← All posts

Infrastructure · May 18, 2026 · intSignal Network Team

DNS Architecture and Security: The Layer Everything Depends On

Why DNS is the layer everything depends on

Almost every action a user or application takes begins with a DNS lookup. Open a web app, send email, join a VPN, reach a SaaS API, pull a container image — each one first resolves a name to an address. That makes DNS the quiet control plane underneath the whole environment, and it is why a DNS outage or compromise never stays contained. When resolution fails, servers that are perfectly healthy become unreachable; when resolution is tampered with, traffic that looks legitimate is silently steered somewhere else.

The uncomfortable part is how little attention DNS usually gets relative to its blast radius. Teams will spend months hardening a web tier and leave resolution running on a single provider, with no filtering, no signing, and no logging. A few architectural decisions — where names are answered, how many independent places can answer them, what gets blocked, and what gets watched — determine whether DNS is your strongest early-warning system or your softest single point of failure.

Resolver architecture: split-horizon and a central control point

The first design decision is where a given name gets answered, and the honest answer is usually "in two different places depending on who is asking." That is split-horizon (or split-brain) DNS: the same zone returns internal addresses to internal clients and public addresses to the outside world.

  • External / public DNS publishes only what the internet needs to reach — your web, mail, and public API records — and nothing else. It is authoritative, internet-facing, and deliberately minimal.
  • Internal DNS resolves private hostnames, domain controllers, internal services, and RFC 1918 addresses that should never appear in a public zone.
  • Split-horizon lets one name, like the corporate portal, resolve to a private address inside and a public address outside, so internal users take the short path and never traverse the internet to reach their own systems.

Getting this wrong leaks the internal map of your network. A public zone that lists internal hostnames, domain controllers, or private IP ranges hands an attacker a reconnaissance gift before they have sent a single packet at you. Keeping internal and external namespaces genuinely separate is a core piece of network security: the outside world should only ever see what it strictly needs to.

The second decision is how clients reach resolvers at all. In a well-run environment, endpoints do not each talk to the wider internet directly — they forward every query to a small set of central recursive resolvers you control. That hub-and-spoke shape is what turns DNS into a single, enforceable chokepoint for both policy and visibility.

Endpoints and branch sites forwarding all DNS queries to a central set of controlled recursive resolvers Figure: funneling every client through central resolvers turns DNS into one enforceable chokepoint for both filtering and logging.

Redundancy and anycast: staying resolvable on the worst day

Because everything depends on resolution, the goal is that a name can always be answered even when a provider, a data center, or a region goes dark. Two design patterns do most of the work.

  1. Multiple, independent authoritative providers. Run your public zones across at least two DNS providers on separate infrastructure and separate networks. A well-known 2016 attack on a single major DNS provider took large swaths of the internet offline precisely because so many domains depended on one operator. Two providers means one can fail entirely and your names still resolve.
  2. Anycast. Anycast advertises the same resolver IP address from many physical locations at once, and the network routes each query to the nearest healthy node. It delivers three things simultaneously: lower latency because users hit a close node, resilience because a failed location simply drops out of routing, and absorption capacity that blunts volumetric attacks by spreading the flood across many sites. This is the same globally distributed approach we use when we build global networks for clients who cannot tolerate a regional problem becoming a total outage.

Two supporting details matter. Keep TTLs low enough to fail over in a reasonable window but not so low that you needlessly hammer resolvers — a few minutes to an hour suits most records, with longer values for things that rarely change. And treat internal resolvers with the same redundancy discipline: at least two, on separate hosts and separate power, so a single server reboot does not make the whole office unable to find anything.

Protective DNS: the cheapest security control you are not using

Once every client funnels through central resolvers, you have a place to enforce policy on essentially all outbound intent. Protective DNS (PDNS) inspects each query against threat intelligence and blocks resolution of known-malicious or high-risk domains before a connection is ever made.

It is unusually cost-effective for what it stops:

  • Phishing and credential theft — the malicious link resolves to nothing.
  • Malware and command-and-control — implants that phone home by domain are cut off at the first lookup, often before any payload lands.
  • Newly registered and typosquatted domains — a large share of attacks use domains registered in the last few days, which PDNS feeds flag on sight.
  • Category and policy enforcement — block known bad neighborhoods without managing a proxy for every protocol.

The reason PDNS punches above its weight is that it acts at the moment of intent rather than the moment of impact. It is not a replacement for endpoint protection or managed detection and response, but as a broad, low-cost first filter that covers every device pointed at your resolvers, few controls return more per dollar.

DNSSEC and the attacks it does — and does not — stop

DNS was designed in an era of implicit trust, so a resolver has no built-in way to know whether an answer is authentic. DNSSEC closes part of that gap by signing records cryptographically, so a validating resolver can detect answers that were forged or altered in transit. Understanding the common attacks clarifies what DNSSEC buys you.

  • Cache poisoning injects forged answers into a resolver's cache so that future users of that resolver are sent to an attacker's address. DNSSEC validation defeats this directly, because the forged record fails the signature check.
  • DNS hijacking redirects resolution by compromising the registrar account, changing nameserver delegation, or altering records at the authoritative source. DNSSEC helps against on-path tampering, but registrar and account takeover is an access problem — protect it with strong multi-factor authentication, registrar locks, and tight control over who can change zones.
  • DNS tunneling abuses DNS as a covert channel, smuggling data or command-and-control traffic inside otherwise ordinary-looking queries and responses. DNSSEC does nothing here — tunneling hides in valid DNS — which is exactly why logging and analysis matter.

DNSSEC is worth deploying for the poisoning and integrity guarantees, but it is a narrow tool. It proves an answer is authentic; it says nothing about whether the answer is malicious, and it does not encrypt anything. Treat it as one layer, not a solution.

DNS as a detection signal

Because malware, exfiltration, and command-and-control almost all touch DNS, your query logs are one of the richest and most underused detection sources in the environment. Centralized resolvers make this practical: collect the logs and look for the patterns attackers cannot easily avoid.

  • Anomalous query volume or timing — a workstation making thousands of lookups an hour, or beaconing at a steady interval, is rarely a human.
  • High-entropy or very long subdomains — the signature of tunneling and many automated toolkits.
  • Queries to newly registered or low-reputation domains — strongly correlated with early-stage intrusions.
  • Requests for known bad domains that PDNS already blocked — a blocked query is not a non-event; it is a device announcing it is trying to reach something it should not.

Feeding resolver logs into your monitoring and analytics pipeline turns DNS into an early tripwire that often fires before other tooling notices anything. Correlating those signals is core work for a security operations center, and pairing them with broad infrastructure monitoring means you see both the availability problems and the security problems that show up in DNS first.

Treat DNS as core infrastructure, not plumbing

DNS earns its keep only when it is designed on purpose: split-horizon so you never leak the internal map, multiple independent providers and anycast so names always resolve, protective DNS as a cheap and broad first filter, DNSSEC where integrity matters, and full query logging so DNS becomes a detection signal instead of a blind spot. Handled well, the layer everything depends on becomes one of your most reliable and most informative. intSignal designs, hardens, and monitors DNS as the core infrastructure it is. Talk to our network team to review your resolution architecture and close the gaps before they close your business for you.