
DNS and DDoS endurance pressure: what IAM teams should notice


(@nhi-mgmt-group)

TL;DR: DNS traffic closed December at 4.75 trillion authoritative queries, DDoS attacks jumped to 176 in the month, and the largest event reached 2.02 Tbps, according to DigiCert’s Q4 2025 RADAR Brief. Availability planning now has to assume endurance under coordinated abuse, not just peak-volume mitigation: sustained multi-layer pressure is testing resilience across infrastructure and applications.

NHIMG editorial — based on content published by DigiCert: Q4 2025 RADAR: Resilience Is Being Tested at Every Level

By the numbers:

Questions worth separating out

Q: How should security teams prepare for sustained DNS and DDoS pressure?

A: Teams should plan for prolonged pressure, not just peak traffic.

Q: Why do DNS outages create wider trust problems for identity programmes?

A: Because DNS sits underneath certificate validation, service discovery, and many authentication flows.

Q: What should practitioners measure to tell whether resilience is actually improving?

A: Measure time to mitigation, time to stable service, and the amount of pressure the environment can absorb before access or application trust degrades.

Practitioner guidance

  • Map identity dependencies on shared infrastructure: Document which authentication, certificate, DNS, and admin workflows depend on the same resolution and availability layers so you can see where a single disruption cascades across access paths.
  • Test endurance-focused mitigation playbooks: Run exercises that assume multi-hour or multi-day pressure, then check whether alert fatigue, staffing, escalation, and provider coordination still hold up after the first mitigation wave.
  • Review session integrity under degraded conditions: Validate that cookie handling, session state, and re-authentication logic still work when DNS or upstream availability is unstable, because those failures often surface together.

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • Month-by-month DNS telemetry and attack pattern charts across the full quarter
  • Breakdowns of targeted flood behaviour versus carpet-bombing activity
  • UltraWAF signal detail on cookie manipulation and bot activity
  • Industry targeting patterns for travel and financial services

👉 Read DigiCert’s Q4 2025 RADAR Brief on DNS, DDoS, and application resilience →
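
One way to carry out the first guidance item (mapping identity dependencies on shared infrastructure), as an added example that is not part of the original post or DigiCert's brief. The workflow names, hostnames and DNS provider labels are a constructed inventory; replace them with your own.

```python
from collections import defaultdict

# Constructed inventory (hypothetical names, not taken from the post).
# workflow -> what it directly needs: hostnames or other workflows
DEPENDS_ON = {
    "sso-login": ["idp.example.com", "cert-validation"],
    "cert-validation": ["ocsp.example-ca.test", "crl.example-ca.test"],
    "service-discovery": ["registry.internal.example.com"],
    "admin-console": ["admin.example.com", "sso-login"],
    "break-glass-admin": ["bastion.example.net"],
}
# hostname -> DNS layer that answers for it
DNS_PROVIDER = {
    "idp.example.com": "dns-provider-a",
    "admin.example.com": "dns-provider-a",
    "bastion.example.net": "dns-provider-a",
    "ocsp.example-ca.test": "dns-provider-b",
    "crl.example-ca.test": "dns-provider-b",
    "registry.internal.example.com": "internal-resolvers",
}

def required_hosts(workflow, _seen=None):
    """Every hostname a workflow needs, following workflow-to-workflow edges."""
    seen = _seen if _seen is not None else set()
    if workflow in seen:          # guard against circular dependencies
        return set()
    seen.add(workflow)
    hosts = set()
    for dep in DEPENDS_ON[workflow]:
        if dep in DEPENDS_ON:     # dependency is itself a workflow
            hosts |= required_hosts(dep, seen)
        else:                     # dependency is a hostname
            hosts.add(dep)
    return hosts

def providers_for(workflow):
    return {DNS_PROVIDER[h] for h in required_hosts(workflow)}

def blast_radius():
    """DNS layer -> workflows that lose a required name if that layer stops resolving."""
    impact = defaultdict(set)
    for wf in DEPENDS_ON:
        for provider in providers_for(wf):
            impact[provider].add(wf)
    return {p: sorted(w) for p, w in impact.items()}

def shared_fate(primary, fallback):
    """DNS layers whose outage degrades both a primary path and its fallback."""
    return providers_for(primary) & providers_for(fallback)

if __name__ == "__main__":
    for provider, wfs in sorted(blast_radius().items(), key=lambda kv: -len(kv[1])):
        print(f"{provider}: {', '.join(wfs)}")
    print("shared fate:", shared_fate("admin-console", "break-glass-admin"))
```

In this constructed inventory the break-glass path resolves through the same DNS layer as the admin console it is meant to back up, which is the kind of cascade the mapping exercise is intended to surface.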
