A single typo in a name server hostname gives an attacker full DNS authority over your domain. I built a detection pipeline to find these in 240 million domains and discovered 258 typosquatted NS hostnames targeting Cloudflare, Hostinger, Wix, and other major providers.
The Dyn attack took down Twitter and Netflix because they shared a DNS provider. I analyzed 240 million domains and found 112 TLDs where a single provider controls over half the domains. The next Dyn-scale event isn't a question of if, but which TLD.
When a name server domain expires, every domain that still delegates to it becomes vulnerable to hijacking. I found 503,000 domains pointing to expired NS domains — and a single re-registration could compromise hundreds of thousands of them.
After 20 years, only 4.27% of domains have DNSSEC. I analyzed 240 million domains to understand why — the answer isn't technical, it's structural. Registrar defaults, invisible benefits, and operational fear are holding back the one protocol that could fix DNS authentication.
A comprehensive guide to DNS attack types including cache poisoning, amplification, tunneling, zone walking, and hijacking. Learn how attackers exploit DNS, how to test your own domains, and how to harden your infrastructure.
Phantom domain attacks overwhelm DNS resolvers by forcing them to wait for responses from domains that never answer. Learn how this resource exhaustion attack works and how to defend your resolver infrastructure.
A DNSSEC downgrade attack tricks resolvers into accepting unsigned DNS responses for domains that should be DNSSEC-signed. Learn how stripping attacks work, how misconfigured resolvers enable them, and how to verify your DNSSEC validation.
Fast flux DNS rapidly rotates the IP addresses behind a domain to hide malicious infrastructure from takedowns. Learn how single and double flux networks work, how to detect them, and how threat intelligence teams track them.
DNS rebinding manipulates DNS responses to trick a browser into treating an attacker's server and an internal network resource as the same origin. Learn how the attack works, why it bypasses firewalls, and how to defend against it.
DNS over HTTPS encrypts DNS queries inside HTTPS traffic, providing privacy but also enabling attackers to bypass DNS monitoring, content filters, and security controls. Learn how DoH is abused and how to maintain visibility.
DNS tunneling hides data inside DNS queries to bypass firewalls and exfiltrate information through port 53. Learn how encoded subdomain queries work, how to detect tunneling, and how to lock down your DNS infrastructure.
NXDOMAIN attacks flood DNS resolvers with queries for domains that do not exist, exhausting resolver resources and degrading performance for legitimate users. Learn how the attack differs from water torture and how to defend your resolvers.
The DNS water torture attack floods authoritative nameservers with queries for random, nonexistent subdomains that cannot be cached. Learn how the attack bypasses traditional defenses and how to protect your DNS infrastructure.
DNS amplification attacks exploit open resolvers to generate massive DDoS floods with up to 70x traffic amplification. Learn how reflection works, the Spamhaus case study, and how to prevent your servers from being weaponized.
A subdomain takeover happens when a CNAME points to a decommissioned cloud service that an attacker can reclaim. Learn how to find dangling DNS records, which providers are vulnerable, and how to prevent takeovers.
DNS hijacking redirects your domain's traffic by compromising registrar accounts, nameservers, or network infrastructure. Learn the four types of hijacking, real-world incidents like the Sea Turtle campaign, and how to protect your domains.
DNS cache poisoning injects forged records into a resolver's cache, silently redirecting users to malicious servers. Learn how the Kaminsky attack works, how to test your resolver, and how DNSSEC prevents it.
DNSSEC's NSEC records create a chain that reveals every subdomain in a zone. Learn how zone walking works for subdomain discovery, why NSEC3 is only a deterrent, and how to audit your own DNSSEC configuration.
TLD zones signed with DNSSEC can be walked to discover every registered domain. Learn how NSEC chains expose entire registries, why NSEC3 is only a deterrent that can be cracked, and what this means for domain privacy.
An unrestricted DNS zone transfer hands an attacker your complete zone file — every subdomain, IP address, and service record. Learn how AXFR works, how to test your own nameservers, and how to lock down zone transfers.
An open DNS resolver accepts recursive queries from anyone on the internet, making it a weapon for DDoS amplification attacks. Learn how to check if your server is an open resolver and how to lock it down.
Before you file an abuse report against that IP hammering your server, check the User-Agent. This guide covers how to identify web crawlers, manage them with robots.txt and server-level controls, and decide when to block, allow, or report.
