
DNS security is often inadequate, and network engineers should get more involved

Credit: Network World

Despite widespread adoption of defensive measures, most IT professionals believe their DNS infrastructure is not secure enough.

Enterprise Management Associates (EMA) recently published DDI Directions 2026, a market research report that explores enterprise strategies for DNS, DHCP, and IP address management (DDI). In that report, only 28% of DDI experts said they believe that their DNS infrastructure is completely secure.

The risk of insecure DNS

This pessimism about DNS security represents a major risk to enterprises. DNS is a critical layer of infrastructure that translates human-readable domain names into IP addresses, making it a control plane for every networked application and service that an enterprise runs, both internally and externally. DNS is both an attack vector and a means of obfuscation. For example, a denial-of-service attack on DNS can bring down digital services. Malicious actors often disguise command and control communications and data exfiltration as DNS query traffic. And criminals often try to redirect users to malicious sites via DNS abuse.

EMA’s research found that IT organizations are primarily concerned about the following DNS threats:

  • Malicious redirections of users
  • Distributed denial of service (DDoS) attacks
  • DNS exfiltration and abuse

Moreover, DNS threats are becoming more sophisticated. Some 86% of enterprises have seen evidence of AI-enhanced DNS attacks. Threat actors use AI to rapidly iterate their attacks and make them more targeted, which pushes security measures to their limit.

Go deeper with DNS security

Most network security and cybersecurity vendors can protect DNS infrastructure and prevent DNS abuse with targeted policies. For example, URL filtering can block known malicious sites. Some of these security vendors have started selling DNS security solutions that go deeper.

On the other hand, DDI vendors and managed DNS providers offer more specialized DNS security solutions based on threat research, AI-driven behavioral analysis, and their overall DNS expertise.

EMA asked DDI decision-makers which type of vendor they trusted most to secure DNS. Nearly 55% said they trusted their general network security and cybersecurity vendors, while only 33% trusted DNS solution specialists. Our research suggests trust in general security vendors is misplaced. Survey respondents who trusted DNS solution providers were more likely to believe their DNS infrastructure was completely secure, while those who trusted general security providers were less secure. EMA recommends that enterprises go with the DNS experts to secure this infrastructure.

DNS security is a hybrid cloud issue

Many enterprises have siloed approaches to on-premises and cloud infrastructure. The network team builds and manages the on-premises network, including DNS infrastructure. The cloud team owns its own domain and manages its own DNS services. This can create DNS security silos, where policies, defensive measures, and security monitoring are inconsistent.

EMA research found that only 49% of DDI teams have enough influence over how DNS is implemented and managed in the public cloud. Survey respondents who reported having enough influence were more likely to believe their DNS is fully secure. With sufficient influence, DDI teams have more assurance that cloud teams are taking the right steps to secure DNS.

What does good DNS security look like?

EMA found that enterprises with secure DNS infrastructure tended to have:

  • Confidence in their DDI data: They were aware of all DDI assets on their networks, including DNS. And they had strong discovery and reporting in place to make sure they could track changes to DNS.
  • Their IP address management (IPAM) tools were integrated with more DNS infrastructure. This integration allows them to manage and track changes to DNS centrally in the IPAM tool, reducing opportunities for bad changes to open security vulnerabilities.
  • DDI operations were highly automated, which drives efficiency but also reduces errors.
  • DDI technology was integrated with network security controls, security monitoring tools, and identity and access management systems. This ensures the DDI stack and DNS infrastructure are plugged into the overall security ecosystem.

Finally, most enterprises reported that they were using specialized DNS security solutions such as DNS firewalls or DDoS protection to defend their networks. Most companies were also encrypting DNS traffic to prevent malicious actors from snooping and extracting intelligence from DNS queries.

What should you do next? Empower network engineering

EMA advises IT leaders to put DDI experts in charge of DNS security. Many organizations let cybersecurity take the lead. In fact, some DDI teams defer to cybersecurity on this issue under the assumption that cybersecurity has the expertise needed to protect DNS. In many cases, they do not.

Our research shows DNS tends to be more secure when the network engineering team responsible for DDI has ownership of DNS security. They understand its vulnerabilities, and they know how bad actors might abuse it. But it goes beyond protection. DNS security is about more than selecting the right security controls and monitoring tools. IT organizations need to improve overall design and management of DNS infrastructure. This means better discovery, monitoring, design, and ongoing management of DNS infrastructure.

Our research found that 40% of enterprises have experienced a security breach over the last two years attributable to mismanagement of DDI technology. In other words, it wasn’t the security measures that failed. It was the design and day-to-day management of DNS and other DDI assets that led to trouble. Network engineers are well positioned to take an integrated approach to DNS security, from design and management of DNS infrastructure to the security systems implemented to protect that infrastructure.
