Your DNS Is the Front Door to Your Business. Is Your IT Provider Locking It?
Most business owners have never thought about DNS. That’s exactly why it’s dangerous.
DNS — the Domain Name System — is the internet’s phone book. Every time an employee types a web address into a browser, sends an email, or connects to a cloud application, DNS is what translates that human-readable address into the numeric IP address computers need to find it. If DNS goes wrong, everything goes wrong. Employees get sent to fake websites. Sensitive credentials get harvested silently. Ransomware gets delivered through channels your security tools never inspect.
In 2024, researchers at Palo Alto Networks uncovered a campaign in which attackers compromised DNS servers managing approximately 70,000 domains, altering DNS records to redirect traffic to malicious sites. That wasn’t a state intelligence operation. It was a criminal enterprise monetizing the fact that most organizations don’t monitor their DNS infrastructure.
That event wasn’t an outlier. It was a symptom of a systemic blind spot — one your IT provider should be managing and most aren’t.
The BIND 9 Wake-Up Call
In October 2025, three critical vulnerabilities were disclosed in BIND 9, the software that powers the majority of the internet’s DNS infrastructure. Two of those vulnerabilities — CVE-2025-40778 and CVE-2025-40780 — scored 8.6 on the CVSS severity scale and enabled DNS cache poisoning attacks.
Let’s break that down. DNS resolvers cache records so they don’t have to look up the same address repeatedly. Cache poisoning is what happens when an attacker injects fake records into that cache. Your employees type in their bank’s URL, and the resolver sends them to the attacker’s clone site. Credentials get stolen. Money gets transferred. And from the user’s perspective, nothing looked wrong.
According to analysis published by Senki, the CVE-2025-40778 flaw allowed attackers to inject forged DNS records with as few as one to two packets. Proof-of-concept exploit code was publicly released. Over 706,000 vulnerable internet-facing instances were identified by Censys.
This isn’t theoretical. It’s the measured attack surface of a single vulnerability class, discovered in the software most of the internet depends on.
How DNS Attacks Actually Hit Businesses
There are three primary ways DNS gets compromised, and your IT provider should have defenses for all of them.
1. Router Hijacking
Most small businesses run on a single ISP-supplied router handling DHCP, NAT, firewall, and DNS. If an attacker compromises that router — often through default credentials or unpatched firmware — they can change the DNS settings to point to a server they control. Every device on the network follows silently. No alerts. No browser warnings on HTTP sites.
As research from The Small Business Cybersecurity Guy documents, router-based DNS hijacking is one of the most common and least detected attacks against UK SMBs, and the same vulnerability profile applies to US businesses.
2. DNS Cache Poisoning
This is the BIND 9 scenario. An attacker poisons a recursive resolver’s cache, and every downstream user gets redirected. Historical precedent is sobering: a 2011-2013 mass poisoning campaign against Brazilian ISPs redirected an estimated 73 million users to credential theft sites over ten months.
3. DNS Tunneling for Data Theft
This is the attack most IT providers don’t look for. Exfiltrated data gets encoded into DNS queries — which are almost never inspected by security tools — and sent to attacker-controlled name servers. Your firewall sees normal DNS traffic. Your SIEM ignores it. Meanwhile, customer records, financial data, and intellectual property are walking out the front door in packets that are, by design, allowed to leave the network.
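The tunneling pattern described above is detectable from ordinary resolver query logs. The following is an added example, not code from the article: it scores each zone by how many distinct subdomains were queried and whether the leftmost label looks encoded (long or high-entropy), the two signals a tunnel leaves behind. The log format, thresholds and the `exfil-test.invalid` zone are constructed for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score high, names like 'www' score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def parse_line(line: str):
    """Parse one constructed log line of the form '<ts> <client> <qname> <qtype>'."""
    _ts, client, qname, qtype = line.split()
    labels = qname.rstrip(".").lower().split(".")
    # Approximate the registered zone as the last two labels; use the Public Suffix List in production.
    return client, qname, qtype, ".".join(labels[-2:]), labels[0]

def score_zones(lines, min_unique=20, entropy_threshold=3.5, len_threshold=24):
    """Return {zone: findings} for zones with many unique, encoded-looking subdomains."""
    stats = defaultdict(lambda: {"subs": set(), "ent": [], "lens": [], "txt": 0})
    for line in lines:
        _client, qname, qtype, zone, first = parse_line(line)
        s = stats[zone]
        s["subs"].add(qname)
        s["ent"].append(shannon_entropy(first))
        s["lens"].append(len(first))
        s["txt"] += qtype in ("TXT", "NULL")  # record types that carry bulky payloads
    findings = {}
    for zone, s in stats.items():
        avg_ent = sum(s["ent"]) / len(s["ent"])
        avg_len = sum(s["lens"]) / len(s["lens"])
        if len(s["subs"]) >= min_unique and (avg_ent >= entropy_threshold or avg_len >= len_threshold):
            findings[zone] = {"unique_subdomains": len(s["subs"]), "avg_entropy": round(avg_ent, 2),
                              "avg_label_len": round(avg_len, 1), "txt_ratio": round(s["txt"] / len(s["ent"]), 2)}
    return findings

# Constructed sample log (not real traffic): a few ordinary lookups plus 30 queries to one
# zone, each with a unique hex-looking leftmost label, the shape a tunnelling client emits.
BENIGN = [
    "1700000001 10.0.0.12 www.example.com A",
    "1700000002 10.0.0.12 mail.example.com MX",
    "1700000003 10.0.0.15 login.example.net A",
    "1700000004 10.0.0.15 cdn.example.net AAAA",
]
TUNNEL = [f"17000001{i:02d} 10.0.0.31 {hashlib.sha256(bytes([i])).hexdigest()[:32]}.exfil-test.invalid TXT"
          for i in range(30)]
SAMPLE_LOG = BENIGN + TUNNEL

if __name__ == "__main__":
    for zone, f in score_zones(SAMPLE_LOG).items():
        print(f"SUSPECT {zone}: {f}")
```

Thresholds are a starting point: tune `min_unique` against your own baseline, and expect legitimate CDN and anti-spam lookups to need an allow-list.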
What Your IT Provider Should Be Doing
If your IT provider can’t answer these questions satisfactorily, you have a gap — and gaps in DNS security don’t stay theoretical for long.
| What to Ask | What a Competent Answer Looks Like |
|---|---|
| Do you monitor our DNS queries for anomalies? | Yes — we use [specific tool] to log and analyze DNS traffic for signs of hijacking, tunneling, or rogue resolution. |
| Are our DNS resolvers patched and current? | Yes — we track ISC advisories and our infrastructure is on [specific version], last patched on [date]. |
| Do we use Protective DNS or DNS filtering? | Yes — we use [Cisco Umbrella / DNSFilter / Cloudflare Gateway] to block known malicious domains at the DNS level. |
| Are our router and DNS settings audited regularly? | Yes — we audit router firmware and DNS settings quarterly, and we have alerts for unauthorized changes. |
| What happens if our DNS is compromised? | Here is our documented response procedure, including cache flushing, record verification, and upstream provider notification. |
The DNS-to-Ransomware Pipeline
There is a direct line between unsecured DNS and the ransomware epidemic devastating small businesses. According to the FBI’s Internet Crime Complaint Center, cyber-enabled fraud losses exceeded $21 billion in 2025, with 85% of losses coming from social engineering — phishing, business email compromise, and credential theft. DNS hijacking is one of the most effective delivery mechanisms for all three.
The 2026 ransomware data is unambiguous: 88% of ransomware incidents hit small and midsize businesses, and U.S. ransomware attacks increased 50% in the first ten months of 2025 compared to 2024.
When an attacker poisons your DNS or hijacks your router, the payload they deliver is often ransomware. The delivery mechanism is invisible. The result is not.
The Backup Provider DNS Hijacking Case
In 2018, attackers redirected users of MyEtherWallet — a cryptocurrency wallet service — by hijacking BGP routing and DNS responses to point traffic through malicious servers. Over $150,000 in cryptocurrency was stolen in hours. The users did nothing wrong. They typed in the correct URL. The infrastructure failed them.
The same technique has been used against banks, healthcare providers, government agencies, and small businesses globally. In 2019, the Sea Turtle hacking group systematically compromised DNS registrar accounts to hijack domains across 40 government agencies and private organizations in the Middle East and North Africa. The Sea Turtle campaign demonstrated that DNS hijacking at scale isn’t just criminal activity — it’s a nation-state playbook that trickles down to commodity attacks.
What You Can Do Right Now
You don’t need to become a DNS engineer. You need to ask the right questions and verify the answers.
1. Ask your IT provider for a DNS security assessment. If they can’t produce one, that’s your answer about their capabilities in this area.
2. Verify your router DNS settings. Check what DNS servers your network is actually using. If they’re not what your IT provider configured, something has changed — either through compromise, firmware reset, or human error.
3. Demand Protective DNS. At minimum, your business should be using a DNS resolution service that blocks known malicious domains. Cloudflare’s 1.1.1.2 and Quad9’s 9.9.9.9 are free starting points. A competent MSP will deploy enterprise-grade protective DNS with logging and threat intelligence.
4. Include DNS in your incident response plan. If your business doesn’t have a documented procedure for responding to DNS compromise, you’re assuming it won’t happen. Given that 88% of ransomware attacks hit SMBs, that assumption is expensive.
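Step 2 above can be turned into a repeatable check. This is an added example, not the article's or any provider's code: it reads resolv.conf-style configuration, validates each nameserver, and classifies it as approved, a private-range address (typically the router itself, whose own upstream then needs checking), or an unapproved outside resolver, which is the signature of a changed setting. The approved list uses the two free protective resolvers the article names as a placeholder; the sample configuration is constructed.

```python
import ipaddress

# Resolvers the provider is expected to have configured (the free protective
# resolvers named in the article; substitute your own approved list).
EXPECTED_RESOLVERS = {"1.1.1.2", "9.9.9.9"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_resolv_conf(text: str) -> list:
    """Extract nameserver entries from resolv.conf-style text, ignoring comments."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("nameserver"):
            parts = line.split()
            if len(parts) >= 2:
                servers.append(parts[1])
    return servers

def audit_resolvers(servers, expected=EXPECTED_RESOLVERS) -> dict:
    """Classify each configured resolver so drift from the approved set stands out."""
    report = {"approved": [], "private": [], "unapproved": [], "invalid": []}
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            report["invalid"].append(s)
            continue
        if s in expected:
            report["approved"].append(s)
        elif any(ip in net for net in RFC1918):
            # Usually the router or a local forwarder; audit what it forwards to.
            report["private"].append(s)
        else:
            # An outside resolver nobody approved is what a hijacked router injects.
            report["unapproved"].append(s)
    report["drift"] = bool(report["unapproved"] or report["invalid"]) or not report["approved"]
    return report

# Constructed resolv.conf contents (not from a real system); 198.51.100.0/24 is a
# documentation range used here to stand in for an unknown outside resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by the router's DHCP lease
nameserver 1.1.1.2
nameserver 198.51.100.53   # not in the approved list
nameserver 192.168.1.1
"""

if __name__ == "__main__":
    print(audit_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF)))
```

Run it from a scheduled job and alert on `drift`; on Windows the same comparison can be fed from the output of `ipconfig /all` instead of resolv.conf.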
DNS Is Infrastructure. Treat It That Way.
Your IT provider manages your firewalls, your endpoints, your backups, and your email security. If they’re not equally disciplined about DNS — monitoring it, patching it, logging it, and auditing it — they’re securing the perimeter while leaving the back door wide open.
The question isn’t whether your business is a target. It’s whether your IT provider is managing one of the most critical and most neglected layers of your security stack. Ask them. Now.
Frequently Asked Questions
What is DNS and why should I care about it as a business owner?
DNS (Domain Name System) translates website names into IP addresses so computers can find them. If an attacker manipulates your DNS, employees can be silently redirected to fake websites that steal credentials or deliver malware — without any visible warning. It’s the internet’s phone book, and if it’s lying to you, everything built on it is compromised.
How do I know if my DNS has been compromised?
Most DNS compromises are invisible to end users. Signs can include unexpected SSL certificate warnings, websites that load slowly or look slightly different, or antivirus alerts after visiting normally trusted sites. The only reliable detection method is DNS traffic monitoring by your IT provider, which most small businesses don’t have.
Is using Google DNS (8.8.8.8) or Cloudflare DNS (1.1.1.1) enough?
These are reliable public resolvers, but they don’t provide security filtering by default. Cloudflare offers 1.1.1.2 (malware blocking) and Quad9 offers 9.9.9.9 (malware and phishing blocking) as free alternatives with basic protection. Enterprise-grade protective DNS with logging, custom policies, and threat intelligence is what a competent MSP should deploy.
How often should DNS infrastructure be audited?
Router DNS settings, resolver configurations, and domain records should be reviewed at least quarterly, with automated alerting for unauthorized changes. After the October 2025 BIND 9 vulnerabilities were disclosed, any unpatched recursive resolver became an immediate liability — patching cadence matters as much as configuration.
What’s the difference between DNS hijacking, DNS spoofing, and cache poisoning?
DNS hijacking is the broadest category — redirecting DNS resolution through unauthorized means. DNS spoofing specifically refers to forging DNS responses (often via man-in-the-middle attacks). Cache poisoning is inserting forged records into a resolver’s cache so all downstream users receive bad results. All three achieve the same goal: sending your people somewhere they shouldn’t go.
About Brent Lacy: Brent Lacy is the author of Rewired MSP: Mastery, Scalability & Performance, vCIO Rewired: Virtually Conquering IT Obstacles, and Near Miss: Preventable IT Failures Threatening Your Business Security. With over 20 years in the managed services industry, Brent writes about the cybersecurity discipline, trust-based relationships, and strategic thinking that separate MSPs built to last from those built to bill.