Usenet remains active and so does its abuse. This guide covers how to report spam, copyright infringement, and illegal content on newsgroup servers, including how to trace posts to source IPs and file complaints with Usenet providers.
CERT teams coordinate responses to security incidents across organizations and borders. This guide explains when to contact a CERT and how to write incident reports they can act on, and provides templates for common scenarios like vulnerability exploitation and network intrusions.
Sometimes ISP abuse reports aren't enough — you need law enforcement involved. This guide covers when to escalate to authorities, how to file reports with FBI IC3, Europol, and national CERTs, and what evidence to prepare for a criminal investigation.
Reporting CSAM is a legal obligation in many jurisdictions. This guide provides the correct reporting channels, explains what information to include, and covers the emergency contacts you need to know. Do not attempt to investigate or preserve this material yourself — report immediately.
When someone hosts your copyrighted content on their server, a properly formatted DMCA takedown notice is the fastest legal tool to get it removed. This guide includes a ready-to-use template, explains the legal requirements, and walks through finding the right abuse contact.
Phishing sites can steal credentials in minutes, so speed matters when reporting them. This guide covers how to trace phishing emails and websites to their hosting IP, file takedown requests with hosting providers, and report to anti-phishing organizations.
Spam wastes bandwidth, clogs inboxes, and often carries malware. This guide shows you how to trace spam back to its source IP, extract the evidence from email headers, and file abuse reports that get spammers shut down.
A compromised server is often used to launch attacks on others. After containing the breach, reporting the compromise to your hosting provider and the attacker's ISP helps shut down the attack chain and protects other potential victims.
When you detect command-and-control traffic reaching out to a malicious IP, reporting that C2 server can disrupt the entire botnet. This guide covers how to identify C2 indicators, collect network evidence, and file reports that get C2 infrastructure taken down.
Port scanning is often the first step in a targeted attack. This guide explains how to detect network reconnaissance in your firewall logs, gather evidence, and report the scanning IP to its ISP before an actual attack follows.
Brute force attacks against SSH and RDP are relentless and automated. This guide shows you how to extract the evidence from your auth logs, identify the attacking IP's abuse contact, and file reports that get malicious hosts shut down.
When a DDoS attack hits your infrastructure, the clock is ticking. This guide walks you through collecting the right evidence, finding your attacker's ISP abuse contact, and filing a report that actually gets the attack stopped.
Most abuse reports get ignored because they lack evidence or go to the wrong contact. This complete guide covers how to identify the right abuse contact, write reports that ISPs actually act on, and escalate when they don't respond.
DNSSEC protects your domain from cache poisoning and DNS spoofing by adding cryptographic verification to DNS responses. Learn how it works, why it matters, and how to enable it.
Learn how SPF, DKIM, and DMARC DNS records work together to authenticate your email, prevent spoofing, and protect your domain reputation. Includes example records and setup guidance.
I scanned 201 million CNAME records from Project Sonar and found 13.9 million pointing to cloud services — with 3.27 million at high risk of subdomain takeover. Here's what the data reveals about the scale of this overlooked vulnerability.
I analyzed 7 snapshots of Project Sonar FDNS data from 2017 to 2020 and found that AAAA records grew 9.35x in just 2.5 years — from 23.5 million to 219.7 million. Germany's .de TLD claims 10.2% of all AAAA records, Cloudflare drove massive adoption from near-zero, and European ccTLDs consistently punch above their weight.
An analysis of 12.7 million SPF records from Project Sonar data reveals 19,682 domains using +all, over 1 million with neutral qualifiers, and a troubling decline in strict enforcement.
I parsed 262 million TXT records from Project Sonar's FDNS data and found DMARC adoption grew 16.4x in just two years — but 69% of DMARC policies still do nothing. Meanwhile, nearly 20,000 domains publish SPF records that explicitly allow the entire internet to send email as them.
Analysis of 7.8 million Telnet endpoints and 4.6 million unencrypted MQTT brokers found exposed on the public internet, based on Project Sonar TCP scan data from 2019.
I processed Rapid7 Project Sonar TCP scan data covering 16 services across the entire IPv4 address space. The findings: 24.3 million IPs responding to SSH, 4.4 million exposed Redis instances, and IoT telnet backdoors declining by 23%. Here's what the internet's attack surface actually looks like.