
Why DNS and DHCP Servers Are the Most Dangerous Unprotected Assets on Your Network

Microsegmentation for DNS and DHCP

DNS and DHCP servers are foundational infrastructure services that every organization depends on – and almost none adequately protect. These two services operate at the core of every network, handling name resolution and IP address assignment for every device, user, and application. When an attacker compromises either one, the consequences are catastrophic: full network redirection, credential interception, lateral movement across segments, and data exfiltration through covert channels.

The numbers confirm the urgency. According to IDC research, 88% of organizations experienced at least one DNS attack in the past year, with an average of seven attacks per organization annually. The average cost of a single DNS attack reached $950,000 globally, rising above $1 million for organizations in North America. DNS DDoS attacks alone grew from 6% of all network-layer attacks in 2022 to over 21% in 2024, according to Imperva’s DDoS Threat Landscape Report.

Despite these risks, DNS and DHCP servers typically sit on flat network segments with no access restrictions. Any endpoint on the network can query, interact with, and potentially exploit these services. Traditional perimeter firewalls do nothing to limit internal access to infrastructure services.

This article explains how microsegmentation closes this critical gap by enforcing identity-based access controls around DNS and DHCP servers, preventing exploitation, and blocking lateral movement before it starts.

How Attackers Exploit DNS and DHCP: The Attack Paths You’re Not Blocking

DNS and DHCP servers are targeted through multiple, well-documented attack paths. Understanding these paths is essential for building effective segmentation policies.

DNS Attack Vectors

DNS is inherently insecure. It was designed for availability and speed, not for authentication or integrity. Attackers exploit this design weakness through several techniques.

DNS cache poisoning injects forged records into a DNS resolver’s cache, redirecting users to attacker-controlled infrastructure. When a DNS server accepts a spoofed response, every client that queries that server receives the malicious record – turning a single compromise into an organization-wide redirect.

DNS tunneling encodes data within DNS queries and responses, creating a covert communication channel that bypasses firewalls, intrusion prevention systems, and most network security controls. Attackers use DNS tunneling for command-and-control communication and data exfiltration. DNS tunneling increased by 41% in the most recent reporting period, according to the IDC Global DNS Threat Report.
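Because a tunnel has to push its payload through the query name, it leaves a distinctive shape in resolver logs: many never-repeated, long, high-entropy leftmost labels under one domain, often with TXT or NULL queries, from a small set of clients. The following is an added example written for this article, not code from the original page or from any vendor: it builds a constructed query log in a simplified BIND-style format (the log lines, the 10.1.x.x client addresses and the example.* domain names are invented), parses it, and scores each registrable domain on label uniqueness, mean label length and mean Shannon entropy. The thresholds are assumptions to tune against your own baseline, and the two-label cut for the registrable domain is a simplification (a public suffix list is the proper tool).

```python
import hashlib
import math
import re
from collections import defaultdict
from typing import Dict, Iterator, List, Tuple


def build_sample_log() -> str:
    """Constructed resolver query log (simplified BIND query-log format, not real traffic).

    Ten ordinary queries from a few workstations, then twelve queries from one host whose
    leftmost label is a long hex blob under a single domain and whose type is TXT: the
    shape a DNS tunnel leaves behind.
    """
    benign = [
        ("10.1.4.10", "www.example.com", "A"),
        ("10.1.4.10", "mail.example.com", "MX"),
        ("10.1.4.11", "www.example.com", "AAAA"),
        ("10.1.4.12", "intranet.example.com", "A"),
        ("10.1.4.11", "cdn.example.org", "A"),
    ] * 2
    lines: List[str] = []
    for i, (client, qname, qtype) in enumerate(benign):
        lines.append(f"01-Jan-2025 10:00:{i:02d}.000 client {client}#{40000 + i}: query: {qname} IN {qtype}")
    for i in range(12):
        # 40 hex characters per label stand in for one encoded data chunk
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40]
        lines.append(f"01-Jan-2025 10:01:{i:02d}.000 client 10.1.5.23#{50000 + i}: "
                     f"query: {label}.t.example.net IN TXT")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()

LINE_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def parse_query_log(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (client, qname, qtype) for each parseable line; anything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype").upper()


def shannon_entropy(s: str) -> float:
    """Bits per character: random hex approaches 4.0, a label like 'www' stays near 0."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude registrable-domain cut (last two labels); assumption, a public suffix list is better."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def score_domains(records, min_queries: int = 8, unique_ratio: float = 0.8,
                  min_label_len: int = 20, min_entropy: float = 3.0) -> Tuple[Dict[str, dict], List[str]]:
    """Aggregate per registrable domain and flag those whose subdomain labels look like encoded data."""
    stats: Dict[str, dict] = defaultdict(lambda: {"queries": 0, "labels": set(), "len_sum": 0,
                                                 "ent_sum": 0.0, "data_types": 0, "clients": set()})
    for client, qname, qtype in records:
        dom = registered_domain(qname)
        labels = qname.split(".")
        leftmost = labels[0] if len(labels) > 2 else ""
        s = stats[dom]
        s["queries"] += 1
        s["labels"].add(leftmost)
        s["len_sum"] += len(leftmost)
        s["ent_sum"] += shannon_entropy(leftmost)
        s["data_types"] += qtype in ("TXT", "NULL", "CNAME")   # types tunnels favour for downstream data
        s["clients"].add(client)
    flagged: List[str] = []
    for dom, s in stats.items():
        n = s["queries"]
        if n < min_queries:
            continue   # too little data to judge; avoids flagging a single odd lookup
        if (len(s["labels"]) / n >= unique_ratio
                and s["len_sum"] / n >= min_label_len
                and s["ent_sum"] / n >= min_entropy):
            flagged.append(dom)
    return dict(stats), sorted(flagged)


if __name__ == "__main__":
    stats, flagged = score_domains(parse_query_log(SAMPLE_LOG))
    for dom in flagged:
        s = stats[dom]
        print(f"{dom}: {s['queries']} queries, {len(s['labels'])} unique labels, "
              f"mean label {s['len_sum'] / s['queries']:.0f} chars, "
              f"mean entropy {s['ent_sum'] / s['queries']:.2f} bits, clients={sorted(s['clients'])}")
```

Run against the constructed log, only example.net is flagged; example.com sees eight queries but only three distinct, short, low-entropy labels. In production the same three features computed over a day of resolver logs, keyed by client as well as by domain, are a cheap first-pass detector that complements the segmentation policy: the policy decides which resolvers an endpoint may talk to, and this decides whether what it sends them looks like name resolution.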

DNS hijacking reroutes queries for a legitimate name to destinations the attacker controls. A common route in is the dangling record: a CNAME or similar record that still points at a cloud resource its owner has abandoned, which anyone can re-register and thereby answer for the victim's name. In February 2025, the threat actor tracked as Hazy Hawk exploited DNS misconfigurations of this kind to hijack subdomains belonging to the U.S. CDC, Deloitte, PricewaterhouseCoopers, and Ernst & Young.

DNS amplification attacks exploit the size disparity between small DNS queries and large responses to flood targets with traffic. These attacks saw a 117% year-over-year increase in Q4 2023.

DHCP Attack Vectors

DHCP operates on an implicit trust model – the protocol assumes that any device requesting an IP address is legitimate. This creates a fundamentally exploitable architecture.

DHCP starvation floods a DHCP server with fake DISCOVER packets using spoofed MAC addresses, exhausting the entire IP address pool. Legitimate devices can no longer obtain addresses, causing denial of service. This attack often precedes a rogue DHCP server deployment.

Rogue DHCP server attacks follow starvation. Once the legitimate server is exhausted, the attacker deploys a rogue server that responds to client requests with malicious configuration – including attacker-controlled DNS servers and default gateways. Every device that accepts the rogue lease is now routing traffic through the attacker.

TunnelVision (CVE-2024-3661), disclosed in 2024, abuses DHCP option 121 (Classless Static Route, RFC 3442). A DHCP server on the local segment, legitimate or rogue, can push routes that are more specific than the routes a VPN client installs, so the host's longest-prefix-match routing sends traffic for those destinations to the DHCP-supplied gateway instead of the tunnel. That traffic leaves the host without the VPN's encryption, and whoever controls the gateway can read or redirect it. Windows, Linux, macOS, and iOS honor option 121 and are affected; Android does not implement the option and is not. It is a property of DHCP's trust model rather than a bug in any one VPN product.
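The mechanics are easiest to see on the wire format. The following is an added example written for this article (not code from the original page or from the TunnelVision researchers): it decodes the compact RFC 3442 encoding of option 121, where each entry is one prefix-length byte, only the significant bytes of the destination, and a four-byte router, and then checks which pushed routes would beat a VPN client's routes under longest-prefix match. The payload, the 192.0.2.1 "attacker gateway" (a TEST-NET address) and the 10.8.0.1 tunnel gateway are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

# Constructed option 121 payload: three classless static routes, all via 192.0.2.1 (a TEST-NET
# address standing in for an attacker-controlled gateway on the local segment):
#   0.0.0.0/2 (half of the VPN's 0.0.0.0/1), 203.0.113.0/24, and a plain default route.
ROGUE_OPTION_121 = bytes.fromhex(
    "02" "00" "c0000201"        # prefix length 2, 1 significant byte, router 192.0.2.1
    "18" "cb0071" "c0000201"    # prefix length 24, 3 significant bytes (203.0.113), router
    "00" "c0000201"             # prefix length 0 = default route, no destination bytes
)

# Routes a typical VPN client installs so that the tunnel beats the LAN's default route.
VPN_GATEWAY = ipaddress.IPv4Address("10.8.0.1")
VPN_ROUTES = [ipaddress.IPv4Network("0.0.0.0/1"), ipaddress.IPv4Network("128.0.0.0/1")]


def decode_option_121(payload: bytes) -> List[Route]:
    """Decode RFC 3442 Classless Static Route entries.

    Each entry is: 1 byte prefix length, ceil(prefix/8) significant destination bytes,
    4 bytes router. A malformed or truncated entry raises rather than being silently skipped.
    """
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen} at offset {i - 1}")
        nbytes = (plen + 7) // 8
        if i + nbytes + 4 > len(payload):
            raise ValueError(f"truncated route entry at offset {i - 1}")
        dest = payload[i:i + nbytes] + b"\x00" * (4 - nbytes)
        router = payload[i + nbytes:i + nbytes + 4]
        i += nbytes + 4
        # strict=False tolerates host bits the sender should have zeroed
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False),
                       ipaddress.IPv4Address(router)))
    return routes


def routes_bypassing_vpn(pushed: List[Route], vpn_routes: List[ipaddress.IPv4Network],
                         vpn_gateway: ipaddress.IPv4Address) -> List[ipaddress.IPv4Network]:
    """Return pushed destinations whose prefix is at least as specific as an overlapping VPN route.

    Longest-prefix match sends those destinations to the DHCP-supplied router instead of the
    tunnel, which is the TunnelVision effect. A /0 from option 121 does not qualify: the VPN's
    two /1 routes are more specific and keep winning.
    """
    leaks: List[ipaddress.IPv4Network] = []
    for net, router in pushed:
        if router == vpn_gateway:
            continue
        if any(net.overlaps(v) and net.prefixlen >= v.prefixlen for v in vpn_routes):
            leaks.append(net)
    return leaks


if __name__ == "__main__":
    pushed = decode_option_121(ROGUE_OPTION_121)
    for net, router in pushed:
        print(f"option 121 route: {net} via {router}")
    for net in routes_bypassing_vpn(pushed, VPN_ROUTES, VPN_GATEWAY):
        print(f"LEAK: traffic to {net} would leave the VPN tunnel")
```

The decoder is what a DHCP client, a monitoring agent or a packet-capture parser would run; the check is what you would apply to every lease a VPN-protected host accepts. Note that legitimate corporate DHCP servers also push option 121 routes (to reach local printers or a split-tunnel subnet), so the finding is "these destinations are not protected by the tunnel", which policy then has to judge.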

DHCP administrator group abuse, documented by Akamai in 2025, demonstrates how attackers escalate privileges in Windows domains by exploiting the permissions granted to the DHCP administrators group, enabling lateral movement and additional exploitation.

DNS and DHCP Attack Vectors – Summary

Attack Type | Target | Technique | Impact
----------- | ------ | --------- | ------
DNS Cache Poisoning | DNS resolver | Injecting forged DNS records | Organization-wide traffic redirect to malicious sites
DNS Tunneling | DNS protocol | Encoding data in DNS queries and responses | Covert C2 communication and data exfiltration
DNS Hijacking | DNS records | Exploiting DNS misconfigurations (e.g. dangling records) | Subdomain takeover and phishing infrastructure
DNS Amplification | DNS servers | Abusing query/response size disparity with spoofed sources | Volumetric DDoS against target infrastructure
DHCP Starvation | DHCP server | Flooding with DISCOVER packets from spoofed MAC addresses | Denial of service for all network clients
Rogue DHCP Server | Network clients | Answering lease requests with attacker-controlled DNS and gateway | Man-in-the-middle on all client traffic
TunnelVision (CVE-2024-3661) | VPN clients | DHCP option 121 route injection | VPN bypass and plaintext traffic interception
DHCP Privilege Escalation | Active Directory | Abusing DHCP Administrators group permissions | Domain-level privilege escalation

Why Traditional Defenses Fail to Protect DNS and DHCP Infrastructure

Most organizations rely on perimeter firewalls, network-level ACLs, and VLAN segmentation to protect internal services. These controls are fundamentally insufficient for DNS and DHCP protection. Here is why.

Perimeter firewalls don’t inspect internal traffic. DNS and DHCP attacks originate from inside the network – from compromised endpoints, rogue devices, or malicious insiders. Perimeter firewalls only filter traffic crossing the network boundary. They provide zero visibility into east-west traffic between endpoints and infrastructure services.

VLANs are too coarse. VLAN-based segmentation groups devices by department or location, not by function or identity. Within a VLAN, every device can freely communicate with DNS and DHCP servers. An attacker who compromises any endpoint in the VLAN has unrestricted access to infrastructure services.

DNS and DHCP ports are universally allowed. Port 53 (DNS) and ports 67-68 (DHCP) are permitted through nearly every firewall rule set and network ACL. Security teams rarely restrict these ports because blocking them would disrupt basic network functionality. Attackers exploit this permissiveness.

No identity verification at the protocol level. Neither DNS nor DHCP authenticates the source of a request. Any device that sends a properly formatted packet receives a response. Without an additional access control layer, there is no way to distinguish legitimate queries from malicious ones.

Organizations that implement microsegmentation address these gaps by enforcing identity-based access policies directly at the endpoint and workload level, regardless of network topology.

Traditional Defenses vs. Microsegmentation – Comparison

Columns compared: Protects Perimeter | Protects Internal (East-West) | Identity-Based | Granular per Endpoint | Effective for DNS/DHCP. Cells that carried only a check or cross symbol in the original table are not reproduced here; the text cells are.

Perimeter Firewall | (symbol cells only)
VLAN Segmentation | Partial | Partial
Network ACLs | Partial | Partial
DHCP Snooping | Partial | Partial
DNSSEC | Partial (integrity only)
Microsegmentation | (symbol cells only)

How Microsegmentation Protects DNS and DHCP Servers

Microsegmentation enforces access control at the workload and endpoint level, creating a security boundary around every infrastructure service. Instead of relying on network topology, microsegmentation uses identity-based policies to determine which devices, users, and applications can communicate with DNS and DHCP servers – and blocks everything else.

Restricting Who Can Query DNS Servers

In a microsegmented environment, DNS servers are isolated in their own security zone. Only authorized endpoints and applications can send queries to port 53. A compromised endpoint that attempts to communicate with a DNS server outside its authorized policy is blocked before the packet reaches the server.

This blocks cache-poisoning attempts that originate inside the network, shrinks the set of endpoints that can reach a resolver at all (which removes most of the surface for DNS tunneling, since a tunnel needs a resolver that will relay its queries), and keeps internal resolvers from being used as amplifiers by anything other than authorized clients.

Isolating DHCP Servers from Unauthorized Access

Microsegmentation limits DHCP communication to legitimate network operations. A client requesting a lease has no address yet and broadcasts its DISCOVER, so the policy cannot name individual clients; it is written around the paths a lease request legitimately takes. The DHCP server accepts UDP 67 only from its authorized relay agents and from the broadcast domain it is meant to serve, and only authorized servers may originate responses from port 67. Endpoints outside those segments that try to flood the server with DISCOVER packets never reach it, and a starvation attempt from a segment the server does serve still leaves a clear signature in the policy logs: many distinct client MAC addresses in a short window.

Critically, microsegmentation blocks rogue DHCP server deployment on managed hosts: the endpoint policy permits DHCP server traffic (source port 67) only from the authorized servers, so a compromised workstation that starts answering lease requests is cut off, and clients enforcing the same policy ignore offers from anything else. The caveat is that an unmanaged device plugged into a switch port carries no agent. For that case pair the host policy with DHCP snooping on the access switches, so that only trusted ports may carry server responses.

Preventing Lateral Movement from Compromised Infrastructure

Even if an attacker gains access to a DNS or DHCP server, microsegmentation contains the breach. The compromised server cannot communicate with other network segments, databases, file servers, or application tiers because the segmentation policy only permits specific, pre-authorized communication paths.

This containment effect is the primary value of microsegmentation for infrastructure services. Without it, a compromised DNS server becomes a pivot point for the entire network. With microsegmentation, the attacker’s reach is limited to the specific communication paths that the policy allows – and nothing more.

Organizations building a Zero Trust architecture recognize that infrastructure services like DNS and DHCP must be treated as high-value assets, protected with the same rigor applied to databases and application servers.

MITRE ATT&CK Mapping: DNS and DHCP Techniques and Microsegmentation Controls

Security engineers and incident response teams use the MITRE ATT&CK framework to map threats to defensive controls. The following table maps DNS and DHCP attack techniques to specific MITRE ATT&CK identifiers and shows how microsegmentation addresses each technique.

MITRE ATT&CK ID | Technique | DNS/DHCP Relevance | Microsegmentation Control
--------------- | --------- | ------------------ | -------------------------
T1071.004 | Application Layer Protocol: DNS | DNS tunneling for C2 and exfiltration | Restrict DNS communication to authorized resolvers only; block and log endpoint-to-DNS traffic outside that allow-list
T1557.003 | Adversary-in-the-Middle: DHCP Spoofing | Rogue DHCP servers redirect traffic | Permit DHCP server responses (source port 67) only from authorized servers; restrict client DHCP traffic to authorized relays and segments
T1584.002 | Compromise Infrastructure: DNS Server | DNS hijacking and record manipulation | Isolate DNS servers; restrict management access to authorized administrators only
T1498.002 | Network Denial of Service: Reflection Amplification | DNS amplification attacks | Limit DNS query sources to authorized endpoints so internal resolvers cannot be used as reflectors; filter spoofed source addresses at the network edge (BCP 38 ingress filtering)
T1499.002 | Endpoint Denial of Service: Service Exhaustion Flood | DHCP starvation attacks | Restrict DHCP communication to authorized relays and segments; rate-limit DISCOVER packets at the access layer
T1572 | Protocol Tunneling | DNS tunneling to bypass security controls | Enforce policies that allow DNS only to authorized resolvers; alert on denied DNS traffic from endpoints

 

Implementation Guide: Segmenting DNS and DHCP with Microsegmentation

Deploying microsegmentation for DNS and DHCP infrastructure requires a methodical approach. The following implementation roadmap provides concrete steps for security teams.

Phase 1: Discovery and Mapping (Weeks 1-2)

Before creating segmentation policies, map all DNS and DHCP communication flows. Identify every endpoint, server, and application that communicates with DNS and DHCP servers. Document legitimate traffic patterns including source, destination, port, protocol, and frequency.

Key actions in this phase:

  • Inventory all DNS servers (primary, secondary, recursive resolvers, forwarders)
  • Inventory all DHCP servers and relay agents
  • Map which endpoints communicate with which DNS/DHCP servers
  • Identify management access paths (SSH, RDP, web console) to infrastructure servers
  • Document inter-server communication (DNS zone transfers, DHCP failover)

Phase 2: Policy Design (Week 3)

Based on the discovery data, define microsegmentation policies for DNS and DHCP servers. Policies should follow the principle of least privilege – permit only the specific communication paths that are documented and justified.

Core policies to define:

  • Client-to-DNS: Only authorized endpoints can query authorized DNS resolvers on port 53 (TCP/UDP)
  • Client-to-DHCP: Only endpoints in authorized network segments can communicate with DHCP servers on ports 67-68 (UDP)
  • DNS-to-DNS: Zone transfers only between authorized primary and secondary servers on port 53 (TCP)
  • DHCP failover: Only between the designated DHCP server pair, on the failover protocol's port (TCP 647 by default for both ISC dhcpd and Windows Server DHCP failover)
  • Management access: Only authorized admin workstations can reach DNS/DHCP management interfaces
  • Default deny: All other communication to/from DNS and DHCP servers is blocked

Organizations using a platform like the truePass platform can define these policies using identity-based rules, so the policies follow the workload regardless of network location or IP address changes.

Phase 3: Monitor Mode (Weeks 4-5)

Deploy policies in monitor (audit) mode first. This allows the security team to observe which traffic would be blocked without actually disrupting operations. Review logs daily to identify legitimate traffic that the policy would incorrectly block. Adjust policies to accommodate valid communication paths before moving to enforcement.

Phase 4: Enforcement (Week 6+)

Enable enforcement mode. Monitor for false positives during the first two weeks of enforcement. Maintain a documented rollback procedure for any policy that causes operational disruption. Conduct weekly policy reviews for the first month, then transition to monthly reviews.
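The four phases amount to one small pipeline: an inventory of labelled assets from discovery, an allow-list policy expressed against those labels, a pass over observed flows that reports what the policy would drop, and a switch from audit to enforcement. The following is an added example written for this article, not code from the original page or from the truePass platform or any other product: it models that pipeline in Python and compiles the rules for one server into an nftables input chain, which is one concrete host-level enforcement point. The inventory, labels, addresses and observed flows are all constructed, and the ISC failover port is cited from its default configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed label-to-address inventory, the output of the discovery phase. Labels are the
# policy's identities; addresses are looked up only when a flow is evaluated, so a re-addressed
# server changes the inventory and not the policy.
INVENTORY: Dict[str, Set[str]] = {
    "dns-primary": {"10.0.10.5"},
    "dns-secondary": {"10.0.10.6"},
    "dhcp-server": {"10.0.10.7", "10.0.10.8"},
    "dhcp-relay": {"10.0.20.1", "10.0.30.1"},
    "admin-workstation": {"10.0.99.10"},
    "user-endpoint": {"10.0.20.0/24", "10.0.30.0/24"},
}


@dataclass(frozen=True)
class Rule:
    src: str      # source label
    dst: str      # destination label
    proto: str    # "tcp" or "udp"
    dport: int
    comment: str


# Allow-list only; a flow that matches no rule is denied (default deny).
POLICY: List[Rule] = [
    Rule("user-endpoint", "dns-primary", "udp", 53, "client resolution"),
    Rule("user-endpoint", "dns-primary", "tcp", 53, "client resolution, truncated responses"),
    Rule("dns-secondary", "dns-primary", "tcp", 53, "AXFR/IXFR from secondary"),
    Rule("dhcp-relay", "dhcp-server", "udp", 67, "relayed DISCOVER/REQUEST"),
    Rule("dhcp-server", "dhcp-server", "tcp", 647, "DHCP failover peer (ISC dhcpd default port)"),
    Rule("admin-workstation", "dns-primary", "tcp", 22, "management"),
    Rule("admin-workstation", "dhcp-server", "tcp", 22, "management"),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def in_group(addr: str, label: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(member, strict=False) for member in INVENTORY.get(label, ()))


def match(flow: Flow) -> Optional[Rule]:
    """First rule whose labels contain the flow's endpoints and whose service matches, else None."""
    for rule in POLICY:
        if (rule.proto == flow.proto and rule.dport == flow.dport
                and in_group(flow.src, rule.src) and in_group(flow.dst, rule.dst)):
            return rule
    return None


def evaluate(flows: List[Flow], enforce: bool) -> List[Tuple[Flow, str, str]]:
    """Return (flow, verdict, reason). In monitor mode an unmatched flow is 'audit', not 'drop'."""
    out: List[Tuple[Flow, str, str]] = []
    for f in flows:
        rule = match(f)
        if rule:
            out.append((f, "allow", rule.comment))
        else:
            out.append((f, "drop" if enforce else "audit", "default deny"))
    return out


def render_nftables(dst_label: str, enforce: bool) -> str:
    """Compile the rules whose destination is one server into an nftables input chain (text only).

    Monitor mode keeps 'policy accept' and ends with a logging counter, so unmatched traffic is
    recorded but not dropped; enforcement flips to 'policy drop' and logs what it drops.
    """
    lines = [
        "table inet microseg {",
        "  chain input {",
        f"    type filter hook input priority 0; policy {'drop' if enforce else 'accept'};",
        "    iif lo accept",
        "    ct state established,related accept",
    ]
    for r in POLICY:
        if r.dst != dst_label:
            continue
        srcs = ", ".join(sorted(INVENTORY[r.src]))
        lines.append(f'    ip saddr {{ {srcs} }} {r.proto} dport {r.dport} accept comment "{r.comment}"')
    lines.append(f'    log prefix "microseg-deny " {"drop" if enforce else "counter"}')
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed flows, as a discovery tool would report them in Phase 1.
SAMPLE_FLOWS = [
    Flow("10.0.20.44", "10.0.10.5", "udp", 53),    # workstation resolving names: allowed
    Flow("10.0.10.6", "10.0.10.5", "tcp", 53),     # secondary pulling the zone: allowed
    Flow("10.0.30.1", "10.0.10.7", "udp", 67),     # relay forwarding DISCOVER: allowed
    Flow("10.0.20.44", "10.0.10.7", "udp", 67),    # client talking to DHCP directly, bypassing the relay
    Flow("10.0.20.44", "10.0.10.5", "tcp", 22),    # SSH to the DNS server from a workstation
    Flow("10.0.10.5", "10.0.50.12", "tcp", 445),   # DNS server reaching a file server: lateral movement
]

if __name__ == "__main__":
    for flow, verdict, reason in evaluate(SAMPLE_FLOWS, enforce=False):
        print(f"{verdict:5} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}  ({reason})")
    print(render_nftables("dns-primary", enforce=False))
```

Two points the run makes visible. First, the rendered chain is the input side only; the last sample flow (DNS server to a file server) is caught because the policy is evaluated on both endpoints, and an output chain for the server is built the same way from the rules where it is the source. Second, a DHCP server that also serves its own segment directly needs one more accept for the broadcast DISCOVER (source 0.0.0.0, UDP 68 to 67) since those clients have no address to match a relay rule; and the TCP 53 rule for user endpoints cannot tell a truncated query from an AXFR, so the server's own transfer ACL stays in place as the second check.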

Microsegmentation Deployment – Phase Summary

Phase | Duration | Key Activities | Deliverables
----- | -------- | -------------- | ------------
Discovery and Mapping | Weeks 1-2 | Inventory DNS/DHCP servers; map all communication flows; identify management paths | Communication flow map; server inventory; traffic baseline
Policy Design | Week 3 | Define least-privilege policies; establish default-deny rules; set management access controls | Policy document; rule set; exception list
Monitor Mode | Weeks 4-5 | Deploy policies in audit mode; review logs; identify false positives; adjust policies | Adjusted policy set; false positive log; approved exceptions
Enforcement | Week 6+ | Enable blocking; monitor for disruption; weekly reviews; rollback procedure ready | Enforced policies; incident response procedures; review schedule

Microsegmentation Best Practices for Infrastructure Services

Effective microsegmentation of DNS and DHCP servers requires adherence to several best practices that go beyond basic policy creation.

Treat DNS and DHCP as Tier-0 assets. Infrastructure services should receive the same protection level as Active Directory domain controllers and certificate authorities. These are the services that attackers target first because compromising them provides control over the entire network.

Separate DNS resolution from DNS management. Create distinct policies for DNS query traffic (port 53) and DNS management traffic (SSH, web console, API). Query traffic should be permitted from authorized endpoints. Management traffic should be restricted to a dedicated administrative network segment with Zero Trust network access controls.

Enforce strict zone transfer controls. DNS zone transfers (AXFR/IXFR) should only be permitted between explicitly authorized primary and secondary DNS servers. Because a segmentation policy sees TCP port 53 and not the transfer request itself, pair the network rule with the server's own transfer ACL (for example allow-transfer in BIND) so that an endpoint authorized to query the server still cannot pull a zone. Unauthorized zone transfer requests should be blocked and logged as potential reconnaissance activity.

Implement DHCP server authorization verification. Microsegmentation policies should ensure that only authorized DHCP servers can respond to client requests. Any device that attempts to respond on DHCP ports without authorization should be blocked immediately.

Log and audit all DNS/DHCP policy violations. Every blocked connection attempt provides intelligence. A sudden spike in blocked DNS queries from a specific endpoint may indicate compromise. Blocked DHCP starvation attempts reveal attack activity in progress. Integrate segmentation logs with your SIEM for correlation.
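The three signals named above (a spike of denied DNS from one endpoint, a DISCOVER flood with many source MACs, a DHCP response from something that is not an authorized server) fall out of the deny log with little more than counting per one-minute window. The following is an added example for this article, not code from the original page or from any product: it parses constructed kernel log lines in netfilter's key=value format with a "microseg-deny" prefix (the hostnames, addresses and MAC addresses are invented), extracts the source MAC from netfilter's 14-byte MAC field, and emits alerts. The thresholds and the set of authorized DHCP servers are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterator, List, Set

# Assumption: the authorized DHCP servers come from the Phase 1 inventory.
AUTHORIZED_DHCP_SERVERS: Set[str] = {"10.0.10.7", "10.0.10.8"}


def build_sample_log() -> str:
    """Constructed log lines (not real data) in the shape a host policy's log rule produces."""
    line = ("2025-01-01T{hh}:{mm}:{ss:02d} {host} kernel: microseg-deny IN=eth0 OUT= "
            "MAC={dmac}:{smac}:08:00 SRC={src} DST={dst} LEN=60 PROTO={proto} SPT={spt} DPT={dpt}")
    lines: List[str] = []
    # a) 25 DNS packets from one workstation to a resolver it may not use, within 25 seconds
    for i in range(25):
        lines.append(line.format(hh="10", mm="00", ss=i, host="dns2", dmac="00:50:56:aa:00:02",
                                 smac="00:50:56:bb:20:44", src="10.0.20.44", dst="10.0.10.9",
                                 proto="UDP", spt=50000 + i, dpt=53))
    # b) two stray queries from another host: noise, below threshold
    for i in range(2):
        lines.append(line.format(hh="10", mm="00", ss=30 + i, host="dns2", dmac="00:50:56:aa:00:02",
                                 smac="00:50:56:bb:20:45", src="10.0.20.45", dst="10.0.10.9",
                                 proto="UDP", spt=51000 + i, dpt=53))
    # c) 40 DISCOVER broadcasts, each from a different spoofed MAC, at the DHCP server in one minute
    for i in range(40):
        lines.append(line.format(hh="10", mm="01", ss=i, host="dhcp1", dmac="ff:ff:ff:ff:ff:ff",
                                 smac=f"de:ad:be:ef:00:{i:02x}", src="0.0.0.0", dst="255.255.255.255",
                                 proto="UDP", spt=68, dpt=67))
    # d) a DHCP OFFER (source port 67) from a host that is not an authorized server, blocked on a client
    lines.append(line.format(hh="10", mm="01", ss=45, host="ws44", dmac="00:50:56:bb:20:44",
                             smac="00:50:56:cc:20:99", src="10.0.20.99", dst="10.0.20.44",
                             proto="UDP", spt=67, dpt=68))
    return "\n".join(lines)


HEADER_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) kernel: microseg-deny (?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_deny_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per deny line: the netfilter key=value fields plus ts, host and src_mac."""
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if not m:
            continue
        ev = dict(KV_RE.findall(m.group("kv")))
        ev["ts"] = m.group("ts")
        ev["host"] = m.group("host")
        # netfilter logs MAC as dst(6):src(6):ethertype(2); the source MAC is bytes 7-12
        parts = ev.get("MAC", "").split(":")
        ev["src_mac"] = ":".join(parts[6:12]) if len(parts) == 14 else ""
        yield ev


def triage(events, dns_threshold: int = 20, starvation_threshold: int = 30) -> List[Dict[str, object]]:
    """Correlate denied packets into three alert types, bucketed into one-minute windows."""
    dns_by_src: Dict[tuple, int] = defaultdict(int)
    discover_macs: Dict[tuple, Set[str]] = defaultdict(set)
    alerts: List[Dict[str, object]] = []
    for ev in events:
        if ev.get("PROTO") != "UDP":
            continue
        minute = datetime.fromisoformat(ev["ts"]).replace(second=0, microsecond=0).isoformat()
        dpt, spt = ev.get("DPT"), ev.get("SPT")
        if dpt == "53":
            dns_by_src[(minute, ev["SRC"])] += 1
        elif dpt == "67" and ev["SRC"] == "0.0.0.0":
            discover_macs[(minute, ev["host"])].add(ev["src_mac"])
        elif spt == "67" and dpt == "68" and ev["SRC"] not in AUTHORIZED_DHCP_SERVERS:
            alerts.append({"type": "rogue_dhcp", "minute": minute, "src": ev["SRC"], "seen_by": ev["host"]})
    for (minute, src), n in dns_by_src.items():
        if n >= dns_threshold:
            alerts.append({"type": "dns_flood", "minute": minute, "src": src, "count": n})
    for (minute, host), macs in discover_macs.items():
        if len(macs) >= starvation_threshold:
            alerts.append({"type": "dhcp_starvation", "minute": minute, "host": host, "unique_macs": len(macs)})
    return sorted(alerts, key=lambda a: (str(a["minute"]), str(a["type"])))


if __name__ == "__main__":
    for alert in triage(parse_deny_log(build_sample_log())):
        print(alert)
```

The same three rules translate directly into SIEM correlation searches over the prefix string. Keep the rogue-DHCP rule unthresholded: a single response from port 67 that is not an authorized server is an incident in itself, whereas the DNS and DISCOVER counters need a threshold tuned to the baseline you collected in monitor mode.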

Apply microsegmentation to DNS/DHCP backup and failover paths. Backup DNS servers and DHCP failover partners must be included in the segmentation policy. Do not exempt failover traffic from access controls – compromised failover paths are a common attack vector.

Separate forwarding resolvers from internal servers. The recursive resolvers or forwarders that talk to external DNS servers should sit in a different segment from the authoritative servers that hold internal zones and from resolvers that serve only internal names. An attacker who compromises the externally facing resolver is then held away from the internal DNS infrastructure.

Measuring the Impact: Before and After Microsegmentation

The following table illustrates the security posture change when organizations apply microsegmentation to DNS and DHCP infrastructure.

Security Metric | Before Microsegmentation | After Microsegmentation
--------------- | ------------------------ | -----------------------
Endpoints that can query DNS servers | All endpoints on the network | Only authorized endpoints per policy
Endpoints that can communicate with DHCP servers | All endpoints on the same VLAN | Only authorized relays and the segments the server is meant to serve
Rogue DHCP server response capability | Any device can respond on DHCP ports | Only authorized DHCP servers can respond (unmanaged devices additionally need DHCP snooping at the switch)
DNS zone transfer access | Any endpoint that can reach port 53 TCP | Only authorized primary/secondary DNS pairs, with the server's own transfer ACL as a second check
Management access to DNS/DHCP consoles | Accessible from general network segments | Restricted to authorized admin workstations only
Lateral movement from compromised DNS server | Full network access from the DNS server's network position | Contained to explicitly authorized communication paths
DNS tunneling feasibility | Any endpoint can send arbitrary DNS queries to any resolver | Only authorized resolvers are reachable; denied DNS traffic is logged for investigation
DHCP starvation success probability | High – no rate limiting or source restriction | Low – only authorized relays and segments can deliver DISCOVER packets to the server

Conclusion: DNS and DHCP Protection Is the Foundation of Infrastructure Security

DNS and DHCP servers remain among the most exploited and least protected assets in enterprise networks. With 88% of organizations experiencing DNS attacks annually and the average cost per attack approaching $1 million, the risk of leaving these services unprotected is unacceptable.

Microsegmentation addresses this gap by enforcing identity-based access controls at the workload level, restricting which endpoints can communicate with DNS and DHCP servers, preventing rogue server deployment, containing breaches to isolated segments, and blocking lateral movement before it starts.

The implementation path is straightforward: discover communication flows, design least-privilege policies, validate in monitor mode, and enforce. Organizations that segment their infrastructure services first establish the foundation for a comprehensive Zero Trust architecture that extends to every asset on the network.

For organizations building or maturing their network segmentation strategy, starting with DNS and DHCP is the highest-impact, lowest-risk first step – because these are the services that attackers target first, and the services that most organizations leave completely exposed.

 
