DNS attacks expose the governance gap in internet trust layers

At a glance

What this is: This is a catalogue of 16 DNS attack patterns and their operational impact, with the key finding that DNS weaknesses can redirect trust, expose data, and take services offline.

Why it matters: It matters because identity, secrets, and access workflows often rely on DNS as an unseen control layer, so IAM and security teams need to treat DNS integrity as part of broader trust governance.

By the numbers:

• DNS amplification attacks can increase traffic by factors of 30-50x or more.
• Attackers attempt access within an average of 17 minutes when AWS credentials are exposed publicly.
• Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
• Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems.

👉 Read DigiCert's breakdown of 16 DNS attack patterns and how they work

Context

DNS is the resolution layer that turns names into routable destinations, which makes it a hidden dependency for nearly every identity-backed digital service. When attackers manipulate that layer, they are not just disrupting connectivity. They are interfering with the trust path that users, workloads, and agents rely on before authentication or authorisation even begins.

For IAM and NHI programmes, the practical issue is not whether DNS is a network problem or an identity problem. It is both. If resolution can be poisoned, hijacked, or redirected, then token exchange, certificate validation, and access to secret-backed services can all be led into attacker-controlled infrastructure. That is why DNS controls belong in the same governance conversation as workload identity, secrets handling, and access policy.

The article’s taxonomy is typical of modern DNS threat analysis: it groups disruption, redirection, covert channel abuse, and infrastructure takeover into one operational model. That makes it useful for practitioners who need to map attack patterns to control owners rather than treat DNS as an isolated edge service.

Key questions

Q: What breaks when DNS records are not governed like identity dependencies?

A: When DNS records are left outside identity governance, attackers can redirect users, hijack subdomains, or poison resolution in ways that bypass normal access controls. The result is not just network instability. It is credential exposure, trust substitution, and hidden paths into services that assume the name being resolved is already trustworthy.

Q: Why do DNS attacks matter to NHI and secrets management teams?

A: DNS attacks matter because many machine identities, secret-backed services, and authentication flows depend on reaching the correct destination. If resolution is manipulated, tokens and API keys can be sent to attacker-controlled infrastructure, and even secure authentication can be undermined by a bad trust path before login completes.

Q: How can security teams tell DNS abuse from normal traffic growth?

A: Look for behavioural anomalies rather than volume alone. Repeated lookups for unique subdomains, unusual record types, suspiciously small or large payloads, sudden TTL shifts, and rapid changes in resolved IPs are stronger indicators of tunneling, DGA activity, or fast-flux infrastructure than simple traffic increases.

Q: How should organisations respond when DNS becomes part of the attack chain?

A: They should treat DNS events as containment issues, not only availability issues. That means isolating affected resolvers, reviewing record integrity, checking for dangling subdomains, and correlating DNS logs with access and endpoint data so the team can see whether the attack also exposed credentials or enabled lateral movement.

Technical breakdown

DNS amplification and reflection turn small queries into large floods

DNS amplification works because the protocol allows a small request to trigger a much larger response, especially when open resolvers answer crafted queries. Reflection adds spoofed source addresses so the response lands on the victim, not the sender. The mechanics matter because the DNS infrastructure itself may not be compromised, yet it still becomes the delivery vehicle for the attack. This is a protocol-level abuse of trust and scale, not a malware problem. Rate limiting, resolver hardening, and anti-spoofing controls reduce exposure, but the key architectural lesson is that shared infrastructure can be weaponised at the protocol layer.

Practical implication: restrict open resolvers and enforce anti-spoofing controls on every DNS path you own.

DNS hijacking, spoofing, and cache poisoning redirect trust

Hijacking and spoofing manipulate the answer to a name lookup so users reach an attacker-controlled destination. Cache poisoning goes one step deeper by inserting forged answers into a resolver cache, which then serves the wrong address until expiry or purge. The identity impact is direct: users may enter credentials, tokens, or payment data into convincing lookalike sites while believing they are on legitimate services. In operational terms, this is a trust-substitution attack. The control problem is not only detection. It is also validation, record integrity, and monitoring for resolver or registrar change events that alter destination control.

Practical implication: monitor DNS record integrity and resolver changes as identity-risk events, not just network events.

DNS tunneling and rebinding create covert paths around security boundaries

DNS tunneling hides data inside query and response fields so compromised systems can exfiltrate information or maintain command-and-control while appearing to use normal DNS traffic. DNS rebinding exploits browser trust by making a domain resolve first to an attacker host and then to an internal address, enabling script-driven access across internal boundaries. Both techniques exploit the fact that DNS is often trusted and lightly inspected. For security teams, the architectural issue is not only blocking malicious domains. It is understanding that DNS can become a transport layer for data movement and a bridge into internal services when policy assumes name resolution is benign.

Practical implication: inspect DNS for abnormal payloads, unusual record types, and unexpected internal reachability from browser-originated sessions.

Threat narrative

Attacker objective: The attacker wants to control how names resolve so they can steal data, redirect users, hide command traffic, or deny access to critical services.

1. Entry occurs through compromised or abused DNS infrastructure, including open resolvers, dangling subdomains, forged responses, or malicious domains that users are induced to visit.
2. Escalation happens when the attacker redirects traffic, poisons caches, or tunnels data through DNS so credentials, commands, or resolution requests move through attacker-controlled paths.
3. Impact follows as service availability degrades, victims reach phishing pages or malware sites, and sensitive data or internal access paths are exposed.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

DNS is not just infrastructure. It is a trust control that identity programmes already depend on. When a name can be redirected, poisoned, or tunneled, the trust chain that precedes authentication is already under attack. That means DNS governance belongs in IAM, NHI, and secrets management conversations, not only in network operations. Practitioners should treat resolution integrity as part of access assurance.

