The 2025 State of Security
Uncover new ways to power smarter, resilient SOCs. Get the report, strengthen your security.
DNS Security: Today’s Most Common DNS Risks and Threats
Domain Name System (DNS) is a critical Internet service. DNS simplifies the process of finding Internet resources by resolving user-friendly domain names, such as splunk.com, into machine-readable IP addresses like 192.168.1.1.
Many sophisticated cyberattacks rely on DNS activities. Let’s review the risks DNS services face and what organizations can do to guard against DNS attacks. We’ll cover the following critical DNS security topics:
- DNS security issues
- DNS attack vectors and common DNS attacks
- DNS security solutions
DNS security issues: Vulnerabilities, threats, and risks
DNS security issues come in three categories: vulnerabilities, threats, and risks.
DNS vulnerabilities
Vulnerabilities are flaws and weaknesses in DNS systems that can be exploited by attackers. DNS vulnerabilities include misconfigurations, outdated software, failure to apply recent security patches, and susceptibility to attacks from other sources. DNS attacks stem from these vulnerabilities. The more vulnerabilities you have, the higher your risk.
DNS vulnerabilities include:
- Incorrect DNS records: Typos in DNS records and altered records that misdirect traffic
- Non-resolvable domains: Incorrectly configured hosts or default settings
- Old, outdated, or unsupported software and hardware
- Open DNS resolvers that can be exploited for DoS attacks
- Weak security settings: Improperly configured Access Control Lists (ACLs), not applying security patches, and other misconfigurations
DNS threats
Threats are human and automated attackers that exploit vulnerabilities in your DNS systems. We’ll examine common DNS attacks in the next section.
DNS risks
Risks are the potential losses and damage that occur when DNS attacks happen, including:
- Disrupting DNS server and network functionality
- Intercepting traffic to gain unauthorized access to resources for stealing personnel, organization, and financial information
- Enabling other cyberattacks, including data exfiltration, ransomware, and Denial of Service (DoS) attacks
- Affecting domain name resolution to enable phishing attacks and redirect users to malicious websites
It’s estimated that 90% of business organizations suffer DNS attacks each year, and the average organization faces 7.5 DNS attacks annually. Each attack can incur significant financial costs — estimated at $1.1 million per attack or more — and may lead to other attacks as shown above.
DNS attack vectors and common DNS attacks
Attack vectors are methods used by cybercriminals to target DNS systems. Some common DNS threats and attack vectors include:
DNS Threat | Threat Description | Attack Vectors |
DNS Tunneling | Cybercriminals encode non-DNS data, such as executable commands, into a DNS query. The hidden code may issue malicious commands to the server to enable unauthorized access and data extraction to third-party servers. | Malware infection: Attacker infects organizational devices with malware, which establishes a tunneling connection between the DNS resolver server and the attacker. |
DNS records are manipulated, allowing threat actors to route traffic from a legitimate website to a malicious one. | Man-in-the-Middle (MTM) attack: Attacker inserts themselves between a Web browser and the DNS server. The attacker then alters the information in the user’s cache (poisons cached DNS results) and on the DNS server to redirect requests to a malicious location. | |
DNS Hijacking | Attackers manipulate how DNS queries are resolved so that users are redirected to malicious websites. DNS hijacking is frequently used for pharming and phishing attacks. | Client or infrastructure attack: Hackers install malware on user PCs, seize control of routers, or hack DNS connections to conduct attacks. |
DNS Denial of Service (DoS) | Attacker bots send numerous requests through a DNS resolver, which then transmits amplified responses to the targeted DNS server, disrupting the service for legitimate users. Denial-of-service (DoS) attacks flood a server using a single device, making a website or resource unavailable. Distributed denial-of-service (DDoS) attacks use multiple devices to overwhelm the targeted resource. Attackers frequently combine ransomware with DDoS attacks, demanding a ransom to stop the attack or to prevent further disruption if their demands are not met. | DNS flood attacks: Infecting and using high-bandwidth Internet of Things (IoT) devices (video, industrial devices, virtual reality, etc.) to overwhelm DNS servers with numerous requests. DNS amplification attacks: Infecting and using use devices with smaller bandwidth connections to send many small requests for very large DNS records, Attackers designate the return address of the requests to be the intended victim, allowing the attacker to disrupt DNS services using fewer attacking devices. |
DNS Fast Flux | Cyberattackers utilize fast flux techniques to evade detection and prevent search services and organizations from denylisting (blacklisting) malicious IP addresses. Fast fluxing techniques rapidly associate a single malicious domain name with numerous, frequently changing IP addresses (sometimes thousands of IPs) that obscure the true origin of malicious content. | DNS amplification attacks: Sets of botnet servers or compromised host servers are used as proxy servers to route Web traffic to the original malicious Web server. Proxy IP addresses: Proxy IPs assigned to botnets or compromised servers obscure communication between the end-user and the original server hosting malicious content. |
Strategies for DNS security
Security strategies to protect DNS processes from manipulation, interception, redirection, and disruption include:
Tighten DNS server and administrator security
Implement strong server security practices, including role-based access, the principle of least privilege, and granular access to DNS resources and data. Organizations can implement strong passwords and user verification techniques, including multi-factor authentication, for DNS server access.
