91%
of malware uses DNS for command-and-control communications
33%
of organizations have no DNS logging in place, leaving C2 beaconing completely invisible
70%
of phishing domains are newly registered and detectable through DNS category filtering
47%
reduction in malware-related incidents reported by organizations that deployed DNS filtering

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

DNS is the most underused security control in enterprise environments. It sits in the path of nearly every network communication, it is fast to deploy relative to network-layer controls, it requires no endpoint agent for enforcement, and it logs everything about where systems are trying to communicate. Despite these properties, most enterprises route DNS queries to a public resolver like 8.8.8.8 or 1.1.1.1 with no filtering, no logging, and no awareness of what their endpoints are actually resolving. The result is that command-and-control beaconing from malware goes undetected, phishing domains resolve without any blocking opportunity, and DNS tunneling carries data out of the network with no visibility. This guide covers the DNS security controls that change that: filtering deployment, DoH/DoT enforcement to prevent resolver bypass, DNSSEC validation, resolver logging, and the queries that surface C2 beaconing and DNS tunneling in the log data.

Why DNS Is the Most Underused Security Control

Malware communicates with command-and-control infrastructure using DNS in over 90% of cases, not because DNS is particularly well-suited to covert communication but because it is universally allowed. Network firewalls that block direct outbound connections on non-standard ports still allow port 53 outbound to any destination, because blocking it breaks internet resolution for end users. Malware authors have exploited this consistently for decades: the initial callback from a compromised endpoint to a C2 domain, the retrieval of additional payloads, the periodic heartbeat that confirms the implant is alive, and in many cases the actual data exfiltration channel all use DNS. An enterprise that controls and monitors DNS has visibility into all of these communications at a single choke point.

The operational simplicity of DNS security is also underappreciated. Deploying a proxy or network inspection appliance requires traffic redirection, certificate management for TLS inspection, and significant operational overhead to avoid breaking applications. Deploying a DNS filtering resolver requires changing a DHCP server configuration to hand out the filtering resolver's IP instead of the public resolver's IP, or pushing a GPO/MDM configuration to endpoint resolver settings. The change takes minutes, affects every device on the network that uses DHCP, requires no certificate infrastructure, and provides immediate filtering and logging for all DNS queries. No other security control provides comparable coverage per unit of deployment effort.

DNS filtering also provides a meaningful layer of defense against phishing that operates independently of endpoint agent and email gateway controls. When a user clicks a phishing link, the browser makes a DNS query for the phishing domain before it makes any HTTP connection. A DNS filtering resolver that recognizes the domain as a phishing site returns a block page or NXDOMAIN response before the browser connects, regardless of whether the endpoint has an up-to-date web filtering agent or the email gateway failed to flag the original message. This independence from endpoint agent state makes DNS filtering especially valuable for protecting endpoints that have fallen behind on agent updates or for guest network segments where no endpoint management is in place.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

DNS Filtering: Categories, Products, and Deployment

DNS filtering works by routing all DNS queries through a resolver that maintains threat intelligence feeds and category databases. When a query arrives for a domain, the resolver checks it against known malware infrastructure, phishing domains, C2 callback addresses, newly registered domains, and content categories. Depending on policy configuration, the resolver either allows the query to resolve normally, returns a block page IP, or returns NXDOMAIN. The filtering decision happens in milliseconds and is transparent to the application making the query.

Cisco Umbrella (formerly OpenDNS) and Cloudflare Gateway for Teams are the two most widely deployed DNS filtering platforms for enterprise environments. Umbrella uses Cisco Talos threat intelligence and a large global resolver network, provides detailed query logs, supports policy by network segment and identity group, and integrates with Cisco SecureX and SIEM platforms. Cloudflare Gateway is part of the Cloudflare Zero Trust stack, uses Cloudflare's threat intelligence augmented by third-party feeds, provides per-user policy enforcement tied to the WARP client identity, and has competitive pricing for organizations already using Cloudflare. Palo Alto DNS Security is integrated into the PAN-OS firewall and uses the WildFire and Unit 42 threat feeds; it is the natural choice for organizations where the Palo Alto firewall is already the DNS path. All three platforms provide real-time blocking of known malicious domains, category-based filtering (newly registered domains, adult content, gambling, anonymizing proxies), and query logging for SIEM export.

