July 12, 2026
DNS Abuse Trends Every Security Team Should Monitor
DNS is often called the phonebook of the internet, but for security teams it’s better described as an early warning system. Almost every…

By Paritosh
5 min read
DNS is often called the phonebook of the internet, but for security teams it's better described as an early warning system. Almost every attack, whether it's phishing, malware delivery, command and control communication, or a volumetric DDoS flood, touches DNS at some point. That makes DNS traffic one of the richest sources of threat signal available, and also one of the most heavily abused layers of internet infrastructure.
Below are the DNS abuse trends that security teams should be watching closely in 2026, along with why each one matters and what to do about it.
1. New Domains Are Still the Bad Actors' Favorite Weapon
Attackers overwhelmingly prefer newly registered domains over compromising established ones. Research on DNS threat traffic found that more than 65% of unique threat domains are composed of new domains. New domains are cheap, disposable, and haven't built up any reputation history, good or bad, which makes them easy to slip past traditional blocklists.
What to do: Treat domain age as a first class risk signal. Many protective DNS and secure web gateway platforms let you flag or block traffic to domains registered within the last 24 to 72 hours. This single rule blocks a disproportionate share of phishing and malware campaigns before any other detection even kicks in.
2. AI Is Accelerating Both Attack Creation and Abuse Volume
AI tools are lowering the barrier to entry for building malicious infrastructure. Attackers are now using AI's automation capabilities to work faster and launch attacks with minimal effort, spinning up new domains and assets rapidly and cheaply. This isn't limited to malware and phishing either; brute force and credential stuffing attacks are increasingly AI assisted too.
The scale is becoming hard to ignore. One major protective DNS provider reported that AI related query traffic on its network exceeded 6 billion between October 2024 and September 2025 alone, and the average internet user encountered 30% more threats over the same period, rising to roughly 66 threats per day compared to 29 the year before.
What to do: Assume that domain generation, content cloning, and lure creation are now largely automated on the attacker side. Static, manually curated blocklists can't keep pace. Behavioral and anomaly based detection needs to carry more of the weight going forward.
3. DNS Amplification Is Back on Top as a DDoS Vector
After years of memcached dominating amplification attacks, DNS has reclaimed the top spot. DNS amplification overtook memcached as the leading amplification vector for the first time since 2021, driven by a 340% increase in open DNS resolver abuse tied to misconfigured home routers and IoT devices exposed by ISPs that don't enforce source address validation.
This trend is compounded by attackers increasingly combining techniques rather than relying on a single vector. Nearly 40% of observed incidents involved two or more attack families used simultaneously, up sharply from about a fifth of incidents the year before, making single layer defenses far less effective than they used to be.
What to do: Audit whether your organization is inadvertently running an open resolver. Enforce BCP38 source address validation on your own network edge, and work with upstream providers who do the same. If you operate DNS infrastructure, rate limit responses and monitor for abnormal response size distributions.
4. DNS Tunneling for Data Exfiltration and Command and Control
DNS tunneling remains a favorite technique precisely because DNS traffic is rarely inspected as closely as HTTP or HTTPS traffic. Attackers encode stolen data or command and control instructions inside DNS queries and responses, letting malware talk to its operators through a channel that most firewalls wave straight through.
What to do: Monitor for the classic tunneling fingerprints: unusually long subdomain labels, high query volume to a single domain, high entropy in subdomain names, and TXT or NULL record queries that don't match normal application behavior. Several open source and commercial tools now build detection models specifically for this pattern.
5. NXDOMAIN and Random Subdomain Floods
Rather than attacking a target's web server directly, attackers increasingly flood DNS resolvers and authoritative servers with queries for subdomains that don't exist. Random subdomain attacks bypass caching entirely, since every query is unique, which forces the authoritative server to do full resolution work for every single request and can exhaust CPU and memory.
What to do: Deploy response rate limiting and query throttling on authoritative servers, and use anomaly detection to catch sudden spikes in NXDOMAIN response rates, which is often the clearest early signal that this kind of attack is underway.
6. Domain Security Hygiene Remains Inconsistent, Even at the Top
You'd expect the largest, best resourced organizations to have DNS security fundamentals locked down. The data says otherwise. DMARC adoption among the Global 2000 sits at roughly 80%, while DNSSEC and CAA record adoption across the same group remains at just 11%, despite steady growth since 2020. Even more strikingly, only about 1% of fast growing unicorn companies use DNS redundancy, with nearly 90% relying on a single cloud infrastructure provider.
What to do: Don't assume your DNS posture is fine just because you're a large or well funded organization. Run through the basics: DNSSEC, CAA records, DMARC/SPF/DKIM, and genuine multi provider redundancy rather than redundancy that collapses to a single cloud region under the hood.
7. CSAM and Illicit Content Distribution via DNS Is Rising Sharply
This trend deserves attention for reasons beyond conventional cyber risk. One large protective DNS provider blocked 44% more child sexual abuse material in 2025 than the year before, and partner data showed an extraordinary spike in AI generated CSAM video content detected over the same period. While this is primarily a content safety and legal compliance issue rather than a traditional intrusion vector, it increasingly overlaps with the same malicious domain infrastructure security teams already track, and enterprise content filtering policies need to account for it.
What to do: If your organization runs protective DNS or web filtering, make sure CSAM and illicit content categories are enabled and kept current, not just malware and phishing categories. This is as much a duty of care issue as it is a security one.
8. Attack Costs Are Climbing Fast
The financial stakes of DNS compromise keep rising. DNS attack costs in the United States surged 49% year over year, averaging around $1.27 million per incident, with nearly half of victims losing more than $500,000 and one in ten losing over $5 million. Detection speed is a major part of the problem: most US organizations took over a day to even detect that an attack was underway.
What to do: Treat DNS monitoring as a detection speed problem, not just a prevention problem. Real time DNS query logging and alerting will shrink your time to detection far more than another layer of blocklists will.
Putting It All Together
The throughline across all of these trends is the same: DNS is no longer a "set it and forget it" layer of infrastructure. It's an active, contested battleground where new domains spin up faster than manual review can keep pace, amplification attacks are resurging, exfiltration hides in plain sight inside ordinary looking queries, and even the most well resourced organizations still have basic gaps in their configuration.
A practical monitoring checklist for security teams heading into the rest of 2026 should include domain age and reputation scoring, response rate limiting on authoritative infrastructure, tunneling and exfiltration detection tuned to entropy and query volume, enforced source address validation to avoid contributing to amplification attacks, DNSSEC and CAA record deployment, and true infrastructure redundancy across providers rather than within a single cloud.
None of these controls are exotic or new. What's changed is the volume, speed, and automation behind the attacks hitting them, which means the cost of neglecting DNS hygiene keeps going up every year.