| Key Takeaways |
|
|
|
|
Every time you type a website like www.example.com into your browser, a behind-the-scenes process begins. Your computer reaches out to a Domain Name System (DNS) server to find the numerical IP address that matches the name you entered. Without this system, users would need to memorize long strings of numbers just to access a website.
DNS servers were created to make the internet easier to navigate, not necessarily safer. Built during a time when security was not a primary concern, the system was designed for openness and speed. This has made DNS a common target in cyberattacks, including traffic redirection, data interception, and denial-of-service campaigns.
In this article, we’ll explain how DNS servers work, examine their role in protecting against cyber threats, and help you select options that balance performance with strong security.
What is a DNS Server?
A DNS server converts domain names into IP addresses (e.g., 192.0.2.1) that computers can understand. When you request a website, your computer sends a query to a DNS server, which then checks its database or forwards the request to another server until it finds the matching IP address. This process, known as DNS resolution, is both swift and efficient. We can divide it into the following steps:
- DNS Query Initiation: When you type a website’s address (e.g., www.example.com) into your browser, your computer creates a DNS query.
- Query to the Recursive DNS Server: The query is sent to a recursive DNS server, which first checks its cache for the corresponding IP address.
- If found: It returns the IP address to your computer.
- If not found, It proceeds to the next steps.
- Forwarding the Query: The recursive server forwards the query to a root server, which then directs it to the appropriate Top-Level Domain (TLD) server based on the domain extension (.com, .org, etc.).
- Authoritative DNS Server Resolution: The TLD server forwards the query to the authoritative DNS server that holds the domain’s definitive records. This server provides the accurate IP address for the requested domain.
- Returning the IP Address: The authoritative server sends the IP address back to your computer through the chain (TLD server → recursive server). Your computer uses this IP address to connect to the website.
Modern DNS servers incorporate multiple layers of security to prevent malicious attacks, including DNS spoofing and cache poisoning. For instance, secure implementations can validate responses to ensure the returned data is authentic. This is especially crucial when using public DNS servers or relying on a DNS server list for corporate networks.
How DNS Servers Map Domain Names to IP Addresses
DNS servers map domain names to IP addresses through resource records, which are structured entries that pair each name with the data needed to reach it. Each zone holds a set of these records, and the resolver returns the record that matches the type the client requested.
The most common record types do the actual mapping work:
| Record type | What it maps | Example |
| A | Domain name to IPv4 address | example.com to 93.184.216.34 |
| AAAA | Domain name to IPv6 address | example.com to 2606:2800:220:1::1 |
| CNAME | One domain name to another (alias) | www.example.com to example.com |
| MX | Mail servers for a domain | example.com to mail.example.com (priority 10) |
| NS | Authoritative name servers for a domain | example.com to ns1.example.com |
| PTR | IP address back to a domain name (reverse) | 93.184.216.34 to example.com |
| TXT | Arbitrary text data (SPF, DKIM, verification) | v=spf1 ip4:192.0.2.0/24 ~all |
When a recursive resolver gets an answer, it stores the record according to the Time-to-Live (TTL) value of the authoritative server set. TTL is the number of seconds for which the record can be cached before the resolver must ask again.
Resolution uses two query modes, and the difference matters for troubleshooting. The client sends a recursive query to its configured resolver, asking for a final answer. The resolver then sends iterative queries upstream to a root server, then a TLD server, then the authoritative server, collecting referrals at each step until it has the final record. Public DNS providers handle this iterative work on your behalf, which is one reason they exist.
Types of DNS Servers
In the Domain Name System (DNS), four primary types of servers collaborate to translate human-readable domain names into machine-readable IP addresses:
- Recursive DNS Servers (Resolvers): These servers receive user queries and either provide cached results or initiate a sequence of requests to other DNS servers to resolve the domain name.
- Root Name Servers: As the initial reference point, root servers direct queries to the appropriate top-level domain (TLD) servers based on domain extensions, such as .com or .org.
- Top-Level Domain (TLD) Name Servers: These servers manage information for domains within specific top-level domain (TLD) extensions, such as .com or .net, directing queries to the correct authoritative servers.
- Authoritative Name Servers: Holding definitive records for domain names, authoritative servers provide the final IP address associated with a requested domain, completing the resolution process.
