DNS misconfiguration and the governance gap for identity teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6713
Topic starter  

TL;DR: Misconfigured DNS can trigger outages, traffic hijacking, cache poisoning, and data exposure, with the 2023 Global DNS Threat Report citing 90% of organisations experiencing DNS-based attacks and an average cost of $1.1 million per incident. DNS mistakes are not just infrastructure hygiene issues; they create identity-adjacent trust failures that IAM, security, and operations teams must govern together.

NHIMG editorial — based on content published by DigiCert: The hidden cost of misconfigured DNS

By the numbers:

Questions worth separating out

Q: How should security teams govern DNS records that support authentication and service access?

A: Security teams should treat DNS records as part of the trust chain, not just routing metadata.

Q: Why do DNS misconfigurations increase the risk of hijacking and data exposure?

A: DNS misconfigurations matter because they determine where users and systems are sent.

Q: What should organisations check when trying to prevent subdomain takeover?

A: Organisations should look for orphaned records, dangling CNAMEs, stale forwarding entries, and references to decommissioned platforms.

Practitioner guidance

  • Inventory DNS records as security assets: map public and internal zones, then classify records by business criticality, authentication dependency, and exposure to takeover or redirection.
  • Separate DNS authority from general admin access: keep registrar and DNS provider credentials distinct from broader infrastructure accounts, and limit edit rights to a small, reviewed set of operators with MFA enforced.
  • Validate DNSSEC and resolver paths where trust matters: check that validation is active across recursive resolvers and that critical domains use consistent DNSSEC deployment, especially for login flows and workload discovery.
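As an added example (not code from DigiCert or from the NHIMG post), the audit below applies the orphaned-record, dangling-CNAME and decommissioned-platform checks from the Q&A and guidance above to a small constructed zone. The zone records, the `RESOLVABLE` set that stands in for live lookups, and the `legacy-saas.test` label are all constructed for illustration.

```python
# Offline audit of a constructed DNS zone: flags CNAMEs whose final target does
# not resolve (dangling), CNAMEs that point at a decommissioned platform, and
# CNAME chains that loop. All names below are constructed examples.
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str    # owner name, e.g. "login.example.test"
    rtype: str   # "A" or "CNAME"
    value: str   # IPv4 address or CNAME target


# Constructed zone for example.test (one record per owner name, for brevity).
ZONE = [
    Record("www.example.test", "A", "192.0.2.10"),
    Record("login.example.test", "CNAME", "idp.example.test"),
    Record("idp.example.test", "A", "192.0.2.20"),
    Record("old-status.example.test", "CNAME", "status-page.legacy-saas.test"),
    Record("docs.example.test", "CNAME", "www.example.test"),
    Record("beta.example.test", "CNAME", "beta-old.example.test"),
]

# Constructed stand-in for live resolution: names that currently answer.
# In a real audit this comes from DNS queries (NXDOMAIN means "not resolvable").
RESOLVABLE = {"www.example.test", "idp.example.test"}

# Constructed list of platforms the organisation has already decommissioned.
DECOMMISSIONED = ["legacy-saas.test"]


def audit_zone(zone, resolvable, decommissioned, max_hops=8):
    """Return {owner name: finding} for every CNAME record that needs review."""
    findings = {}
    by_name = {r.name: r for r in zone}
    for rec in zone:
        if rec.rtype != "CNAME":
            continue
        if any(rec.value == d or rec.value.endswith("." + d) for d in decommissioned):
            findings[rec.name] = f"references decommissioned platform {rec.value}"
            continue
        # Follow the CNAME chain inside the zone, then check where it ends.
        target, hops = rec.value, 0
        while target in by_name and by_name[target].rtype == "CNAME" and hops < max_hops:
            target, hops = by_name[target].value, hops + 1
        if hops >= max_hops:
            findings[rec.name] = "CNAME loop or chain too long"
        elif target not in resolvable:
            findings[rec.name] = f"dangling CNAME: {target} does not resolve"
    return findings


if __name__ == "__main__":
    for name, finding in sorted(audit_zone(ZONE, RESOLVABLE, DECOMMISSIONED).items()):
        print(f"{name}: {finding}")
```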

What's in the full article

DigiCert's full article covers the operational detail this post intentionally leaves for the source:

  • The specific DNS record types and configuration checks that help prevent accidental redirection or takeover
  • Step-by-step examples of how open resolvers, DNSSEC gaps, and forwarding mistakes become attack paths
  • Practical guidance on auditing stale records, dangling CNAMEs, and abandoned subdomains at scale
  • Provider-side features such as monitoring, failover, and DNSSEC support that reduce exposure

👉 Read DigiCert's analysis of the hidden cost of misconfigured DNS →
