By NHI Mgmt Group Editorial Team
Published 2026-02-06
Domain: Governance & Risk
Source: DigiCert

TL;DR: DNS traffic closed December at 4.75 trillion authoritative queries, DDoS attacks jumped to 176 in the month, and the largest event reached 2.02 Tbps, according to DigiCert’s Q4 2025 RADAR Brief. Availability planning now has to assume endurance under coordinated abuse, not just peak-volume mitigation, because sustained multi-layer pressure is testing resilience across infrastructure and applications.


At a glance

What this is: A Q4 2025 resilience briefing showing that DNS, DDoS, and application-layer pressure are converging into sustained endurance testing rather than short disruption events.

Why it matters: For IAM practitioners, availability, session integrity, and trust signals increasingly depend on shared infrastructure that can be stressed across layers, including systems that support identity, access, and application control.



Context

Digital trust depends on infrastructure behaving consistently under pressure. In this case, the core issue is not whether DNS, DDoS mitigation, or web application controls exist, but whether they can sustain service when demand, abuse, and operational fatigue rise at the same time.

The Q4 pattern shows a broader governance problem for identity and access programmes: resilience is no longer just a network or application concern. When shared services are degraded, authentication flows, privileged administration, and application trust chains all become harder to assure.


Key questions

Q: How should security teams prepare for sustained DNS and DDoS pressure?

A: Teams should plan for prolonged pressure, not just peak traffic. That means testing mitigation capacity, escalation paths, provider coordination, and staffing assumptions under multi-day conditions. DNS, application, and identity dependencies should be reviewed together so degraded availability does not quietly become degraded trust.

Q: Why do DNS outages create wider trust problems for identity programmes?

A: Because DNS sits underneath certificate validation, service discovery, and many authentication flows. When it is degraded, users may still reach some services while access assurance becomes inconsistent. That makes DNS a trust dependency, not just an availability dependency, for IAM and application security teams.

Q: What should practitioners measure to tell whether resilience is actually improving?

A: Measure time to mitigation, time to stable service, and the amount of pressure the environment can absorb before access or application trust degrades. Also track whether DNS anomalies, session failures, and escalation delays line up during stress events, because that reveals hidden coupling.

Q: Who is accountable when sustained infrastructure attacks disrupt access and availability?

A: Accountability should sit across network operations, security, application owners, and any provider that supports DNS or mitigation services. The important point is that resilience failures are usually shared failures, so the governance model has to name who owns detection, containment, communication, and recovery.


Technical breakdown

DNS pressure as an availability control problem

DNS is not just a lookup service. It is a dependency for application routing, certificate validation, API resolution, and user access flows, which makes it a high-impact trust layer when demand and abuse rise together. The brief shows both heavier query volume and more NXDOMAIN responses, a pattern that often appears when automated systems probe names, enumerate services, or generate speculative lookups. That does not mean DNS failed. It means the control surface is being stressed by legitimate traffic and hostile traffic at the same time, which reduces margin for error.

Practical implication: separate DNS observability from general network monitoring so you can see when legitimate load is masking abuse.

DDoS endurance is replacing short-burst disruption

The article’s key change is persistence. Attackers moved from contained bursts to long-running campaigns, with the longest event lasting more than eight days and the largest attack reaching terabit scale. That shifts DDoS from a capacity spike problem to an operational stamina problem. Defenders are no longer only testing whether they can absorb a single peak. They are testing whether mitigation, escalation, staffing, and upstream coordination can hold steady under prolonged pressure.

Practical implication: test mitigation playbooks for sustained events, not just initial surge handling.

Application-layer abuse is narrowing onto high-value trust paths

UltraWAF telemetry shows that while total malicious volume declined in December, automated abuse persisted and cookie manipulation remained a major technique. That points to a shift toward session handling, authentication logic, and state integrity rather than broad noisy scanning. In practice, this is where resilience and identity meet: if attackers can disrupt or manipulate session state, the user experience may remain up while trust conditions degrade underneath it.

Practical implication: review session and authentication controls together, because application abuse often targets the handoff between them.


NHI Mgmt Group analysis

Availability pressure is now an identity governance issue, not only an infrastructure issue. When DNS, DDoS, and application state are stressed together, access assurance becomes harder to maintain because the systems that prove trust are themselves degraded. That widens the gap between policy intent and operational reality. Security leaders need to treat resilience as part of access governance, not a separate operational concern.

The useful concept here is identity blast radius under shared-service strain. DNS and application dependencies create indirect failure paths that IAM teams often do not model explicitly. A service may remain technically online while authentication, session validation, or admin workflows become unreliable, which expands the blast radius of an otherwise non-identity event. Practitioners should map where availability failures become trust failures before incident conditions expose the gap.

Attackers increasingly exploit endurance, not just volume. Sustained campaigns are designed to exhaust defenders, throttle response windows, and create compounding operational risk across layers. That changes the control question from “can we block the peak?” to “can we remain trustworthy across an extended pressure window?” The implication is that resilience planning must include identity, application, and infrastructure dependencies in one model.

Cross-layer pressure validates integrated resilience planning across NHI, IAM, and application controls. The article shows how DNS, network, and web layers reinforce each other during attack activity. For identity teams, that means access workflows, privileged administration paths, and application dependencies should be tested against degraded conditions, not ideal ones. The practitioners who will cope best are the ones who already model failure across shared trust services.

From our research:

  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging (37%) and over-privileged accounts (37%), according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
  • For a broader view of how NHI governance maturity is evolving, see Ultimate Guide to NHIs, 2025 Outlook and Predictions.

What this signals

Identity programmes should now treat resilience metrics as governance signals. When DNS and DDoS pressure rises together, the question is not only whether services stay up, but whether authentication, certificate, and session controls remain trustworthy while infrastructure is degraded. That is where operational resilience and identity governance start to overlap in practice. With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security, weak dependency mapping remains the hidden failure mode.

The next planning step is to map where shared services can turn a performance event into an identity event. That includes DNS, access gateways, certificate validation, and any privileged workflows that depend on third-party infrastructure or external resolution paths.

A useful named concept here is identity blast radius under shared-service strain: the point where degraded infrastructure starts to impair access assurance, not just uptime. Teams that can model that blast radius will be better positioned to keep control when attack activity becomes sustained.


For practitioners

  • Map identity dependencies on shared infrastructure: Document which authentication, certificate, DNS, and admin workflows depend on the same resolution and availability layers so you can see where a single disruption cascades across access paths.
  • Test endurance-focused mitigation playbooks: Run exercises that assume multi-hour or multi-day pressure, then check whether alert fatigue, staffing, escalation, and provider coordination still hold up after the first mitigation wave.
  • Review session integrity under degraded conditions: Validate that cookie handling, session state, and re-authentication logic still work when DNS or upstream availability is unstable, because those failures often surface together.
  • Separate DNS abuse signals from legitimate growth: Track query growth, NXDOMAIN spikes, and attack volume independently so seasonal traffic increases do not hide automated probing or coordinated denial activity.
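
The separation described in the DNS breakdown and in the last item above, as an added example (not code from DigiCert's brief or from NHI Mgmt Group): it scores query volume and NXDOMAIN share independently against a median/MAD baseline, so a traffic increase and a probing pattern get different labels. The hourly counts, the thresholds `k` and `growth_factor`, and the label names are constructed assumptions.

```python
from statistics import median

# Constructed hourly samples: (hour label, total queries, NXDOMAIN responses).
BASELINE = [("h01", 1000, 50), ("h02", 1100, 52), ("h03", 950, 49),
            ("h04", 1050, 55), ("h05", 1000, 51), ("h06", 1020, 50)]
OBSERVED = [("h07", 1030, 53),    # ordinary hour
            ("h08", 2100, 104),   # traffic doubles, NXDOMAIN share unchanged
            ("h09", 1040, 210),   # flat volume, NXDOMAIN share jumps
            ("h10", 2200, 480)]   # growth and NXDOMAIN share rise together


def robust_baseline(values):
    """Median and MAD, so one noisy baseline hour does not shift thresholds."""
    med = median(values)
    mad = median([abs(v - med) for v in values])
    return med, mad


def classify(baseline, observed, k=6.0, growth_factor=1.5):
    """Score volume and NXDOMAIN share independently, then combine the labels."""
    vol_med, _ = robust_baseline([q for _, q, _ in baseline])
    ratio_med, ratio_mad = robust_baseline([nx / q for _, q, nx in baseline])
    # Floor the MAD so a very flat baseline does not alert on tiny changes.
    ratio_limit = ratio_med + k * max(ratio_mad, 0.005)
    results = {}
    for label, queries, nxdomain in observed:
        if queries == 0:
            results[label] = "no-data"  # a silent resolver is its own signal
            continue
        grew = queries > growth_factor * vol_med
        nx_high = nxdomain / queries > ratio_limit
        if grew and nx_high:
            # A volume-only view would file this hour under growth.
            results[label] = "growth-plus-nxdomain-spike"
        elif nx_high:
            results[label] = "nxdomain-spike"
        elif grew:
            # A raw NXDOMAIN count threshold would alert here (104 vs ~50).
            results[label] = "legitimate-growth"
        else:
            results[label] = "normal"
    return results


if __name__ == "__main__":
    for hour, verdict in classify(BASELINE, OBSERVED).items():
        print(hour, verdict)
```
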

Key takeaways

  • Q4 2025 shows that resilience is being tested across DNS, DDoS, and application layers at the same time, which makes availability a governance issue as much as an operations issue.
  • The scale changed materially, with December DNS traffic reaching 4.75 trillion authoritative queries and DDoS activity rising to 176 attacks, including a 2.02 Tbps event.
  • Practitioners should model how degraded infrastructure affects authentication, session integrity, and privileged access, because those are the controls most likely to fail indirectly first.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.BE-4 | Maps dependencies on shared services that affect resilience. |
| NIST Zero Trust (SP 800-207) | PR.AC-7 | Availability degradation can undermine continuous access verification. |
| NIST CSF 2.0 | DE.CM-1 | DNS and application anomalies need continuous monitoring during sustained abuse. |

Test access controls under degraded infrastructure so trust decisions still work during attack pressure.


Key terms

  • DNS resilience: DNS resilience is the ability of name resolution to keep working accurately and consistently under load, attack, or partial failure. For identity and access teams, it matters because DNS supports service discovery, certificate validation, and many authentication-adjacent workflows that degrade when resolution becomes unreliable.
  • DDoS endurance campaign: A DDoS endurance campaign is a sustained denial-of-service effort designed to keep defenders under pressure for hours or days, not just trigger a short outage. The goal is often to exhaust capacity, response time, and operational attention rather than simply overload a single control point.
  • Identity blast radius: Identity blast radius is the amount of access, trust, and operational impact that can be affected when a shared service fails or is attacked. It is a useful way to describe how non-identity events, such as DNS degradation, can still disrupt authentication, session integrity, and privileged workflows.


This post draws on content published by DigiCert: Q4 2025 RADAR: Resilience Is Being Tested at Every Level. Read the original.
