
DNS Security: Protecting Your Business at the Network Level

The Domain Name System is one of the most critical — and most vulnerable — components of your business's internet infrastructure. Every email you send, every website your staff visit, every cloud application they use, and every API call your systems make begins with a DNS query. If an attacker can manipulate or exploit your DNS, they can redirect your traffic, intercept your communications, steal your data, and bring your business to a standstill.

Yet DNS security remains an afterthought for the majority of UK businesses. The typical SME relies on whatever DNS servers their internet service provider assigns by default, with no filtering, no monitoring, no DNSSEC validation, and no visibility into what their DNS traffic reveals about their network. This is the equivalent of leaving the front door of your office open and unmonitored — and it is a risk that no UK business should accept.

This guide covers the DNS threats facing UK businesses, the security measures available to counter them, and practical implementation guidance for platforms like Cisco Meraki and Cisco Umbrella that are commonly deployed across UK SME networks.

91% of malware uses DNS at some point during its attack lifecycle
£87,000 average cost of a DNS attack for UK organisations
79% of UK businesses experienced DNS-related attacks in the past two years
7.5 hours average time to mitigate a DNS attack without proper defences

Understanding DNS Attacks

DNS was designed in the 1980s with functionality, not security, in mind. The protocol transmits queries and responses in plain text, mostly over UDP, has no built-in authentication mechanism, and a resolver accepts the first reply whose transaction ID, source address and destination port match an outstanding query, with no proof of who actually sent it. These fundamental design limitations create multiple attack vectors that modern adversaries routinely exploit.

DNS Spoofing (Cache Poisoning) is an attack in which a malicious actor gets a forged answer accepted into a recursive resolver's cache, typically by racing the legitimate reply with guessed transaction IDs. From then until the poisoned record's TTL expires, every user of that resolver who queries for your company's domain receives the attacker's IP address instead of the legitimate one and is redirected to a phishing site, malware distribution point, or man-in-the-middle proxy without any visible indication that something is wrong. The NCSC has identified DNS spoofing as a significant threat to UK organisations, particularly for high-value targets in the financial and professional services sectors.

DNS Tunnelling is a technique where attackers encode data within DNS queries and responses to exfiltrate information from a compromised network, or to carry command-and-control traffic into it. Because DNS traffic is almost universally allowed through firewalls (blocking DNS would prevent all internet access), it provides a covert channel for stealing data. A compromised device on your network can slowly leak sensitive documents, credentials, or database records through DNS queries that appear innocuous to standard network monitoring tools. The traffic is not invisible, though: it shows up as large numbers of unique, long, random-looking subdomains under one attacker-controlled domain, often in TXT or NULL queries, at a rate no human user produces.

DNS DDoS Attacks overwhelm your DNS infrastructure with a flood of queries, preventing legitimate users from resolving your domain names. If your customers cannot resolve your website's domain name, your website is effectively offline, even if the web server itself is perfectly healthy. DNS amplification attacks are particularly devastating: the attacker sends small queries to open resolvers with the source address spoofed to be the victim's, and the resolvers deliver their much larger responses to the victim, multiplying the traffic many times over.

DNS-based phishing (spoofing/hijacking): 45% of DNS attacks
DNS tunnelling (data exfiltration): 20%
DNS DDoS / amplification: 18%
Domain hijacking: 10%
DNS rebinding / other: 7%

DNSSEC: Authenticating DNS Responses

DNSSEC (Domain Name System Security Extensions) adds a layer of authentication to DNS by digitally signing DNS records. When DNSSEC is enabled, each record set in the zone carries a cryptographic signature (RRSIG) that a validating resolver checks against the zone's published public key (DNSKEY); that key is in turn vouched for by a DS record in the parent zone, and so on up to the root trust anchor, forming a chain of trust. If an attacker attempts to inject a fraudulent response (as in a cache poisoning attack), the signature will not validate, and the resolver will reject the response.

DNSSEC does not encrypt DNS traffic: queries and responses are still transmitted in plain text. What it does is provide origin authentication (proving the response came from the authoritative server for that domain) and data integrity (proving the response has not been modified in transit). Where both halves are in place, the zone signed and the resolver validating, a forged answer is rejected rather than cached, which removes cache poisoning as a practical attack against that zone. Two limits are worth knowing: DNSSEC does nothing for zones that are not signed, and it does not authenticate the last hop between a client and its resolver unless that hop is protected separately (see DNS over HTTPS and DNS over TLS below).

To implement DNSSEC for your UK business, you need to take action in two areas. First, sign your own domains by enabling DNSSEC with your DNS hosting provider. Most major DNS providers (Cloudflare, AWS Route 53, Azure DNS, Dyn) support DNSSEC signing. Your domain registrar also needs to support DNSSEC so that the DS (Delegation Signer) record, a hash of your key-signing key, can be published in the parent zone; without that record in the parent, resolvers have no way to trust your signatures. Treat the DS with care: if it does not match the DNSKEY your zone actually serves, or if you change DNS providers and forget to update or remove it, validating resolvers return SERVFAIL and your domain becomes unreachable for everyone behind them. A quick check is to run "dig +dnssec yourdomain.co.uk @1.1.1.1": the "ad" flag in the response header means the chain validated. Second, enable DNSSEC validation on your resolvers so that your staff benefit from DNSSEC protection when browsing the web. If you use Cisco Umbrella or Cloudflare's 1.1.1.1, DNSSEC validation is enabled by default.
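A check a practitioner will want after publishing a DS record is whether the DS in the parent actually corresponds to the key-signing key the zone is serving. The script below is an added example written for this article; it is not code from the article or from any DNS provider. It recomputes the DS digest and key tag from a DNSKEY in the same way a validating resolver links the two (RFC 4034), then compares the result with a published DS. The owner name is constructed and the public key is placeholder bytes rather than a real key, so the digest only means something for comparison inside the example; the comparison logic is what you would reuse against your own DNSKEY and DS.

```python
"""Recompute a DS record from a DNSKEY and compare it with the DS published in the parent zone.

Added example for this article; it is not the article's own code or a DNS provider's tool.
The owner name, key bytes and DS below are constructed for illustration.
"""
import base64
import hashlib
import struct
from typing import NamedTuple, Tuple

# DS digest type -> hash (RFC 4034 s5.1.3, RFC 4509, RFC 6605)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


class Dnskey(NamedTuple):
    flags: int        # 257 = KSK (zone key + SEP bit), 256 = ZSK
    protocol: int     # always 3
    algorithm: int    # e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    pubkey_b64: str   # base64 public key exactly as shown in the DNSKEY presentation format


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels,
    each prefixed by its length, terminated by the empty root label."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(key: Dnskey) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key bytes."""
    return struct.pack("!HBB", key.flags, key.protocol, key.algorithm) + base64.b64decode(key.pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (a 16-bit checksum, not a hash).
    The separate rule for algorithm 1 (RSA/MD5, long deprecated) is not implemented."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, key: Dnskey, digest_type: int = 2) -> Tuple[int, int, int, str]:
    """Build the DS RDATA (key tag, algorithm, digest type, hex digest).
    The digest covers the canonical owner name followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(key)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), key.algorithm, digest_type, digest


def ds_matches(owner: str, key: Dnskey, published_ds: Tuple[int, int, int, str]) -> bool:
    """True if the DS the parent publishes was derived from exactly this DNSKEY.
    Any mismatch (tag, algorithm, digest type or digest) means validating resolvers
    cannot build the chain of trust and will SERVFAIL the zone."""
    tag, alg, dtype, digest = published_ds
    if dtype not in DIGESTS:
        return False
    expected = make_ds(owner, key, dtype)
    return expected[:3] == (tag, alg, dtype) and expected[3] == digest.replace(" ", "").upper()


# Constructed sample: placeholder key bytes, not a real public key.
SAMPLE_KEY = Dnskey(257, 3, 13, base64.b64encode(b"constructed example key material, not a real key").decode())

if __name__ == "__main__":
    ds = make_ds("example.co.uk", SAMPLE_KEY)
    print("expected DS:", *ds)
    print("published DS matches:", ds_matches("example.co.uk", SAMPLE_KEY, ds))
```

To use it for real, take the flags, protocol, algorithm and key from "dig DNSKEY yourdomain.co.uk +short" and the four DS fields from "dig DS yourdomain.co.uk +short"; if ds_matches returns False, validating resolvers are already failing your domain, and the fix is to publish a DS computed from the key you actually serve.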

DNSSEC Adoption in the UK

Despite its importance, DNSSEC adoption in the UK remains disappointingly low. Nominet, the .uk domain registry, has supported DNSSEC signing for .uk domains since 2012, but only approximately 5% of .uk domains have DNSSEC enabled. By contrast, countries like Sweden and the Netherlands have DNSSEC adoption rates above 50%. The UK Government's own guidance, published through the NCSC, recommends DNSSEC for all organisations, and many government .gov.uk domains are now signed. For UK businesses, enabling DNSSEC is a straightforward step that provides meaningful protection against a significant threat vector. If your DNS provider supports it (and most modern providers do), there is little reason not to enable it.

DNS Filtering: Blocking Threats at the Source

DNS filtering is one of the most powerful and cost-effective security measures available to UK businesses. By routing your DNS queries through a security-aware DNS service, you can block access to known malicious domains, phishing sites, malware distribution points, and command-and-control infrastructure before any connection is established.

The concept is simple: when a user or device on your network attempts to visit a malicious website, the DNS filter intercepts the query, checks the domain against a continuously updated threat intelligence database, and returns the address of a block page (or an NXDOMAIN answer) instead of the malicious IP address. The connection to the malicious site is never established, which means the malware is never downloaded, the phishing page is never displayed, and the data exfiltration channel is never opened. The control acts on names only, so it cannot see connections made directly to an IP address, and it is bypassed by any device that resolves names through some other resolver; both gaps are addressed in the sections on encrypted DNS and firewall rules below.

DNS filtering also provides content filtering capabilities, allowing you to block categories of websites that are inappropriate for the workplace (adult content, gambling, social media during work hours) or that pose legal risks (piracy sites, proxy/anonymiser services). For UK businesses, this helps meet both security objectives and duty-of-care obligations under the Equality Act 2010 and the Health and Safety at Work Act 1974.

ISP default DNS (no security filtering) compared with a secure DNS provider (e.g. Cisco Umbrella, Cloudflare Gateway):

Threat blocking: ISP default, none | Secure provider, millions of domains blocked in real time
Phishing protection: ISP default, none | Secure provider, AI-powered detection plus threat intel
Content filtering: ISP default, none | Secure provider, 80+ categories available
Query logging: ISP default, none accessible to you | Secure provider, full visibility with reporting
DNSSEC validation: ISP default, varies (often disabled) | Secure provider, enabled by default
Anycast performance: ISP default, limited | Secure provider, global network, faster resolution

Implementing DNS Security with Cisco Meraki and Umbrella

For UK businesses using Cisco Meraki networking equipment, integrating Cisco Umbrella for DNS security is straightforward and provides one of the most effective security layers available.

Cisco Umbrella (formerly OpenDNS) is a cloud-delivered DNS security platform that processes over 620 billion DNS requests per day, giving it unmatched visibility into global internet activity. Its threat intelligence is derived from this massive query volume, combined with machine learning models that identify malicious domains before they are used in attacks — often before traditional security tools have added them to their blocklists.

The integration with Meraki is particularly elegant. In the Meraki dashboard, navigate to Security & SD-WAN > Threat Protection and enable the Umbrella integration. This automatically routes all DNS queries from your Meraki-managed network through Umbrella's resolvers, applying your security and content filtering policies to every device on the network without requiring any client software or endpoint configuration.

For organisations that need per-device policies or protection for devices outside the office (laptops used at home or while travelling), Umbrella's roaming client can be deployed through Microsoft Intune or your endpoint management platform. This ensures that staff are protected by DNS security regardless of where they are working — a critical capability for the hybrid working model that most UK businesses now operate.

DNS queries inspected (Umbrella globally): 620 billion/day
Malicious domains blocked proactively: before first attack
Protection coverage with Meraki integration: all network devices
Protection coverage with roaming client: on and off network
Deployment time (Meraki integration): under 30 minutes

Monitoring DNS Queries: Visibility You Cannot Afford to Ignore

One of the most valuable capabilities of a secure DNS platform is the visibility it provides into your network's DNS activity. Every DNS query tells a story, and patterns in DNS traffic can reveal compromised devices, policy violations, shadow IT, and emerging threats long before they cause visible damage.

With DNS query logging enabled (through Umbrella, Cloudflare Gateway, or similar platforms), you gain the ability to identify devices making queries to known malicious domains (indicating active malware infection), detect unusually high query volumes from individual devices (a potential indicator of DNS tunnelling), discover unapproved cloud services being used by staff (shadow IT), monitor for data exfiltration attempts through encoded DNS queries, and track which content categories your staff are accessing most frequently.

For GDPR compliance, DNS logs should be treated as personal data (they can reveal individuals' browsing activity) and handled accordingly. Implement appropriate retention periods, access controls, and data protection impact assessments for your DNS logging. Most UK businesses retain DNS logs for 30 to 90 days, balancing security monitoring needs with data minimisation principles.

DNS security measure | What it protects against | Implementation complexity | Approximate annual cost (50 users)
DNSSEC (domain signing) | DNS spoofing, cache poisoning | Low: enable with DNS provider | Free (included with most DNS hosting)
DNS filtering (Cisco Umbrella) | Malware, phishing, C2 communication | Low: Meraki integration or agent | £1,200 to £3,500 depending on tier
DNS filtering (Cloudflare Gateway) | Malware, phishing, content control | Low: change DNS resolvers or agent | £840 to £2,100 (Zero Trust plan)
DNS query logging | Visibility for incident response | Low: included with filtering platforms | Included with filtering subscription
DNS over HTTPS (DoH) | Eavesdropping on DNS queries | Medium: browser/OS configuration | Free (built into modern browsers)
Response Policy Zones (RPZ) | Custom domain blocking, internal threat feeds | Medium to high: requires DNS expertise | Free (if running own resolvers)
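To make the RPZ row concrete, and the block-page behaviour described under DNS filtering above, here is an added example that turns a domain blocklist into a BIND-style Response Policy Zone. It is not code from this article or from BIND. The zone name rpz.corp.example, the feed entries and the block-page address 10.0.0.250 are all constructed. It validates feed entries (a malformed name in a policy zone can stop the whole zone loading), deduplicates them, emits a wildcard for each blocked domain so subdomains are covered too, and supports an allow-list entry that overrides the wildcard.

```python
"""Generate a BIND-style Response Policy Zone (RPZ) from a domain blocklist.

Added example for this article, not code from the article or from BIND.
Zone name, feed entries and the block-page address are constructed.
"""
import ipaddress
import re
from typing import Iterable, Tuple

LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# QNAME-trigger actions: the special CNAME target encodes the policy.
ACTIONS = {
    "nxdomain": "CNAME .",              # answer NXDOMAIN (the usual choice for malware/phishing)
    "nodata": "CNAME *.",               # answer NODATA: name exists, no records
    "drop": "CNAME rpz-drop.",          # send no answer at all
    "passthru": "CNAME rpz-passthru.",  # exempt this name (allow-list)
}


def normalise(domain: str) -> str:
    """Lowercase, strip the trailing dot, and reject names a feed should never contain."""
    d = domain.strip().lower().rstrip(".")
    if not d or any(not LABEL_RE.match(label) for label in d.split(".")):
        raise ValueError(f"invalid domain name in feed: {domain!r}")
    return d


def build_rpz(zone: str, entries: Iterable[Tuple[str, str]], serial: int,
              block_page_ip: str = None) -> str:
    """entries: (domain, action) where action is a key of ACTIONS or "block-page".
    "block-page" is RPZ local data: the resolver answers with the given A record
    (your internal block page) instead of the real address."""
    zone = normalise(zone)
    out = [
        f"$ORIGIN {zone}.",
        "$TTL 60",  # short TTL so policy changes take effect quickly
        f"@ IN SOA localhost. hostmaster.{zone}. {serial} 3600 900 604800 60",
        "@ IN NS localhost.",
    ]
    seen = set()
    for raw, action in entries:
        dom = normalise(raw)
        if dom in seen:
            continue  # feeds commonly repeat entries
        seen.add(dom)
        if action == "block-page":
            if block_page_ip is None:
                raise ValueError("block-page action needs block_page_ip")
            rdata = f"A {ipaddress.IPv4Address(block_page_ip)}"
        elif action in ACTIONS:
            rdata = ACTIONS[action]
        else:
            raise ValueError(f"unknown action {action!r} for {dom}")
        out.append(f"{dom} {rdata}")
        if action != "passthru":
            # Wildcard catches every subdomain; an explicit (allow-listed) name still
            # wins over the wildcard, as in ordinary DNS matching.
            out.append(f"*.{dom} {rdata}")
    return "\n".join(out) + "\n"


# Constructed feed: a phishing domain to block, a malware domain sent to the block page,
# and an allow-listed host under an otherwise blocked domain.
SAMPLE_FEED = [
    ("Badsite.Example.", "nxdomain"),
    ("malware-drop.example", "block-page"),
    ("safe.badsite.example", "passthru"),
]

if __name__ == "__main__":
    print(build_rpz("rpz.corp.example", SAMPLE_FEED, serial=2024050101, block_page_ip="10.0.0.250"), end="")
```

Write the output to a zone file, declare it as a normal master zone in named.conf, and reference it from a response-policy { zone "rpz.corp.example"; }; statement in the options block; bump the serial each time the feed changes so secondaries pick up the new policy.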

DNS over HTTPS and DNS over TLS

Traditional DNS queries are sent in plain text, meaning anyone who can observe your network traffic (your ISP, a man-in-the-middle attacker, or a compromised device on your network) can see every domain your users visit. DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt DNS queries, preventing this eavesdropping.

DoH wraps DNS queries in HTTPS on port 443, making them hard to distinguish from regular web traffic. DoT uses a dedicated TLS connection on port 853, which is easy to identify and, if you choose, to block at the firewall. Both achieve the same goal, preventing DNS query eavesdropping, but DoH is more widely deployed because it is built into mainstream browsers and operating systems and works wherever HTTPS does.

For UK businesses, encrypted DNS is a double-edged sword. It protects your users' privacy from external observers, but it can also bypass your DNS filtering controls if a browser or device is configured to use a public DoH resolver (such as Google's https://dns.google/dns-query or Cloudflare's https://cloudflare-dns.com/dns-query) instead of your corporate DNS. The plain-DNS addresses 8.8.8.8 and 1.1.1.1 are a separate bypass route over port 53, which a firewall rule can close. To maintain security visibility whilst enabling encrypted DNS, use a DNS filtering platform that supports DoH/DoT natively (both Umbrella and Cloudflare Gateway do), configure your endpoints to use your corporate DoH endpoint rather than a public one, and at the firewall deny outbound UDP/TCP 53 and TCP 853 to anything other than your resolvers and block the well-known public DoH hostnames.
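The following is an added example, not code from the article, a browser or a vendor, showing what a DoH query looks like on the wire per RFC 8484: the same DNS message that would travel over port 53 is carried inside an HTTPS request, which is why a firewall sees nothing but a TLS session to a web server. The endpoint https://doh.corp.example/dns-query is an assumed name for a corporate resolver, and the query name is constructed.

```python
"""What a DNS-over-HTTPS query looks like on the wire (RFC 8484).

Added example for this article, not code from the article, a browser or a vendor.
The endpoint https://doh.corp.example/dns-query stands in for your corporate resolver.
"""
import base64
import struct
from typing import Tuple

DOH_MEDIA_TYPE = "application/dns-message"


def encode_name(qname: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ending in the empty root label."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split(".")) + b"\x00"


def build_query(qname: str, qtype: int = 1) -> bytes:
    """A standard DNS query message, byte for byte what would go over UDP port 53.
    RFC 8484 s4.1: DoH clients SHOULD use message ID 0 so HTTP caches can reuse responses."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # id=0, flags RD=1, qdcount=1
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(endpoint: str, query: bytes) -> str:
    """GET form: the message is base64url-encoded without padding in the dns= parameter."""
    return f"{endpoint}?dns=" + base64.urlsafe_b64encode(query).decode("ascii").rstrip("=")


def doh_post_request(endpoint: str, query: bytes) -> dict:
    """POST form: the raw message is the body and the content type says it is DNS."""
    return {"method": "POST", "url": endpoint,
            "headers": {"Content-Type": DOH_MEDIA_TYPE, "Accept": DOH_MEDIA_TYPE},
            "body": query}


def decode_dns_param(param: str) -> bytes:
    """Reverse of doh_get_url: restore padding, then base64url-decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def parse_question(msg: bytes) -> Tuple[str, int, int]:
    """Read the question section (name, type, class) back out of a message.
    Question names are never compressed, so no pointer handling is needed here."""
    labels, pos = [], 12  # the 12-byte header comes first
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, qclass


if __name__ == "__main__":
    q = build_query("intranet.example.co.uk")
    url = doh_get_url("https://doh.corp.example/dns-query", q)
    print(url)
    print(parse_question(decode_dns_param(url.split("dns=", 1)[1])))
```

Everything a network observer sees is a TLS connection to doh.corp.example on port 443; the name being resolved is inside the ciphertext. The same URL can be sent by hand with curl and an Accept header of application/dns-message to confirm a corporate endpoint answers, and the dns= parameter is also what a proxy log would show if you were hunting for DoH use to endpoints you do not control.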

The NCSC's Position on Encrypted DNS

The National Cyber Security Centre has published guidance acknowledging the privacy benefits of encrypted DNS whilst highlighting the operational security challenges it creates. The NCSC recommends that organisations deploy their own encrypted DNS resolver (or use a managed security-aware resolver like Umbrella) rather than allowing devices to use arbitrary public resolvers. This ensures DNS queries are encrypted in transit (protecting privacy) whilst still being subject to security filtering and monitoring (protecting the organisation). For UK businesses deploying Meraki and Umbrella, this is the default configuration — DNS queries are filtered through Umbrella and can be encrypted using Umbrella's DoH endpoint.

Securing Your Domain Registration

DNS security is not just about how queries are resolved — it also encompasses the security of your domain registration itself. Domain hijacking, where an attacker gains control of your domain by compromising your registrar account, is one of the most devastating attacks a business can suffer. If an attacker controls your domain, they control your website, your email, and your entire online identity.

Protect your domain registrar account with multi-factor authentication. Use a strong, unique password that is not used for any other account. Enable registrar lock (also called domain lock or transfer lock) to prevent unauthorised domain transfers. For high-value domains, consider registry lock (a more robust protection available through some registrars and registries), which requires manual verification through an out-of-band channel before any changes can be made to the domain.

Nominet, the .uk registry, offers several security features for UK domains including domain locking and DNSSEC signing. Take advantage of these features — your .co.uk and .uk domains are critical business assets and deserve the same level of protection as your other infrastructure.

Building Your DNS Security Strategy

A comprehensive DNS security strategy for a UK business should address prevention, detection, and response across all aspects of DNS infrastructure.

Prevention: Enable DNSSEC on all domains you own. Implement DNS filtering through a platform like Cisco Umbrella or Cloudflare Gateway. Lock your domain registrar accounts with MFA and transfer locks. Configure encrypted DNS (DoH/DoT) to your corporate resolver. Block DNS queries to unauthorised resolvers at the firewall level.

Detection: Enable DNS query logging and review it regularly. Set alerts for queries to newly registered domains (less than 30 days old; phishing and malware infrastructure is often used within days of registration). Monitor for unusually high DNS query volumes from individual devices. Watch for DNS queries containing unusually long, high-entropy or encoded subdomain strings, especially many distinct ones under a single domain and especially in TXT or NULL queries (indicators of DNS tunnelling).
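The three detection signals just listed (newly registered domains, per-device query volume, long or encoded subdomain strings), together with the tunnelling traffic described in the attacks section and the uses of query logging described above, can be checked with a short script over exported resolver logs. What follows is an added example written for this article, not code from Umbrella, Cloudflare or the original page. The log lines, the known-bad set, the registration dates and the two-level suffix list are all constructed; in practice they come from your filtering platform's export, your threat feed and a domain-age source (RDAP or a commercial feed), and registrable-domain extraction should use the Public Suffix List rather than the four suffixes hard-coded here. The thresholds are starting points to tune against your own baseline.

```python
"""Triage exported DNS resolver logs for the signals described in the article.

Added example, not code from the article or any vendor. All data below is constructed.
"""
import math
from collections import Counter, defaultdict
from datetime import date, datetime
from typing import List, Tuple

# Constructed log sample (not real traffic). Fields: timestamp client qname qtype rcode
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.1.2.15 www.example.co.uk A NOERROR
2024-05-01T09:00:02 10.1.2.15 mail.example.co.uk A NOERROR
2024-05-01T09:00:05 10.1.2.15 cdn.static-example.com A NOERROR
2024-05-01T09:00:09 10.1.2.15 updates.vendor-example.net A NOERROR
2024-05-01T09:00:03 10.1.2.40 3c4a9f1e0b7d6a8c.9e2f4b1d7c3a5e8f.tunnel.example TXT NOERROR
2024-05-01T09:00:04 10.1.2.40 7b1d9e3f5a2c8e0b.4f6a1c9d3e7b2a5c.tunnel.example TXT NOERROR
2024-05-01T09:00:05 10.1.2.40 e0c7a3f9b5d1e8a4.2d8b6f0a4c1e9b3d.tunnel.example TXT NOERROR
2024-05-01T09:00:06 10.1.2.40 5a8c2e6b0d4f9a1c.7e3b9d5f1a6c2e8b.tunnel.example TXT NOERROR
2024-05-01T09:00:07 10.1.2.40 1f6d3b9e7a2c5e0f.8c4a0e6b2d9f3a7c.tunnel.example TXT NOERROR
2024-05-01T09:00:08 10.1.2.40 b3e9f5c1a7d2b8e4.6a0c8e2f4b9d1c7a.tunnel.example TXT NOERROR
2024-05-01T09:01:10 10.1.2.77 invoice-portal.example A NOERROR
2024-05-01T09:01:12 10.1.2.77 malware-drop.example A NOERROR
"""
SAMPLE_TODAY = date(2024, 5, 1)  # the day the constructed log was taken

# Constructed stand-ins for threat intelligence. In production: your filtering
# platform's verdicts, a domain-age feed or RDAP, and the Public Suffix List.
KNOWN_BAD = {"malware-drop.example"}
REGISTRATION_DATES = {"invoice-portal.example": date(2024, 4, 25)}
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}


def registrable_domain(qname: str) -> str:
    """example.co.uk for www.example.co.uk; tunnel.example for a.b.tunnel.example."""
    labels = qname.lower().rstrip(".").split(".")
    n = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking (encoded) labels score high, words score low."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())


def parse_log(text: str):
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, qtype, rcode = line.split()
            rows.append((datetime.fromisoformat(ts), client, qname.lower().rstrip("."), qtype, rcode))
    return rows


def analyse(text: str, today: date, volume_per_minute: int = 6, nrd_days: int = 30,
            min_unique: int = 5, min_prefix_len: int = 24, min_entropy: float = 3.0) -> List[Tuple[str, str, str]]:
    """Return (rule, subject, detail) findings, one per rule and subject."""
    findings = {}
    per_minute = Counter()          # (client, minute) -> query count
    prefixes = defaultdict(set)     # registrable domain -> {(client, qtype, subdomain prefix)}
    for ts, client, qname, qtype, _ in parse_log(text):
        dom = registrable_domain(qname)
        per_minute[(client, ts.replace(second=0))] += 1
        if dom in KNOWN_BAD:
            findings.setdefault(("known_bad", dom), f"queried by {client}: treat the device as infected")
        reg = REGISTRATION_DATES.get(dom)
        if reg is not None and (today - reg).days < nrd_days:
            findings.setdefault(("newly_registered", dom), f"{(today - reg).days} days old, queried by {client}")
        if qname != dom:
            prefixes[dom].add((client, qtype, qname[: -len(dom) - 1]))
    for (client, minute), n in per_minute.items():
        if n >= volume_per_minute:
            findings.setdefault(("high_volume", client), f"{n} queries in the minute from {minute.time()}")
    for dom, items in prefixes.items():
        labels = {p for _, _, p in items}
        if len(labels) < min_unique:
            continue  # a handful of hosts under one domain is normal
        mean_len = sum(map(len, labels)) / len(labels)
        mean_ent = sum(map(shannon_entropy, labels)) / len(labels)
        if mean_len >= min_prefix_len and mean_ent >= min_entropy:
            clients = sorted({c for c, _, _ in items})
            qtypes = sorted({t for _, t, _ in items})
            findings.setdefault(("tunnelling", dom),
                                f"{len(labels)} unique prefixes, mean length {mean_len:.0f}, "
                                f"mean entropy {mean_ent:.2f} bits/char, types {qtypes}, clients {clients}")
    return [(rule, subject, detail) for (rule, subject), detail in findings.items()]


if __name__ == "__main__":
    for rule, subject, detail in analyse(SAMPLE_LOG, today=SAMPLE_TODAY):
        print(f"{rule:16} {subject:24} {detail}")
```

On the constructed sample the tunnelling rule fires on tunnel.example from client 10.1.2.40 (which also trips the volume rule, as tunnelling clients usually do), the newly-registered rule on invoice-portal.example, and the known-bad rule on malware-drop.example, while the ordinary browsing from 10.1.2.15 produces nothing. Content-delivery networks with hashed hostnames are the usual false positive for the tunnelling rule, so keep an allow-list of such domains alongside the thresholds.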

Response: Define procedures for responding to DNS-related incidents, including domain hijacking (contact registrar immediately, engage NCSC if necessary), DNS-based data exfiltration (isolate affected devices, preserve DNS logs for forensic analysis), and DNS DDoS (engage your DNS provider's DDoS mitigation services, consider a secondary DNS provider for redundancy).

Ready to Secure Your DNS Infrastructure?

Cloudswitched helps UK businesses implement comprehensive DNS security solutions, from Cisco Umbrella deployment and Meraki integration to DNSSEC enablement, DNS monitoring, and incident response planning. Whether you are starting from scratch or looking to strengthen an existing setup, our team provides the expertise to protect your business at the DNS layer. Contact us to discuss your DNS security requirements.

CloudSwitched: centrally located in London, Shoreditch, we offer a range of IT services and solutions to small/medium sized companies.