|
|
 Kevin Zettel, Mukesh Gupta, Krupa Srivatsan, and Dave Mitchell presented for Infoblox at Security Field Day 14 |
This Presentation date is September 24, 2025 at 13:30-15:30.
Presenters: Dave Mitchell, Kevin Zettel, Krupa Srivatsan, Mukesh Gupta
Follow on Twitter using the following hashtags or usernames: #XFD14
The Ten Year Protective DNS Journey with Infoblox
Watch on YouTube
Watch on Vimeo
DNS is no longer just infrastructure — it is the frontline of preemptive security. This session highlights Infoblox’s decade-long journey in shaping DNS security, with Protective DNS at the center of defending users against evolving threats. Attendees will see why DNS is uniquely positioned to stop attacks before they spread and how DDI integration delivers powerful visibility, automation, and protection. Speaker Mukesh Gupta detailed Infoblox’s evolution from an enterprise appliance company known for DDI (DNS, DHCP, and IPAM) to a security-focused organization. He explained that as enterprises adopted multiple cloud platforms, they ended up with siloed DNS systems (e.g., on-prem, AWS Route 53, Azure DNS), leading to complexity and outages. Infoblox addressed this by creating “Universal DDI,” a platform that provides a single management layer for all of a customer’s disparate DNS services, whether they are on-premises or in the cloud, and offers a true SaaS-based option for DDI services.
Gupta emphasized that DNS is the first point of detection for nearly all types of cyberattacks—from phishing and malware to data exfiltration—because a DNS query always precedes the malicious action. Blocking threats at this initial DNS layer is highly effective, protecting all devices on the network without deploying new agents and significantly reducing the load on other security tools like firewalls and XDRs. Infoblox’s unique approach, developed by a former NSA expert, focuses on tracking the cybercriminal “cartels” rather than individual attacks. Instead of chasing millions of malicious domains (the “drug dealers”), Infoblox identifies and monitors the infrastructure of organizations like “Prolific Puma” (a malicious URL shortening service) or “VainWiper” (a malicious traffic distribution system) that service thousands of attackers. This “cartel”-focused strategy provides a significant strategic advantage.
The primary benefits of this unique approach are a massive lead time and incredible accuracy. Infoblox can identify malicious domains an average of 68 days before they are used in a campaign, often right after the cartel registers them, allowing for preemptive blocking without waiting for a “patient zero.” This methodology also results in an extremely low false positive rate (0.0002%). Gupta argued that integrating this protection directly into the DDI platform is more operationally efficient, as it prevents finger-pointing between network and security teams when a domain is blocked. Infoblox is now extending this protection to cloud workloads, either by having customers point their cloud DNS to Infoblox’s service or through native integrations, such as the new Google Cloud DNS Armor service, which is powered by Infoblox’s threat intelligence technology.
Personnel: Mukesh Gupta
A Live Demo of Infoblox Threat Defense
Watch on YouTube
Watch on Vimeo
This hands-on session follows the earlier briefings and goes straight into the Infoblox Security Portal. We’ll trace malicious activity from first DNS lookup to automated enforcement, show how verdicts are backed by Infoblox Threat Intelligence, and walk through incident triage and policy tuning. Expect practical coverage of policy creation, exception handling, and integrations that extend protection across endpoint, network, and cloud. You’ll leave with a clear view of day-to-day operations and the metrics that matter. Speaker Kevin Zettel began the demonstration by outlining the five flexible deployment options for Infoblox’s threat defense solution. These include a lightweight endpoint agent for rich user attribution, physical or virtual NIOS appliances, NIOS as a service with IPsec tunnels for cloud and SASE environments, and a simple external resolver configuration. Zettel emphasized that these methods can be mixed and matched, and even without an endpoint agent, the system uses Universal Asset Insights to enrich data, providing crucial context like the specific device, user, and MAC address for every DNS query. He also confirmed that Infoblox provides comprehensive threat feeds for IPs, URLs, and hashes that can be exported to firewalls to counter adversaries who might pivot away from DNS.
Transitioning to the live portal, Zettel showcased the main dashboard, which provides immediate KPIs on the security of the DNS infrastructure. He highlighted the value of “predictive intelligence” and a key metric called “first to detect,” which demonstrates to customers that Infoblox knew about malicious domains on average several weeks before an employee ever clicked on them. The portal offers a detailed, asset-centric view, allowing security teams to identify at-risk devices, trace their entire IP address history across the network, and review all associated security and policy violations. This capability is critical for incident triage, enabling an analyst to quickly understand the scope of an infection and identify other potentially compromised systems by seeing everywhere a device has been.
To demonstrate how security verdicts are backed by intelligence, Zettel navigated to the threat intelligence section, which shows customers which specific threat actor “cartels” are active in their environment and the exact malicious domains their users have accessed. To make the massive volume of DNS data actionable for security operations (SOC) teams, he introduced an AI-powered feature called “Insights,” which automatically correlates millions of individual events into a handful of manageable incidents. For deeper investigation and policy tuning, the integrated “Dossier” research tool allows an analyst to click any indicator (domain, IP, etc.) and receive a consolidated report from over twenty different tools, providing the full context needed to validate a threat and make informed policy decisions.
