Key takeaways
Driven by a recent 300% surge in AI bot traffic, automated scanners are systematically exploiting DNS misconfigurations — such as dangling CNAMEs and lapsed delegations — at machine speed.
The updated NIST guidelines formally elevate DNS from a mere operational utility to a foundational layer of network security within Zero Trust architectures, mandating measures like protective DNS, encryption, and continuous monitoring.
As organizations transition to an agentic web powered by autonomous AI workloads, DNS resilience becomes critical; minor configuration errors or zone drifts can silently disrupt automated inference calls and workflows.
This blog post identifies six key DNS misconfigurations targeted by attackers.
Akamai DNS Posture Management addresses these vulnerabilities by offering a unified control plane across all internal, external, cloud, and on-premises DNS providers.
The updated DNS deployment guide from the U.S. National Institute of Standards and Technology (NIST) confirms what attackers already know: Your DNS is a gold mine of exploitable misconfigurations. This blog post covers what’s at stake — and how Akamai DNS Posture Management closes the gaps in security.
How DNS Posture Management mitigates modern threats
AI bot traffic surged by 300% in 2025 — and these bots are actively using DNS to probe for the very misconfigurations this blog post will address. Automated scanners systematically enumerate dangling CNAMEs, harvest exposed resource records for reconnaissance, and race to claim lapsed delegations — at machine speed — before your team notices them.
In March 2026, NIST published SP 800-81r3, its definitive guide to securing DNS — and its opening sets the tone: "An attack against the DNS infrastructure of an enterprise threatens every network operation in that enterprise."
DNS underpins every connection your organization makes. It is the first step in almost every network transaction. DNS is at work before a browser loads a page, before an API call succeeds, before a mail server delivers a message. That centrality is precisely what makes it so dangerous when left unmanaged.
Yet despite this, DNS hygiene is routinely deprioritized. Records accumulate. Delegations go stale. Providers multiply. Internal and external zones drift out of sync. Encrypted DNS sits unconfigured. And no single team has unified visibility across all of it.
This is the problem that Akamai DNS Posture Management is built to solve.
From operational utility to security control layer
The original purpose of DNS was purely functional: translate human-readable names into IP addresses. NIST SP 800-81r3 marks a formal acknowledgment that this role has permanently expanded. DNS is now described not merely as a service, but as “a foundational layer of network security” within Zero Trust and defense-in-depth architectures.
Because DNS precedes every network communication stream, it occupies a uniquely powerful position. A resolver that knows what to block, log, and flag can stop threats before the first malicious packet is ever transmitted. Organizations that treat DNS as a passive utility are leaving one of their most effective security levers completely unpulled.
NIST is explicit: Deploy protective DNS, encrypt DNS traffic, sign zones with DNSSEC, dedicate infrastructure to DNS services, and continuously monitor for misconfigurations. The organizations that follow these recommendations gain a security control that operates at network scale — protecting every device, every cloud workload, and every Internet of Things (IoT) endpoint simultaneously.
DNS: The backbone of the agentic web
As we move toward an agentic web in which machines perform autonomous actions, DNS reliability becomes even more critical. An AI agent making 5 to 10 inference calls per task cannot afford stale answers from zone drift or the security risk of a hijacked subdomain. Every tool call, every model endpoint, every retrieval step resolves through DNS first, which means a misconfigured delegation doesn't just inconvenience a user; it silently breaks an entire automated workflow.
The same 300% surge in AI bot traffic that creates new attack surfaces also raises the stakes for the infrastructure those agents depend on. DNS Posture Management ensures that the infrastructure powering your AI remains resilient, authenticated, and continuously validated — so autonomous workloads can operate at the speed and scale they were designed for.
Threat catalog: 6 DNS misconfigurations that attackers are counting on
NIST SP 800-81r3 catalogs the full threat surface across authoritative services, recursive resolvers, and stub resolvers. These threats are not theoretical — they represent active exploitation paths that organizations face today, and the same paths that AI bots systematically probe at scale. These six DNS misconfigurations (and their threat levels) are:
CRITICAL: Dangling CNAME and subdomain takeover
CRITICAL: Lame delegation exploitation and domain hijacking
HIGH: Look-alike domain exploitation, aka typosquatting
HIGH: Zone drift, zone thrash, and data inconsistency
HIGH: Information leakage via exposed resource records
HIGH: Missing DNSSEC and unencrypted DNS traffic
CRITICAL: Dangling CNAME and subdomain takeover (NIST SP 800-81r3 §3.6.1)
When a CNAME record points at a target name in a domain that your organization (or the provider it pointed to) no longer holds, a threat actor can register that domain and answer for the target from infrastructure they control, inheriting the full trust and reputation of your legitimate name. Automated bots scan for these lapsed targets at scale, racing to claim them before defenders notice.
CRITICAL: Lame delegation exploitation and domain hijacking (NIST SP 800-81r3 §3.6.2)
A lame delegation occurs when a subdomain is delegated to a DNS hosting provider, but the contract for that service lapses without the NS records being removed from the parent zone. Attackers can contract with the same provider and add that subdomain as a zone, immediately gaining control over its resolution and the ability to redirect traffic to their own infrastructure.
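As an added example (not Akamai's code, and not from the NIST guide), the Python below applies the two checks just described to a handful of constructed records. Live resolution is replaced by two lookup tables: the set of domains a registry currently knows, and the zones each nameserver answers for authoritatively. All domains, providers and nameservers are invented, and the registrable-domain helper assumes two-label domains rather than consulting the Public Suffix List. It covers a CNAME whose target domain is unregistered, a delegation to a nameserver whose own domain has lapsed, and a delegation the provider no longer serves; it does not cover the related case of a registered provider hostname whose underlying resource was deleted, which needs provider-specific probing.

```python
"""Offline check for dangling CNAMEs and lame delegations.

Real tooling resolves each target; here resolution is replaced by two
lookup tables so the logic runs without network access. Every name,
provider and record below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    severity: str
    name: str
    record: str
    detail: str


# Constructed stand-in for the registry: domains that currently exist.
REGISTERED = {"example.com.", "cdn-provider.example.",
              "dns-host.example.", "shop-host.example."}

# Constructed stand-in for querying each nameserver directly: the zones it
# answers for with the AA bit set. shop-host.example. no longer carries
# shop.example.com. (the contract lapsed) and ns2.dns-host.example. was
# never configured for api.example.com.
AUTHORITATIVE = {
    "ns1.dns-host.example.": {"example.com.", "api.example.com."},
    "ns2.dns-host.example.": {"example.com."},
    "ns1.shop-host.example.": set(),
    "ns2.shop-host.example.": set(),
}

# Constructed child records from the example.com. zone: (owner, type, rdata).
# The apex NS set is omitted; every NS record here is a child delegation.
ZONE = [
    ("www.example.com.", "CNAME", "example-com.cdn-provider.example."),
    ("old-app.example.com.", "CNAME", "app42.retired-paas.example."),
    ("shop.example.com.", "NS", "ns1.shop-host.example."),
    ("shop.example.com.", "NS", "ns2.shop-host.example."),
    ("api.example.com.", "NS", "ns1.dns-host.example."),
    ("api.example.com.", "NS", "ns2.dns-host.example."),
    ("legacy.example.com.", "NS", "ns1.gone-dns.example."),
]


def registrable_domain(name: str) -> str:
    # Assumption: two-label registrable domains. A real tool consults the
    # Public Suffix List so that e.g. co.uk is handled correctly.
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]) + "."


def check_cname(owner: str, target: str, registered: set) -> Optional[Finding]:
    """Dangling CNAME: the target's domain no longer exists, so anyone can
    register it and answer for the target name."""
    apex = registrable_domain(target)
    if apex not in registered:
        return Finding("CRITICAL", owner, f"CNAME {target}",
                       f"target domain {apex} is unregistered and can be claimed")
    return None


def check_delegation(child: str, servers: list, registered: set,
                     authoritative: dict) -> Optional[Finding]:
    """Hijackable or lame delegation, checked in order of severity: a server
    whose own domain lapsed (register it and you own the delegation), then
    servers that do not answer authoritatively for the child."""
    claimable = [ns for ns in servers if registrable_domain(ns) not in registered]
    if claimable:
        return Finding("CRITICAL", child, "NS " + ", ".join(claimable),
                       "nameserver host domain is unregistered; registering it takes over the delegation")
    lame = [ns for ns in servers if child not in authoritative.get(ns, set())]
    if lame:
        # All servers lame: whoever signs up with that provider controls the
        # zone. Some lame: a share of queries fail or can be captured.
        severity = "CRITICAL" if len(lame) == len(servers) else "HIGH"
        return Finding(severity, child, "NS " + ", ".join(lame),
                       "delegated server does not answer authoritatively for the child (lame delegation)")
    return None


def audit(zone: list, registered: set, authoritative: dict) -> list:
    findings = []
    delegations: dict = {}
    for owner, rtype, rdata in zone:
        if rtype == "CNAME":
            f = check_cname(owner, rdata, registered)
            if f:
                findings.append(f)
        elif rtype == "NS":
            delegations.setdefault(owner, []).append(rdata)
    for child, servers in delegations.items():
        f = check_delegation(child, servers, registered, authoritative)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit(ZONE, REGISTERED, AUTHORITATIVE):
        print(f"{f.severity:8} {f.name:22} {f.record:44} {f.detail}")
```

Run as a script it prints four findings and nothing for www, whose CDN target domain is still registered. Severity is CRITICAL when every nameserver for a child is lame, since whoever contracts with that provider then controls the whole zone, and HIGH when only some are, since part of the query load still lands on a server that cannot answer.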
HIGH: Look-alike domain exploitation, aka typosquatting (NIST SP 800-81r3 §3.6.3)
Threat actors register look-alike or typosquatted domains to impersonate target organizations, using subtle character substitutions, homoglyphs from international scripts, and other variations that users easily mistake for the legitimate domain. NIST also flags the risk of attackers registering retired domains and delegations to impersonate the organization to users who still hold old links or bookmarks.
HIGH: Zone drift, zone thrash, and data inconsistency (NIST SP 800-81r3 §3.2.2)
When the Refresh and Retry values in a Start of Authority (SOA) record are misconfigured relative to the rate of zone changes, primary and secondary name servers fall out of sync. When set too high: zone drift — stale, incorrect DNS data; when set too low: zone thrash — excessive transfers that degrade service. These errors are rarely visible until they cause an outage or an AI agent's inference call silently fails.
HIGH: Information leakage via exposed resource records (NIST SP 800-81r3 §3.5.1)
Records such as HINFO, RP, LOC, and misconfigured TXT entries can hand attackers — and the bots they deploy — a detailed map of your internal infrastructure, including operating systems and services known to have active exploits. NIST recommends excluding these record types from internet-facing zones entirely.
HIGH: Missing DNSSEC and unencrypted DNS traffic (NIST SP 800-81r3 §3.8, §4.2.1)
DNSSEC provides cryptographic integrity for DNS data, protecting against cache poisoning, response spoofing, and machine-in-the-middle (MITM) attacks. Encrypted DNS protocols (DoT, DoH, DoQ) protect the privacy and integrity of the query/response transaction. The U.S. government mandates encrypted DNS for Federal Civilian Executive Branch agencies. NIST specifically warns that improper DNSSEC management, particularly during key rollovers, is itself a source of DNS service failures: an expired RRSIG or a mishandled rollover causes validating resolvers to reject the zone's answers, so the outage is self-inflicted.
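The three checks above (SOA tuning, leaky record types, and DNSSEC hygiene) can be run against exported zone text without touching the network. The following Python is an added example, not Akamai's or NIST's code: it parses a constructed zone, flags a refresh interval longer than the zone's actual change interval (drift) or shorter than a floor (thrash), reports HINFO, RP and LOC records and any TXT outside an allowlist of expected policy prefixes, and checks DNSKEY algorithms against the RFC 8624 deprecation list and RRSIG expiration against the audit date. The thresholds, the allowlist and the audit date are assumptions marked in the code.

```python
"""Offline audit of zone text for SOA tuning (zone drift / zone thrash),
information-leaking records, and DNSSEC hygiene (unsigned zone, deprecated
signing algorithm, expiring RRSIGs).

Added example, not Akamai code. The zone below is constructed; the
thresholds and the TXT allowlist are assumptions stated inline.
"""
import shlex
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Tuple


class RR(NamedTuple):
    owner: str
    rtype: str
    rdata: list      # rdata tokens with quotes removed


def parse_zone(text: str) -> List[RR]:
    """One record per line: owner [TTL] [class] type rdata...
    No $ORIGIN/$TTL directives, no parenthesised multi-line records."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()                 # drop comments
        if not line:
            continue
        owner, *tok = shlex.split(line)
        if tok and tok[0].isdigit():                         # optional TTL
            tok = tok[1:]
        if tok and tok[0].upper() in ("IN", "CH", "HS"):     # optional class
            tok = tok[1:]
        records.append(RR(owner, tok[0].upper(), tok[1:]))
    return records


# RFC 8624: algorithms that MUST NOT / are NOT RECOMMENDED for new signatures.
DEPRECATED_ALGS = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
                   7: "RSASHA1-NSEC3-SHA1", 12: "ECC-GOST"}
LEAKY_TYPES = {"HINFO", "RP", "LOC"}
# Assumption: TXT values with these prefixes are expected policy records;
# anything else is surfaced for review.
EXPECTED_TXT = ("v=spf1", "v=DMARC1", "v=DKIM1", "google-site-verification=")
THRASH_FLOOR = 300              # assumption: refresh under 5 min is churn
RRSIG_WARN = timedelta(days=7)  # assumption: warn a week before expiry


def audit(records: List[RR], change_interval_s: int, now: datetime) -> List[Tuple[str, str, str]]:
    """Return (severity, owner, message). change_interval_s is how often the
    primary zone actually changes; refresh should not exceed it."""
    out = []
    for r in records:
        if r.rtype == "SOA":
            refresh = int(r.rdata[3])                         # mname rname serial REFRESH retry expire min
            if refresh > change_interval_s:
                out.append(("HIGH", r.owner, f"SOA refresh {refresh}s exceeds the change interval {change_interval_s}s; secondaries serve stale data (zone drift)"))
            if refresh < THRASH_FLOOR:
                out.append(("HIGH", r.owner, f"SOA refresh {refresh}s is below {THRASH_FLOOR}s; excessive transfers (zone thrash)"))
        elif r.rtype in LEAKY_TYPES:
            out.append(("HIGH", r.owner, f"{r.rtype} exposes {' '.join(r.rdata)!r}; remove it from the internet-facing zone"))
        elif r.rtype == "TXT":
            text = " ".join(r.rdata)
            if not text.startswith(EXPECTED_TXT):
                out.append(("HIGH", r.owner, f"unexpected TXT {text!r}; check for infrastructure detail"))
        elif r.rtype == "DNSKEY":
            alg = int(r.rdata[2])                             # flags protocol ALGORITHM key
            if alg in DEPRECATED_ALGS:
                out.append(("HIGH", r.owner, f"DNSKEY uses deprecated algorithm {alg} ({DEPRECATED_ALGS[alg]})"))
        elif r.rtype == "RRSIG":
            # type alg labels origttl EXPIRATION inception keytag signer sig
            exp = datetime.strptime(r.rdata[4], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            if exp <= now:
                out.append(("CRITICAL", r.owner, f"RRSIG over {r.rdata[0]} expired {exp:%Y-%m-%d}; validating resolvers now fail the zone"))
            elif exp - now < RRSIG_WARN:
                out.append(("HIGH", r.owner, f"RRSIG over {r.rdata[0]} expires {exp:%Y-%m-%d}; re-sign before then"))
    if not any(r.rtype == "DNSKEY" for r in records):
        out.append(("HIGH", records[0].owner, "no DNSKEY: zone is not DNSSEC-signed"))
    return out


# Constructed zone: one deprecated KSK (algorithm 5), a signature five days
# from expiry, three leaky records and one chatty TXT.
SAMPLE_ZONE = """
example.com.     3600 IN SOA    ns1.example.com. hostmaster.example.com. 2026031501 86400 7200 1209600 300
example.com.     3600 IN NS     ns1.example.com.
example.com.     3600 IN DNSKEY 257 3 5 AwEAAcKSKexampleKeyMaterial==
example.com.     3600 IN DNSKEY 256 3 13 oJMRESz5E4gYzS/example==
example.com.     3600 IN RRSIG  A 13 2 3600 20260320000000 20260306000000 12345 example.com. MEUCIQexampleSig==
db1.example.com. 3600 IN HINFO  "Ubuntu 22.04" "PostgreSQL 14"
example.com.     3600 IN RP     hostmaster.example.com. .
hq.example.com.  3600 IN LOC    37 47 0.000 N 122 25 0.000 W 10m
example.com.     3600 IN TXT    "v=spf1 include:_spf.example.net -all"
example.com.     3600 IN TXT    "build server: jenkins 2.4 on 10.0.5.12"
"""
NOW = datetime(2026, 3, 15, tzinfo=timezone.utc)   # assumed audit date


def run_sample() -> List[Tuple[str, str, str]]:
    # The zone is assumed to change about hourly, so refresh=86400 drifts.
    return audit(parse_zone(SAMPLE_ZONE), change_interval_s=3600, now=NOW)


if __name__ == "__main__":
    for sev, owner, msg in run_sample():
        print(f"{sev:8} {owner:18} {msg}")
```

The sample produces seven HIGH findings: the day-long refresh against an hourly change rate, the three leaky records, the chatty TXT, the RSA/SHA-1 key, and the signature that expires within the warning window. The SPF TXT and the algorithm 13 key pass. Point `parse_zone` at a real export (for example the output of a zone transfer you are authorised to run) and set `change_interval_s` from your own change history.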
Why unified DNS posture management is the answer
The six threats share a common root cause: DNS configuration changes that no single team is continuously watching. As enterprises expand across multiple authoritative DNS providers, hybrid cloud environments, and dozens of software as a service (SaaS) integrations — and as AI agents multiply the number of DNS-dependent workloads — the attack surface grows far faster than manual processes can track or secure.
Akamai DNS Posture Management addresses this with a unified control plane across all your DNS types — external and internal, cloud-hosted and on-premises — across every provider. It operationalizes the NIST guidance automatically, turning what would otherwise require multi-team manual audits into continuous, automated detection and guided remediation.
Dangling CNAMEs and lame delegations are identified by continuously resolving every CNAME and NS delegation across your estate, flagging any that point to infrastructure that is no longer under your control before an attacker — or automated scanner — can claim it.
Look-alike and typosquatted domains are surfaced through active monitoring of domain variations, including character substitutions, homoglyphs, and TLD swaps, with HTTP probing to identify which are live and potentially weaponized.
Zone drift and thrash are caught by auditing SOA parameters across all authoritative providers on every scan cycle, validating primary-to-secondary consistency before they can cause a resolution failure or break an agentic workflow.
Exposed resource records (HINFO, RP, LOC, and overly verbose TXT entries) are inventoried across every provider and flagged with the specific information they expose, so your team can make a fast removal decision.
DNSSEC gaps — including unsigned zones, deprecated algorithms such as RSA/SHA-1, approaching RRSIG expiry, and misconfigured key rollovers — are validated against current NIST recommendations on an ongoing basis.
Each detected issue surfaces with exact record context, provider details, and step-by-step remediation guidance. No guesswork, no manual correlation across provider dashboards. Native integrations with Splunk, Sumo Logic, Datadog, AWS Security Hub, PagerDuty, and ServiceNow ensure every detected misconfiguration flows directly into the platforms where your security operations team already works.
The bottom line
NIST SP 800-81r3 formalizes what security teams that have been paying attention already suspected: DNS is no longer just a utility. It is a security control layer — and like any control, its effectiveness depends entirely on whether it is properly configured and continuously maintained.
The misconfigurations described in the updated NIST guide are not uncommon. They are the product of normal organizational change: a cloud service is decommissioned, a domain contract lapses, a provider is swapped, a team leaves a zone unsigned. In an era of autonomous AI agents and machine-speed reconnaissance, these changes accumulate into an attack surface that adversaries — human and automated alike — actively probe around the clock.
Akamai DNS Posture Management closes this gap in security. It brings the full scope of your DNS infrastructure — across every provider, every zone, every record type — under continuous posture monitoring, aligned to NIST guidance, and surfaced in a single operational view.
Ready to secure your DNS estate?
To see DNS Posture Management in action, contact your Akamai representative to arrange a demo.