Deploying DNS filtering without breaking legitimate traffic requires a staged approach. The first stage is passive logging: configure the filtering resolver in logging-only mode (or use a secondary resolver that logs all queries without filtering) for two to four weeks to establish a baseline of what your environment queries. Review the query logs for domains that would be blocked under standard threat category policies. Identify and allowlist domains that are legitimate business tools but may be miscategorized. In the second stage, enable blocking for high-confidence categories only: known malware, known C2 infrastructure, and known phishing domains. These categories have very low false positive rates. In the third stage, add blocking for newly registered domains (registered in the last 30 days) and domains with no categorization history, which is where most new phishing and malware infrastructure appears. Newly registered domain blocking has higher false positive potential for legitimate new services, requiring an allowlist maintenance process.

Endpoint-based DNS enforcement (pushing the filtering resolver via MDM/GPO to endpoint DNS settings rather than only via DHCP) ensures that endpoints that leave the corporate network continue to use the filtering resolver. Most DNS filtering platforms provide a lightweight agent or can integrate with the existing endpoint management agent to enforce the resolver setting on mobile endpoints. Without endpoint enforcement, remote workers whose home routers use 8.8.8.8 bypass DNS filtering entirely.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Controlling DoH and DoT to Prevent Resolver Bypass

DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) are protocols that encrypt DNS queries between the client and the resolver, preventing on-path interception and manipulation. They are beneficial from a privacy standpoint but create a significant problem for enterprise DNS security: a browser or application that uses DoH sends its queries directly to a public resolver like https://cloudflare-dns.com/dns-query or https://dns.google/dns-query, bypassing the corporate DNS filtering resolver entirely. From the network's perspective, this traffic looks like normal HTTPS on port 443, making it very difficult to block without TLS inspection.

Browsers are the primary source of DoH bypass in enterprise environments. Firefox has DoH enabled by default in the United States and sends DNS queries to Cloudflare unless a canary domain check indicates that the network has its own DNS policy. Chrome supports DoH via its Secure DNS feature, which upgrades queries to DoH to the same provider if the configured resolver supports it. In enterprise environments where the DNS resolver does not support DoH, Chrome falls back to unencrypted DNS, but Firefox may continue using its hardcoded DoH resolver regardless. Controlling this through browser policy is the most reliable approach: the DnsOverHttpsMode policy in Chrome Enterprise and the network.trr.mode preference set via policy in Firefox both allow the enterprise to explicitly disable DoH or force DoH to use the enterprise resolver.

For non-browser applications that implement DoH or DoT, network-layer enforcement is required. Blocking outbound TCP/UDP port 853 (DoT) prevents most DoT clients from bypassing corporate DNS. Blocking known DoH resolver IPs (Cloudflare 1.1.1.1, Google 8.8.8.8, and others) and blocking outbound port 443 to known DoH resolver hostnames via a firewall URL filtering rule are additional layers. However, DoH traffic to arbitrary HTTPS endpoints is difficult to block without TLS inspection because it is indistinguishable from regular HTTPS traffic at the network layer. The most effective combination is browser policy to disable DoH in browsers (covering the majority of enterprise DNS bypass risk) plus firewall rules to block known DoH resolver IPs for residual non-browser cases.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

DNSSEC and Split-Horizon DNS

DNSSEC (DNS Security Extensions) provides cryptographic verification that DNS records have not been tampered with in transit. When a DNSSEC-signed zone serves a response, it includes a digital signature that the resolver can verify using the zone's public key. If an attacker intercepts a DNS response and modifies it (DNS cache poisoning), the signature verification fails and the resolver returns SERVFAIL instead of the tampered record. DNSSEC validation protects against a specific threat model: on-path DNS response manipulation and cache poisoning attacks. It does not protect against a malicious but valid DNS record, and it does not evaluate whether the domain being resolved is benign or malicious.

Enterprise resolvers should have DNSSEC validation enabled. Most modern DNS resolver software (BIND, Unbound, PowerDNS Recursor) validates DNSSEC by default in current versions. Commercial filtering resolvers (Umbrella, Cloudflare Gateway) validate DNSSEC as part of their resolution process. The key operational consideration is that DNSSEC validation causes resolution failures for domains with broken signatures, which does occur for legitimate domains. When users report resolution failures for specific domains, checking whether DNSSEC is causing the failure (the domain has a signature but it does not verify) requires querying with the +dnssec flag using dig and checking for SERVFAIL responses: dig +dnssec example.com.

