Why DNS threats should be on every CISO’s radar in 2025
DNS is once again in the crosshairs of threat actors. According to the 2025 DNS Threat Landscape Report by Infoblox, attackers are changing tactics, and enterprises are feeling the pressure.
The report shows that DNS is being used to exfiltrate data, bypass defenses, and deliver malware. Attacks are also becoming harder to detect. More threat actors are using trusted protocols like HTTPS and DNS over HTTPS (DoH) to hide their tracks.
This shift matters to enterprises because DNS is one of the few protocols that must remain open to function. That makes it a tempting entry point. Most networks depend on it, but few monitor it closely.
“This year’s findings highlight the many ways in which threat actors are taking advantage of DNS to operate their campaigns, both in terms of registering large volumes of domain names and also leveraging DNS misconfigurations to hijack existing domains and impersonate major brands,” said Dr. Renée Burton, head of Infoblox Threat Intel.
DNS is becoming a stealth weapon
The report points out that while the overall number of DNS attacks is growing, the techniques are evolving. Attackers are focusing on stealth and persistence. DNS tunneling, for example, is now more common than brute-force or flood-based attacks. This technique lets attackers send small amounts of data inside DNS queries. It is often invisible to traditional firewalls and antivirus tools.
Encryption adds complexity to defense
Another trend is the misuse of DoH. While DoH was designed to increase privacy by encrypting DNS requests, it can also be used to hide malicious traffic. The report highlights that enterprises without visibility into encrypted DNS are at risk of missing early signs of compromise.
Phishing and malware distribution over DNS are also rising. These attacks often use domain generation algorithms (DGAs), which create large numbers of fake domain names. This makes it harder to block malicious domains using standard threat intelligence feeds. It also increases the load on security teams, which must now analyze more traffic and alerts.
Why the 2025 DNS threat landscape demands action
For CISOs, the implications are hard to ignore. DNS must be treated as a security data source, as it can provide early indicators of compromise.
The report recommends building DNS-layer defenses that go beyond blocking known bad domains. This includes detecting anomalies in query patterns, rate-limiting unusual traffic, and inspecting encrypted DNS requests. Enterprises should also consider using threat intelligence that includes DNS-specific indicators.
Closing the gaps between teams
Another point the report makes is the need for coordination between network and security teams. DNS is often managed by IT, while security teams may not have visibility into its traffic. Breaking down these silos is key to improving detection and response.
The report also suggests that enterprises review their use of DoH. While DoH can improve user privacy, it also reduces visibility unless it is managed centrally. Enterprises should consider controlling which DoH resolvers are allowed and logging all DNS activity.
One of the most important takeaways from the report is that DNS security is a business risk. Attacks that use DNS can lead to data loss, downtime, and reputational damage. They can also serve as stepping stones to more serious intrusions.