<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" >
<p><span style="font-family: Helvetica; font-size: 1em;">Zero Trust principles emphasize “never trust, always verify,” yet many deployments still hand attackers an initial advantage in the first step of every connection: the DNS lookup. When DNS traffic escapes scrutiny, identity verification, network segmentation, and encryption lose much of their effect, and adversaries know it.</span></p>
<!--more-->
<h3><strong>The DNS Gap: Where Traditional Controls Fall Short</strong></h3>
<ol start="1">
<li>
<p><strong>Unrestricted Port 53 Becomes an On-Ramp for Attackers</strong></p>
<p><a href="https://www.cisa.gov/news-events/alerts/2015/08/28/controlling-outbound-dns-access" rel="noopener" target="_blank">CISA’s long-standing guidance</a> recommends blocking all outbound UDP and TCP traffic on port 53 (and 853 for DNS-over-TLS) from anything except authorized resolvers. With this approach, every query is routed through a centralized service such as Protective DNS, which stops tunneling and exfiltration attempts at the first packet.</p>
</li>
<li>
<p><strong>Implicit Trust in Resolver Traffic</strong></p>
<p>Even heavily segmented networks often allow DNS egress by default. <a href="https://www.picussecurity.com/resource/blog/volt-typhoon-living-off-the-land-cyber-espionage" rel="noopener" target="_blank">Attackers exploit this trust</a> to encode commands or stolen data in seemingly innocent queries, bypassing firewalls and micro-segmentation.</p>
</li>
<li>
<p><strong>Encryption Is Only Half the Story</strong></p>
<p><a href="https://www.cisa.gov/sites/default/files/2024-05/Encrypted%20DNS%20Implementation%20Guidance_508c.pdf" rel="noopener" target="_blank">Federal Zero Trust guidance</a> now demands <i>both</i> encrypted DNS <i>and</i> centralized inspection. Agencies are required to route egress DNS through a Protective DNS service and to prevent endpoints from talking directly to public resolvers, whether in the clear or encrypted.</p>
</li>
<li>
<p><strong>Fragmented Visibility Across Hybrid Environments</strong></p>
<p>Cloud workloads, remote users, and IoT devices scatter DNS requests across multiple resolvers, breaking the audit trail. Without unified, policy-driven resolution, defenders struggle to correlate signals and enforce least privilege.</p>
</li>
</ol>
<h3><strong>Lessons From Recent Headlines</strong></h3>
<table style="border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; border: 1px solid #99acc2;">
<thead>
<tr>
<th><p><strong>Incident</strong></p></th>
<th><p><strong>What Happened</strong></p></th>
<th><p><strong>DNS Angle</strong></p></th>
</tr>
</thead>
<tbody>
<tr>
<td><p><strong>SolarWinds Sunburst (2020-21)</strong></p></td>
<td><p>Supply-chain malware embedded victim identifiers in DNS queries to <i>avsvmcloud.com</i> before fetching new C2 domains.</p></td>
<td><p><a href="https://www.ironnet.com/blog/a-closer-look-at-the-solarwinds/sunburst-malware-dga-or-dns-tunneling" rel="noopener" target="_blank">DNS tunneling blended into normal traffic and evaded perimeter inspection.</a></p></td>
</tr>
<tr>
<td><p><strong>Salt Typhoon Breach (2024-25)</strong></p></td>
<td><p>Chinese APT maintained nine months of persistent access in a U.S. National Guard network.</p></td>
<td><p><a href="https://www.wired.com/story/chinas-salt-typhoon-hackers-breached-the-us-national-guard-for-nearly-a-year" rel="noopener" target="_blank">Investigators observed covert DNS channels for lateral movement and data staging.</a></p></td>
</tr>
<tr>
<td><p><strong>Volt Typhoon Campaign (2023-present)</strong></p></td>
<td><p>State-sponsored group targets U.S. critical infrastructure using “living-off-the-land” tactics.</p></td>
<td><p><a href="https://www.picussecurity.com/resource/blog/volt-typhoon-living-off-the-land-cyber-espionage" rel="noopener" target="_blank">Uses DNS tunneling as a fallback C2 channel to hide in plain sight.</a></p></td>
</tr>
<tr>
<td><p><strong>Subdomain Hijacking Spree (2025)</strong></p></td>
<td><p>Attackers took over unused subdomains of Bose, Panasonic, and even the CDC to host malware.</p></td>
<td><p><a href="https://www.techradar.com/pro/security/criminals-hijacking-subdomains-of-popular-websites-such-as-bose-or-panasonic-to-infect-victims-with-malware-heres-how-to-stay-safe" rel="noopener" target="_blank" id="__hsNewLink">Legitimate DNS records pointed to attacker-controlled hosts, bypassing URL filters.</a></p></td>
</tr>
</tbody>
</table>
<p>Across these breaches, DNS blind spots let threats bypass otherwise robust Zero Trust controls.</p>
<h3><strong>How ThreatSTOP Protective DNS Closes the Gap</strong></h3>
<table style="border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; border: 1px solid #99acc2;">
<thead>
<tr>
<th><p><strong>Zero Trust Pillar</strong></p></th>
<th><p><strong>Protective DNS Contribution</strong></p></th>
</tr>
</thead>
<tbody>
<tr>
<td><p><strong>Identify &amp; Verify</strong></p></td>
<td><p>Our Security, Intelligence, and Research team curates thousands of feeds covering command and control, phishing, DDoS staging sites, peer-to-peer abuse, and more, blocking risky domains at the first lookup.</p></td>
</tr>
<tr>
<td><p><strong>Least-Privilege Access</strong></p></td>
<td><p><strong>DNS Defense Cloud</strong> enforces granular, identity-aware policies without extra hardware. <strong>DNS Defense</strong> applies the same policies on customer-managed resolvers, ensuring consistency on-prem and in the cloud.</p></td>
</tr>
<tr>
<td><p><strong>Continuous Monitoring</strong></p></td>
<td><p>Every query decision is logged in real time, giving auditors immutable evidence of compliance and giving responders rich forensic data.</p></td>
</tr>
<tr>
<td><p><strong>Automated Enforcement</strong></p></td>
<td><p><strong>IP Defense</strong> syncs block lists to routers, firewalls, AWS WAF, and other IP-based controls, shutting down fallback channels if DNS is bypassed.</p></td>
</tr>
<tr>
<td><p><strong>Adaptive Response</strong></p></td>
<td><p>Real-time analytics spotlight anomalies, such as sudden spikes in DNS-over-HTTPS to unauthorized resolvers, so teams can act before damage occurs.</p></td>
</tr>
</tbody>
</table>
<p>Protective DNS forms the connective tissue that lets identity, endpoint, and network controls make informed, risk-based decisions, turning Zero Trust theory into operational reality.</p>
<h3><strong>Ready to Eliminate Your DNS Blind Spot?</strong></h3>
<p>For those interested in joining the ThreatSTOP family, or to learn more about our proactive protections for all environments, we invite you to visit our <a href="/threatstop-platform" rel="noopener" target="_blank" id="__hsNewLink">product page</a>. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for customers of all sizes! Get started with <a href="https://admin.threatstop.com/register?hsLang=en" rel="noopener" target="_blank" id="__hsNewLink">a Demo today</a>!</p>
<p><strong>Connect with Customers, Disconnect from Risks</strong></p>
<h3><strong>MITRE ATT&amp;CK Mapping</strong></h3>
<table style="border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; border: 1px solid #99acc2;">
<thead>
<tr>
<th><p><strong>Tactic</strong></p></th>
<th><p><strong>Technique</strong></p></th>
<th><p><strong>Relevance</strong></p></th>
</tr>
</thead>
<tbody>
<tr>
<td><p><strong>Initial Access</strong></p></td>
<td><p>T1190 Exploit Public-Facing Application</p></td>
<td><p>Subdomain hijacking routes users to attacker hosts.</p></td>
</tr>
<tr>
<td><p><strong>Execution / C2</strong></p></td>
<td><p>T1071.004 DNS Application-Layer Protocol</p></td>
<td><p>Sunburst, Volt Typhoon, and Salt Typhoon leveraged DNS tunneling for C2.</p></td>
</tr>
<tr>
<td><p><strong>Exfiltration</strong></p></td>
<td><p>T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol (DNS)</p></td>
<td><p>Stealthy data leakage via TXT or CNAME records.</p></td>
</tr>
<tr>
<td><p><strong>Defense Evasion</strong></p></td>
<td><p>T1568.003 Hide Artifacts: DNS-based Obfuscation</p></td>
<td><p>Attackers embed commands in legitimate-looking queries.</p></td>
</tr>
<tr>
<td><p><strong>Command &amp; Control</strong></p></td>
<td><p>T1090.003 Multi-hop Proxy</p></td>
<td><p>DNS redirects and dangling CNAMEs create covert relay paths.</p></td>
</tr>
</tbody>
</table>
</span>
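<p>As an added example (not ThreatSTOP's code), the Python below runs two of the checks discussed above over a handful of constructed DNS query log lines: clients reaching a resolver other than the authorized one on port 53 or 853 (the CISA egress model), and base domains receiving a stream of long, high-entropy leading labels, the pattern behind the Sunburst-style tunneling and TXT-record exfiltration in the ATT&amp;CK mapping. The log format, resolver addresses, domain names and thresholds are assumptions chosen for illustration.</p>

```python
import math
from collections import defaultdict
# Assumption: the only resolver endpoints may reach (the CISA outbound-DNS model).
AUTHORIZED_RESOLVERS = {"10.0.0.53"}
DNS_PORTS = {53, 853}  # plain DNS and DNS-over-TLS
# Constructed sample log; assumed format: "<client> <resolver>:<port> <qtype> <qname>"
SAMPLE_LOG = """\
10.1.1.20 10.0.0.53:53 A www.example.com
10.1.1.20 10.0.0.53:53 A cdn.example.net
10.1.1.31 8.8.8.8:53 A api.example.org
10.1.1.50 1.1.1.1:853 A mail.example.com
10.1.1.44 10.0.0.53:53 TXT 7b2f8d0e9a1c4d3e5f60718293a4b5c6.appsync.example-c2.test
10.1.1.44 10.0.0.53:53 TXT 3e5f60718293a4b5c6d7e8f90a1b2c3d.appsync.example-c2.test
10.1.1.44 10.0.0.53:53 TXT 9a1c4d3e5f60718293a4b5c6d7e8f901.appsync.example-c2.test
"""

def shannon_entropy(s):
    """Bits per character; encoded payload labels score well above dictionary words."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def base_domain(qname):
    """Naive registered-domain guess (last two labels); real tooling should use the PSL."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def parse_log(text):
    for line in text.splitlines():
        client, resolver, qtype, qname = line.split()
        host, port = resolver.rsplit(":", 1)
        yield {"client": client, "resolver": host, "port": int(port), "qtype": qtype, "qname": qname}

def triage(text, authorized=AUTHORIZED_RESOLVERS, min_label=30, min_entropy=3.5, min_unique=3):
    """Flag clients bypassing authorized resolvers and base domains showing tunneling indicators."""
    rogue = set()
    seen = defaultdict(lambda: {"labels": set(), "qtypes": set()})
    for rec in parse_log(text):
        if rec["port"] in DNS_PORTS and rec["resolver"] not in authorized:
            rogue.add((rec["client"], rec["resolver"], rec["port"]))
        first = rec["qname"].split(".")[0]
        # Changing long, high-entropy leading labels under one base domain mark data encoded into queries.
        if len(first) >= min_label and shannon_entropy(first) >= min_entropy:
            entry = seen[base_domain(rec["qname"])]
            entry["labels"].add(first)
            entry["qtypes"].add(rec["qtype"])
    suspects = {dom: {"unique_labels": len(v["labels"]), "qtypes": sorted(v["qtypes"])}
                for dom, v in seen.items() if len(v["labels"]) >= min_unique}
    return {"rogue_resolvers": rogue, "tunnel_suspects": suspects}
```

<p>The thresholds need tuning against a baseline of the environment's own traffic, since CDNs, anti-spam lookups and some telemetry services also emit long hashed labels that this heuristic would otherwise flag.</p>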