When “It’s Always DNS” Becomes Your Security Advantage
Summary: The article argues that DNS plays a key role in network security, with 92% of cyber-attacks touching DNS as a first step. Infoblox identifies malicious domains ahead of time by tracking the infrastructure of criminal groups and integrates that intelligence with existing security tools to cut down threats. The approach speeds up detection, lowers the false positive rate, and gives organizations broad protective coverage.
2025-10-23 18:12:56 Author: securityboulevard.com

Every network engineer knows the refrain: “It’s always DNS.” When websites won’t load, applications fail to connect, or mysterious outages appear, the Domain Name System, the internet’s essential address book, is usually involved. For years this made DNS a source of troubleshooting frustration. But as Infoblox argued in its Security Field Day presentations, there is a compelling flip side to this truth: if DNS touches everything, it can also protect everything.

The First Point of Contact for Nearly Every Attack

An NSA analysis cited in the presentation puts the number at 92% of cyber-attacks interacting with DNS at some point. The more useful insight is that DNS is not merely involved; it is typically the first step. Before a phishing link redirects a user, before an exploit beacons to a command-and-control server, before stolen data is uploaded to a remote host, there is a DNS query for a malicious domain.


This creates an opportunity. Block the malicious DNS queries while answering legitimate ones, and threats are neutralized before they establish a foothold. Because every device already talks to a DNS resolver, the resolver becomes a universal checkpoint without deploying agents everywhere. The checkpoint only holds, however, if clients are actually forced through that resolver: a host that hard-codes a public resolver or uses DNS over HTTPS to a third party bypasses the control, so outbound port 53 and known DoH endpoints need to be blocked at the perimeter. Some Infoblox customers report a 50% reduction in traffic hitting their firewalls, simply because blocked threats never get past DNS.
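The checkpoint described above is what a DNS firewall enforces at the resolver. As an added illustration, not Infoblox configuration and not code from the original article, here is the standard Response Policy Zone (RPZ) mechanism in BIND 9: a locally authoritative policy zone whose records override the answers for matching names, with the outcome determined by the record's target. Every domain name, the 192.0.2.0/24 netblock and the nameserver name below are constructed placeholders (the reserved .test TLD and documentation address range), not indicators from the article.

```bind
// ---- /etc/bind/named.conf (fragment) ----
options {
    // Apply the local policy zone to every recursive answer.
    response-policy {
        zone "rpz.corp.example" policy given log yes;   // honour each record's own action, log every hit
    } qname-wait-recurse no     // answer QNAME and client-IP hits without recursing first
      break-dnssec yes;         // rewrite even DNSSEC-signed names when the client set DO
};

zone "rpz.corp.example" {
    type master;
    file "/etc/bind/rpz.corp.example.db";
    allow-query { none; };      // the policy zone is never served to clients directly
    allow-transfer { none; };
};

; ---- /etc/bind/rpz.corp.example.db ----
$TTL 60
@   IN SOA  ns.corp.example. hostmaster.corp.example. (
            2025102301 3600 600 86400 60 )
    IN NS   ns.corp.example.

; QNAME trigger: the name and every label beneath it return NXDOMAIN.
; (CNAME *. would return NODATA instead; both are valid RPZ actions.)
prolific-shortener.test            CNAME .
*.prolific-shortener.test          CNAME .

; QNAME trigger: redirect the client to an internal walled-garden page
; that explains why the request was stopped.
login-verify.test                  CNAME blocked.corp.example.
*.login-verify.test                CNAME blocked.corp.example.

; Allow-list: rpz-passthru. exempts a name even if a broader rule matches.
cdn.partner.test                   CNAME rpz-passthru.

; IP trigger: block any answer that resolves into a known C2 netblock.
; Format is <prefix-length>.<reversed octets>.rpz-ip, here 192.0.2.0/24.
24.0.2.0.192.rpz-ip                CNAME .

; NSDNAME trigger: block every domain served by a cartel nameserver,
; regardless of which domain the attacker rotates to next.
ns1.bulletproof-dns.test.rpz-nsdname   CNAME .
```

The NSDNAME and IP triggers are the config-level expression of the infrastructure-tracking idea discussed later in the article: one record covers every domain that points at the same nameserver or lands in the same netblock, instead of one record per rotated domain. By default BIND will not rewrite answers for DNSSEC-signed names when the stub asked for DNSSEC data; `break-dnssec yes` forces the rewrite at the cost of validation failures on those stubs, so leave it off if validating resolvers sit behind this one.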

Tracking Cartels, Not Individual Criminals

Infoblox’s approach, developed by threat intelligence experts including former NSA and DoD personnel, diverges from traditional threat detection in a fundamental way. Rather than chasing individual malicious domains—a game of perpetual whack-a-mole—the company focuses on tracking what they call “cartels”: the criminal infrastructure providers behind attacks.

Dr. Renee Burton conceived this strategy, which currently tracks over 204,000 criminal infrastructure operations. Two examples illustrate the scale:

  • Prolific Puma operates a URL shortening service used exclusively for phishing and fraud. The cartel continuously rotates through 75,000 domains to evade detection, serving millions of attackers who rely on their infrastructure.
  • Vain Viper runs a malicious Traffic Distribution System connecting scam advertisers—from fake investment schemes to fraudulent products—with compromised websites. The operation generates billions of dollars by monetizing compromised web traffic.

By analyzing the registration patterns and hosting infrastructure of these cartels, Infoblox generates proprietary threat intelligence. The company reports two results from this approach: malicious domains are flagged approximately 68 days before they appear in attacks, and the feed maintains a false positive rate of 0.00002%.

Integration That Extends Your Existing Security Stack

Infoblox positions DNS security as a trigger point rather than a replacement for existing tools. When suspicious activity is detected, the platform can automatically:

  • Send asset information to firewalls or Network Access Control devices to isolate compromised hosts.
  • Trigger a vulnerability scan of the affected asset with scanners such as Qualys or Rapid7.
  • Share threat feeds (IPs, URLs, hashes) to XDR or firewall platforms.

The company offers five deployment options: endpoint agents, physical or virtual NIOS X servers, integration with existing NIOS products, NIOS X as a Service via IPsec tunnels, or external resolvers. Organizations can mix these across hybrid cloud and on-premises environments.

For cloud-native environments, Infoblox addresses a practical concern: customers using Route 53 or Google Cloud DNS already have high SLAs and may not want to change resolvers. Google Cloud DNS Armor exemplifies their solution—it’s a native GCP service powered by Infoblox’s threat detection engine, providing protection without requiring infrastructure changes.

The SOC Tool That Makes Sense of Millions of Queries

Raw DNS logs generate overwhelming volumes of data. Infoblox uses AI and machine learning to correlate millions of requests into specific “insights” that SOC teams can act on.

The built-in research tool, Dossier, aggregates information from over 20 sources—WHOIS data, passive DNS history, related domains—into a single view. During investigations, analysts can rapidly research threats without jumping between tools.

The platform’s dashboard regularly shows suspicious domains identified 5 to 7 weeks before customers first query them, demonstrating the value of the cartel-tracking approach in real-world operations.
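As an added example, not Infoblox code and not material from the original article, the following Python shows the correlation step in miniature: it parses BIND-style resolver query logs, matches each queried name against a feed of flagged domains by walking up the label tree (so subdomains match but lookalikes such as notlogin-verify.test do not), groups the hits per feed entry with the clients involved, and computes the lead time between the date the feed first flagged the domain and the first query seen from the fleet, which is the "weeks before customers query it" figure the dashboard shows. The feed, its dates and the log lines are constructed; the .test names are placeholders, not real cartel domains.

```python
"""Correlate resolver query logs with a domain threat feed (added example)."""
import re
from datetime import date, datetime

# Constructed feed: flagged domain -> date it was first flagged.
FEED = {
    "login-verify.test": date(2025, 9, 8),
    "prolific-shortener.test": date(2025, 9, 1),
}

# Constructed BIND-style query log lines (querylog with print-time yes).
LOG_LINES = """\
23-Oct-2025 10:15:02.123 client @0x7f1 10.0.0.5#53412 (www.login-verify.test): query: www.login-verify.test IN A +E(0)K (10.0.0.1)
23-Oct-2025 10:15:03.001 client @0x7f2 10.0.0.9#40011 (intranet.corp.example): query: intranet.corp.example IN A + (10.0.0.1)
23-Oct-2025 10:16:44.900 client @0x7f3 10.0.0.5#53500 (a1.b2.prolific-shortener.test): query: a1.b2.prolific-shortener.test IN A +E(0)K (10.0.0.1)
23-Oct-2025 10:17:01.010 client @0x7f4 10.0.0.12#61000 (notlogin-verify.test): query: notlogin-verify.test IN A + (10.0.0.1)
23-Oct-2025 10:18:20.555 client @0x7f5 10.0.0.7#50210 (login-verify.test): query: login-verify.test IN TXT + (10.0.0.1)
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client \S+ "
    r"(?P<client>[\d.]+)#\d+ \([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return the timestamp, client, qname and qtype of one query log line, or None."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"),
        "client": m["client"],
        "qname": m["qname"].rstrip(".").lower(),
        "qtype": m["qtype"],
    }


def feed_match(qname, feed):
    """Walk from the full name up to (but not including) the bare TLD.

    Matches the feed entry itself and anything beneath it; a lookalike such as
    notlogin-verify.test shares no label boundary with login-verify.test and
    therefore does not match.
    """
    labels = qname.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate
    return None


def correlate(lines, feed):
    """Group feed hits per flagged domain: first query, clients, qnames, lead time."""
    hits = {}
    for line in lines.splitlines():
        q = parse_line(line)
        if q is None:
            continue
        matched = feed_match(q["qname"], feed)
        if matched is None:
            continue
        h = hits.setdefault(matched, {"first_query": q["ts"], "clients": set(), "qnames": set()})
        h["first_query"] = min(h["first_query"], q["ts"])
        h["clients"].add(q["client"])
        h["qnames"].add(q["qname"])
    for dom, h in hits.items():
        # Days between the feed flagging the domain and the fleet first asking for it.
        h["lead_days"] = (h["first_query"].date() - feed[dom]).days
    return hits


if __name__ == "__main__":
    for dom, h in sorted(correlate(LOG_LINES, FEED).items()):
        print(f"{dom}: first query {h['first_query']:%Y-%m-%d %H:%M:%S}, "
              f"flagged {h['lead_days']} days earlier, "
              f"clients {sorted(h['clients'])}, names {sorted(h['qnames'])}")
```

Suffix-walking rather than substring matching is the detail that keeps the false positive rate low: a feed entry for `login-verify.test` must cover `www.login-verify.test` without also firing on `notlogin-verify.test`. In production the same join runs continuously against the resolver's RPZ hit log, and the per-client grouping is what feeds the NAC or firewall isolation step described earlier.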

Why This Matters Now

The threat landscape continues to evolve. Infoblox points to generative AI beginning to produce malware that rewrites itself to evade signature-based detection. Attack volume and sophistication are both accelerating, while security teams manage increasingly complex hybrid environments.

In this context, DNS security offers a rare advantage: it’s proactive rather than reactive, universal rather than selective, and operationally efficient rather than resource intensive. While other vendors offer DNS security, Infoblox’s focus on criminal infrastructure rather than individual threats, combined with their DNS, DHCP, and IP address management (DDI) legacy, creates meaningful operational benefits alongside security protection.

Organizations implementing Zero Trust architectures should note that DNS sits on the path to every resource: the resolver is a policy enforcement point, and neither the resolver nor the answers it returns can be implicitly trusted. For security teams facing alert fatigue and seeking to reduce noise while blocking threats at their source, turning DNS from a troubleshooting headache into a security control is a practical path forward.

After all, it’s always DNS. The question is whether you’re going to let that be a problem or turn it into protection.

Source: https://securityboulevard.com/2025/10/when-its-always-dns-becomes-your-security-advantage/