DNS Security Threats Are Not Theoretical: Cache Poisoning, Rogue Resolvers, and the 706,000 Servers Nobody Patched
In October 2025, three critical vulnerabilities were publicly disclosed in BIND 9, the software that powers a significant portion of the internet’s DNS infrastructure. Two of those vulnerabilities, CVE-2025-40778 and CVE-2025-40780, scored 8.6 on the CVSS scale and enabled cache poisoning attacks. Over 706,000 exposed instances were identified worldwide by internet scanning firm Censys.
That is not a statistic from a vendor marketing deck. That is the measured attack surface for a single class of DNS vulnerability. And most UK small businesses have no idea whether their DNS infrastructure was affected, because most have never looked.
What DNS Cache Poisoning Actually Does
Let us be precise about this, because “cache poisoning” sounds abstract until you understand what it means in practice.
Your DNS resolver caches records to speed things up. When you visit a website, the resolver remembers the IP address so it does not have to look it up again every time. That is efficient and sensible.
Cache poisoning is when an attacker injects fake data into that cache. The resolver then hands out the wrong IP address to everyone who asks. Your staff type in your bank’s website. The resolver, poisoned, sends them to an attacker-controlled server that looks identical. Credentials entered. Money gone. And from the user’s perspective, “the site was a bit slow today.”
The BIND 9 vulnerability CVE-2025-40778 exploited a logic flaw where the resolver accepted and cached records it had never actually requested. An attacker could inject forged address records pointing to their own infrastructure. CVE-2025-40780 went further, exploiting a weakness in BIND’s random number generator to predict source ports and query IDs, making spoofed responses far more likely to succeed.
These are not theoretical attack papers. Proof of concept code was published.
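To make the two flaws concrete from the defender's side, here is a toy caching resolver that applies the checks a real one must make before a reply touches the cache: the reply has to carry the transaction ID and arrive at the source port of the query it answers (the entropy a weak random number generator erodes), and only records for the name that was asked about, or inside the bailiwick of the server that was asked, are cached (the check that rejects unsolicited records). This is an added illustration written for this article, not BIND code; the data classes, the `Resolver` class and `guesses_to_cover` are simplifications made up here, and the addresses and names are documentation ranges.

```python
"""Toy resolver showing the acceptance checks a caching resolver applies to
every reply. Added illustration, not BIND code; structures are simplified."""
from dataclasses import dataclass, field
import secrets


@dataclass(frozen=True)
class Question:
    name: str          # fully qualified with trailing dot, e.g. "www.example.com."
    qtype: str = "A"


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    rdata: str
    ttl: int = 300


@dataclass
class Reply:
    txid: int
    dst_port: int      # UDP port the reply was addressed to
    question: Question
    answers: list
    additional: list = field(default_factory=list)


@dataclass
class PendingQuery:
    txid: int
    src_port: int      # UDP source port the query left on
    question: Question
    bailiwick: str     # zone the queried server is authoritative for


def in_bailiwick(name: str, zone: str) -> bool:
    """True when name equals zone or sits below it (both with trailing dots)."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)


class Resolver:
    def __init__(self):
        self.cache = {}      # (name, rtype) -> rdata
        self.rejected = []   # audit trail of dropped replies and records

    def new_query(self, question, bailiwick, randomize_port=True):
        """Allocate per-query randomness: a 16-bit ID plus a random ephemeral port."""
        txid = secrets.randbelow(1 << 16)
        port = 1024 + secrets.randbelow(65536 - 1024) if randomize_port else 53
        return PendingQuery(txid, port, question, bailiwick)

    def accept(self, pending, reply):
        """Validate a reply against its pending query; cache only what passes."""
        if reply.txid != pending.txid or reply.dst_port != pending.src_port:
            self.rejected.append(("txid/port mismatch", reply.txid, reply.dst_port))
            return False
        if reply.question != pending.question:
            self.rejected.append(("question mismatch", reply.question.name))
            return False
        for rr in reply.answers + reply.additional:
            if not in_bailiwick(rr.name, pending.bailiwick):
                # The unsolicited record a vulnerable resolver would have cached.
                self.rejected.append(("out of bailiwick", rr.name))
                continue
            self.cache[(rr.name.lower(), rr.rtype)] = rr.rdata
        return True


def guesses_to_cover(port_randomized: bool) -> int:
    """Size of the (txid, port) space an off-path forger would have to cover.
    With a fixed port only the 16-bit ID protects the cache; random ephemeral
    ports (1024-65535) multiply that by 64512, which is why predictable ports
    or IDs turn blind forgery from hopeless into practical."""
    return (1 << 16) * (65536 - 1024 if port_randomized else 1)


if __name__ == "__main__":
    r = Resolver()
    q = Question("www.example.com.")
    p = PendingQuery(0x1234, 40000, q, "example.com.")
    # Constructed reply: a genuine answer plus a record for an unrelated bank domain.
    reply = Reply(0x1234, 40000, q,
                  [Record("www.example.com.", "A", "192.0.2.10")],
                  [Record("www.bank.example.", "A", "198.51.100.7")])
    print(r.accept(p, reply), r.cache, r.rejected)
    print(guesses_to_cover(False), guesses_to_cover(True))
```

The `rejected` list is the part worth keeping in production: a resolver that logs how often it discards out-of-bailiwick or mismatched replies gives you the earliest signal that someone is trying to poison it.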
Rogue Resolvers and Router Hijacking
Cache poisoning is the dramatic version. The quiet version is more common and arguably more dangerous for small businesses: someone changes the DNS resolver settings on your router.
This happens in two ways. First, an attacker compromises a router, often through default credentials or unpatched firmware, and changes the DNS settings to point at their own resolver. Every device on the network then sends DNS queries to an attacker-controlled server. The attacker can redirect any domain to any destination they choose.
Second, and more embarrassingly, someone in the office changes DNS settings as a troubleshooting step and forgets to change them back. They point the router at some random public resolver, do not document it, and six months later nobody knows why certain sites behave oddly or why the security product’s DNS filtering has stopped working.
As we discussed on this week’s podcast, undocumented DNS changes cause enough outages in this country to count as a national pastime. Fine as a test. Not fine as a lifestyle.
Why Small Businesses Are Particularly Exposed
The DSIT Cyber Security Breaches Survey 2025 found that 43% of UK businesses experienced a cyber breach or attack in the past twelve months. The decline from 2024 was primarily among micro and small businesses reporting fewer phishing attacks. But medium and large enterprises showed consistently high exposure.
Here is the problem specific to DNS: small businesses typically have no DNS monitoring, no logging of resolver queries, and no process for auditing their router configurations. When something goes wrong, the investigation usually consists of someone saying “must be DNS,” someone else changing the resolver to 8.8.8.8, and everyone going back to work.
That approach misses three critical scenarios.
Malicious redirection. A compromised router quietly rewriting the DNS map. Users are sent to phishing pages or malware distribution sites. Without DNS logging, there is no evidence trail.
Command and control communication. Malware on an infected device uses DNS queries to communicate with its command infrastructure. If nobody monitors DNS traffic, the compromised device operates freely for weeks or months.
Data exfiltration via DNS tunnelling. Attackers encode stolen data into DNS queries, sending it out through a protocol that almost nobody inspects. The data leaves the building disguised as normal DNS traffic.
The NCSC’s Position
The NCSC does not mince words on this. Their Protective DNS service, launched in 2017, has resolved over 2.5 trillion DNS queries and prevented access to 1.5 million malicious domains for public sector organisations.
For private sector organisations that do not qualify for NCSC’s own PDNS, the guidance is explicit: procure protective DNS from trusted commercial providers. The NCSC recommends sourcing services from providers with proven cyber security expertise who can demonstrate regularly updated threat intelligence feeds and deny lists.
This is not a nice-to-have recommendation buried in a footnote. It is published guidance from the UK government’s own cyber security authority, aligned with equivalent guidance from the NSA and CISA in the United States.
The NCSC also recommends DNS logging as part of a broader monitoring strategy. Their Logging Made Easy project provides an open-source approach to help smaller organisations set up basic security logging, including DNS query visibility.
The Router Problem Nobody Talks About
Most UK small businesses run their entire network through a single router, often the one supplied by their ISP. That router handles DHCP, NAT, firewall rules, and DNS relay. It is the single most important piece of network infrastructure in the building, and it usually runs firmware that has not been updated since it was installed.
When that router’s DNS settings are changed, whether by an attacker, a well-meaning IT person, or a firmware update that resets configuration, every device on the network follows. There is no second opinion. There is no failover. The router says “ask this DNS server” and every laptop, phone, and printer obeys.
If you are running your business through a consumer-grade router with default credentials and unpatched firmware, you are hosting what amounts to a Victorian sewer and acting surprised when something smells off.
Protective DNS Options for SMBs
For businesses that want to improve their DNS security without enterprise budgets, three tiers of action are available.
Tier one: use known-good public resolvers. Cloudflare’s 1.1.1.1 offers speed and audited privacy. Quad9’s 9.9.9.9 adds security filtering, blocking known malicious domains. Google Public DNS at 8.8.8.8 is reliable but operated by an advertising company. All three support encrypted DNS protocols, DNS-over-HTTPS and DNS-over-TLS, which prevent your ISP or anyone else on the network path from seeing your queries in plain text.
Cloudflare also offers filtered variants: 1.1.1.2 blocks malware, and 1.1.1.3 blocks malware plus adult content. For a small business, 1.1.1.2 as a minimum is sensible.
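What an encrypted query to one of these resolvers actually looks like on the wire is worth seeing once, because it is the whole point of DNS-over-TLS: the query and reply travel inside a TLS session to port 853, so the ISP or a hostile network sees only the connection, not the names being looked up. The following is an added example written for this article using only the Python standard library; it is not a Cloudflare or Quad9 client. `build_query` and `parse_response` run offline against a constructed reply, and `query_dot` needs network access. The TLS hostnames are the ones the two providers publish for their filtering endpoints; check them against the providers' current documentation before relying on them.

```python
"""Minimal DNS-over-TLS (RFC 7858) lookup on the standard library. Added example
for this article, not a provider's client."""
import secrets
import socket
import ssl
import struct

# Filtering resolvers and their published TLS names (verify against provider docs).
RESOLVERS = {
    "cloudflare-malware": ("1.1.1.2", "security.cloudflare-dns.com"),
    "quad9": ("9.9.9.9", "dns.quad9.net"),
}


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Encode a recursive-desired query (RFC 1035 section 4.1) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)        # class IN


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                   # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_response(msg: bytes, expected_txid: int):
    """Return (rcode, [A-record addresses]) after checking the transaction ID."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: stale or forged reply")
    off = 12
    for _ in range(qd):                               # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection")
        buf += chunk
    return buf


def query_dot(name: str, resolver: str = "cloudflare-malware", timeout: float = 5.0):
    """Send one query over TLS on port 853 and return (rcode, addresses)."""
    ip, tls_name = RESOLVERS[resolver]
    txid = secrets.randbelow(1 << 16)
    q = build_query(name, txid)
    ctx = ssl.create_default_context()                # verifies the resolver's certificate
    with socket.create_connection((ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
            tls.sendall(struct.pack("!H", len(q)) + q)   # two-byte length prefix per RFC 7858
            size = struct.unpack("!H", _recv_exact(tls, 2))[0]
            return parse_response(_recv_exact(tls, size), txid)


# Constructed reply for offline use: txid 0x1234, RCODE 0, one A record whose
# owner name is a compression pointer (0xC00C) back to the question name.
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_REPLY, 0x1234))       # offline: (0, ['192.0.2.1'])
    print(query_dot("example.com"))                   # needs network access
```

A filtering resolver answers a blocked name with an empty or sinkholed reply rather than the real address, so running `query_dot` against a domain you already know to be on the provider's deny list is a quick way to confirm that the filtering tier is actually in the path.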
Tier two: commercial protective DNS. Services like Cisco Umbrella, DNSFilter, and Infoblox offer managed protective DNS with logging, reporting, and policy controls. These cost money but provide the kind of visibility that free public resolvers do not.
Tier three: DNS monitoring and alerting. If you have any security budget at all, monitor for unusual resolver traffic. If devices suddenly start using unfamiliar DNS servers, or resolver settings change without a planned reason, that is not normal background noise. That is an indicator that warrants investigation.
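The three scenarios described earlier (malicious redirection, command and control, and tunnelling) and the tier three monitoring above all come down to the same thing: a log of who asked what, and of whom, with a few rules run over it. The following is an added example written for this article, not any product's detection logic. It assumes a log with one query per line carrying timestamp, client, the resolver the query was sent to (as a firewall or flow log would record it), name and type; the sample lines, the approved resolver list, the thresholds and the "last two labels" notion of a parent domain are all assumptions, and the parent-domain rule deliberately ignores multi-part suffixes such as co.uk.

```python
"""Detection pass over a DNS query log: rogue resolvers, beaconing, tunnelling.
Added example for this article; format, thresholds and lists are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime
import math
import statistics

# Resolvers the business has chosen (Cloudflare malware filtering and Quad9).
APPROVED_RESOLVERS = {"1.1.1.2", "1.0.0.2", "9.9.9.9", "149.112.112.112"}

# Constructed sample log: time, client, resolver queried, qname, qtype.
# 192.168.1.40 has been pointed at 203.0.113.9 (a made-up rogue resolver),
# 192.168.1.55 asks for one name every 60 seconds, and 192.168.1.61 sends
# 32-character hex labels under tunnel.example.
SAMPLE_LOG = """\
2025-11-03T09:00:00Z 192.168.1.23 1.1.1.2 www.example.com A
2025-11-03T09:00:05Z 192.168.1.23 1.1.1.2 mail.example.com MX
2025-11-03T09:00:07Z 192.168.1.40 203.0.113.9 www.example.com A
2025-11-03T09:00:09Z 192.168.1.40 203.0.113.9 login.example.org A
2025-11-03T09:01:00Z 192.168.1.55 1.1.1.2 beacon.example.net A
2025-11-03T09:02:00Z 192.168.1.55 1.1.1.2 beacon.example.net A
2025-11-03T09:03:00Z 192.168.1.55 1.1.1.2 beacon.example.net A
2025-11-03T09:04:00Z 192.168.1.55 1.1.1.2 beacon.example.net A
2025-11-03T09:05:00Z 192.168.1.55 1.1.1.2 beacon.example.net A
2025-11-03T09:05:01Z 192.168.1.61 9.9.9.9 4d5a90000300000004000000ffff0000.tunnel.example TXT
2025-11-03T09:05:02Z 192.168.1.61 9.9.9.9 b8000000000000004000000000000000.tunnel.example TXT
2025-11-03T09:05:03Z 192.168.1.61 9.9.9.9 0e1fba0e00b409cd21b8014ccd215468.tunnel.example TXT
2025-11-03T09:05:04Z 192.168.1.61 9.9.9.9 69732070726f6772616d2063616e6e6f.tunnel.example TXT
"""


def parse_log(text: str):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, resolver, qname, qtype = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "client": client, "resolver": resolver,
                       "qname": qname.lower().rstrip("."), "qtype": qtype})
    return events


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score higher than real hostnames."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def find_rogue_resolvers(events):
    """Clients whose queries went to a resolver that is not on the approved list."""
    return sorted({(e["client"], e["resolver"]) for e in events
                   if e["resolver"] not in APPROVED_RESOLVERS})


def find_beacons(events, min_queries=5, max_jitter=0.1):
    """(client, qname) pairs queried repeatedly at near-constant intervals."""
    times = defaultdict(list)
    for e in events:
        times[(e["client"], e["qname"])].append(e["ts"])
    found = []
    for pair, ts in times.items():
        if len(ts) < min_queries:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) <= max_jitter * mean:
            found.append(pair)
    return sorted(found)


def find_tunnelling(events, min_unique=4, min_label_len=25, min_entropy=3.5):
    """Parent domains receiving many distinct, long or high-entropy leftmost labels."""
    labels = defaultdict(set)
    for e in events:
        parts = e["qname"].split(".")
        if len(parts) < 3:
            continue
        labels[".".join(parts[-2:])].add(parts[0])   # crude parent: last two labels
    found = []
    for parent, leftmost in labels.items():
        if len(leftmost) < min_unique:
            continue
        mean_len = statistics.mean(len(l) for l in leftmost)
        mean_ent = statistics.mean(shannon_entropy(l) for l in leftmost)
        if mean_len >= min_label_len or mean_ent >= min_entropy:
            found.append(parent)
    return sorted(found)


def analyse(text: str) -> dict:
    events = parse_log(text)
    return {"rogue_resolvers": find_rogue_resolvers(events),
            "beacons": find_beacons(events),
            "tunnelling": find_tunnelling(events)}


if __name__ == "__main__":
    for key, hits in analyse(SAMPLE_LOG).items():
        print(f"{key}: {hits}")
```

The rogue-resolver rule is the cheapest of the three and the one most SMBs lack: a firewall rule that logs (or blocks) outbound port 53 and 853 traffic to anything other than the approved resolvers turns a silent router change into an alert the same day.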
How to Turn This Into a Competitive Advantage
DNS security is one of those rare areas where a small investment creates disproportionate protection and credibility.
If you are bidding for contracts with larger organisations, demonstrating that you use protective DNS, maintain DNS logging, and have a documented resolver policy signals operational maturity. It is a concrete, verifiable control that procurement teams can assess.
For businesses handling client data, showing that you have addressed DNS-layer security helps satisfy due diligence requirements under UK GDPR. It is not a compliance checkbox; it is a genuine reduction in the risk of data being redirected or exfiltrated through a compromised resolver.
If your competitors are still running unpatched consumer routers with default DNS settings, you have an easy differentiation point. Use it.
How to Sell This to Your Board
The threat is current and measured. Over 706,000 DNS resolvers were exposed to cache poisoning in 2025. The vulnerabilities are disclosed, proof of concept code exists, and the affected software powers a significant portion of global DNS infrastructure. This is not speculative risk.
The fix is inexpensive. Switching to a protective DNS resolver costs nothing for the basic tier. Commercial options start at a few pounds per user per month. Compare that to the average cost of a cyber incident: the DSIT survey reports a mean cost per business of £10,000 for those who quantified losses.
The regulator expects it. The NCSC explicitly recommends protective DNS for private sector organisations. Following published government guidance is a defensible position in any regulatory or legal review. Not following it requires an explanation.
It protects remote workers too. A protective DNS client on laptops extends the protection beyond the office network. For businesses with staff working from home, coffee shops, or client sites, this closes a gap that most SMBs have not even identified.
What This Means for Your Business
- Audit your router DNS settings today. Log in to your router and check what DNS servers it is configured to use. If you do not know the login credentials, that is a separate problem to solve immediately. Document the current settings.
- Switch to a protective DNS resolver. At minimum, use Cloudflare’s 1.1.1.2 (malware filtering) or Quad9’s 9.9.9.9 (security filtering) as your primary DNS. Set this on the router so all devices inherit the setting. Document the change.
- Update your router firmware. Check for available updates. If your router is old enough that the manufacturer has stopped issuing patches, replace it. A router that cannot be patched is a router that cannot be trusted.
- Enable DNS logging if possible. Even basic logging of DNS queries gives you visibility you did not have before. The NCSC’s Logging Made Easy project is a free starting point.
- Deploy DNS protection for remote workers. If staff work outside the office, their DNS queries go through whatever resolver their home or hotel network provides. A protective DNS roaming client ensures they use your chosen resolver regardless of location.