Identity teams should recognise DNS hijacking as a credential exposure amplifier. A user or workload that reaches the wrong destination can disclose tokens, certificates, and API keys even when the authentication stack itself is unchanged. That creates a governance gap between access design and destination assurance. The implication is that identity controls cannot assume the endpoint reached is the endpoint intended.

Subdomain takeover is a lifecycle failure, not a naming problem. Dangling DNS records exist because ownership, offboarding, and external dependency cleanup were never closed out. That is the same lifecycle pattern seen in NHI governance failures, where assets outlive the team, vendor, or service that created them. Practitioners should manage DNS records with the same discipline used for non-human identity lifecycle.

DNS tunneling shows how covert channels emerge when traffic classification stops at the protocol label. DNS may look legitimate while carrying exfiltration or command traffic inside its payload structure. This is why security teams need policy, inspection, and anomaly detection that understand the purpose of the traffic, not just the port number. The practical conclusion is simple: visibility into DNS behaviour is a control requirement, not an optional enhancement.

Fast-flux and DGA patterns show that adversaries increasingly treat DNS as infrastructure for persistence. Rapid domain rotation and frequent IP changes make takedowns slower and blocklists less reliable. That pattern should push practitioners toward adaptive monitoring and registrar-level oversight, because static control assumptions age badly in a dynamic name-resolution environment. The field needs DNS governance that can follow the attacker’s pace.

From our research:

• Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, according to the 2026 Infrastructure Identity Survey.
• Another finding from the same survey shows that only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
• For teams thinking beyond DNS alone, the NHI Lifecycle Management Guide is the next step for tightening ownership, offboarding, and rotation discipline across machine identities.

What this signals

DNS integrity will increasingly behave like an identity control, not a perimeter control. As more access paths depend on machine identity, certificate validation, and secret-backed services, a compromised resolution layer can undermine trust before IAM even evaluates a request. Teams should expect DNS review to become part of privileged access, workload identity, and service onboarding governance.

Subdomain takeover is a lifecycle failure mode with identity consequences. The cleanup problem looks like a DNS hygiene issue until an abandoned record becomes a live entry point for phishing or malicious hosting. This is the same governance blind spot that appears when service ownership, offboarding, and access reviews are separated from operational reality.

With least-privileged AI access producing a 17% incident rate versus 76% for over-privileged systems, per the 2026 Infrastructure Identity Survey, the broader lesson is that trust boundaries only hold when access scope and destination control are both governed.

For practitioners

• Inventory every externally reachable resolver and authoritative zone Map which teams own each resolver, which records support production services, and which third-party dependencies can create dangling subdomain risk. Tie the inventory to ownership and offboarding so abandoned DNS records are removed before they become takeover paths.
• Treat DNS change events as identity-risk signals Alert on registrar updates, unexpected TTL changes, resolver policy changes, and record additions that redirect authentication or secret-dependent services. Review those events with the same urgency you would apply to a privileged access change.
• Inspect DNS for covert-channel behaviour Look for unusual query volume, abnormal payload sizes, suspicious record types, and repeated requests to newly generated domains. Correlate those patterns with endpoint and workload telemetry so tunneling or DGA traffic is not missed in isolation.
• Harden resolver policy against spoofing and reflection Disable or restrict open resolvers, enforce source validation, and apply rate limiting to high-volume DNS paths. These controls reduce the ability of attackers to amplify traffic or abuse your infrastructure as part of a reflection attack.
• Align DNS governance with lifecycle cleanup Require the same offboarding discipline for DNS records, delegated subdomains, and service endpoints that you use for NHIs. If a service is retired, its DNS footprint should be removed, not left to linger as inherited attack surface.

Key takeaways

• DNS attacks exploit trust in name resolution, so the security impact reaches identity, secrets, and availability at once.
• Attackers use amplification, hijacking, tunneling, rebinding, and subdomain takeover to turn DNS into a delivery layer for fraud, exfiltration, and disruption.
• Practitioners need DNS governance that includes ownership, lifecycle cleanup, resolver hardening, and behavioural monitoring, not just network uptime metrics.

Key terms

• DNS Hijacking: DNS hijacking is the redirection of name resolution so a user or workload reaches an attacker-controlled destination instead of the intended service. In practice, it can happen through compromised DNS records, router settings, or malicious changes to resolution infrastructure.
• DNS Tunneling: DNS tunneling is the use of DNS queries and responses to carry hidden data for command-and-control or exfiltration. Because DNS is commonly trusted and lightly inspected, attackers can hide malicious communication inside traffic that looks routine at first glance.
• Subdomain Hijacking: Subdomain hijacking occurs when an attacker takes control of a legitimate subdomain, often through a dangling DNS record that points to an abandoned third-party service. The result is trusted branding attached to attacker-owned infrastructure, which can be used for phishing or malicious hosting.
• Fast-Flux DNS: Fast-flux DNS is a technique that rapidly rotates the IP addresses or hosting infrastructure behind a domain to make blocking and takedown more difficult. It is commonly used to prolong the life of phishing, botnet, and malware distribution infrastructure.

Deepen your knowledge

NHI governance, machine identity security, and identity lifecycle management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or access governance in your organisation, it is worth exploring.

This post draws on content published by DigiCert: 16 DNS attacks you should know about managed DNS. Read the original.