TL;DR: Misconfigured DNS can trigger outages, traffic hijacking, cache poisoning, and data exposure, with the 2023 Global DNS Threat Report citing 90% of organisations experiencing DNS-based attacks and an average cost of $1.1 million per incident. DNS mistakes are not just infrastructure hygiene issues; they create identity-adjacent trust failures that IAM, security, and operations teams must govern together.
NHIMG editorial — based on content published by DigiCert: The hidden cost of misconfigured DNS
By the numbers:
- 90% of organizations experienced DNS-based attacks, and the average cost per incident was $1.1 million.
- Network misconfigurations cost businesses an average of 9% of their annual revenue.
Questions worth separating out
Q: How should security teams govern DNS records that support authentication and service access?
A: Security teams should treat DNS records as part of the trust chain, not just routing metadata.
Q: Why do DNS misconfigurations increase the risk of hijacking and data exposure?
A: DNS misconfigurations matter because they determine where users and systems are sent.
Q: What should organisations check when trying to prevent subdomain takeover?
A: Organisations should look for orphaned records, dangling CNAMEs, stale forwarding entries, and references to decommissioned platforms.
Practitioner guidance
- Inventory DNS records as security assets Map public and internal zones, then classify records by business criticality, authentication dependency, and exposure to takeover or redirection.
- Separate DNS authority from general admin access Keep registrar and DNS provider credentials distinct from broader infrastructure accounts, and limit edit rights to a small, reviewed set of operators with MFA enforced.
- Validate DNSSEC and resolver paths where trust matters Check that validation is active across recursive resolvers and that critical domains use consistent DNSSEC deployment, especially for login flows and workload discovery.
What's in the full article
DigiCert's full article covers the operational detail this post intentionally leaves for the source:
- The specific DNS record types and configuration checks that help prevent accidental redirection or takeover
- Step-by-step examples of how open resolvers, DNSSEC gaps, and forwarding mistakes become attack paths
- Practical guidance on auditing stale records, dangling CNAMEs, and abandoned subdomains at scale
- Provider-side features such as monitoring, failover, and DNSSEC support that reduce exposure
👉 Read DigiCert's analysis of the hidden cost of misconfigured DNS →
DNS misconfiguration and the governance gap for identity teams?
Explore further
DNS misconfiguration is a trust-boundary failure, not a simple availability problem. The article shows that one incorrect record can redirect traffic, expose internal names, or break service access across internal and external networks. That makes DNS a governance issue for IAM, NHI, and certificate teams because the name resolution layer shapes how identity-bearing services are found and trusted. Practitioners should treat DNS changes as security events with identity impact.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, including 38% with no or low visibility and 47% with only partial visibility.
A question worth separating out:
Q: Who is accountable when DNS failures cause outages or traffic hijacking?
A: Accountability should sit with the teams that own DNS change control, registrar governance, and the services that depend on those records. In practice, that usually means shared responsibility between infrastructure, IAM, and security operations. If DNS underpins authentication or workload access, it should also be included in access reviews and incident readiness plans.
👉 Read our full editorial: Misconfigured DNS creates availability and hijack risk for identity systems