
How your organization is exposed on the DNS

Authentic Web CEO Peter LaMantia explains why large enterprises remain exposed on the external DNS and outlines The CISO Directive—a strategic roadmap for ownership, compliance, and improved security posture.

Speaker: Peter LaMantia, CEO of Authentic Web


Introduction

Peter:
Good morning, good afternoon, and good evening, depending on where you’re joining from.
Thank you for being here for our continuing webinar series designed to inform enterprise leaders about the state of external DNS risks and potential solutions.

I’m Peter LaMantia, CEO of Authentic Web, a provider of domain, DNS, and TLS‑certificate control systems designed for enterprise teams.

Today, I’ll share the CISO Briefing—a session that unpacks the exposure risks and business impacts related to DNS threats on the external DNS.

This is the third webinar in the series.

  • In the first, “Enterprise DNS Audit Results Revealed”, we reviewed audit data from several large organizations to help attendees compare their security posture. If you don’t yet know your posture, a DNS audit is the best place to start.
  • In the second, “DNS Security: The Zone Mess”, I discussed how poorly managed zone files—particularly dangling CNAMEs and orphaned subdomains—create unintended cybersecurity exposures.

If you’d like to learn more, visit authenticweb.com/resources for webinars, white papers, and best‑practice guides. Or reach out directly, and I’d be happy to help you understand your organization’s vulnerabilities and next steps.


The Business Imperative

In today’s CISO Brief, we take the discussion up a level—focusing on the business imperative.
We’ll examine why organizations remain exposed, what happens if issues are ignored, and what the true business and customer impacts are.
Finally, I’ll conclude with a recommended CISO directive aimed at transitioning from a reactive to a proactive DNS‑security posture—helping your business protect its reputation, its customers, and its teams.

As a CISO, this is your problem—though it’s often de‑prioritized or downplayed within the enterprise. That’s a mistake.

As one PhD put it, “The DNS is the soft underbelly of the Internet.”
By design, the DNS is not secure; it must be secured through governance, policy, and automated controls.

Let’s dig in.


Agenda

  1. Define DNS Security Vectors (Inbound vs. External DNS threats)
  2. Explore ownership and system silos inside the enterprise
  3. Understand why the business is exposed
  4. Review potential outcomes and financial impact
  5. Deliver the CISO Directive: how to get proactive and close these gaps

Inbound and External DNS Threats

Inbound DNS threats are well‑understood. They target internal networks—seeking command and control, data exfiltration, or lateral movement. Mitigation involves DNS‑blocking services, which most organizations already use.

Today, however, we’re focused on the external DNS—the side of your network that lives on the Internet.

External threats include:

  • DDoS attacks
  • Certificate authority compromises
  • Man‑in‑the‑middle attacks
  • DNS hijacking
  • Phishing campaigns

These persist because of internal conditions such as manual processes, ungoverned change, and lack of visibility across systems—what I call the “legacy approach.”


Two Root Causes Inside the Enterprise

After analyzing hundreds of enterprises, we’ve found that most external DNS risk boils down to two structural issues:

  1. Lack of ownership
    DNS touches every group—marketing, IT, legal, security, and brand—all are stakeholders, but none truly own it.
    DNS becomes a “hot potato” technology: it’s technical, confusing, high‑risk, and mission‑critical. The result is that no one takes responsibility for securing it.
    The solution: ownership must roll up to the CISO, with a directive to treat DNS security as a formal enterprise program.
  2. Lack of control systems
    Most companies have multiple registrars, hosting platforms, and DNS providers operating in silos. Few have centralized policy enforcement or change‑management tools.

These two factors—no ownership and no control—are the core contributors to DNS compliance and security gaps.

Why Organizations Are Exposed

Let’s look at examples of how these weaknesses create real‑world exposure.

1. DNS Hijacking
Failure to implement or maintain DNSSEC (Domain Name System Security Extensions) allows attackers to poison cache files on recursive name servers—redirecting users to fake websites.

2. Social‑Engineering Exploits
Ungoverned, legacy DNS platforms are ripe targets for service‑provider exploits. With multiple unmanaged vendors, attackers can gain access to registrar accounts or DNS zones without detection.

3. Phishing and Email‑Spoofing Attacks
Without SPF and DMARC records on every domain, criminals can use your own domains to send fraudulent messages to customers, partners, and employees.

4. Insecure Redirects
HTTP‑only redirects still appear in countless zone files. These enable session eavesdropping or malicious redirection. Ensure encryption from origin through to endpoint.

5. Dangling or Orphaned DNS Records
Decades of DNS changes leave behind old CNAMEs or subdomains pointing to decommissioned infrastructure. Attackers can hijack those endpoints and impersonate your brand.

6. Internal Misconfigurations
Most incidents originate from internal actions or oversights, not malice. Every time someone changes a zone file without visibility or checks, new exposures can be created.

7. Network Reconnaissance
Remember: DNS is a public system. Attackers use it to map your entire ecosystem, identify outdated servers, and pinpoint exploitable services.

If any of these sound familiar—and you’re unsure of your current state—then you almost certainly have all of them.


The Business Impacts

When breaches occur, the true cost extends far beyond technical cleanup:

  • Downtime and lost revenue per hour
  • Internal incident response and customer‑service overhead
  • Distracted teams pulled away from business priorities
  • Brand‑reputation damage
  • Regulatory penalties and mandatory disclosures

Every incident triggers a reactive cycle: mitigation, post‑mortems, process changes—and then it happens again.

Third‑party research validates the trend: incident frequency and total cost both rise every year.


Independent Research Findings

A recent study notes:

“There is an over‑emphasis on attack response and an under‑emphasis on proactive measures to detect and mitigate threats before they occur.”

Translation: Get proactive.

Another report highlights:

“Cyber‑attackers increasingly exploit legitimately registered domains rather than creating new ones. Domain hijacking is an enabling attack.”

If you own it, you must manage it.


Summary of Exposure

  1. DNS is vulnerable by design.
  2. Ownership gaps and system silos create compliance failures.
  3. IT teams lack the tools to enforce policy or control change effectively.
  4. Incidents are becoming inevitable, with rising frequency and cost.

The CISO Directive

If leadership doesn’t sponsor change, no one will.

To mitigate DNS risk, CISOs must:

  1. Assign ownership.
    Make DNS security a recognized accountability within the enterprise.
  2. Modernize control systems.
    Give teams a unified platform that centralizes domain management, DNS oversight, TLS visibility, and policy enforcement.

Ask these three questions to assess DNS maturity:

  1. Do we have a tamper‑proof system to manage domains and DNS?
    Can unauthorized users edit zones? Do we log every change?
  2. Can we prove enforcement of DNS‑security policies?
    Do we mandate SPF, DMARC, and SSL implementation? Is there a reliable audit trail?
  3. Is the system integrated across registrars and DNS providers for complete life‑cycle control?

If the answer to any of these is “no,” you’re losing compliance and increasing risk.
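The exposure list earlier in the talk (missing SPF and DMARC, unmaintained DNSSEC, dangling CNAMEs) and the three maturity questions above both reduce to checks that can be automated against a domain’s public DNS. The script below is an added example by the editor, not code from the webinar or from Authentic Web. It runs over a constructed snapshot of records (every name is under the reserved .test TLD) so it works offline; in a real deployment the snapshot would be populated by a resolver library such as dnspython. The domain names, record values, and the severity thresholds (a high finding fails the policy gate, a medium one is only reported) are all assumptions.

```python
"""Offline DNS policy-compliance checker.

Added example (not from the webinar or Authentic Web). It evaluates a
snapshot of a domain's public DNS records against the controls discussed
in the talk: SPF present and enforcing, DMARC at quarantine/reject, a DS
record (DNSSEC chain of trust) at the parent, and no CNAMEs pointing at
names that no longer resolve.
"""
import re
from dataclasses import dataclass

# Constructed sample snapshot keyed by (owner name, record type). All names use
# the reserved .test TLD. The collector is assumed to have looked up every
# CNAME target as well; a target absent from the snapshot did not resolve.
SAMPLE_RECORDS = {
    ("example.test", "TXT"): ["v=spf1 include:_spf.mail.test -all"],
    ("_dmarc.example.test", "TXT"): ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    ("www.example.test", "CNAME"): ["cdn.example.test."],
    ("cdn.example.test", "A"): ["192.0.2.10"],
    ("shop.example.test", "CNAME"): ["shop-old.saas-host.test."],  # target decommissioned
    ("secure.test", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    ("_dmarc.secure.test", "TXT"): ["v=DMARC1; p=reject; rua=mailto:dmarc@secure.test"],
    ("secure.test", "DS"): ["12345 13 2 DIGEST-PLACEHOLDER"],  # constructed, not a real digest
}


@dataclass(frozen=True)
class Finding:
    domain: str
    check: str
    severity: str  # "high" or "medium"
    message: str


def lookup(records, name, rtype):
    """Return record data for name/type; names are normalised (lowercase, no trailing dot)."""
    return records.get((name.rstrip(".").lower(), rtype), [])


def check_spf(records, domain):
    spf = [t for t in lookup(records, domain, "TXT") if t.lower().startswith("v=spf1")]
    if not spf:
        return [Finding(domain, "spf", "high", "no SPF record; any host may send mail as this domain")]
    if len(spf) > 1:
        return [Finding(domain, "spf", "high", "multiple SPF records; receivers treat this as a permanent error")]
    if not re.search(r"\s[-~]all$", spf[0].strip()):
        return [Finding(domain, "spf", "medium", "SPF does not end in -all or ~all; unlisted senders are not rejected")]
    return []


def check_dmarc(records, domain):
    txt = [t for t in lookup(records, "_dmarc." + domain, "TXT") if t.upper().startswith("V=DMARC1")]
    if not txt:
        return [Finding(domain, "dmarc", "high", "no DMARC record; spoofed mail is neither reported nor blocked")]
    # Parse "tag=value; tag=value" into a dict; p= is the published policy.
    tags = dict(kv.strip().split("=", 1) for kv in txt[0].split(";") if "=" in kv)
    policy = tags.get("p", "").strip().lower()
    if policy not in ("quarantine", "reject"):
        return [Finding(domain, "dmarc", "medium",
                        f"DMARC policy is '{policy or 'missing'}'; spoofed mail is monitored but not blocked")]
    return []


def check_dnssec(records, domain):
    # A DS record at the parent is what completes the chain of trust for a signed zone.
    if not lookup(records, domain, "DS"):
        return [Finding(domain, "dnssec", "medium", "no DS record at the parent; zone is unsigned or chain of trust is incomplete")]
    return []


def check_dangling_cnames(records, domain):
    findings = []
    for (name, rtype), targets in records.items():
        in_scope = name == domain or name.endswith("." + domain)
        if rtype != "CNAME" or not in_scope:
            continue
        for target in targets:
            if not any(lookup(records, target, t) for t in ("A", "AAAA", "CNAME")):
                findings.append(Finding(domain, "dangling-cname", "high",
                                        f"{name} -> {target} points at a name with no address records"))
    return findings


CHECKS = (check_spf, check_dmarc, check_dnssec, check_dangling_cnames)


def assess_domain(records, domain):
    """Run every check and return the list of findings (empty means fully compliant)."""
    domain = domain.rstrip(".").lower()
    findings = []
    for check in CHECKS:
        findings.extend(check(records, domain))
    return findings


def is_compliant(records, domain):
    """Policy gate: no high-severity finding. Medium findings are reported but do not block."""
    return not any(f.severity == "high" for f in assess_domain(records, domain))


if __name__ == "__main__":
    for d in ("example.test", "secure.test"):
        print(f"{d}: {'PASS' if is_compliant(SAMPLE_RECORDS, d) else 'FAIL'}")
        for f in assess_domain(SAMPLE_RECORDS, d):
            print(f"  [{f.severity}] {f.check}: {f.message}")
```

Running the script flags example.test for a monitor-only DMARC policy, a missing DS record, and the CNAME at shop.example.test whose target no longer resolves, while secure.test passes. Wiring `assess_domain` into a change-approval step (run it against the proposed zone before the change is committed) is one concrete way to answer the second maturity question with an audit trail rather than a policy document.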


What Modernization Looks Like

Modern DNS‑security management unifies everything:

  • Domain life‑cycle governance
  • DNS workflows and approvals
  • Automated TLS‑certificate management
  • Continuous monitoring and policy enforcement

All stakeholders gain centralized control, distributed execution, and simplified visibility. The outcome is lower cost, better security, and consistent compliance.


A Perspective from the Industry

I recently read a post by another cybersecurity CEO who summarized the situation perfectly:

“Companies spend billions on cybersecurity but neglect domain and DNS management—the very foundation of their digital presence. Neglecting DNS makes those investments ineffective and leaves organizations dangerously exposed.”

He’s right.
And the saying still stands: It’s always the DNS.

When everything fails—or when everything works—it’s always the DNS.


Final Thoughts

The DNS underpins every digital service. Nearly every cybersecurity incident begins there.
You must lock it down.

This isn’t about “if” or “when”—it’s already happening.

Across my years in this field, I’ve seen four types of internal attitudes toward DNS:

  1. “I don’t understand it—and I don’t want to.”
  2. “I understand it, but it’s not my problem.”
  3. “I understand and know it’s urgent—but I can’t get leadership sponsorship.”
  4. “I understand, take control, and modernize.”

The fourth group are the winners. They make life easier for teams, reduce exposure, and cut long‑term cost.


Closing

Thank you for joining today’s CISO Briefing.
I hope these insights provide value and clarity around DNS‑security exposures and next steps.

For a deeper dive, request our white paper with detailed guidance on policies, implementation, and ROI.

The good news: these exposures are easily resolved with ownership, sponsorship, and modernized systems.

If you’d like to discuss your organization’s situation, reach out—I’d be happy to help you get on the right track.

Thank you again for your time, and have a great day.