Most IT and security leaders assume their DNS servers are locked down, but recent research shows that a surprising number of domains remain dangerously exposed. The culprit is a legitimate feature, DNS dynamic updates, that becomes a liability when configured without security.

What Are Dynamic Updates?

Dynamic DNS updates, defined in RFC 2136, allow systems like DHCP servers or Active Directory clients to automatically register and update their DNS records. It is a useful mechanism, but one that must be tightly controlled. When updates are accepted without authentication, anyone can alter DNS records for that zone. This creates the conditions for “zone poisoning,” where attackers silently hijack traffic.

The Scale of the Problem

In 2024, researchers scanned more than 350 million domains and found hundreds of thousands that accepted unauthenticated DNS updates. Thousands of nameservers were vulnerable. Attackers could redirect mail, reroute web traffic, or insert malicious infrastructure into trusted zones. The study demonstrated multiple attack classes, including hijacking of entire subdomains.

Even after large-scale remediation efforts by CSIRTs, the data shows that many organizations still misconfigure their DNS or leave legacy servers exposed.

Why It Matters

If an attacker can poison your DNS zone, they do not need to exploit browsers or break into mail servers. They can simply wait for legitimate users to resolve names that now point to hostile systems. This undermines trust in your brand, compromises email security, and creates entry points for credential theft and malware distribution.

Fixing the Exposure

The short-term fixes are clear:

  • Configure zones to reject nonsecure updates (allow-update { none; }; in BIND, or the “Secure only” dynamic update setting in Windows DNS).

  • Require TSIG or GSS-TSIG authentication for authorized updates.

  • Audit DHCP and client settings to ensure they only perform secure dynamic updates.
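As an added illustration of the first two fixes (this fragment is not from the original post or from ThreatSTOP), here is a BIND 9 named.conf excerpt showing an exposed zone stanza next to two hardened versions. The zone name, key name, file path and secret are placeholders.

```conf
// EXPOSED: accepts RFC 2136 updates from any source with no authentication.
// Anyone who can reach the server can add or replace records in the zone.
zone "example.com" {
    type primary;
    file "/var/named/example.com.zone";
    allow-update { any; };
};

// HARDENED (static zone): reject every dynamic update outright.
zone "example.com" {
    type primary;
    file "/var/named/example.com.zone";
    allow-update { none; };
};

// HARDENED (authenticated updates): only requests signed with a TSIG key are
// honoured. Generate the key material with: tsig-keygen -a hmac-sha256 dhcp-update-key
key "dhcp-update-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-tsig-keygen";   // placeholder, not a real key
};

zone "example.com" {
    type primary;
    file "/var/named/example.com.zone";
    // update-policy replaces allow-update; the two cannot be combined in one zone.
    // Rules are evaluated in order and the first match wins.
    update-policy {
        // Never let the DHCP key touch the zone apex (SOA, NS, MX live there).
        deny  dhcp-update-key name    example.com. ANY;
        // Allow only host-style records anywhere below the apex.
        grant dhcp-update-key zonesub A AAAA PTR TXT;
    };
};
```

Clients such as nsupdate or a DHCP server must then present the same key (hmac-sha256:dhcp-update-key:<secret>) for their updates to be accepted; unsigned updates are refused with REFUSED.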

But the reality is harder. Misconfigurations persist, legacy servers remain, and every gap is an opportunity for exploitation.

How ThreatSTOP Helps

This is where ThreatSTOP comes in. Our DNS Defense Cloud service provides proactive protection at the recursive layer. Even if an attacker manages to poison a zone and redirect traffic, ThreatSTOP cuts off access to malicious destinations before they can cause damage. That means:

  • Your employees and systems cannot be silently redirected to attacker-controlled hosts.

  • Hijacked MX or A records pointing to hostile IPs are automatically blocked.

  • Protection is continuously updated from thousands of curated intelligence feeds, both third-party and those generated by the ThreatSTOP Security, Intelligence, and Research team.

Running your DNS through ThreatSTOP eliminates dependence on perfect server-side configuration discipline. Instead, you gain assurance that query-level protection is always active.

Take Control of DNS Risk

The research is clear. DNS dynamic updates are too powerful to leave unsecured. While patching and configuration hardening are essential, the only way to ensure attackers cannot exploit poisoned zones is to enforce protection at the resolver level.

With ThreatSTOP, you gain more than visibility. You gain proactive, enforceable control over DNS traffic that keeps your users and networks safe.

Request a demo today to see how ThreatSTOP can protect your organization from DNS hijacking, zone poisoning, and other emerging threats.