Each server type plays a specific role in resolving domain names to IP addresses. However, DNS records, SSL certificates, and open ports are publicly accessible and can be leveraged by attackers to map your infrastructure. This visibility increases the risk of targeted attacks, data exposure, and service disruption if left unmonitored.
This is where Group-IB’s Attack Surface Management solution helps reduce your exposure. It creates a comprehensive, real-time map of your external-facing assets, identifies vulnerabilities in DNS configurations, and highlights exploitable entry points across your environment. This visibility allows you to prioritize remediation efforts and strengthen your perimeter before attackers gain access.
Browser-Level DNS Caching and How It Works
Browser-level DNS caching is a per-application cache that web browsers maintain independently of the operating system’s resolver. The browser stores resolved domain-to-IP mappings within its own process, which lets it skip a round trip to the OS resolver for every subresource on a page.
Chromium-based browsers, including Chrome, Edge, and Brave, enforce a minimum TTL of 60 seconds on cached entries. Even if the authoritative server returns a shorter TTL, the browser holds the record for at least a minute. The cache is also invalidated on network change events.
To inspect or clear the Chromium DNS cache, open chrome://net-internals/#dns in the address bar. The page lists every host the browser has resolved recently, along with TTL values and timestamps. The “Clear host cache” button removes all entries immediately, and the companion page at chrome://net-internals/#sockets lets you flush open socket pools. The tool is desktop-only. Mobile Chrome does not expose it.
Browser caching comes with direct security implications. If an entry in the browser cache points to a malicious or outdated IP, flushing the OS-level cache will not fix the problem because the browser never consulted it. Incident responders investigating a suspected DNS tampering issue need to flush both layers and check chrome://net-internals/#dns for unexpected resolutions.
Operating System DNS Caching Explained
Operating system DNS caching is a system-wide cache run by the OS resolver that stores DNS lookups for all applications on the device. Unlike browser-level caching, every program on the machine, from browsers to terminals to mail clients, pulls from the same OS cache.
Each operating system runs its own resolver service, and the commands to view or clear the cache differ across platforms. Windows uses the DNS Client Service, macOS uses mDNSResponder, and modern Linux distributions use systemd-resolved.
| Operating system | Resolver service | View cache | Flush cache |
| Windows 10/11 | DNS Client (Dnscache) | ipconfig /displaydns | ipconfig /flushdns or Clear-DnsClientCache |
| macOS 11+ | mDNSResponder | Console with filter any:mdnsresponder | sudo dscacheutil -flushcache && sudo killall -HUP mDNSResponder |
| Linux (systemd 239+) | systemd-resolved | resolvectl statistics | sudo resolvectl flush-caches |
| Linux (older) | systemd-resolved | systemd-resolve –statistics | sudo systemd-resolve –flush-caches |
A few details are worth knowing beyond the commands themselves. Windows caches negative responses (NXDOMAIN) as well as successful lookups, so flushing clears both. The default maximum TTL on Windows is 86,400 seconds (one day), configurable in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache\Parameters. On Linux, resolvectl statistics exposes cache hit rates and DNSSEC verdicts, which is a quick way to see whether your resolver is doing the validation work you expect.
If a flush command does not appear to take effect, restarting the resolver service forces a complete reset. On Windows, that is net stop dnscache followed by net start dnscache. On Linux with systemd-resolved, it is sudo systemctl restart systemd-resolved. The downside is a brief interruption in the resolution of any queries already in flight, so prefer the flush commands when possible.
How to Perform a DNS Lookup
Performing a DNS lookup means querying a DNS server directly from the command line to see how a domain name resolves. The standard tools are dig on Linux and macOS, nslookup on Windows, and Resolve-DnsName in PowerShell.
dig (Domain Information Groper) is the modern standard for DNS troubleshooting. It ships with BIND and comes preinstalled on most Linux distributions and macOS. The basic syntax is:
dig [@server] [name] [type]
A few useful variations:
- dig example.com returns the A record (IPv4 address).
- dig example.com MX returns mail server records.
- dig example.com NS returns the authoritative name servers, useful when checking the dns server list for a domain.
- dig example.com @1.1.1.1 queries a specific resolver instead of the system default.
- dig +short example.com strips the output to just the answer.
- dig +trace example.com shows each delegation step (root → TLD → authoritative) with per-step latency.
