UnveilTech

10 DNS Threats You Didn't Know About

And How to Block Every Single One
March 23, 2026 · 10 min read

When people think about DNS security, they think about phishing and ad blocking. But the DNS layer is exploited by attackers in ways most people have never heard of. These aren't theoretical attacks — they happen every day, to millions of devices.

Here are 10 DNS-based threats and how modern DNS filtering stops each one.

1. DNS Amplification (ANY Query Abuse)

Attackers send DNS queries of type ANY to open resolvers, spoofing the victim's IP address. The DNS server replies with a massive response (sometimes 50x larger than the query) — flooding the victim with traffic. It's one of the most common DDoS amplification vectors.

Even if you're not the target, your DNS server can be used as a weapon in these attacks if it responds to ANY queries.

Protection: Block ANY queries entirely. Legitimate applications almost never use QTYPE ANY (RFC 8482 recommends deprecating it). Blocking it eliminates the amplification vector with zero impact on normal browsing.

2. CNAME Cloaking

This is the sneakiest tracking technique on the web. Instead of loading trackers from tracker.adcompany.com (which ad blockers easily block), websites create a CNAME record like analytics.yourfavoritesite.com that points to tracker.adcompany.com behind the scenes.

To your browser and most ad blockers, it looks like a first-party request — same domain as the website you're visiting. But the data goes straight to a third-party tracker. Companies like Criteo, Adobe Analytics, and Eulerian use this technique extensively.

Protection: DNS filtering inspects the CNAME chain after resolving the domain. If the final destination matches known tracker domains, the response is blocked — even though the initial domain looked innocent.
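As an added example (not UnveilDNS's code), here is how a filter can follow the CNAME chain of a first-party-looking name and block the response when any hop lands on a tracker domain or one of its subdomains. The zone data, the tracker list and the chain-length cap are constructed for illustration.

```python
# Added example (not UnveilDNS code): follow a CNAME chain and block the
# response when any hop lands on a known tracker domain or its subdomain.
from typing import Dict, List, Optional

# Constructed zone data standing in for live resolver answers.
# Each name maps to its CNAME target; names not listed are plain A records.
CNAME_RECORDS: Dict[str, str] = {
    "analytics.yourfavoritesite.com.": "tracker.adcompany.com.",
    "tracker.adcompany.com.": "edge.adcompany-cdn.net.",
    "loop-a.example.": "loop-b.example.",
    "loop-b.example.": "loop-a.example.",
}

# Constructed tracker blocklist; a real filter loads curated feeds here.
TRACKER_DOMAINS = {"adcompany.com.", "adcompany-cdn.net."}

MAX_CHAIN = 8  # resolvers cap chain length too, so a loop cannot spin forever

def normalize(name: str) -> str:
    """Lower-case the name and make it fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."

def matches_blocklist(name: str, blocklist: set) -> bool:
    """True if name equals a blocked domain or is a subdomain of one."""
    labels = normalize(name).split(".")
    # Walk up the tree: tracker.adcompany.com. -> adcompany.com. -> com.
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False

def resolve_chain(qname: str) -> List[str]:
    """Return the CNAME chain starting at qname (qname itself included)."""
    chain = [normalize(qname)]
    while chain[-1] in CNAME_RECORDS and len(chain) <= MAX_CHAIN:
        nxt = CNAME_RECORDS[chain[-1]]
        if nxt in chain:  # CNAME loop: stop rather than follow it again
            break
        chain.append(nxt)
    return chain

def cname_cloaking_verdict(qname: str) -> Optional[str]:
    """Return the first blocked hop in the chain, or None if the name is clean."""
    for hop in resolve_chain(qname):
        if matches_blocklist(hop, TRACKER_DOMAINS):
            return hop
    return None
```

Note that the verdict is made on the chain, not on the name the browser asked for: the innocuous analytics.yourfavoritesite.com is blocked because its second hop is the tracker.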

3. DNS Rebinding

This attack targets devices on your local network — your router, NAS, security cameras, smart home hubs. Here's how it works:

  1. You visit evil-site.com in your browser
  2. The site's DNS first returns a public IP (passes security checks)
  3. Then it changes the DNS response to 192.168.1.1 (your router's local IP)
  4. Your browser now thinks evil-site.com is your router — and sends requests to it
  5. The attacker can now access your router's admin panel through your browser

This bypasses firewalls entirely because the request originates from inside your network.

Protection: Block any DNS response that resolves to a private IP address (10.x.x.x, 192.168.x.x, or 172.16.x.x through 172.31.x.x). Legitimate public domains should never resolve to local addresses.
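An added example (not UnveilDNS's code) of that response check, using Python's standard ipaddress module. It goes a little beyond the three ranges listed above: it also rejects loopback, link-local, unspecified and IPv4-mapped IPv6 forms of the same addresses (for example ::ffff:192.168.1.1), which a filter that only pattern-matches the three private ranges would let through. The sample answers are constructed.

```python
# Added example (not UnveilDNS code): drop DNS answers that point a public
# name at an address inside the local network, including the IPv6 and
# IPv4-mapped forms that a filter checking only 10/8, 172.16/12 and
# 192.168/16 would miss.
import ipaddress
from typing import List, Tuple

def is_internal_address(ip_text: str) -> bool:
    """True if a public name should never legitimately resolve to this address."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # malformed answer data: fail closed
    # ::ffff:192.168.1.1 is the same host as 192.168.1.1; check the IPv4 form.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (
        ip.is_private         # 10/8, 172.16/12, 192.168/16, fc00::/7, ...
        or ip.is_loopback     # 127/8, ::1
        or ip.is_link_local   # 169.254/16 (cloud metadata lives here), fe80::/10
        or ip.is_unspecified  # 0.0.0.0 and ::, treated as localhost by some stacks
        or ip.is_multicast
    )

def filter_answers(answers: List[str]) -> Tuple[List[str], List[str]]:
    """Split an answer set's address records into (allowed, dropped)."""
    allowed, dropped = [], []
    for rdata in answers:
        (dropped if is_internal_address(rdata) else allowed).append(rdata)
    return allowed, dropped

def rebinding_verdict(answers: List[str]) -> str:
    """'block' if any answer is internal (the rebinding step), else 'allow'."""
    _, dropped = filter_answers(answers)
    return "block" if dropped else "allow"
```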

4. DGA Malware (Domain Generation Algorithms)

When malware infects a device, it needs to contact its command-and-control (C2) server to receive instructions. If the C2 uses a fixed domain, security teams can block it easily. So modern malware uses algorithms to generate thousands of random-looking domains every day:

a8f3kx9p2m.com, xk29vm4pql.net, p3mx8fka2v.org...

The attacker registers just one of these domains. The malware tries all of them until it finds the active one. This makes traditional blocklists useless — by the time you block one domain, the malware has moved to another.

Protection: AI-based DGA detection analyzes domain names in real-time. Machine learning models trained on millions of DGA samples can identify algorithmically generated domains with high accuracy and block them before the malware connects.

5. DNS Tunneling

DNS tunneling hides data inside DNS queries. Attackers encode stolen data (passwords, files, credit card numbers) as subdomains:

dGhpcyBpcyBzdG9sZW4gZGF0YQ.evil-server.com

The DNS query looks normal to firewalls, but the subdomain is actually base64-encoded stolen data. The attacker's DNS server decodes it on the other end. This technique can also be used to tunnel entire network connections through DNS — bypassing corporate firewalls and captive portals.

Protection: Entropy analysis detects DNS tunneling. Normal domains have predictable patterns (real words, short labels). Tunneled domains have high entropy (random characters), unusually long labels, and abnormal subdomain frequency. Scoring-based detection catches these anomalies.
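An added example (not UnveilDNS's code) of the scoring described here, combining Shannon entropy, label length, digit mixing and subdomain depth into one anomaly score. It serves both this section's tunneling sample and the random-looking DGA names from section 4; the weights and thresholds are illustrative assumptions, not tuned production values.

```python
# Added example (not UnveilDNS code): a scoring heuristic for the entropy,
# label-length and label-depth anomalies described above. Thresholds are
# illustrative assumptions, not tuned production values.
import math
from collections import Counter

def shannon_entropy(text: str) -> float:
    """Bits of entropy per character (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def tunnel_score(qname: str) -> float:
    """Anomaly score for a query name; higher means more tunnel/DGA-like."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    if len(labels) < 2:
        return 0.0
    # Score the attacker-controlled part: subdomain labels when present, else
    # the registrable label itself (where DGA names live). TLDs are skipped.
    payload = labels[:-2] if len(labels) > 2 else labels[:1]
    joined = "".join(payload)
    score = 0.0
    ent = shannon_entropy(joined)        # case is kept: base64 mixes case
    if ent > 3.5:                        # word-like labels sit well below this
        score += (ent - 3.5) * 2
    longest = max(len(l) for l in payload)
    if longest > 20:                     # base64 chunks are long, brand labels short
        score += (longest - 20) / 10
    digit_ratio = sum(ch.isdigit() for ch in joined) / len(joined)
    if digit_ratio >= 0.3:               # heavy letter/digit mixing is DGA-like
        score += 1.5
    if len(labels) > 4:                  # deep nesting carries more payload
        score += 0.5 * (len(labels) - 4)
    return round(score, 2)

def is_suspicious(qname: str, threshold: float = 1.5) -> bool:
    """Verdict used by the filter: block or log names at or above threshold."""
    return tunnel_score(qname) >= threshold
```

Per-query scoring like this catches the obvious cases; the "abnormal subdomain frequency" signal in the text needs the same logic run over a window of queries per domain, which is a rate check rather than a string check.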

6. Fast-Flux Networks

Legitimate websites have stable IP addresses — google.com resolves to the same IPs for hours or days. Fast-flux domains change their IP addresses every few minutes, rotating through hundreds of compromised machines worldwide.

This makes it nearly impossible to shut down phishing sites, malware distribution networks, and botnets. By the time law enforcement contacts one hosting provider, the domain has moved to a different IP in a different country.

Protection: Fast-flux detection monitors how quickly a domain's IPs change and how many unique IPs it uses. Domains with abnormally high IP rotation are flagged and blocked automatically.
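An added example (not UnveilDNS's code) of that detector: it replays a constructed resolution log, computes unique-IP count and IP changes per hour per domain, and flags a domain only when both are high, so a CDN that fails over between a couple of addresses is not caught. Window size and thresholds are illustrative assumptions.

```python
# Added example (not UnveilDNS code): flag domains whose A records churn
# faster than stable hosting explains. The resolution log is constructed and
# the thresholds are illustrative.
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed observations: (unix_time, domain, answered IP). In a real
# filter these come from the resolver's query log or passive DNS.
OBSERVATIONS: List[Tuple[int, str, str]] = [
    (0,    "stable.example", "203.0.113.10"),
    (600,  "stable.example", "203.0.113.10"),
    (1200, "stable.example", "203.0.113.11"),   # one CDN failover is normal
    (1800, "stable.example", "203.0.113.10"),
    (0,    "flux.example",   "198.51.100.5"),
    (300,  "flux.example",   "198.51.100.77"),
    (600,  "flux.example",   "192.0.2.19"),
    (900,  "flux.example",   "198.51.100.5"),
    (1200, "flux.example",   "192.0.2.200"),
    (1500, "flux.example",   "203.0.113.88"),
]

def flux_metrics(obs, window_s: int = 3600) -> Dict[str, Tuple[int, float]]:
    """Per domain: (unique IPs, IP changes per hour) over the latest window."""
    by_domain = defaultdict(list)
    for ts, domain, ip in obs:
        by_domain[domain].append((ts, ip))
    metrics = {}
    for domain, rows in by_domain.items():
        rows.sort()
        newest = rows[-1][0]
        recent = [(ts, ip) for ts, ip in rows if ts >= newest - window_s]
        unique = len({ip for _, ip in recent})
        changes = sum(1 for (_, a), (_, b) in zip(recent, recent[1:]) if a != b)
        span_h = max((recent[-1][0] - recent[0][0]) / 3600, 1 / 60)  # no div by 0
        metrics[domain] = (unique, changes / span_h)
    return metrics

def is_fast_flux(domain: str, obs=OBSERVATIONS,
                 min_unique: int = 4, min_changes_per_hour: float = 6.0) -> bool:
    """Both conditions must hold, so a CDN with a few IPs is not flagged."""
    m = flux_metrics(obs).get(domain)
    if m is None:
        return False
    unique, rate = m
    return unique >= min_unique and rate >= min_changes_per_hour
```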

7. Newly Registered Domains (NRDs)

Studies consistently show that a disproportionate number of malicious domains are brand new. Attackers register domains, use them for phishing or malware distribution for a few hours or days, then abandon them.

Legitimate businesses rarely need you to visit a domain that was registered yesterday. Blocking domains less than 30 days old eliminates a huge percentage of phishing and scam sites before they even appear on traditional blocklists.

Protection: NRD (Newly Registered Domain) blocking automatically blocks any domain registered within the last 30 days. Combined with allowlists for legitimate new services, this dramatically reduces exposure to fresh threats.

8. OS-Level Telemetry

Your operating system constantly talks to its maker — Windows sends data to Microsoft, macOS to Apple, Android to Google. This telemetry includes:

You can disable some of this in settings, but many telemetry domains are hardcoded and ignore your preferences.

Protection: Block known telemetry domains for Windows, macOS, Android, iOS, and smart TVs. DNS filtering catches telemetry that OS settings can't disable, because the block happens before the connection is established.

9. Canary Domain Bypass

Modern browsers and operating systems use "canary domains" to detect whether DNS filtering is active — and then bypass it. Firefox checks use-application-dns.net. If it resolves, Firefox assumes no DNS filtering is in place and enables its own DNS-over-HTTPS to Cloudflare, completely bypassing your network's DNS filter.

Apple's iCloud Private Relay does the same with mask.icloud.com — routing all DNS and web traffic through Apple's relay, invisible to your network's security.

Protection: Block canary domains so browsers and OS features don't detect an "open" DNS path. When use-application-dns.net is blocked, Firefox falls back to your configured DNS. When iCloud Private Relay domains are blocked, Safari uses your DNS normally.

10. Abusive TLDs

Not all top-level domains are equal. Some TLDs have extremely high abuse rates. According to Spamhaus, TLDs like .top, .xyz, .buzz, .rest, and .surf are disproportionately used for spam, phishing, and malware — often because they're cheap to register and have minimal verification.

Blocking entire TLDs is aggressive but effective. If you never need to visit a .top or .buzz website (and you almost certainly don't), blocking them eliminates thousands of potential threats.

Protection: TLD blocking lets you block entire top-level domains. A curated default list of 18 commonly abused TLDs provides immediate protection, and you can add or remove TLDs as needed.

Beyond these 10: Advanced DNS filtering also includes Safe Browsing (Google's real-time phishing/malware database), VirusTotal integration (crowd-sourced malware scanning), country-based filtering (block domains hosted in specific countries), and cybersquatting detection (domains impersonating popular brands).

Block All These Threats with UnveilDNS

Every protection listed above is built in — most enabled by default. No hardware, no software, just change your DNS and you're protected.


Conclusion

DNS is the first thing that happens when you connect to anything on the internet. It's also the most underprotected layer in most networks. Attackers know this — that's why DNS-based attacks keep evolving.

The good news: by filtering DNS, you block threats at the earliest possible point. Before the connection. Before the download. Before the exploit. One setting, ten layers of protection.