CyberROI

DNS Security: An Overlooked Layer of Cyber Defence

The Domain Name System is one of the most fundamental — and most exploited — internet protocols. Every web request, email delivery, and cloud application connection begins with a DNS lookup. This makes DNS both a critical dependency and a powerful security control point. Research shows that over 90% of malware uses DNS at some stage of its operation, whether for initial payload delivery, command-and-control communication, or data exfiltration.

Why DNS Is a Security Blind Spot

Many organisations treat DNS as pure infrastructure — something that needs to work reliably but does not require security attention. This creates a significant blind spot. Attackers exploit DNS in several ways:

DNS Security Controls

DNS filtering: Block resolution of known malicious, phishing, and newly registered domains. Cloud-based DNS filtering services maintain constantly updated threat intelligence databases and can block millions of malicious domains. This is one of the simplest and most cost-effective security controls available.

DNS monitoring and analytics: Analyse DNS query patterns to detect anomalies — unusual query volumes, queries to newly registered domains, DNS tunnelling patterns, or communication with domains associated with known threat actors. DNS analytics provides a detection layer that is independent of endpoint and network security tools.

DNSSEC: DNS Security Extensions authenticate DNS responses, preventing DNS spoofing and cache poisoning attacks that redirect users to malicious sites. While DNSSEC adoption has been slow, it provides an important integrity layer for organisations that implement it.

Encrypted DNS: DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt DNS queries, preventing eavesdropping on which domains users visit. For corporate environments, this must be balanced against the need for DNS visibility — encrypted DNS to corporate DNS servers provides privacy from external observers while maintaining internal monitoring capability.
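
An added example (not from the original page) for the DNS monitoring and analytics control above: it groups a constructed query log by client and parent domain and flags pairs with many distinct, long, high-entropy subdomains, one common DNS tunnelling indicator. The thresholds, function names and the last-two-labels parent heuristic are assumptions for illustration.

```python
import math
from collections import Counter, defaultdict

# Assumed thresholds for illustration; tune against your own baseline.
MIN_UNIQUE_NAMES = 30     # distinct names per client per parent domain
MIN_MEAN_ENTROPY = 3.5    # bits per character in the subdomain part
MIN_MEAN_LENGTH = 30      # characters in the subdomain part

def shannon_entropy(text):
    """Bits per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def split_name(qname):
    """Split into (subdomain, parent). Naive: parent = last two labels.
    A real deployment would use the Public Suffix List instead."""
    labels = qname.lower().rstrip(".").split(".")
    return "".join(labels[:-2]), ".".join(labels[-2:])

def find_tunnel_suspects(queries):
    """Return [(client, parent, unique_names, mean_entropy, mean_length)]
    for client/parent pairs that exceed all three thresholds."""
    seen = defaultdict(set)
    for client, qname in queries:
        sub, parent = split_name(qname)
        if sub:
            seen[(client, parent)].add(sub)
    suspects = []
    for (client, parent), subs in sorted(seen.items()):
        mean_h = sum(map(shannon_entropy, subs)) / len(subs)
        mean_len = sum(map(len, subs)) / len(subs)
        if (len(subs) >= MIN_UNIQUE_NAMES and mean_h >= MIN_MEAN_ENTROPY
                and mean_len >= MIN_MEAN_LENGTH):
            suspects.append((client, parent, len(subs), round(mean_h, 2), mean_len))
    return suspects

# Constructed sample log of (client_ip, query_name) pairs; not real traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"), ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "cdn.example.net"), ("10.0.0.5", "www.example.com"),
] + [  # one client, 40 distinct long high-entropy names under one parent
    ("10.0.0.9", f"{i:04x}{'0123456789abcdef' * 2}.example.org")
    for i in range(1, 41)
]

if __name__ == "__main__":
    for row in find_tunnel_suspects(SAMPLE_QUERIES):
        print("possible DNS tunnelling:", row)
```

Requiring all three signals together keeps ordinary hosts with a handful of short subdomains out of the results; content delivery and telemetry domains can still trip it and usually need an allowlist.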

Implementation and ROI

DNS filtering services are among the most affordable security controls, typically costing $1-$4 per user per month. For an organisation of 500 users, that is $6,000-$24,000 annually. Against the phishing, malware, and data exfiltration risks that DNS filtering mitigates, the ROI is exceptionally strong. Many organisations report blocking thousands of malicious DNS requests per day — each representing a potential security incident that was prevented at the earliest possible stage.

DNS filtering also reduces the burden on downstream security controls. By preventing connections to malicious infrastructure at the DNS layer, fewer threats reach endpoints, email gateways, and web proxies, improving the effectiveness of the entire security stack.