Split-horizon DNS serves different DNS responses to internal versus external clients for the same domain name. The canonical use case is an organization that has a public DNS record for app.example.com pointing to a public IP, and an internal DNS record pointing to the private IP of the same application. Internal clients resolve the internal IP and communicate directly; external clients resolve the public IP and go through the perimeter. Without split-horizon DNS, internal clients either route through the perimeter unnecessarily (hairpin routing) or cannot access the service at all if it does not have a public-facing component. Implementing split-horizon requires two authoritative zones for the same domain name: one served to internal resolvers and one served to public resolvers. When the internal zone exists, it must be kept synchronized with the public zone for records that should have the same value internally and externally, and changes to public records must be reflected in the internal zone to avoid split-brain inconsistencies.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Resolver Logging and C2 Beaconing Detection

DNS resolver logging is the foundation of DNS-based threat detection. Every query processed by the resolver should be logged with at minimum: the queried domain, the record type (A, AAAA, MX, TXT, etc.), the response returned, the timestamp, and the source IP address of the client making the query. In environments with user-to-IP mapping available (Active Directory authentication logs correlated with DHCP leases), adding the username or hostname to the resolver log greatly increases the value of the data for investigation.

C2 beaconing via DNS has recognizable statistical signatures. Malware implants that use DNS for command-and-control typically query a specific domain or set of domains at a regular interval to receive instructions. The detection pattern is: a single source IP making repeated DNS queries to the same domain over an extended period at a consistent interval (e.g., every 60 seconds, every 5 minutes). Query frequency that is higher than typical user browsing patterns for a single domain, without corresponding HTTP traffic to the same destination, is a strong indicator. SIEM queries that group DNS queries by source IP and queried domain, counting query frequency over a 24-hour window, and alerting on source IPs with more than 100 queries to a single domain in 24 hours (with no corresponding HTTP session to that domain) surface this pattern reliably in most environments.

NXDOMAIN rate is another valuable detection signal. Domain Generation Algorithm (DGA) malware generates hundreds or thousands of pseudo-random domain names and queries them, expecting only one or a few to resolve (the C2 infrastructure registered for that day). The result is a high NXDOMAIN rate from the infected endpoint. A source IP with more than 20 NXDOMAIN responses in a 10-minute window is worth investigating. Legitimate browsing generates occasional NXDOMAIN responses for mistyped URLs or broken links, but not at the volume produced by DGA queries.

DNS tunneling uses the DNS protocol to carry arbitrary data by encoding it in query strings, subdomain labels, or TXT record responses. Data exfiltration via DNS tunneling encodes the data to be exfiltrated in subdomain labels of a domain controlled by the attacker: base64encodeddata.attacker.com. The detection signatures for DNS tunneling include: abnormally long query strings (subdomain labels longer than 50 characters), high query frequency to subdomains of a single second-level domain without a corresponding browsing session, and high volume of TXT record queries (legitimate use of TXT records is limited; most browsing does not generate TXT queries). A SIEM rule alerting on source IPs that generate more than 50 queries with subdomain labels exceeding 40 characters in a one-hour window surfaces most DNS tunneling activity.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Sinkholing and Using Filtering Data for Intelligence

DNS sinkholing is the technique DNS filtering providers use to handle blocked domains. Instead of returning NXDOMAIN (which tells the malware or phishing page that the domain was blocked), the filtering resolver returns the IP address of a sinkhole server controlled by the filtering provider. The malware connects to the sinkhole IP instead of the real C2 server. The sinkhole logs the connection attempt, and the filtering provider aggregates these connection records and makes them available as sinkhole hit data in their management console or API.

Sinkhole hit data is extremely valuable for threat hunting and incident response. When an endpoint in your organization makes a connection to a sinkhole IP, it means the endpoint's malware attempted to contact a known C2 domain, and the filtering resolver intercepted it. The sinkhole hit record includes the endpoint IP, the domain that was blocked, the timestamp, and in some platforms the malware family associated with that C2 domain based on threat intelligence. A sinkhole hit is a confirmed indicator of active malware on the source endpoint, making it one of the highest-fidelity detection signals available from DNS filtering platforms. Sinkhole hits should map directly to incident response workflow: the source IP should be isolated and investigated immediately.

