and the caching behaviour that makes DNS efficient also creates opportunities for manipulation.
These are not obscure edge cases. They are structural properties of the protocol that attackers have exploited consistently for decades. DNSSEC was introduced to address authentication concerns by adding cryptographic signatures to DNS records, but deployment remains sparse. As of 2024, only around 5% of .com domain names were signed with DNSSEC, leaving the vast majority of DNS traffic without integrity guarantees. Even among domains that attempt to enable DNSSEC, completion rates are low, with many failing to fully configure the necessary registry records.
The Threat Landscape at the DNS Layer
Understanding why DNS security matters starts with understanding what attacks against DNS actually look like in practice.
DNS spoofing and cache poisoning involve injecting fraudulent DNS records into a resolver's cache, causing users to be directed to attacker-controlled infrastructure even when they type a legitimate domain. Because the redirect happens at the resolution layer, the user sees what appears to be a normal URL, including a valid HTTPS padlock if the attacker has obtained a certificate for the spoofed domain.
DNS tunnelling encodes arbitrary data within DNS query and response packets to exfiltrate data or maintain command-and-control channels. Because DNS traffic is broadly trusted and often passes uninspected through firewalls, tunnelling can persist undetected for extended periods. Research shows that over 70% of organisations have reported DNS-based incidents, and tunnelling is consistently among the most common causes of compromise. Many organisations that block other exfiltration vectors leave DNS completely uninspected.
DNS hijacking redirects queries by compromising the DNS settings of a router, endpoint, or registrar account, rerouting all DNS lookups for a device or domain through an attacker-controlled resolver. This technique appears in targeted attacks against both enterprise networks and home infrastructure.
Domain Generation Algorithms (DGAs) are used by malware to generate large numbers of pseudo-random domain names that the malware periodically queries. The attacker registers a small subset of these as command-and-control servers. Because the domains change constantly, static blocklists are ineffective and detection requires behavioural analysis at the DNS layer itself.
DNS as a Detection and Enforcement Point
Beyond the threats that specifically target DNS, the protocol also provides a valuable visibility layer for detecting malware and policy violations that manifest elsewhere.
When an infected host calls home to a command-and-control server, it almost always generates a DNS query first. When a user navigates to a phishing page, a DNS query precedes the connection. When ransomware attempts to reach infrastructure associated with a known threat group, that activity also appears in DNS logs before any payload is delivered.
Monitoring and filtering at the DNS layer can therefore catch threats upstream, before a TCP connection is established, before a payload is downloaded, and before credentials are submitted. Blocking a malicious domain at resolution is fundamentally less risky than blocking it at the network edge after a connection has already begun.
For network administrators and security teams, this makes DNS logs one of the most information-dense telemetry sources available. Query behaviour, including volume, frequency, entropy of domain names, and the age of domains being resolved, can surface anomalies that other tools miss entirely.
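The query-behaviour signals listed above (volume, name entropy, domain age) are also the ones that expose the DGA and tunnelling traffic described earlier. The script below is an added example, not code from the article or from any vendor it mentions: it scores constructed resolver log lines for a blocklisted name, a DGA-like registered domain, a newly registered domain, and a cluster of long, high-entropy subdomain labels under one domain that suggests tunnelling. The log format, the blocklist, the domain-age table and every domain name are constructed for the example, and registered-domain extraction is simplified to the last two labels (a real deployment would use the Public Suffix List).

```python
"""Added example (not from the article): DNS-layer detection heuristics
over constructed resolver log lines.  Every threshold here is a starting
point to tune against your own baseline, not a published standard."""
import math
from collections import defaultdict

# Constructed sample log: "<client> <qtype> <qname>" per line.
SAMPLE_LOG = """\
10.0.0.12 A www.example.com
10.0.0.12 A mail.example.com
10.0.0.17 A xk3j9qwz7lpt2v.net
10.0.0.17 A q8vz2mn4xr0lw9.com
10.0.0.21 TXT 9f3a1c0e7b2d4655a8c9e1f0b3d7.tunnel.example.net
10.0.0.21 TXT 4d2e8a1f7c0b9e63d5a2f8c1e7b0.tunnel.example.net
10.0.0.21 TXT b7e1c0d9a3f52e8c1d4b6a0f9e27.tunnel.example.net
10.0.0.21 TXT 1c9e0f3b7a5d2c8e4f6a1b0d3e9c.tunnel.example.net
10.0.0.30 A login-secure-update.example.org
10.0.0.31 A evil.example.test
"""

# Constructed threat intelligence: a blocklist and a domain-age table
# (days since registration), standing in for a real feed / RDAP lookup.
BLOCKLIST = {"evil.example.test"}
DOMAIN_AGE_DAYS = {"example.org": 3, "example.com": 9000, "example.net": 9000}
NEW_DOMAIN_DAYS = 30


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Return (client, qtype, qname) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 3:
        return None
    client, qtype, qname = parts
    return client, qtype.upper(), qname.rstrip(".").lower()


def registered_domain(qname: str) -> str:
    """Simplified: last two labels (use the Public Suffix List in practice)."""
    return ".".join(qname.split(".")[-2:])


def looks_dga(label: str) -> bool:
    """Long, high-entropy, digit-heavy registrable label."""
    digits = sum(ch.isdigit() for ch in label)
    return (len(label) >= 10
            and shannon_entropy(label) >= 3.0
            and digits / len(label) >= 0.2)


def looks_tunnel(leftmost_labels) -> bool:
    """Several distinct, long, high-entropy leftmost labels under one domain."""
    distinct = set(leftmost_labels)
    if len(distinct) < 3:
        return False
    mean_len = sum(len(l) for l in distinct) / len(distinct)
    mean_ent = sum(shannon_entropy(l) for l in distinct) / len(distinct)
    return mean_len >= 20 and mean_ent >= 2.5


def analyse(log_text: str) -> dict:
    """Return {name: [reasons]} for every name or domain that trips a check."""
    findings = defaultdict(list)
    per_domain = defaultdict(list)  # registered domain -> leftmost labels seen
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _client, _qtype, qname = parsed
        rd = registered_domain(qname)
        if qname in BLOCKLIST or rd in BLOCKLIST:
            findings[qname].append("blocklisted domain")
        if looks_dga(rd.split(".")[0]):
            findings[qname].append("DGA-like registered domain")
        if DOMAIN_AGE_DAYS.get(rd, 10**6) < NEW_DOMAIN_DAYS:
            findings[qname].append("newly registered domain")
        labels = qname.split(".")
        if len(labels) > 2:
            per_domain[rd].append(labels[0])
    for rd, leftmost in per_domain.items():
        if looks_tunnel(leftmost):
            findings[rd].append("possible DNS tunnelling")
    return dict(findings)


if __name__ == "__main__":
    for name, reasons in analyse(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(reasons)}")
```

Each heuristic is deliberately independent so that a finding carries the reason it fired; in a SIEM you would weight and combine them, and the per-domain aggregation is where query volume and rate (not shown here) would be added as a further tunnelling signal.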
What Effective DNS Security Looks Like
A strong DNS security posture combines several layers. At the protocol level, DNSSEC validation at the resolver checks that responses from signed zones carry a valid cryptographic signature chaining back to the zone's authoritative keys, and rejects responses that fail that check. DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt queries between the client and the resolver, protecting their confidentiality from eavesdropping in transit, which is particularly relevant for remote workers and mobile devices operating outside a controlled network perimeter.
At the filtering and enforcement layer, DNS resolvers can block queries to known malicious domains, newly registered domains associated with phishing campaigns, DGA-generated hostnames, and domains used for tunnelling. This protective DNS capability is the core function of dedicated DNS Security Software. Platforms like Heimdal's, which layer threat intelligence and behavioural analysis directly into the resolution process, make DNS a genuinely active part of the security stack rather than passive infrastructure sitting beneath it.
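The protocol-level and filtering-level controls described in the two paragraphs above can be seen side by side in a resolver configuration. The fragment below is an added example written for the Unbound resolver, not configuration from the article or from any product it mentions: the first file is a weak setup (no trust anchor, plaintext forwarding), the second enables DNSSEC validation, forwards over DoT, logs queries for telemetry, and blocks one domain at resolution. The upstream address 192.0.2.53, the name dot.example.test, the blocked domain and the file paths are placeholders; the trust-anchor path in particular varies by distribution and must be pre-seeded (for example with unbound-anchor) before validation works.

```conf
# ---- File A (weak): /etc/unbound/unbound.conf ----
server:
    interface: 0.0.0.0
    access-control: 10.0.0.0/8 allow
    # No auto-trust-anchor-file: signatures are never validated.
forward-zone:
    name: "."
    forward-addr: 192.0.2.53          # plain UDP/53, readable and forgeable on path

# ---- File B (hardened): /etc/unbound/unbound.conf ----
server:
    interface: 0.0.0.0
    access-control: 10.0.0.0/8 allow
    # Placeholder path; must be writable by unbound and seeded first.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: no           # bogus answers become SERVFAIL, not passed through
    harden-dnssec-stripped: yes       # refuse answers that should be signed but aren't
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    log-queries: yes                  # the DNS telemetry the article describes
    # Protective DNS: a known-bad domain (placeholder) never resolves.
    local-zone: "evil.example.test." always_nxdomain
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # TLS on 853; the name after '#' is checked against the upstream certificate.
    forward-addr: 192.0.2.53@853#dot.example.test
```

After a reload, `unbound-host -C /etc/unbound/unbound.conf -v` against a known signed name should report the answer as secure, and a query for the blocked name should return NXDOMAIN; a SERVFAIL for a name that used to resolve usually means the trust anchor file is missing or stale rather than an attack.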
An Overlooked Layer Worth Prioritising
For organisations that have invested in endpoint protection, email security, and network monitoring, DNS is often the gap. It is traffic that flows constantly, touches every part of the infrastructure, and has historically received little scrutiny beyond uptime and performance.
The case for DNS security is not theoretical. Attacks that use DNS as either a target or a transport are well-documented, actively exploited, and largely invisible to organisations that are not watching. Treating DNS as a security control point rather than just a resolution service closes a visibility gap that attackers have been quietly exploiting for years.
Featured Image generated by ChatGPT.