Threat Actors’ Hottest New Target: Access to DNS Servers

Threat actors are always on the lookout for ways to monetize access to systems. While endpoints and cloud environments have long been favored targets, a new one is starting to trend on the dark web: access to DNS servers. A scroll through various dark web forums reveals multiple offers by threat actors selling access to DNS servers.


Obtaining access to a DNS server gives a threat actor a lot of options. One of them is a pharming attack, in which the threat actor redirects traffic meant for a legitimate site to their own server, which can host malicious content such as a phishing page. Unlike a regular phishing attack, where the victim has to click a malicious link, in pharming the user lands on the phishing page even if they type the legitimate site's URL or domain into their browser. There are several ways to cause such a redirection, and altering DNS records is one of them. After all, the job of DNS is to translate a domain name into the address of the server that serves it. A DNS server holds multiple records for a domain. The most commonly used is the A record, which maps a name to an IPv4 address (AAAA does the same for IPv6); for a website, this is the address the browser connects to. A threat actor can change the A record so that the domain points to their own server, where a phishing page has been set up in advance. The threat actor can also host an exploit kit on that server, attempt to infect every redirected visitor with malware, and then forward them on to the legitimate server, leaving them none the wiser. Such a scheme is more damaging than phishing but also more technically complex. One caveat: over HTTPS the redirected visitor would see a certificate warning unless the attacker also holds a valid certificate for the domain, and, as discussed below, DNS control is exactly what certificate authorities rely on to validate domain ownership.

With DNS access, threat actors can also take over the domain in other ways. SPF, DKIM and DMARC, the security measures designed to stop threat actors from sending email that claims to come from a legitimate domain, are all published as DNS records. When a mail server receives an email claiming to come from a domain, for example intelfinder.io, it looks up the domain's SPF record (a TXT record) to determine whether the message was sent from an approved mail server. If it was not (for instance, because it came from a server run by a threat actor), the message fails SPF and, depending on the receiving server's policy and the domain's DMARC record, may be quarantined or rejected. DKIM and DMARC serve other important functions in preventing such abuse, but we will not get into their roles in this article. A threat actor with access to the DNS can change these records, for example by adding their own sending addresses to the SPF record or publishing a DKIM public key whose private key they hold, so that their mail servers are allowed to send email that appears to come from the legitimate company. Since mail servers treat messages that pass SPF, DKIM and DMARC checks as more trustworthy, the threat actor turns these security measures from a hurdle into an advantage.


Threat actors can take it a step further, as DNS records are also how SaaS providers verify that a customer owns a given domain. These providers include certificate authorities, DDoS protection and CDN services, marketing platforms, and more. For example, a mail delivery service may require users to add a specific TXT record to their domain to prove that they are its legitimate owners before they can use it with the service; a certificate authority likewise issues a TLS certificate for a domain to whoever can place its validation record in the domain's DNS. With the ability to enroll the hijacked domain in such services, additional schemes open up to the threat actor, enabling them to cause even more damage.

The above are only some of the ways in which threat actors can abuse a domain once they have DNS access. It is therefore no surprise that they are turning their attention to such access.

In most cases, a domain's authoritative DNS is hosted by a service provider such as the domain's registrar or a managed DNS provider. An organization may use a strong password and even two-factor authentication on its account, but if the provider itself is breached in a supply-chain attack, the attackers can still gain access to the DNS and change the domain's records. This is not a theoretical threat; it has already happened to organizations such as escrow.com (through no fault of their own). With access to DNS servers now becoming a cybercriminal trend, the frequency of such incidents will most likely increase. So how can organizations protect themselves? By monitoring the domain externally, from outside the provider, for any change against a known-good baseline of its records, so that a compromise at the provider cannot hide the change. IntelFinder monitors your domains for any changes in A records. If your domain starts pointing to a new IP address that you have not allowlisted, we will let you know, giving you an early signal that something may be going on. Book a demo.
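As an added example (not IntelFinder's code, and not part of the original article), the following Python script shows the kind of check such external monitoring performs, covering the three abuses described above: it diffs two snapshots of a domain's records and reports an A record outside the owner's allowlist (the pharming case), a new sending source or a weakened terminal "all" qualifier in the SPF record (the email case), a new TXT record of the sort third-party services use for domain verification, and any change to MX, NS or CNAME records. The domain, addresses, record contents and the "mailsvc-verification" token are all made up for the example.

```python
"""Flag suspicious changes between two DNS record snapshots of one domain.
Added example, not IntelFinder's code; snapshots are constructed inline, where a
real monitor would query an external resolver or the registrar's API."""
from __future__ import annotations
from dataclasses import dataclass

Snapshot = dict[str, set[str]]  # record type -> set of record data at the zone apex

SPF_ALL_RANK = {"-": 0, "~": 1, "?": 2, "+": 3}  # terminal "all", strict -> permissive
SPF_SOURCE_MECHS = {"ip4", "ip6", "include", "a", "mx", "exists"}  # authorize senders


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    rtype: str
    detail: str


def spf_terms(txt: str) -> list[str] | None:
    """Split an SPF TXT record into its terms; None if the record is not SPF."""
    parts = txt.strip().strip('"').split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    return parts[1:]


def spf_sources(terms: list[str]) -> set[str]:
    """Sending sources the record authorizes, qualifier stripped, lower-cased."""
    out: set[str] = set()
    for term in terms:
        body = term.lstrip("+-~?").lower()
        if body.split(":", 1)[0].split("/", 1)[0] in SPF_SOURCE_MECHS:
            out.add(body)
    return out


def spf_all_rank(terms: list[str]) -> int | None:
    """Permissiveness of the terminal 'all' mechanism; None if it is absent."""
    for term in terms:
        if term.lstrip("+-~?").lower() == "all":
            return SPF_ALL_RANK.get(term[0], SPF_ALL_RANK["+"])  # bare "all" means "+all"
    return None


def diff_zone(baseline: Snapshot, current: Snapshot, allowed_a: set[str]) -> list[Finding]:
    findings: list[Finding] = []

    # 1. A records: the domain resolves to an address nobody approved (pharming).
    #    Checked against an allowlist, not the baseline, so approved rotation stays quiet.
    for ip in sorted(current.get("A", set()) - allowed_a):
        findings.append(Finding("high", "A", f"resolves to non-allowlisted address {ip}"))

    # 2. SPF: a newly authorized sender, or a weakened terminal 'all'.
    base_spf = [t for t in map(spf_terms, baseline.get("TXT", set())) if t is not None]
    cur_spf = [t for t in map(spf_terms, current.get("TXT", set())) if t is not None]
    base_sources = set().union(*(spf_sources(t) for t in base_spf))
    base_rank = min((r for r in map(spf_all_rank, base_spf) if r is not None), default=None)
    for terms in cur_spf:
        for src in sorted(spf_sources(terms) - base_sources):
            findings.append(Finding("high", "TXT/SPF", f"new authorized sender {src}"))
        rank = spf_all_rank(terms)
        if rank is not None and base_rank is not None and rank > base_rank:
            findings.append(Finding("medium", "TXT/SPF", "terminal 'all' qualifier weakened"))
    if len(cur_spf) > 1:  # RFC 7208: more than one SPF record is a permerror
        findings.append(Finding("medium", "TXT/SPF", "multiple SPF records (permerror)"))

    # 3. Other new TXT records: third-party services prove domain ownership with
    #    a TXT token, so an unexpected one suggests an enrolment the owner never made.
    for txt in sorted(current.get("TXT", set()) - baseline.get("TXT", set())):
        if spf_terms(txt) is None:
            findings.append(Finding("medium", "TXT", f"new record, possible verification token: {txt}"))

    # 4. Mail routing and delegation: MX, NS and CNAME added or removed.
    for rtype in ("MX", "NS", "CNAME"):
        added = current.get(rtype, set()) - baseline.get(rtype, set())
        removed = baseline.get(rtype, set()) - current.get(rtype, set())
        findings.extend(Finding("high", rtype, f"added {rec}") for rec in sorted(added))
        findings.extend(Finding("medium", rtype, f"removed {rec}") for rec in sorted(removed))
    return findings


# Constructed sample data (not real observations): example.com before and after an
# attacker with DNS access repoints the site and adds their own mail source.
BASELINE: Snapshot = {
    "A": {"203.0.113.10"},
    "MX": {"10 mx1.example.com."},
    "TXT": {"v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.example -all"},
}
HIJACKED: Snapshot = {
    "A": {"198.51.100.77"},
    "MX": {"10 mx1.example.com."},
    "TXT": {
        "v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.example ip4:198.51.100.0/24 ~all",
        "mailsvc-verification=9f3c1a7b",
    },
}
ALLOWED_A = {"203.0.113.10", "203.0.113.11"}

if __name__ == "__main__":
    for f in diff_zone(BASELINE, HIJACKED, ALLOWED_A):
        print(f"[{f.severity}] {f.rtype}: {f.detail}")
```

Two design points matter in practice. The A-record check compares against an allowlist rather than the previous snapshot, so legitimate rotation among approved addresses does not page anyone, while the SPF check compares against the baseline, because any sender the owner did not previously authorize is suspicious regardless of address. Snapshots should be taken from resolvers outside the organization and outside the DNS provider, since the scenario the article describes is one where the provider itself has been compromised.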


IntelFinder is the most cost-effective threat intelligence solution on the market, offering customer-specific and actionable threat intelligence at a fraction of the cost. We cover a wide variety of threats, such as similar domain registration, rogue apps, leaked employee credentials, leaked source code, leaked documents, exposed subdomains and more – all for only $250/month per brand.

IntelFinder is offered with a two-week free trial – no strings attached and no credit card information required!

TRY INTELFINDER NOW

Let's Be In Touch

Do you prefer talking with us before trying out the service? No problem!