Umbrella and Cloudflare Gateway both provide APIs for exporting sinkhole hit data and DNS query logs to external systems. Integrating DNS filtering logs into your SIEM or security data lake enables correlation with endpoint logs, authentication logs, and network flow data. A DNS query to a C2 domain (sinkhole hit) from an endpoint, followed by an authentication event from that same endpoint IP within the next hour, warrants investigation for lateral movement. DNS filtering logs in a SIEM also enable retrospective analysis: when a new indicator of compromise is published for a malware campaign, querying historical DNS logs for queries to the published C2 domains surfaces endpoints that were communicating with that infrastructure before the indicator was added to the blocking feed.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

DNS filtering is the security control with the best ratio of deployment effort to coverage breadth. Deploying a filtering resolver, pushing it to endpoints via DHCP and MDM, enabling Data Access logging, and blocking DoH in browser policy takes one to two days of work and immediately covers every device on the network for C2 beaconing, phishing domain resolution, and newly registered domain access. The resolver logs that come with this deployment are the source of some of the highest-fidelity detection signals available: DGA NXDOMAIN floods, periodic C2 beaconing signatures, DNS tunneling long-subdomain patterns, and sinkhole hits that confirm active malware with no ambiguity. Most organizations have significantly better email gateway and endpoint security coverage than DNS security coverage; DNS is where the gap closes fastest.

Frequently asked questions

Will deploying DNS filtering break legitimate business applications?

Some legitimate applications may use domains in categories that DNS filtering blocks, particularly newly registered domains (a category with high false positive potential for new vendor tools) and domains with no categorization history. The mitigation is a staged deployment: run the filtering resolver in passive logging mode for two to four weeks, identify domains that would be blocked under standard category policies, add legitimate business domains to an allowlist before enabling blocking. This process catches the most common breakage scenarios before they affect users. Ongoing allowlist management handles new legitimate applications that appear after initial deployment.

How does DoH bypass enterprise DNS filtering and how do I stop it?

DNS-over-HTTPS sends DNS queries encrypted over HTTPS directly to a public resolver, bypassing the enterprise resolver entirely. From the network, it looks like normal HTTPS traffic. The most effective countermeasure is browser policy: use the Chrome DnsOverHttpsMode GPO/MDM policy set to off, and set Firefox network.trr.mode to 5 via managed preferences. These settings cover the browsers that generate the vast majority of enterprise DNS queries. For non-browser applications, block outbound port 853 (DoT) and add firewall rules blocking known DoH resolver IPs on port 443.

What is the difference between DNS filtering and DNS monitoring without filtering?

DNS filtering resolvers actively block queries to malicious or policy-violating domains by returning a block page IP or NXDOMAIN. DNS monitoring logs all queries and generates alerts on suspicious patterns without blocking them. Both require routing queries through a controlled resolver. Monitoring-only provides visibility and detection but allows malware C2 communications to complete. Filtering provides blocking in addition to logging but requires more careful allowlist management to avoid blocking legitimate traffic. Most enterprise deployments start with monitoring only to establish a baseline, then add blocking after validating the allowlist.

How do I detect DNS tunneling in resolver logs?

DNS tunneling has three main statistical signatures in resolver logs. First, abnormally long query strings: subdomain labels exceeding 40 characters are rare in legitimate traffic and common in tunneled data encoded in DNS. Second, high query frequency to subdomains of a single second-level domain: tunneling tools make many queries per minute, while legitimate browsing generates few queries per domain. Third, high TXT record query volume: tunneling tools commonly use TXT records for responses. A SIEM rule flagging source IPs that generate more than 50 queries with subdomain labels over 40 characters in one hour, or more than 10 TXT record queries per minute, surfaces most DNS tunneling activity.

Should internal DNS servers validate DNSSEC?

Yes. Enterprise recursive resolvers should have DNSSEC validation enabled, and most modern resolver software enables it by default. Validation protects against DNS cache poisoning attacks where an attacker injects false records into a resolver's cache. The main operational consideration is that DNSSEC validation causes SERVFAIL responses for domains with broken or expired signatures, which can affect users trying to access legitimate domains. When users report resolution failures, check whether DNSSEC validation is the cause using dig with the +dnssec flag. Maintain an exception list for domains with known signature issues when the domain owner has not yet corrected them.

Sources & references

  1. CISA DNS Security Guidance
  2. RFC 8484 DNS Queries over HTTPS (DoH)
  3. NIST SP 800-81-2 Secure DNS Deployment Guide
  4. Cisco Umbrella DNS Security Documentation
  5. Cloudflare Gateway DNS Filtering Docs

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Related Questions: Answer Hub

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.