In August 2025, researchers tracked a 220% surge in subdomain takeovers, many linked to cookie misconfigurations that bypassed MFA outright. IBM’s latest breach report shows the average cost of these incidents now exceeds $4.88M per breach. (bakerdonelson) Meanwhile, 82% of security leaders admit their teams lack full visibility into exposed assets. (bedrockdata)

AI bots now scan billions of DNS records every day. A forgotten configuration instantly turns into live attack infrastructure. Over-scoped cookies allow hijacked subdomains to inherit valid authentication tokens, bypassing MFA without a single exploit. Attackers operate at infinite scale, while defenders rely on exhausted humans.

CISOs need to close the gaps:
• Audit dormant subdomains and DNS records
• Reduce cookie scopes to the absolute minimum
• Reframe board-level discussions around neglected assets instead of just novel threats.

Attackers thrive on what you overlook, not on what’s undiscovered. How is your team closing exposures before AI attackers turn them into their next foothold? Check https://malanta.ai for more insights.
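The post above argues for reducing cookie scope so that a hijacked subdomain cannot inherit a session token. The following added example (not part of the post) audits Set-Cookie headers for that condition: the host name and the sample headers are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Constructed sample: headers as an app served from app.example.com might emit.
RESPONSE_HOST = "app.example.com"
SAMPLE_HEADERS = [
    "session=abc123; Domain=.example.com; Path=/; Secure; HttpOnly",
    "csrf=xyz; Path=/; Secure; SameSite=Strict",
    "pref=dark; Domain=app.example.com; Path=/",
]


def cookie_scope(set_cookie_header, host):
    """Describe where one cookie will be sent and list scope/flag findings."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    (name, morsel), = jar.items()
    domain = morsel["domain"].lower().lstrip(".")   # "" when no Domain attribute
    findings = []
    if not domain:
        # Host-only cookie: the browser returns it to exactly `host`, so a
        # hijacked sibling subdomain never sees it.
        scope = "host-only"
    else:
        # Any Domain attribute makes the cookie domain-wide: it is sent to
        # `domain` and every subdomain below it.
        scope = f"{domain} and all its subdomains"
        if domain != host.lower():
            findings.append(f"over-scoped: Domain={domain} is shared with sibling subdomains of {host}")
        else:
            findings.append("Domain equals host but still reaches subdomains; omit it for host-only")
    if not morsel["secure"]:
        findings.append("missing Secure")
    if not morsel["httponly"]:
        findings.append("missing HttpOnly")
    return {"name": name, "scope": scope, "findings": findings}


def over_scoped(headers, host):
    """Names of cookies that a takeover of any sibling subdomain would receive."""
    return [cookie_scope(h, host)["name"] for h in headers
            if any(f.startswith("over-scoped") for f in cookie_scope(h, host)["findings"])]
```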
Common DNS Security Threats to Address
Summary
Common DNS security threats refer to the ways attackers exploit the Domain Name System (DNS) to redirect users, steal data, or compromise networks. Addressing these threats is crucial because DNS serves as the internet's address book, making it a frequent target for cybercriminals aiming to bypass security controls or launch large-scale attacks.
- Audit and update: Regularly review your DNS records and subdomains to identify and remove outdated or unused entries that attackers might exploit.
- Harden configurations: Apply strict security settings such as DNSSEC, limit cookie scopes, and configure email authentication (SPF, DKIM, DMARC) to block common attack techniques like spoofing and cache poisoning.
- Monitor for anomalies: Set up alerts for unusual DNS traffic patterns, such as high query volumes or requests to unknown domains, which can signal ongoing attacks or unauthorized data transfers.
🚀 Master DNS and DHCP Penetration Testing: A Comprehensive Guide for Cybersecurity Professionals 🚀

DNS and DHCP are foundational components of any network infrastructure but are often targeted by attackers due to inherent vulnerabilities. The DNS and DHCP Penetration Testing Guide is your go-to resource for understanding, testing, and securing these critical services.

🔍 Key Highlights from the Guide:

Understanding DNS and DHCP
1️⃣ DNS (Domain Name System):
• Translates domain names into IP addresses to facilitate internet navigation.
• Common vulnerabilities: DNS Spoofing, Cache Poisoning, DDoS attacks.
2️⃣ DHCP (Dynamic Host Configuration Protocol):
• Automates IP address allocation and network configurations.
• Common vulnerabilities: Rogue DHCP servers, DHCP starvation attacks.

Testing Methodologies
• Pre-Engagement Activities: Define scope, objectives, and permissions to ensure legal and effective testing.
• DNS Reconnaissance: Use techniques like zone transfers, DNS brute-forcing, and reverse DNS lookups to gather intelligence.
• DHCP Discovery: Identify active DHCP servers with tools like dhcpcd.

Exploitation Techniques
1️⃣ DNS Attacks:
• DNS Spoofing: Redirect users to malicious sites with forged DNS responses.
• Cache Poisoning: Inject false records into DNS caches to mislead users.
2️⃣ DHCP Attacks:
• Rogue DHCP Server: Distribute malicious configurations to intercept traffic.
• DHCP Starvation: Exhaust IP address pools using spoofed MAC addresses.

Practical Tools
• DNS Tools: nslookup, dig, and dnscat for enumeration and data tunneling.
• DHCP Tools: DHCPig and Yersinia for conducting starvation and spoofing attacks.

Mitigation Strategies
• DNS Security:
  • Implement DNSSEC to verify the authenticity of DNS responses.
  • Regularly audit DNS configurations and restrict zone transfers.
• DHCP Security:
  • Enable DHCP Snooping to block unauthorized servers.
  • Use static IP assignment for critical devices to reduce attack surfaces.

💡 Why It Matters: Understanding the vulnerabilities and mitigation strategies for DNS and DHCP is essential for ensuring network resilience. This guide provides actionable insights for security professionals to identify risks, conduct assessments, and implement robust defenses.

🔗 Get Started Today: Enhance your penetration testing skills and secure your network infrastructure against evolving threats.

🛡️ Let’s Collaborate: What are your go-to tools and techniques for testing DNS and DHCP? Share your thoughts and experiences in the comments below!

#CyberSecurity #PenetrationTesting #DNS #DHCP #InfoSec #NetworkSecurity #ThreatHunting #VulnerabilityManagement #DigitalSecurity #RedTeam #TechCommunity 🚀
🧑‍💻 SOC Interview Questions: DNS Traffic Monitoring 🔍

DNS traffic is a goldmine for detecting cyber threats. Interviewers often test your expertise on DNS-based attacks.

💡 Q1: You notice an unusual spike in DNS queries from a single endpoint. How would you investigate it?
💡 Q2: What tools and techniques would you use to analyze suspicious DNS traffic?
💡 Q3: How do attackers use DNS tunneling for data exfiltration, and how would you detect it?
💡 Q4: If you detect DNS-based malware activity, what are your next steps in incident response?
💡 Q5: How can security teams prevent DNS abuse and improve DNS security?
💡 Q6: Why is monitoring DNS traffic important in a SOC environment?

🚨 How I Detected a Cyber Threat Using DNS Traffic Monitoring!

As a SOC Analyst, one of my key responsibilities is to monitor DNS traffic for potential threats. Recently, I came across an unusual spike in DNS queries that led to an exciting (and alarming) discovery.

🔍 What Happened?
👉 While reviewing DNS logs, I noticed a single endpoint making thousands of random domain requests in a short period.
👉 The domains seemed suspicious—auto-generated, rarely visited, and not linked to any known business activity.
👉 I cross-checked them with Threat Intelligence feeds, and boom! They matched a known malware C2 infrastructure.

🛠 My Investigation Process
1️⃣ Identified the Affected Endpoint
Pulled logs from our SIEM (Microsoft Sentinel) to see which device was making these requests. Found an internal workstation querying these domains at an abnormal rate.
2️⃣ Analyzed the Domains
Used OSINT tools like VirusTotal, Hybrid Analysis, and PassiveTotal to check the reputation of these domains. Many were flagged as malicious and linked to a Domain Generation Algorithm (DGA) used by malware.
3️⃣ Confirmed the Threat
Checked network logs for unusual outbound traffic. Found data exfiltration attempts hidden inside DNS queries—a classic DNS tunneling attack!
4️⃣ Incident Response & Mitigation
✅ Isolated the infected endpoint to prevent further damage.
✅ Blocked the malicious domains at the DNS level using our firewall and security controls.
✅ Conducted forensic analysis, finding the root cause was a phishing email that delivered the malware.
✅ Educated users about recognizing phishing threats to prevent future incidents.

🚀 Key Takeaways
🔹 DNS is a powerful security signal—attackers exploit it for C2, exfiltration, and phishing.
🔹 Anomalous DNS traffic can be an early indicator of malware infections.
🔹 Combining SIEM, OSINT, and endpoint analysis helps confirm and mitigate threats efficiently.
🔹 User awareness is crucial! This attack started from a phishing email—reinforcing why security training matters.

#CyberSecurity #SOC #ThreatHunting #DNSMonitoring #IncidentResponse #SIEM #Phishing #MalwareAnalysis #DFIR #ThreatIntelligence #SOCAnalyst #InfoSec #CyberThreats #SecurityOperations #SIEMDetection #SecurityAwareness #BlueTeam #CyberAttack #SecurityMonitoring
I wanted to share some insights on a crucial topic for anyone working with SIEM tools: Detecting DNS tunneling attempts. This is something we all need to be vigilant about to keep our networks secure. Here are some key conditions to set up in your SIEM tool:

>> Unusually Long DNS Queries: DNS tunneling often involves long domain names. Set a rule to flag DNS queries that exceed a typical length (e.g., more than 64 characters).

>> High Volume of DNS Requests: Keep an eye out for an unusually high number of DNS requests from a single source within a short time frame. This can be a red flag for data exfiltration attempts.

>> Uncommon DNS Record Types: DNS tunneling can use uncommon DNS record types like TXT, NULL, or CNAME. Remember, legitimate applications can also use these types of records, so make sure to whitelist/exclude those apps.

>> Frequent DNS Requests to Unusual Domains: Look for DNS requests to domains that are not commonly accessed by your network. This can include newly registered domains or domains with low reputation scores. Integrating threat intel platforms can help filter out these domains, or you can create a separate use case for this.

>> Mismatch in DNS Query and Response Sizes: Set conditions to detect significant mismatches between the sizes of DNS queries and their responses, which can indicate tunneling activity. For example, in your network, normal DNS queries typically have a size of around 50-100 bytes, and the corresponding responses are usually within 100-200 bytes. However, during a DNS tunneling attempt, you might observe the response size (500 bytes) is much larger than the query size (70 bytes).

Be cautious with these conditions as they can trigger a lot of false positives. Fine-tuning and continuous monitoring are key. Feel free to share your thoughts—I’d love to hear them!

#Cybersecurity #DNSTunneling #ThreatDetection #IncidentResponse #SOC
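The five conditions above, and the "spike in queries from a single endpoint" scenario in the SOC post earlier on this page, run over constructed DNS log lines as an added example (not code from either post). The log format, the baseline and allowlist sets and every threshold except the 64-character query length are assumptions.

```python
from collections import defaultdict

# Constructed log lines: "epoch_seconds src_ip qtype qname query_bytes response_bytes"
LOG_LINES = [
    "1700000000 10.0.0.5 A www.example.com 45 120",
    "1700000001 10.0.0.5 TXT _dmarc.example.com 50 180",
    "1700000002 10.0.0.9 A " + "a" * 40 + "." + "b" * 30 + ".tun.example.net 110 160",
    "1700000003 10.0.0.9 TXT c2.evil-domain.test 70 500",
] + [f"17000000{10 + i:02d} 10.0.0.9 NULL chunk{i:03d}.data.evil-domain.test 60 90"
     for i in range(25)]

# Assumed tuning values; only MAX_QNAME_LEN comes from the post itself.
BASELINE_DOMAINS = {"example.com", "example.net"}   # domains the network normally uses
RRTYPE_ALLOWLIST = {"_dmarc.example.com"}            # legitimate users of TXT/NULL/CNAME
MAX_QNAME_LEN = 64
VOLUME_LIMIT = 20          # queries per source within WINDOW_SECONDS
WINDOW_SECONDS = 60
SIZE_RATIO = 4.0           # response/query byte ratio treated as suspicious


def parse(line):
    ts, src, qtype, qname, qlen, rlen = line.split()
    return {"ts": int(ts), "src": src, "qtype": qtype.upper(),
            "qname": qname.lower(), "qlen": int(qlen), "rlen": int(rlen)}


def base_domain(qname):
    # Naive registrable-domain guess (last two labels); real tooling should
    # consult the public suffix list.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def evaluate(lines):
    """Return sorted (rule, src, qname) hits for the five conditions in the post."""
    hits = set()
    per_src = defaultdict(list)
    for r in (parse(ln) for ln in lines):
        if len(r["qname"]) > MAX_QNAME_LEN:
            hits.add(("long_query", r["src"], r["qname"]))
        if r["qtype"] in {"TXT", "NULL", "CNAME"} and r["qname"] not in RRTYPE_ALLOWLIST:
            hits.add(("uncommon_rrtype", r["src"], r["qname"]))
        if base_domain(r["qname"]) not in BASELINE_DOMAINS:
            hits.add(("unusual_domain", r["src"], r["qname"]))
        if r["qlen"] and r["rlen"] / r["qlen"] >= SIZE_RATIO:
            hits.add(("size_mismatch", r["src"], r["qname"]))
        per_src[r["src"]].append(r["ts"])
    # Volume rule: sliding window over each source's sorted timestamps.
    for src, stamps in per_src.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 > VOLUME_LIMIT:
                hits.add(("high_volume", src, f">{VOLUME_LIMIT} queries in {WINDOW_SECONDS}s"))
                break
    return sorted(hits)


if __name__ == "__main__":
    for hit in evaluate(LOG_LINES):
        print(*hit)
```

The allowlisted `_dmarc` TXT lookup and the ordinary A query from 10.0.0.5 produce no hits, which is the false-positive tuning the post asks for.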
👺 The recent Microsoft 365 #DirectSendAbuse phishing campaigns are a perfect example of how understanding email & DNS security has fallen by the wayside by many... It's just one of many vectors to bypass email security...

📧 From a #RedTeaming perspective, other common vulnerabilities beyond Direct Send that can be abused in social engineering engagements include SMTP smuggling, leveraging unauthenticated SMTP relays, using SPF break vulnerabilities with overly permissive SPF records that permit office WAN IPs or untrusted sources, and performing DNS poisoning on devices sending email via authenticated SMTP.

🛡️ All of those are reasons why security teams need to pay close attention to their SPF, DKIM, and DMARC configurations as well as implement DNSSEC, MTA-STS, and DANE. For those who might not be familiar, DNSSEC protects against DNS spoofing and cache poisoning attacks, ensuring that domain name requests are authenticated and tamper-proof. Without DNSSEC, attackers can manipulate DNS responses to redirect users to malicious websites or hijack email communications. MTA-STS enforces email encryption in transit, preventing downgrade attacks where attackers force email servers to communicate over unencrypted connections. DANE ensures the authenticity of TLS certificates used in email encryption, protecting against man-in-the-middle (MITM) attacks and rogue certificate authorities issuing fraudulent certificates. Both MTA-STS and DANE work in conjunction with DNSSEC, so you'll need DNSSEC set up first before moving on to the other two. Below are helpful configuration guides for folks; extra kudos to anyone who implements DNS cookies as well, haha.

📰 News:
- https://lnkd.in/gpMwiQxx
- https://lnkd.in/gAMU8utB

📚 Guides:
- Disable Direct Send in Office 365 - https://lnkd.in/gDvqHeRM
- Using Authenticated SMTP with Multi-function Printer Mailboxes - https://lnkd.in/grxDa9M2
- Configuring DKIM in Exchange Online & Defender for Office 365 - https://lnkd.in/gWAfFUFZ
- How DNSSEC Works - https://lnkd.in/gMw4i2t4
- Configuring MTA-STS in Exchange Online & Defender for Office 365 - https://lnkd.in/gmmpYvPs
- Configuring DANE in Exchange Online & Defender for Office 365 - https://lnkd.in/gZXfB3Tj
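The post above names overly permissive SPF records as one of the conditions red teams look for. The following added example (not from the post) is a small SPF auditor a defender can run over their own TXT records; the sample records and the prefix-width thresholds are constructed assumptions, while the 10-lookup limit and the advice against `ptr` come from RFC 7208.

```python
import ipaddress

# Constructed sample records; "weak.example" shows the permissive patterns.
SAMPLE_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
    "weak.example": "v=spf1 ip4:198.51.100.0/16 a mx ptr +all",
}

# Assumed thresholds: an ip4 network wider than /24 or an ip6 network wider
# than /48 is flagged for review.
MIN_IPV4_PREFIX = 24
MIN_IPV6_PREFIX = 48
LOOKUP_MECHANISMS = {"a", "mx", "include", "exists", "redirect", "ptr"}


def audit_spf(record):
    """Return a list of findings for one SPF TXT record (empty means no issue)."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings, lookups = [], 0
    for term in terms[1:]:
        qualifier = "+"                      # SPF default when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # "redirect=" uses '=' while mechanisms use ':'; normalise both.
        name, _, arg = term.replace("=", ":", 1).partition(":")
        name = name.lower()
        if name == "all":
            if qualifier == "+":
                findings.append("'+all': any host on the internet may send as this domain")
            elif qualifier == "?":
                findings.append("'?all': neutral result, receivers treat it as no policy")
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            floor = MIN_IPV4_PREFIX if net.version == 4 else MIN_IPV6_PREFIX
            if net.prefixlen < floor:
                findings.append(f"{name}:{arg} authorises {net.num_addresses} addresses")
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "ptr":
            findings.append("'ptr' SHOULD NOT be published (RFC 7208); replace with ip4/ip6")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10")
    return findings


def audit_all(records):
    """Audit every (domain -> SPF record) pair and keep the findings per domain."""
    return {domain: audit_spf(rec) for domain, rec in records.items()}
```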
After more than a decade, NIST has finally updated its DNS security guidance, and it’s a wake-up call for organizations still treating DNS as “just infrastructure.” The new SP 800-81r3 reframes DNS as something far more powerful: a frontline security control.

Here’s what stands out:

▪️ DNS is now a security enforcement layer - Protective DNS isn’t optional anymore. It can block malicious domains, filter risky traffic, and provide critical logs for incident response. When integrated with SIEM, it becomes a high-value detection signal—not just a resolver.

▪️ Hybrid DNS is the smart play - NIST leans toward combining cloud-based protective DNS with on-prem fallback. Why? Because resilience matters. If one layer fails, protection shouldn’t disappear with it.

▪️ Encrypted DNS shifts control points - With DoH, DoT, and DoQ, visibility moves. The DNS server becomes the control tower for both enforcement and detection. But there’s a catch: unmanaged encrypted DNS can bypass your controls entirely if you’re not careful.

▪️ DNSSEC is evolving - Modern cryptographic standards are in. ECDSA and EdDSA are preferred over RSA due to efficiency. Shorter signature validity windows are recommended to reduce risk exposure.

▪️ Small misconfigurations = big risks - Dangling CNAMEs. Lame delegations. Forgotten domains. These are not edge cases—they’re common attack paths. DNS hygiene is now a security priority, not an ops afterthought.

▪️ Architecture still matters - Separate recursive and authoritative DNS. Distribute servers geographically. Use hidden primaries. These aren’t new ideas—but they’re still widely ignored.

DNS touches nearly every connection your organization makes. That alone should make it one of your most secured assets. If your DNS strategy hasn’t been revisited in years, now is the time. Because attackers already know that DNS is one of the easiest places to hide, and one of the most powerful places to defend.

#cybersecurity #DNS #NIST #SecurityGuidance https://lnkd.in/gu8jU6_H
We all love our firewall logs, Windows event logs, and antivirus alerts. But some of the most critical indicators come from logs that too often get ignored or underutilized — especially in smaller SOC setups. Today, I want to share 5 log sources that changed how I see threats:

1. DNS Logs
Why they matter: They reveal C2 communication, domain generation algorithms (DGAs), and suspicious lookups before payload execution.
Use case: Detect beaconing to strange subdomains or rapid queries to newly registered domains.

2. Proxy/Web Filter Logs
Why they matter: They uncover where the user actually went — not just what they clicked. Especially powerful for malware callbacks and phishing follow-throughs.
Use case: Spot users accessing malicious URLs after clicking email links.

3. Endpoint Command-Line Logging (Sysmon, EDR)
Why they matter: Most attackers operate through command-line and PowerShell. Default logs won’t show it — but enabling command-line auditing paints a clear picture.
Use case: Detect encoded PowerShell or suspicious use of LOLBins.

4. Authentication Logs from Cloud Services (O365, Okta, etc.)
Why they matter: Identity is the new perimeter. MFA fatigue, impossible travel, login anomalies — it’s all there.
Use case: Find brute-force attempts that bypass local defenses through the cloud.

5. Audit Logs from Internal Applications
Why they matter: Insider threats and privilege misuse often hide here — not in OS-level logs.
Use case: Monitor abnormal activity like mass downloads, record deletions, or permission changes.

SIEM Tip: Most SIEMs aren’t “missing” these logs — they’re just not ingested or correlated properly. Talk to your engineering team. You might already have gold you’re not seeing.

What’s your favorite underrated log source?

#CyberSecurity #SIEM #SOCAnalyst #DetectionEngineering #LogSources #BlueTeam #ThreatDetection #Wazuh #ElasticSIEM #MicrosoftDefender #Sysmon #DNS #Okta
Is Your Organization Ready for DNS Attacks in 2025?

Did you know? DNS attacks are a growing threat, and if your Security Operations Center (SOC) isn’t prepared, you could face major service disruptions, data theft, and compromised systems. Let's dive into the top DNS attacks that every cybersecurity leader should know about!

🔴 DNS Spoofing/Cache Poisoning
Impact: Phishing, data theft.
Defense: DNSSEC, clear caches, and secure your DNS servers.

🔴 DNS Amplification Attack
Impact: Service outages (DDoS).
Defense: Rate limiting and restrict open resolvers.

🔴 DNS Tunneling
Impact: Malware control, data exfiltration.
Defense: Packet inspection and traffic monitoring.

🔴 DNS Hijacking
Impact: Traffic interception, data theft.
Defense: DNSSEC, strong authentication, and secure settings.

🔴 NXDOMAIN Attack
Impact: Service unavailability.
Defense: Rate limiting and DNS traffic monitoring.

🔴 Phantom Domain Attack
Impact: Performance degradation.
Defense: Block suspicious domains and monitor DNS traffic.

🔴 DNS Reflection Attack
Impact: DDoS, service unavailability.
Defense: Restrict resolvers, implement rate limiting.

🔴 Domain Locking
Impact: Loss of domain control.
Defense: Registry lock and multi-factor authentication.

🔴 Typosquatting/URL Hijacking
Impact: Phishing, malware.
Defense: Register similar domains and use typo detection tools.

🔴 DNS Flood Attack
Impact: Downtime or degraded performance.
Defense: Rate limiting and scalable infrastructure.

These DNS attacks are not just theoretical; they can cause major disruptions if left unchecked. Your SOC must have the right defenses in place to keep these threats at bay. Your DNS security strategy must be a priority in 2025.

🔁 Share to raise awareness of DNS security risks!
➡️ Follow Marcel Velica for more cybersecurity insights!
*** KeyTrap Attack ***

Improving the security of modern societies is the goal of ATHENE-Center. Therefore, we do not only publish our research in top scientific conferences, but also focus on research which has an immediate impact, research which prevents attacks and ensures security. Discovering vulnerabilities and closing them, before the hackers exploit them, is an important part of our mission to secure the Internet.

In 2023, Elias Heftrig, Niklas Vogel, Michael Waidner and I found severe and fundamental flaws in the #DNSSEC standard, which can be exploited to attack the Domain Name System #DNS. For instance, some popular DNS resolvers can be stalled for 16 hours with just a single DNS packet. The vulnerability is at least 25 years old and we found that it has been in the wild at least since 2000. We demonstrated the attacks to the vendors and worked with them to develop effective patches.

The flaws in the DNSSEC standard have implications for ALL standard-supporting DNS resolvers and are challenging to resolve, as is also evident from the number of patch iterations we had with the developers. Further, patched DNS resolvers necessarily break the standard requirements, or else are vulnerable to CPU exhaustion attacks.

A brief explanation of the flaws in the DNSSEC standard and our KeyTrap attacks that exploit them can be found in the @RIPE Blog here: https://lnkd.in/d2e-3b8k

The technical report describing our research can be found here: https://lnkd.in/dgYDZzD6

We would like to use this opportunity to thank the many vendors for their support and collaboration during the last months.
NEW: The attack called “Sitting Ducks” is easy to perform, difficult to detect, almost totally unrecognized, but totally preventable. And millions of domains are exploitable targets.

To hijack domains, attackers exploit incorrect configurations at DNS providers without accessing the real owner’s account, and without registering a domain themselves. The attack is different from other domain control techniques as registrar access is not required and all the attackers need is lame delegation. (Lame delegations often occur when DNS servers are incorrectly configured, expired, or otherwise fail to respond to DNS queries for a specific domain.)

The Sitting Duck attack requires a few conditions. First, a registered domain delegates DNS services to a different provider than the domain registrar. Then, the delegation has to be lame; this term describes that the DNS server does not have information about the website and cannot resolve its address. Lastly, the DNS provider itself needs to be “exploitable” and allow attackers to “claim” the domains and set up new DNS records without accessing the real owner’s account.

https://lnkd.in/gENHwixh #auguryit #cybersec