Regularly monitor and audit DNS servers
Regular monitoring of DNS logs can help detect unusual traffic patterns. Monitoring can also be performed in conjunction with Security and Information Event Management (SIEM) software for an enterprise-wide monitoring solution.
Regularly patch DNS server systems
Keep up to date with security patches.
Use a DNS firewall
Global Cyber Alliance research found that DNS firewalls can prevent more than 33% of cybersecurity breaches. Cloud and hardware-based firewalls are available from several vendors.
Employ DNS encryption
DNS requests are usually transmitted in plain text, which can be easily intercepted and modified. DNS encryption protects DNS queries and responses from outside interference. Encryption techniques include DNS over HTTPS (DoH), DNS over TLS (DoT), and DNSCrypt.
Implement DNS filtering
Solutions like Cisco Umbrella can help block access to known malicious domains and IP addresses.
Secure DNS resolvers
Use DNSSEC (Domain Name System Security Extensions) to prevent hijacking, cache poisoning, and other threats. DNSSEC protocols help verify the authenticity and integrity of DNS data.
Incorporate threat intelligence into DNS security
Utilize threat intelligence feeds to ensure that lists of malicious servers are continuously updated.
Proactively segmenting the network and managing bandwidth
Network segmentation and dynamic management can reduce impact exposure in the event of a DDoS attack.
Use CDNs or load balancers to decentralize DNS processing
Configure and use a load balancer or content delivery network (CDN) to decentralize DNS processing:
- Load balancers automatically distribute network traffic across a cluster of DNS servers, lessening the effects of a DDoS attack.
- CDNs spread DNS services across a wide geographic area — where each CDN server hosts the same application DNS data — decreasing DNS response time and ensuring that an attack only effects DNS services in that CDN segment.
Consider using advanced AI-enabled Intrusion Detection and Prevention systems
Intrusion detection systems (IDS) monitor network traffic for anomalous behavior such as cyberattacks. IDS systems can alert administrators when an attack occurs or it can issue an automation control to an integrated SIEM monitoring tool such as Splunk Enterprise Security.
Provide endpoint protection against malware
Ensure that all DNS-connected devices use advanced protection solutions that can detect and block malware.
Related resources
See an error or have a suggestion? Please let us know by emailing splunkblogs@cisco.com.
This posting does not necessarily represent Splunk's position, strategies or opinion.
Related Articles
About Splunk
The world’s leading organizations rely on Splunk, a Cisco company, to continuously strengthen digital resilience with our unified security and observability platform, powered by industry-leading AI.
Our customers trust Splunk’s award-winning security and observability solutions to secure and improve the reliability of their complex digital environments, at any scale.
Subscribe to our blog
Get the latest articles from Splunk straight to your inbox.
Connect with Splunk on X
Follow @Splunk
Connect with Splunk on Instagram
Follow @Splunk