A typical dig response looks like this:
; <<>> DiG 9.10.6 <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15587
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 272 IN A 172.66.147.243
example.com. 272 IN A 104.20.23.154
;; Query time: 311 msec
;; SERVER: 2405:201:5802:9156::c0a8:1d01#53(2405:201:5802:9156::c0a8:1d01)
;; WHEN: Wed Jun 10 18:14:42 IST 2026
;; MSG SIZE rcvd: 72
The number after the domain (272) is the TTL in seconds, which tells the resolver how long to cache this answer. IN is the class (Internet), A is the record type, and 172.66.147.243 is the resolved IP address (the second A record returns 104.20.23.154).
On Windows, nslookup is the built-in equivalent. By default, it returns the A record, but interactive mode handles other types:
> nslookup
> set type=MX
> example.com
PowerShell offers Resolve-DnsName, which produces structured output that is easier to script against than nslookup’s plain text. For new automation work, prefer dig on Linux and macOS or Resolve-DnsName on Windows. The dig tool is preferred for troubleshooting and automation. Although nslookup still works and ships on most systems, its interface is dated, and ISC actively recommends dig instead.
Benefits of Using the Best DNS Servers
Using the best DNS servers offers a wide range of advantages:
Improved Speed and Efficiency
The best DNS servers use techniques such as caching, global networks, and anycast routing to quickly translate domain names into IP addresses. This reduces delays and speeds up website loading, providing a smoother browsing experience.
Enhanced Security
DNS servers should incorporate multiple layers of security, including DNSSEC, DNS-over-HTTPS (DoH), and DNS-over-TLS (DoT). These technologies help validate DNS responses, encrypt queries, and block malicious domains.
This way, it reduces the risk of cyber attacks such as cache poisoning and DNS spoofing. Advanced filtering techniques also provide an additional layer of defense against emerging threats.
Reliability
High-performance DNS servers are built on resilient architectures with load balancing, redundancy, and automatic failover. These features ensure continuous availability and consistent performance, even during periods of high demand or network disruptions, thus minimizing downtime and maintaining service integrity.
Better Control
Top DNS solutions offer extensive customization options, allowing administrators to tailor configurations to meet specific security policies and compliance requirements.
Features such as granular traffic monitoring, the ability to configure whitelists and blacklists, and integration with cybersecurity audit tools provide greater control over DNS settings and overall network management.
For businesses, the right DNS server setup is crucial for maintaining a secure and responsive online presence. It supports cloud security initiatives by preventing unauthorized access and can integrate seamlessly with enterprise-level cybersecurity audit tools.
Public DNS Servers vs. Private DNS Servers
One key decision when configuring your network is whether to use public or private DNS servers.
Public DNS Servers
Third-party providers offer public DNS servers, which are accessible to anyone on the Internet. Some popular examples include Google DNS and OpenDNS. These servers are often highly optimized for speed and offer additional security features such as malware filtering and phishing protection. However, public DNS might raise concerns about privacy and data control, especially for enterprise environments.
Private DNS Servers
On the other hand, private DNS servers are maintained within an organization. They provide greater control over network traffic and data security but require more resources and expertise to manage effectively. Companies prioritizing incident response and risk management may prefer private DNS servers to maintain tight control over their infrastructure.
Private DNS deployments often coexist with self-hosted business applications such as collaboration platforms and file-sharing services. When DNS records or trusted-domain settings drift out of sync with the underlying infrastructure, those services can be left exposed.
Public DNS Servers vs. Private DNS Servers at a Glance:
| Aspect | Public DNS Servers | Private DNS Servers |
| Access | Open to everyone | Restricted to specific users/networks |
| Examples | Google (8.8.8.8), Cloudflare (1.1.1.1) | Company or ISP-managed DNS |
| Privacy | Lower – data may be logged for analytics | Higher – more control over data handling |
| Security | Basic protection may include DNSSEC | Enhanced with internal controls and policies |
| Customization | Limited | Highly customizable for internal use |
| Speed | Can be fast, but varies based on location | Often faster within local or corporate networks |
| Use Case | General browsing, public internet access | Enterprise networks, internal services |
| Maintenance | Managed by a third party | Managed by in-house or contracted IT staff |
The decision largely depends on your specific needs for speed, security, and compliance.
Free vs Paid DNS Servers: What Is the Difference?
Free public DNS servers like Cloudflare 1.1.1.1, Google 8.8.8.8, and Quad9 9.9.9.9 cover the basics: speed, basic encryption, and minimal logging. Paid managed DNS services add policy control, detailed reporting, custom threat intelligence feeds, and integration with enterprise security tools. The choice is rarely about whether DNS resolves correctly. Both work. It comes down to what an organization needs around the resolution itself.
