Zero Trust principles emphasize “never trust, always verify,” yet many deployments still hand attackers an advantage in the first step of every connection: the DNS lookup. When DNS traffic escapes scrutiny, identity verification, network segmentation, and encryption lose much of their value, and adversaries know it.
Unrestricted Port 53 Becomes an On-Ramp for Attackers
CISA’s long-standing guidance recommends blocking all outbound UDP and TCP traffic on port 53 (and 853 for DNS-over-TLS) from anything except authorized resolvers. With that rule in place every query is forced through a centralized service such as Protective DNS: a tunnel or exfiltration attempt aimed at a rogue resolver is dropped at the first packet, and everything else passes a resolver that can log, filter, and inspect it. Tunneling through the authorized resolver itself is not stopped by the firewall rule; it has to be detected at the resolver, which is why the egress block and resolver-side analytics belong together.
Implicit Trust in Resolver Traffic
Even heavily segmented networks often allow DNS egress by default. Attackers exploit this implicit trust by encoding commands or stolen data into the labels of otherwise ordinary-looking queries; because the one protocol left open is the one they are using, firewalls and micro-segmentation never see a violation.
Encryption Is Only Half the Story
Federal Zero Trust guidance now demands both encrypted DNS and centralized inspection. Agencies are required to route egress DNS through a Protective DNS service and prevent endpoints from talking directly to public resolvers, whether plain or encrypted. Encryption on its own hides queries from the defender as much as from an eavesdropper: an endpoint that reaches a public DNS-over-HTTPS resolver of its own choosing has an unmonitored channel, not a secured one.
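The egress rule described in the two sections above is easy to state and easy to audit. The script below is an added example, not ThreatSTOP or CISA code: it evaluates outbound flow records against that policy (only authorized internal resolvers may send 53/853 outbound, those resolvers may forward only to the protective DNS service, and no endpoint may reach a well-known public resolver directly, plain or encrypted). Every address, network range and flow record in it is constructed for the example.

```python
"""Audit outbound flow records against a DNS egress policy.

Added example; it is not ThreatSTOP or CISA code. It encodes the rule above:
only authorized internal resolvers may send TCP/UDP 53 or 853 outbound, those
resolvers may forward only to the protective DNS service, and endpoints may
not reach well-known public resolvers directly, plain or encrypted. All
addresses, network ranges and flow records are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed internal address space. Listed explicitly rather than using
# ipaddress.is_private, because is_private also matches the RFC 5737
# documentation ranges used below as stand-ins for external addresses.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumed internal resolvers that are allowed to forward upstream.
AUTHORIZED_RESOLVERS = {ipaddress.ip_address(a) for a in ("10.0.0.53", "10.0.1.53")}
# Assumed address of the protective DNS service the resolvers forward to.
PROTECTIVE_DNS = {ipaddress.ip_address("203.0.113.53")}
# Public resolver addresses endpoints must not contact directly (53, 853 or 443).
PUBLIC_RESOLVERS = {ipaddress.ip_address(a) for a in
                    ("8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9", "149.112.112.112")}
DNS_PORTS = {53, 853}  # plain DNS and DNS-over-TLS


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "udp" or "tcp"
    dport: int


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(flow: Flow) -> Optional[str]:
    """Return a violation label for a flow that breaks the policy, or None."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if not is_internal(src) or is_internal(dst):
        return None  # inbound or purely internal traffic is out of scope here
    if flow.dport in DNS_PORTS:
        if src not in AUTHORIZED_RESOLVERS:
            return "direct-dns-egress"             # endpoint bypassing the resolvers
        if dst not in PROTECTIVE_DNS:
            return "resolver-unapproved-upstream"  # resolver forwarding elsewhere
        return None
    if flow.dport == 443 and dst in PUBLIC_RESOLVERS:
        # DoH over TCP, or DoH over QUIC on UDP, to a known resolver address.
        # A resolver not on the list is invisible to this check, which is why
        # the 53/853 block and an endpoint policy pinning the enterprise
        # resolver are both needed.
        return "doh-to-public-resolver"
    return None


def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return every (flow, violation) pair; compliant flows are omitted."""
    return [(f, v) for f in flows if (v := evaluate(f)) is not None]


# Constructed flow records for the example.
SAMPLE_FLOWS = [
    Flow("10.0.5.21", "10.0.0.53", "udp", 53),       # workstation -> internal resolver: allowed
    Flow("10.0.0.53", "203.0.113.53", "udp", 53),    # resolver -> protective DNS: allowed
    Flow("10.0.5.21", "8.8.8.8", "udp", 53),         # workstation straight to a public resolver
    Flow("10.0.5.22", "1.1.1.1", "tcp", 853),        # DNS-over-TLS bypass
    Flow("10.0.5.23", "1.1.1.1", "tcp", 443),        # DNS-over-HTTPS by IP
    Flow("10.0.0.53", "9.9.9.9", "udp", 53),         # resolver forwarding to an unapproved upstream
    Flow("10.0.5.24", "198.51.100.80", "tcp", 443),  # ordinary HTTPS to a web server: allowed
]

if __name__ == "__main__":
    for flow, violation in audit(SAMPLE_FLOWS):
        print(f"{violation:30} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

Run against real flow export the same logic becomes a standing detection: any hit on `direct-dns-egress` is a host that either has a rogue resolver configured or is running something that brings its own DNS client, and both deserve a look before the firewall rule is relaxed for them.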
Fragmented Visibility Across Hybrid Environments
Cloud workloads, remote users, and IoT devices scatter DNS requests across multiple resolvers, breaking the audit trail. Without unified, policy-driven resolution, defenders struggle to correlate signals and enforce least privilege.
Incident | What Happened | DNS Angle
---|---|---
SolarWinds Sunburst (2020-21) | Supply-chain malware encoded victim identifiers into subdomains of avsvmcloud.com; the CNAME answers steered selected victims to second-stage C2 domains. | DNS tunneling blended into normal traffic and evaded perimeter inspection.
Salt Typhoon Breach (2024-25) | Chinese APT maintained nine months of persistent access in a U.S. National Guard network. | Investigators observed covert DNS channels for lateral movement and data staging.
Volt Typhoon Campaign (2023-present) | State-sponsored group targets U.S. critical infrastructure using “living-off-the-land” tactics. | Uses DNS tunneling as a fallback C2 channel to hide in plain sight.
Subdomain Hijacking Spree (2025) | Attackers took over unused subdomains of Bose, Panasonic, and even the CDC to host malware. | Legitimate DNS records (dangling CNAMEs to deprovisioned cloud resources) pointed to attacker-controlled hosts, bypassing URL filters.
Across these breaches, DNS blind spots let threats bypass otherwise robust Zero Trust controls.
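The tunneling pattern behind the incidents above (Sunburst's encoded subdomains, Volt Typhoon's and Salt Typhoon's fallback channels, and the generic technique of hiding data in query labels described earlier) is detectable at the resolver. The following is an added example, not ThreatSTOP code: it profiles query logs per registered domain and flags the signals that separate encoded data from ordinary lookups. The log lines are constructed, `tunnel.example` is a placeholder under the reserved `.example` TLD rather than a real indicator, and the thresholds are starting points to tune against a real baseline.

```python
"""Score resolver query logs for DNS tunneling and exfiltration.

Added example, not ThreatSTOP code. Encoded data stands out from ordinary
lookups on a few measurable signals under one registered domain: subdomains
that never repeat, long labels, high character entropy, and record types that
clients rarely ask for (TXT, NULL, CNAME). The log lines are constructed;
tunnel.example is a placeholder under the reserved .example TLD, not a real
indicator.
"""
import base64
import math
import random
from collections import defaultdict
from typing import Dict, List, Tuple


def shannon_entropy(text: str) -> float:
    """Bits per character: 0.0 for one repeated character, 2.0 for 'abcd'."""
    if not text:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> Tuple[str, str]:
    """Return (registered_domain, subdomain). Simplification: the registered
    domain is the last two labels; production code should use the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile(log_lines: List[str]) -> Dict[str, dict]:
    """Aggregate per-domain signals from lines of the form 'ts client qname qtype'."""
    stats: Dict[str, dict] = defaultdict(
        lambda: {"queries": 0, "subdomains": set(), "label_len": 0, "entropy": 0.0, "odd_types": 0})
    for line in log_lines:
        _ts, _client, qname, qtype = line.split()
        domain, sub = split_name(qname)
        s = stats[domain]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["label_len"] += max((len(label) for label in sub.split(".")), default=0)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        if qtype in ("TXT", "NULL", "CNAME"):
            s["odd_types"] += 1
    return stats


def suspicious(stats: Dict[str, dict], min_queries: int = 20, unique_ratio: float = 0.8,
               min_label: float = 25, min_entropy: float = 3.5, odd_ratio: float = 0.5) -> Dict[str, List[str]]:
    """Domains that trip at least two signals, with the reasons."""
    hits: Dict[str, List[str]] = {}
    for domain, s in stats.items():
        n = s["queries"]
        if n < min_queries:
            continue  # too little traffic to judge; tunnels are chatty
        reasons = []
        ratio = len(s["subdomains"]) / n
        if ratio >= unique_ratio:
            reasons.append(f"unique-subdomain-ratio={ratio:.2f}")
        if s["label_len"] / n >= min_label:
            reasons.append(f"avg-longest-label={s['label_len'] / n:.1f}")
        if s["entropy"] / n >= min_entropy:
            reasons.append(f"avg-entropy={s['entropy'] / n:.2f}")
        if s["odd_types"] / n >= odd_ratio:
            reasons.append(f"odd-record-types={s['odd_types'] / n:.2f}")
        if len(reasons) >= 2:
            hits[domain] = reasons
    return hits


def build_sample_log() -> List[str]:
    """Constructed log: 60 routine lookups plus 40 base32-encoded exfil chunks."""
    rng = random.Random(2025)
    lines = []
    benign = ["www.example.com", "mail.example.com", "cdn.example.com", "api.example.com"]
    for i in range(60):
        lines.append(f"t{i:04d} 10.0.5.21 {benign[i % len(benign)]} A")
    for i in range(40):
        chunk = bytes(rng.getrandbits(8) for _ in range(20))  # stands in for encrypted data
        label = base64.b32encode(chunk).decode().lower()      # 32 chars, no padding
        lines.append(f"t{60 + i:04d} 10.0.5.22 {label}.tunnel.example TXT")
    return lines


if __name__ == "__main__":
    for domain, reasons in suspicious(profile(build_sample_log())).items():
        print(domain, ", ".join(reasons))
```

Requiring two signals rather than one keeps the false-positive rate workable: CDNs, some anti-malware clients and certain mail security products legitimately generate long, high-entropy names, but they rarely combine that with a never-repeating subdomain stream of TXT lookups, and the ones that do belong on an allowlist after a one-time review.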
Zero Trust Pillar | Protective DNS Contribution
---|---
Identify & Verify | Our Security, Intelligence, and Research team curates thousands of feeds covering command and control, phishing, DDoS staging sites, peer-to-peer abuse, and more, blocking risky domains at the first lookup.
Least-Privilege Access | DNS Defense Cloud enforces granular, identity-aware policies without extra hardware. DNS Defense applies the same policies on customer-managed resolvers, ensuring consistency on-prem and in the cloud.
Continuous Monitoring | Every query decision is logged in real time, giving auditors immutable evidence of compliance and responders rich forensic data.
Automated Enforcement | IP Defense syncs block lists to routers, firewalls, AWS WAF, and other IP-based controls, shutting down fallback channels if DNS is bypassed.
Adaptive Response | Real-time analytics spotlight anomalies, such as sudden spikes in DNS-over-HTTPS to unauthorized resolvers, so teams can act before damage occurs.
Protective DNS forms the connective tissue that lets identity, endpoint, and network controls make informed, risk-based decisions—turning Zero Trust theory into operational reality.
For those interested in joining the ThreatSTOP family, or to learn more about our proactive protections for all environments, we invite you to visit our product page. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for all sizes of customers! Get started with a Demo today!
Connect with Customers, Disconnect from Risks
Tactic | Technique | Relevance
---|---|---
Resource Development | T1584.001 Compromise Infrastructure: Domains | Dangling records let attackers claim unused subdomains and serve malware from a trusted name.
Command & Control | T1071.004 Application Layer Protocol: DNS | Sunburst, Volt Typhoon, and Salt Typhoon leveraged DNS tunneling for C2.
Exfiltration | T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol | Data encoded into query labels (often as TXT, CNAME or NULL lookups) leaves through any resolver that is allowed to recurse.
Command & Control | T1568.002 Dynamic Resolution: Domain Generation Algorithms | Algorithmically generated names, such as Sunburst's encoded subdomains of avsvmcloud.com, look like ordinary lookups and defeat static blocklists.
Command & Control | T1090.003 Proxy: Multi-hop Proxy | Hijacked or attacker-registered names can front relay hosts, so C2 traffic appears bound for a legitimate domain.
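The subdomain hijackings listed earlier, and the dangling-record relay paths in the table above, share one root cause: a CNAME that is still published after the resource it pointed at was deleted. The script below is an added example, not ThreatSTOP code, that finds such records in a zone. The zone data, the provider suffixes and the resolver answers are all constructed; in a real run `fake_resolve` would be replaced with live lookups (for instance via dnspython), rate limited and sourced from an address the provider will not block.

```python
"""Find dangling CNAME records that leave subdomains open to takeover.

Added example, not ThreatSTOP code. A CNAME is dangling when the record is
still published but its target no longer resolves, typically because the
cloud resource behind it was deleted. Whoever can claim that target name on
the provider inherits the trusted hostname, which is the pattern behind the
subdomain hijackings above. The zone, the provider suffixes and the resolver
answers are constructed; replace fake_resolve with live lookups in a real run.
"""
from typing import Callable, Dict, List, Optional

# Constructed zone: (owner name, record type, target).
ZONE = [
    ("www.example.com", "A", "198.51.100.10"),
    ("blog.example.com", "CNAME", "sites.hosting-provider.example"),          # still live
    ("promo2019.example.com", "CNAME", "promo2019.app.cloud-host.example"),   # resource deleted
    ("files.example.com", "CNAME", "bucket-old.storage.cloud-host.example"),  # resource deleted
    ("old-partner.example.com", "CNAME", "portal.partner-corp.example"),      # gone, not self-service
    ("legacy.example.com", "CNAME", "www.example.com"),                       # in-zone alias, fine
    ("mail.example.com", "MX", "mx1.example.com"),
]

# Constructed resolver answers; a name that is absent here gets NXDOMAIN.
FAKE_ANSWERS: Dict[str, str] = {
    "www.example.com": "198.51.100.10",
    "sites.hosting-provider.example": "192.0.2.10",
}

# Assumed third-party suffixes where an unclaimed name can be registered by
# anyone with an account, which is what turns a dead record into a takeover.
CLAIMABLE_SUFFIXES = ("cloud-host.example", "hosting-provider.example")


def fake_resolve(name: str) -> Optional[str]:
    """Stand-in for a recursive A lookup: address string, or None for NXDOMAIN."""
    return FAKE_ANSWERS.get(name.lower().rstrip("."))


def dangling_records(zone, resolve: Callable[[str], Optional[str]], max_hops: int = 8) -> List[dict]:
    """Return CNAME records whose final target does not resolve."""
    cnames = {name.lower(): target.lower() for name, rtype, target in zone if rtype == "CNAME"}
    findings = []
    for name, rtype, target in zone:
        if rtype != "CNAME":
            continue
        # Follow aliases inside the zone so the check lands on the external target.
        final = target.lower()
        for _ in range(max_hops):
            if final not in cnames:
                break
            final = cnames[final]
        if resolve(final) is not None:
            continue
        # A dead target on a self-service provider is claimable by anyone; a dead
        # target elsewhere still leaks a stale trust relationship, so report both.
        claimable = any(final == s or final.endswith("." + s) for s in CLAIMABLE_SUFFIXES)
        findings.append({"name": name, "target": final, "severity": "high" if claimable else "medium"})
    return findings


if __name__ == "__main__":
    for f in dangling_records(ZONE, fake_resolve):
        print(f"{f['severity']:6} {f['name']} -> {f['target']}")
```

Removing the record is the fix, not re-creating the resource; and because a Protective DNS resolver sees the lookup before any URL filter sees the request, the same dangling names can be blocked for clients as soon as the audit flags them.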