Personnel: Kevin Zettel
Infoblox Threat Intelligence (ITI) with Dave Mitchell
Watch on YouTube
Watch on Vimeo
Dave Mitchell will introduce the Infoblox Threat Intelligence (ITI) team, highlighting its specialized focus and unique capabilities in DNS-based security. He’ll explore the evolving threat landscape, sharing insights into emerging attack vectors and adversary tactics. The session will demonstrate how Infoblox’s deep expertise in DNS enables superior threat detection and protection. Attendees will gain a clear understanding of what sets Infoblox apart in the cybersecurity ecosystem. As a “recovering operator,” Mitchell explained that his team’s sole focus is DNS, a namespace so vast that it offers attackers near-infinite room to operate. He emphasized that Infoblox’s intelligence is entirely original and not repackaged from other sources. Their process involves a reputation system where algorithms analyze newly registered domains, clustering suspicious ones based on shared attributes like registration patterns and name server behavior. Human researchers then investigate these clusters to identify, name, and track threat actors, building robust signatures that can follow adversaries even as they adapt their tactics. This proactive approach results in a “low regret” security posture, blocking domains that users have no legitimate reason to visit.
This DNS-centric intelligence allows Infoblox to provide “protection before impact.” Mitchell shared that over a recent 90-day period, their system already contained 75% of malicious domains before a single customer query was ever made to them. This is possible because the team observes threat actor infrastructure as it’s being built. A significant portion of the presentation focused on the growing threat of malicious advertising technology (“malvertising”). He detailed how threat actors operate sophisticated Traffic Distribution Systems (TDS) that function like legitimate ad-tech platforms but serve malicious content. These systems use cloaking techniques to profile visitors, redirecting them to scams, info-stealers, or fake software updates only if they match specific criteria, while sending researchers or bots to harmless decoy sites like Google or Alibaba.
Mitchell provided a deep dive into the malvertising ecosystem, illustrating how criminal affiliate networks push everything from cryptocurrency and dating scams to dangerous malware like the SocGholish info-stealer. He highlighted a major threat actor his team has been tracking called Vextrio (also known as “Los Pollos”), a sophisticated cartel that runs a massive TDS operation. Beyond malvertising, he also touched on the persistent problem of lookalike domains, which are impossible for brands to proactively register across all 1,300+ top-level domains, and an advanced command-and-control technique where compromised websites use DNS text records to covertly fetch and decode malicious redirect URLs. These examples underscore the complexity of modern threats and the critical role of specialized, protective DNS in disrupting the attack chain.
Personnel: Dave Mitchell
Growing Government and Industry Adoption of Protective DNS with Infoblox
Watch on YouTube
Watch on Vimeo
Protective DNS is rapidly emerging as a trusted layer of defense across industries. Governments, regulators, and enterprises alike are embracing it as a scalable, proactive way to strengthen security posture. Around the world, governments are looking to adopt Protective DNS to safeguard citizens, while updates to NIST SP 800-81 highlight DNS as a foundational control that can stop threats earlier than other systems—supporting Zero Trust and cyber-resiliency strategies. Industry leaders are also moving fast: Microsoft is embracing Zero Trust DNS to protect devices, and Google Cloud DNS Armor applies DNS-based threat detection to natively secure cloud workloads. Speaker Krupa Srivatsan highlighted this growing adoption by citing a key statistic from a former NSA director stating that 92% of cyberattacks use DNS at some point. She provided several examples of governments implementing national Protective DNS (PDNS) services, including CISA in the U.S. for federal agencies, the U.K. for its public and emergency services, and Australia for its public sector. A notable use case is Ukraine, which deployed a national PDNS service that resulted in a 30-40% reduction in reported financial phishing fraud against its citizens amidst the ongoing conflict.
Srivatsan then discussed the influence of regulatory bodies, focusing on the forthcoming NIST Special Publication 800-81, which centers on DNS security. This guidance is built on three pillars: using Protective DNS to block malicious activity, ensuring DNS hygiene and encryption (like DNSSEC and DNS over HTTPS) to prevent spoofing, and hardening DNS servers against denial-of-service attacks. She connected these principles to the Zero Trust framework, arguing that organizations cannot claim to follow Zero Trust if they implicitly trust their DNS resolver. A true Zero Trust architecture requires not only PDNS and encryption but also a comprehensive asset inventory—a capability inherent to DDI platforms—to apply granular, device-aware security policies.
Finally, she detailed significant adoption by industry leaders. Microsoft’s new Zero Trust DNS feature for Windows 11, for example, will lock down the operating system to only resolve queries through an approved PDNS provider, effectively blocking resolutions to unauthorized domains and hardcoded IP addresses. Similarly, the Google Cloud DNS Armor service natively integrates Infoblox’s threat detection engine directly into the Google Cloud console. In its initial version, the service analyzes DNS logs to detect threats and reports them to Google’s security tools, providing preemptive security for cloud workloads without requiring customers to deploy a separate solution. These initiatives by Microsoft and Google signal a major industry shift towards embedding Protective DNS as a foundational security control.
Personnel: Krupa Srivatsan