Free public resolvers are suitable for personal use, small home networks, and individual developer machines. They offer fast anycast routing, encrypted transport via DNS over HTTPS (DoH) and DNS over TLS (DoT), and limited logging policies that satisfy most privacy needs. Some, like Cloudflare 1.1.1.2 and Quad9’s default endpoint, also block known malicious domains at no cost.
Paid managed DNS adds the controls that enterprises need:
- Custom block and allow policies per user, group, time of day, or device profile.
- Logging and reporting for compliance audits and incident investigations.
- Threat intelligence feeds that go beyond a generic malware blocklist.
- Category-based filtering across content types such as productivity, social, and streaming.
- API integration with SIEM and SOAR platforms.
- SLA-backed uptime with dedicated vendor support.
Pricing varies widely, and buyers should verify current pricing before making a decision. DNSFilter publishes its rates publicly at roughly $1.15 to $3.00 per user per month. Cisco Umbrella uses quote-based pricing, with published estimates from third-party reviews ranging from $2.25 to $6.50 per user per month across tiers. NextDNS offers a free tier with a monthly query cap and a flat per-account paid plan above that, based on its publicly available pricing at the time of writing.
| Capability | Free public DNS | Paid managed DNS |
| Anycast routing & speed | Yes | Yes |
| DoH / DoT encryption | Most major providers | Standard |
| Custom filtering policies | Limited or none | Granular, per-user/group/time |
| Detailed query logs & reports | No | Yes |
| Threat intelligence feeds | Generic blocklist (some providers) | Curated, multi-source feeds |
| SIEM/SOAR integration | No | Standard via API |
| SLA & support | Best-effort | Contractual |
| Typical cost | $0 | $1–$6 per user/month |
The right choice depends on the threat model. A small team running everything on cloud-based SaaS may need nothing more than a free resolver. A regulated business handling sensitive customer data benefits from the audit trail and policy controls that only a paid service can provide.
Best DNS Servers for Speed and Security
Finding the best DNS servers that strike a balance between speed and security is crucial. When evaluating DNS servers, consider the following features:
- Low Latency: Fast response times are essential for smooth web browsing and application performance.
- Security Measures: Look for servers with built-in protection against DDoS attacks, DNS hijacking, and cache poisoning.
- Global Reach: A wide network of servers ensures that users worldwide experience consistent performance.
- Advanced Filtering Options: These help block malicious sites and can prevent the spread of malware.
Many industry experts recommend services such as Google Public DNS, Cloudflare DNS, and OpenDNS for those interested in a list of top-performing DNS servers. Each of these options balances speed and security, making it excellent for both personal and business use.
However, if you’re wondering about the security measures of the current cybersecurity infrastructure, Group-IB’s compromise assessment can help you identify potential threats and mitigate them with its innovative technological solution.
Here’s how Group-IB helps you:
- Preliminary assessment: We begin by assessing your current security posture, like what’s working, what’s visible, and what needs focus.
- Toolkit implementation: Our tools are deployed to collect key data and support accurate threat attribution from day one.
- Unified threat analysis: We map your external exposure and scan the dark web for leaks or early warning signs.
- Comprehensive data collection: A full sweep of endpoints and networks gathers forensic snapshots, alerts, and telemetry.
- Threat identification and response: Active or past breaches are exposed, responded to, and tied back to clear remediation steps.
- Gap analysis: Misconfigurations, threat exposures, and root causes are analyzed for long-term improvement.
- Containment and reporting: We deliver a focused, step-by-step action plan to strengthen your security strategy.
Popular Public DNS Servers and Their Features
When choosing the best DNS servers for speed and security, several options stand out for their performance, privacy policies, and security features. The options below are the strongest contenders today, ranked roughly by independent benchmark performance and the depth of security features.
1. Cloudflare (1.1.1.1)
Cloudflare consistently ranks among the fastest DNS services globally, thanks to its anycast network spanning more than 300 cities in 100+ countries. Independent tests, such as those from DNSPerf, often rank it at the top for raw query resolution speed, with median response times under 15 milliseconds for most users worldwide.
It supports DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT), encrypting queries to prevent interception. Cloudflare also offers a “1.1.1.1 for Families” option, with variants (1.1.1.2 and 1.1.1.3) that block malware and adult content, respectively.
