DNS, the Domain Name System, is often described as the phone book of the Internet. Every digital action, from visiting a Web site to sending an e-mail, begins with a DNS request. This is precisely why DNS is an attractive target for cybercriminals. The Infoblox 2025 DNS Threat Landscape Report shows that DNS is no longer a neutral base layer, but a crucial line of defense.
The main DNS threats
Explosion of new domains
Infoblox analyzed more than 70 billion DNS queries per day in 2025 and discovered more than 100 million new domains. As many as 25% of these domains were suspicious or malicious. Cybercriminals are increasingly deploying one-time-use domains: temporary websites that disappear after use, making detection and investigation particularly difficult.
Domain hijacking and reputation abuse
A common method is to abuse poorly managed DNS records or forgotten cloud resources. These so-called Sitting Ducks attacks result in existing, legitimate domains being hijacked. Even universities and government agencies were found to be victims. The risk: users trust the domain name, while the content is malicious.
Lookalike domains and typosquatting
In addition, the number of lookalike domains is increasing sharply. These are domains that resemble well-known brand names, for example by using a zero instead of an “o” or additions such as “-login.” In May 2025 alone, 28,331 lookalike domains were registered. These are used for phishing, fake MFA pages and fraudulent emails.
AI as an accelerator of threats
Generative AI makes attacks smarter and faster. Think deepfake videos used for fraud or AI chatbots that manipulate victims for long periods of time. Research shows that 88% of AI-generated malware manages to evade detection. That makes AI both a threat and an opportunity for defenders.
How organizations can protect themselves
Incorporating DNS into your security strategy
Many companies still see DNS as a technical prerequisite. In reality, it’s one of the first places you can spot attacks. Analyzing and monitoring DNS data gives security teams early insight into anomalous behavior.
Proactive monitoring and threat intelligence
- DNS log analysis: identifying anomalous query patterns.
- Threat intelligence: linking current lists of rogue domains to DNS data.
- Protective DNS: blocking suspicious domains immediately, even before a user reaches the website.
Protection against lookalikes and hijacking
- Domain monitoring: monitor variations on your brand and domain names.
- DNS hygiene: remove unused records and check configurations.
- DMARC, DKIM and SPF: strengthen your email security and prevent phishing via domain impersonation.
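The domain-monitoring step above can be run against DNS query logs. The following Python sketch is an added example, not code from the Infoblox report or from any vendor named on this page; it flags the lookalike patterns described earlier (a zero in place of an "o", additions such as "-login") plus single-character typos. The brand name, the sample domains, the character map and the affix list are all constructed assumptions.

```python
import re

# Constructed inputs: a brand label to protect and names seen in DNS query logs.
BRANDS = ["acmebooks"]
QUERIED = ["acmebooks.example", "acmeb00ks.example", "acmebooks-login.example",
           "acmebokks.example", "login.acmebooks.example", "weather.example"]

# Assumptions: a small digit-for-letter map and affix list; extend both for real use.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
AFFIXES = {"login", "secure", "mfa", "verify", "support"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_label(domain):
    """Label left of the TLD. Simplification: ignores multi-part suffixes (co.uk)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify(domain, brands=BRANDS):
    """Return 'homoglyph', 'affix', 'typo', or None if the name is not a lookalike."""
    label = registered_label(domain)
    normalized = label.translate(HOMOGLYPHS)
    for brand in brands:
        if label == brand:
            return None                      # the brand's own label
        if normalized == brand:
            return "homoglyph"               # e.g. zero in place of "o"
        tokens = re.split(r"[-_]", normalized)
        if brand in tokens and AFFIXES.intersection(tokens):
            return "affix"                   # e.g. "-login" appended
        if edit_distance(label, brand) == 1:
            return "typo"                    # one insert, delete or substitute
    return None

def scan(domains, brands=BRANDS):
    """Map each flagged domain to the reason it was flagged."""
    return {d: r for d in domains if (r := classify(d, brands))}

if __name__ == "__main__":
    for domain, reason in scan(QUERIED).items():
        print(f"{reason:10} {domain}")
```

The check compares only the label left of the TLD, so the brand label under a different TLD is not flagged; pair it with a public suffix list and a list of the domains you actually own.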
Cloudflare and AdGuard
Cloudflare Gateway and AdGuard DNS both provide powerful capabilities to protect organizations from malicious domains.
- Cloudflare Gateway delivers an Enterprise Protective DNS solution that immediately blocks suspicious or malicious domains. It integrates seamlessly with Zero Trust architectures and supports hybrid workstations, allowing employees to work securely anywhere.
- AdGuard DNS is increasingly being used for business purposes and offers, among other things, the ability to block newly registered domains (NRDs). Because cybercriminals often use these very domains for phishing or malware campaigns, NRD blocking significantly reduces the chances of successful attacks.
By deploying Cloudflare, AdGuard, or both, organizations gain not only proactive protection, but also greater visibility and control over their DNS traffic without sacrificing usability.
Conclusion
DNS is no longer a technical sideshow, but a strategic layer of defense. With the explosion of new domains, domain hijacking, lookalike attacks and AI-driven malware, the risk is greater than ever.
Those who ignore DNS give attackers free rein.
Those who deploy DNS as a security tool with monitoring, threat intelligence and solutions such as Cloudflare or AdGuard reduce the chances of attacks even before they really start.