Infoblox, a provider of cloud networking and security services, today released its 2025 DNS Threat Landscape Report, revealing a dramatic surge in DNS-based cyberthreats and the growing sophistication of adversaries leveraging AI-enabled deepfakes, malicious adtech, and evasive domain tactics.
Based on pre-attack telemetry and real-time analysis of DNS queries from thousands of customer environments – with over 70 billion DNS queries per day – the report offers a view into how threat actors exploit DNS to deceive users, evade detection, and hijack trust.
“This year’s findings highlight the many ways in which threat actors are taking advantage of DNS to operate their campaigns, both in terms of registering large volumes of domain names and also leveraging DNS misconfigurations to hijack existing domains and impersonate major brands,” says Renée Burton, Head of Infoblox Threat Intel.
“The report exposes the widespread use of traffic distribution systems (TDS) to help disguise these crimes, among other trends security teams must look out for to stay ahead of attackers.”
Since its inception, Infoblox Threat Intel has identified a total of over 660 unique threat actors and more than 204,000 suspicious domain clusters (a cluster being a group of domains believed to be registered by the same actor).
Over the past 12 months, Infoblox researchers have published research covering 10 new actors. They have uncovered the breadth and depth of malicious adtech, which disguises threats from users through TDS.
The report brings together findings from the past 12 months to illuminate attack trends. In particular, it sheds light on adtech’s role in these attacks.
• 100.8 million newly observed domains in the past year, with 25.1% classified as malicious or suspicious
• 95% of threat-related domains observed in only one customer environment
• 82% of customer environments queried domains associated with malicious adtech, which rotate a massive number of domains to evade security tools and serve malicious content
• Nearly 500k traffic distribution system (TDS) domains were seen in the last 12 months within Infoblox networks
• Daily detection of DNS tunneling, exfiltration, and command and control, including Cobalt Strike, Sliver, and custom tools, which require ML algorithms to detect
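The bullet above notes that DNS tunneling and exfiltration are detected daily and that ML is needed to do it well. As an added illustration of the kind of signal such detection works from (this is not Infoblox’s code and not from the report), the following Python script profiles constructed DNS query log lines per apex domain and flags those whose subdomain labels look like encoded data: many distinct labels, long labels, high character entropy. The thresholds, the sample log, and the naive “last two labels” apex split are assumptions for the example; a real deployment would use the public suffix list and learned thresholds rather than fixed ones.

```python
import math
from collections import defaultdict

# Constructed DNS query log lines (timestamp, client IP, queried name); not real telemetry.
SAMPLE_LOG = """\
2025-06-01T10:00:01 10.0.0.5 www.example.com
2025-06-01T10:00:02 10.0.0.5 mail.example.com
2025-06-01T10:00:03 10.0.0.7 a3f9c2e17b4d8e0f1a2b3c4d5e6f7081.updates-cdn.net
2025-06-01T10:00:04 10.0.0.7 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.updates-cdn.net
2025-06-01T10:00:05 10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.updates-cdn.net
2025-06-01T10:00:06 10.0.0.7 ffeeddccbbaa99887766554433221100.updates-cdn.net
2025-06-01T10:00:07 10.0.0.9 cdn.example.com
2025-06-01T10:00:08 10.0.0.9 login.example.com
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character in a DNS label; encoded payloads score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Split a query name into (leftmost label, apex).

    Assumption for this example: the apex is the last two labels (example.com).
    Real tooling would consult the public suffix list (e.g. for co.uk)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, ".".join(labels)
    return labels[0], ".".join(labels[-2:])


def profile_queries(log_text: str):
    """Aggregate per-apex indicators: distinct labels, label lengths, label entropies."""
    profiles = defaultdict(lambda: {"labels": set(), "lengths": [], "entropies": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line; skip rather than crash the pipeline
        label, apex = split_name(parts[2])
        if label is None:
            continue  # bare apex query carries no subdomain payload
        p = profiles[apex]
        p["labels"].add(label)
        p["lengths"].append(len(label))
        p["entropies"].append(shannon_entropy(label))
    return profiles


def flag_tunneling(profiles, min_unique=3, min_mean_len=20, min_mean_entropy=3.0):
    """Return apex domains whose subdomain traffic looks like encoded data, not hostnames.

    Thresholds are illustrative assumptions, not values from the report."""
    flagged = []
    for apex, p in profiles.items():
        if len(p["labels"]) < min_unique:
            continue
        mean_len = sum(p["lengths"]) / len(p["lengths"])
        mean_ent = sum(p["entropies"]) / len(p["entropies"])
        if mean_len >= min_mean_len and mean_ent >= min_mean_entropy:
            flagged.append(apex)
    return sorted(flagged)


if __name__ == "__main__":
    for apex in flag_tunneling(profile_queries(SAMPLE_LOG)):
        print("possible DNS tunneling:", apex)
```

On the constructed sample, example.com is left alone (short, low-entropy hostnames such as www and login) while updates-cdn.net is flagged because every query carries a distinct 32-character high-entropy label. Fixed thresholds like these produce false positives on legitimate CDN and telemetry names, which is the gap the report says ML models are used to close.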
Over the year, threat actors continuously registered, activated, and deployed new domains, often in very large sets through automated registration processes. By increasing their number of domains, threat actors can bypass traditional forensic-based defences, which are built on a “patient zero” approach to security.
This reactive approach relies on detecting and analysing threats after they have already been used somewhere else in the world. As attackers leverage increasing levels of new infrastructure, this approach becomes ineffective, leaving organisations vulnerable.
Actors are using these domains for an array of malicious purposes, from creating phishing pages and deploying malware through drive-by downloads to engaging in fraudulent activities and scams, such as fake cryptocurrency investment sites.
These findings underscore a pressing need for organisations to be proactive in the face of AI-equipped attackers.
Investing in preemptive security can be the deciding factor in successfully thwarting threat actors.
Proactive protection, paired with continuous visibility into emerging threats, tips the scales in favour of security teams, allowing them to pull ahead of attackers and interrupt their unlimited supply of domains.