Cloudflare commits to not logging your IP address to disk and retains only non-identifying query data for roughly 25 hours, with rare sampled IPs for troubleshooting. It undergoes annual audits by KPMG to verify this promise.
Addresses:
- Primary: 1.1.1.1
- Secondary: 1.0.0.1
2. Google Public DNS (8.8.8.8)
Google leverages its global data centers and Anycast routing to deliver fast response times, making it a strong performer for most users. It supports DoH and DoT for encrypted queries and includes DNSSEC to validate responses, protecting against spoofing and tampering.
However, it lacks built-in content filtering.
Google logs temporary data (including IP addresses) for 24-48 hours and retains anonymized data longer for analytics. This may concern privacy-focused users, given Google’s advertising business.
Addresses:
- Primary: 8.8.8.8
- Secondary: 8.8.4.4
3. Quad9 (9.9.9.9)
Quad9 is a global network operating 259 server clusters across 106 countries and. It is a standout for security. Quad9 blocks malicious domains (e.g., phishing and malware) using threat intelligence from over a dozen cybersecurity partners. It also supports DNSSEC, DoH, and DoT.
Quad9 doesn’t log personally identifiable data, focusing on anonymized performance metrics. Its non-profit status and Switzerland-based presence add a layer of trust.
Addresses:
- Primary: 9.9.9.9
- Secondary: 149.112.112.112
4. OpenDNS (Cisco) (208.67.222.222)
OpenDNS leverages Cisco’s infrastructure and provides high speeds and 100% uptime. It’s slightly slower than Cloudflare but reliable for most use cases. It offers strong phishing and malware protection, with customizable filtering in its free “Home” tier.
The “FamilyShield” option (208.67.222.123) blocks adult content by default. OpenDNS logs certain data (e.g., IP addresses) for security and analytics purposes, which may concern privacy purists. Cisco’s ownership ties it to a commercial entity.
Addresses:
- Primary: 208.67.222.222
- Secondary: 208.67.220.220
5. AdGuard DNS (94.140.14.14)
AdGuard delivers decent speeds, though it may lag slightly behind Cloudflare or Google due to a smaller server network. It’s optimized for users prioritizing filtering over raw speed.
The server excels at blocking ads, trackers, and malicious domains out of the box and supports DoH and DoT for encrypted queries.
The default free tier doesn’t log personal data, though its privacy policy is less scrutinized than those of Cloudflare and Quad9. A premium version offers more features.
Addresses:
- Primary: 94.140.14.14
- Secondary: 94.140.15.15
6. NextDNS (Configurable resolver)
NextDNS is used as a privacy-and-filtering option that sits between free public resolvers and full enterprise-managed services. It comes with a free tier that includes a monthly query cap, customizable blocklists, encrypted transport via DoH, DoT, and DoQ, and a no-log default policy for unauthenticated public use. The paid plan comes with unlimited queries, longer log retention if desired, and per-profile policy controls.
Addresses: NextDNS uses per-profile resolver endpoints rather than fixed IPs. Set up via the configuration page at my.nextdns.io.
To maximize speed and security, consider your location (closer servers reduce latency) and test these options with tools like DNSPerf or GRC’s DNS Benchmark. Pairing any of these with a VPN can enhance privacy by encrypting your connection.
How to Choose the Right DNS Server for Your Needs
Selecting the appropriate DNS server for your environment involves assessing performance and security. Consider the following factors:
- Purpose of Use: Are you a home user looking for speed or a business seeking enhanced security?
- Security Requirements: Evaluate whether you need advanced filtering, protection against cyberattacks, or customizable settings.
- Technical Expertise: If your team has strong technical expertise, a private DNS server might be a better fit; otherwise, public DNS servers from reputable providers may be more manageable.
- Budget Constraints: Factor in the costs associated with maintenance, upgrades, and potential scalability issues.
- Integration with Existing Infrastructure: Ensure your chosen DNS server can seamlessly integrate with your current cloud security and incident response protocols.
A periodic external review of how your DNS infrastructure resolves under load and under failure conditions is a healthy practice for any team running production services. It’s advisable to conduct a periodic cybersecurity audit to ensure your chosen DNS servers continue to meet evolving security and performance demands. Penetration testing can further help you assess your current cybersecurity measures and the reliability of your DNS server.
How to Change Your DNS Server Settings
To update your DNS settings on Windows 11, you can follow these steps:
- Open Settings: Click the Start button, then select the Settings app.
- Navigate to Network Settings: In the Settings menu, click “Network & Internet.”
- Select Your Connection: Choose your current connection type (Ethernet or Wi-Fi).
- Access Additional Properties: Click “View additional properties” for your selected connection.
- Edit DNS Settings: Scroll down to the DNS server section and click the “Edit” button.
- Switch to Manual DNS Configuration: Change the setting from “Automatic (DHCP)” to “Manual” for IPv4. (If applicable, enable the IPv4 toggle.)
- Enter New DNS Addresses: Input the Primary DNS address provided by your chosen DNS provider. Enter the Secondary DNS address in the corresponding field.
- Save Changes: Click “Save” to apply the new DNS settings.
Common Issues with DNS Servers and How to Fix Them
Even the most robust DNS server configurations can encounter issues. These are some of the common problems with DNS servers and quick fixes:
Slow Resolution Times
Slow resolution times occur when converting domain names into IP addresses takes longer than expected, resulting in delayed website loading.
This issue is often caused by an overloaded or misconfigured DNS server, leading to a poor user experience. Switching to a high-performance DNS provider can help resolve this problem.
Server Not Responding
Occasionally, you might see error messages like “Server Not Found” or “Server Not Responding” when entering a website URL. This can happen for several reasons, such as the domain no longer existing, problems with the hosting server, or connectivity issues with your router.
To resolve this issue, check your network connection and ensure that your DNS server list is correctly configured. You may also need to reset your router.
Security Vulnerabilities
If your DNS server is not up to date with the latest security patches, it could be vulnerable to attacks such as cache poisoning or DNS hijacking. These attacks aim to redirect your traffic from your domain to a malicious and unsecured server.
The vulnerability may lead to security issues, including data theft and malware infection. Regular maintenance and periodic cybersecurity audit reviews can help mitigate these risks.
Incorrect DNS Entries
Incorrect DNS entries can disrupt network functionality and lead to unintended consequences. These issues arise when records are outdated, misconfigured, or contain typographical errors, causing a domain to resolve to the wrong IP address or fail entirely.
Records such as A (address) records, MX (mail exchange), and CNAME (canonical name) records are responsible for routing traffic to the correct services. When these are incorrect, such as after a provider change or server migration, your users may experience website outages, misrouted emails, or redirection to unintended destinations.
Ensuring that DNS records remain current, accurate, and aligned with your infrastructure is essential for availability, reliability, and trust.
How DNS Misconfigurations Become Threat Vectors: A Look at TeamTNT Attacks
DNS misconfigurations often go unnoticed, but they pose a significant risk when exploited by malicious actors. The hacking group TeamTNT, a known threat group, has targeted cloud environments and VPS instances by modifying DNS settings to reroute traffic to malicious infrastructure.
Group-IB’s Digital Forensics and Incident Response team attributed a wave of cloud campaigns in 2023 and 2024 to TeamTNT with moderate confidence. The team identified overlapping tactics, techniques, and procedures across the campaigns.
The attack chain typically begins with SSH brute force against exposed VPS instances running CentOS. Once inside, malicious scripts disable iptables, SELinux, and AppArmor, delete system logs, and install the Diamorphine rootkit for stealth and persistence.
The scripts also update DNS settings to point at Google’s public resolvers, which effectively detaches the host from any DNS-layer monitoring or filtering the organization had configured. These actions go undetected without active visibility into both infrastructure and resolution patterns. Similar cloud infrastructure threats increasingly target VPS and container environments, where security controls are applied inconsistently.
Group-IB’s Network Graph maps connections between domains, DNS records, and infrastructure. It reveals suspicious redirections and abnormal links that signal potential compromise.
The hard part for defenders is finding misconfigurations before attackers do. Group-IB’s Penetration Testing service replicates the techniques real adversaries use against cloud infrastructure, including the same misconfiguration probing and DNS tampering paths that groups like TeamTNT rely on. Testing your own environment with current attacker tradecraft is the most direct way to find the gaps that monitoring alone will miss.
This capability powers our Threat Intelligence, Managed XDR, and Fraud Protection services, enabling earlier detection and faster response to DNS-based threats.
Contact Group-IB experts to assess your DNS security posture and identify exposure before attackers can exploit it.