Most enterprise security programs are built around the threats they can see. Firewalls, endpoint detection, identity management — these categories receive board-level attention and multi-million-dollar budgets. But beneath all of it sits a foundational layer of internet infrastructure that is quietly, systematically failing: DNS.
The Domain Name System is the mechanism that translates every human-readable web address into a machine-routable IP address. It is, as Akamai Advisory CISO Steve Winterfeld describes it, the phone book and GPS of the internet combined. Nothing moves on a network without DNS working correctly — and yet, new research from Akamai reveals that the vast majority of organizations are not applying even the most basic security controls to it.
The finding is stark: 85% of observed domains failed foundational DNS controls. Not advanced controls. Not zero-day protections. The basics — Start of Authority integration, Certificate Authority Authorization, and DNSSEC. These are the hygiene fundamentals that security teams have had years to implement, and they are still widely absent.
What makes this particularly dangerous is not the technical gap itself, but the organizational blind spot that surrounds it. DNS issues are chronically misdiagnosed, underreported, and under-prioritized. As Winterfeld notes, there is even an industry joke that captures the problem perfectly: “What’s the issue? It can’t be DNS. It is DNS.” The humor lands because it is true — and because the consequences of that denial are now measurable at scale.
Compounding the challenge, the threat landscape around DNS is evolving. The arrival of practical quantum computing will render current cryptographic protections obsolete, making certificate lifecycle management an urgent operational concern — not a future-state problem. Organizations that have not yet gotten foundational DNS security right will face an even steeper climb as the quantum threat matures.
The Guest: Steve Winterfeld, Advisory CISO at Akamai
Key Takeaways
- Akamai research found 85% of observed domains failed foundational DNS security controls, including DNSSEC, Certificate Authority Authorization (CAA), and Start of Authority (SOA) integration.
- DNS is a systemic hidden threat — chronic underdiagnosis and low risk prioritization leave organizations silently exposed at a foundational infrastructure level.
- Quantum computing is accelerating urgency around certificate management, requiring organizations to manage cryptographic keys as a first-class security asset.
- Akamai has published a DNS hygiene checklist that security teams can use to assess their own maturity and control coverage.
- DNS security is not an advanced capability — it is foundational hygiene that the majority of organizations have yet to achieve.
***
Read Full Transcript & Technical Deep Dive
Speaking with TFiR, Steve Winterfeld, Advisory CISO at Akamai, defined the current state of DNS security risk and explained why this underappreciated infrastructure layer has become one of the most consequential blind spots in enterprise cybersecurity.
What Is DNS and Why Does It Matter for Security?
DNS — the Domain Name System — is the foundational translation layer of the internet, converting human-readable domain names into IP addresses that network infrastructure can route. Despite its criticality, it is among the least scrutinized layers of enterprise security architecture. Winterfeld frames it plainly: DNS is both the phone book and the GPS of the internet. Compromise or misconfiguration at this layer affects everything built on top of it.
Q: How did Akamai arrive at DNS as a priority focus area for this year’s research?
Steve Winterfeld: “Akamai tends to talk to customers about what customers need. And one of the hidden threats — because we do a lot of DNS — is that DNS is kind of this hidden threat. I remember doing troubleshooting and we joke about this in the paper: you ask what’s the problem, and say it can’t be DNS. It is DNS. We sat back, took some of the management we do around DNS, and found that 85% of observed domains failed foundational DNS controls — things like Start of Authority integration, Certificate Authority Authorization, and DNSSEC. These are some of the basics.”
The 85% Statistic: What Foundational DNS Controls Are Being Missed?
Akamai’s research draws on its extensive DNS management visibility to surface a finding that should alarm enterprise security leaders. The three foundational controls that are broadly absent — DNSSEC, Certificate Authority Authorization (CAA), and Start of Authority (SOA) integration — are not new or complex requirements. Their widespread absence reflects an organizational prioritization failure as much as a technical one.
Q: What specific controls are most commonly missing, and what does that exposure look like?
Steve Winterfeld: “85% of observed domains failed foundational DNS controls — things like Start of Authority integration, Certificate Authority Authorization, and DNSSEC. These are the basics. We’re seeing so much come from this angle that often isn’t well managed and isn’t put high enough in the risk portfolio to get the attention it deserves.”
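The three controls named in this section can be turned into a concrete self-check. The following is an added example, not Akamai's checklist or any Akamai tooling: it evaluates a zone snapshot against SOA consistency (presence plus the timer relationships from RFC 1912), CAA presence (an `issue`/`issuewild` record, and no unknown critical tags), and the DNSSEC chain of trust (a key-signing DNSKEY whose RFC 4034 key tag matches a DS published by the parent). The zone data is constructed inline, the `good.example` and `weak.example` names and the KSK bytes are placeholders, and DS records are simplified to (key tag, algorithm) with no digest verification; a real assessment would fill the same structure from live answers for the apex and the parent zone.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Finding:
    control: str
    passed: bool
    detail: str

def dnskey_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B over the DNSKEY RDATA (flags, protocol, algorithm, key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_caa(text: str) -> dict:
    """Parse presentation-format CAA RDATA such as '0 issue "letsencrypt.org"'."""
    flags, tag, value = text.split(" ", 2)
    return {"flags": int(flags), "tag": tag.lower(), "value": value.strip('"')}

def check_soa(soa: dict | None) -> Finding:
    """Presence plus the timer relationships recommended in RFC 1912 section 2.2."""
    if soa is None:
        return Finding("SOA", False, "no SOA at the apex: nothing declares authority for the zone")
    problems = []
    if soa["serial"] == 0:
        problems.append("serial is 0 (secondaries cannot track zone updates)")
    if soa["retry"] >= soa["refresh"]:
        problems.append("retry should be shorter than refresh")
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        problems.append("expire should exceed refresh + retry")
    return Finding("SOA", not problems, "; ".join(problems) or "present, timers consistent")

def check_caa(caa_texts: list[str]) -> Finding:
    """Without an issue/issuewild record any public CA may issue for the name."""
    records = [parse_caa(t) for t in caa_texts]
    issue = [r for r in records if r["tag"] in ("issue", "issuewild")]
    if not issue:
        return Finding("CAA", False, "no issue/issuewild record: certificate issuance is unrestricted")
    # A critical flag (bit 128) on a tag the CA does not understand makes it refuse to issue at all
    unknown_critical = [r["tag"] for r in records
                        if r["flags"] & 128 and r["tag"] not in ("issue", "issuewild", "iodef")]
    if unknown_critical:
        return Finding("CAA", False, f"unknown critical tag(s) {unknown_critical}: issuance will be blocked")
    cas = sorted({r["value"] for r in issue})
    detail = 'no CA authorized (issue ";")' if cas == [";"] else "issuance restricted to " + ", ".join(cas)
    return Finding("CAA", True, detail)

def check_dnssec(dnskeys: list[bytes], ds_at_parent: list[tuple[int, int]]) -> Finding:
    """A DNSKEY at the apex and a matching DS in the parent close the chain of trust.
    DS records are simplified to (key tag, algorithm); digests are not verified here."""
    if not dnskeys:
        return Finding("DNSSEC", False, "zone is unsigned: no DNSKEY published")
    # Key-signing keys carry the SEP bit (flags 257); map their key tags to algorithms
    ksk = {dnskey_tag(k): k[3] for k in dnskeys if int.from_bytes(k[:2], "big") & 1}
    if not ds_at_parent:
        return Finding("DNSSEC", False, "signed, but no DS in the parent: validators treat the zone as insecure")
    anchored = [tag for tag, alg in ds_at_parent if ksk.get(tag) == alg]
    if not anchored:
        return Finding("DNSSEC", False, "DS in the parent matches no KSK: validating resolvers will fail the zone")
    return Finding("DNSSEC", True, f"chain of trust anchored via key tag(s) {anchored}")

def assess(zone: dict) -> list[Finding]:
    """Run all three foundational checks on one zone snapshot."""
    return [check_soa(zone.get("SOA")),
            check_caa(zone.get("CAA", [])),
            check_dnssec(zone.get("DNSKEY", []), zone.get("DS_AT_PARENT", []))]

def passed_count(findings: list[Finding]) -> int:
    return sum(f.passed for f in findings)

# Constructed sample data: the key bytes are a placeholder, not a real DNSKEY.
KSK = bytes([0x01, 0x01, 0x03, 0x0D, 0x01, 0x02, 0x03, 0x04])  # flags 257, protocol 3, alg 13, 4-byte "key"
GOOD_ZONE = {
    "SOA": {"serial": 2024060101, "refresh": 7200, "retry": 900, "expire": 1209600, "minimum": 300},
    "CAA": ['0 issue "letsencrypt.org"', '0 iodef "mailto:security@example.com"'],
    "DNSKEY": [KSK],
    "DS_AT_PARENT": [(dnskey_tag(KSK), 13)],  # parent publishes a DS derived from the KSK
}
WEAK_ZONE = {  # the common failing case: inconsistent SOA timers, no CAA, no DNSSEC
    "SOA": {"serial": 0, "refresh": 600, "retry": 900, "expire": 1200, "minimum": 300},
}

if __name__ == "__main__":
    for name, zone in (("good.example", GOOD_ZONE), ("weak.example", WEAK_ZONE)):
        findings = assess(zone)
        print(f"{name}: {passed_count(findings)}/3 foundational controls")
        for f in findings:
            print(f"  [{'PASS' if f.passed else 'FAIL'}] {f.control}: {f.detail}")
```

Two of the failure states are worth reading closely: a zone with a DNSKEY but no DS in the parent is merely unvalidated, while a DS that matches no key-signing key causes validating resolvers to reject the zone outright, so a DNSSEC rollout must be checked from the parent side, not only from the apex.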
Quantum Computing and the Certificate Management Imperative
Beyond current-state DNS hygiene, Winterfeld flags the emerging quantum computing threat as a forcing function for certificate lifecycle management. Cryptographic certificates — the keys that underpin encrypted communications and authenticated DNS responses — will be vulnerable to quantum-capable adversaries. Organizations that are already failing basic certificate hygiene face a compounding risk as quantum timelines accelerate.
Q: How does quantum computing factor into the DNS and certificate management risk conversation?
Steve Winterfeld: “We also talked about the impact of quantum computing, managing your certs — which are the keys for protection. We provided a checklist that you can use to check the hygiene level, the maturity level of yours, because we’re seeing so much come from this angle that often isn’t well managed and isn’t put high enough in the risk portfolio to get the attention it deserves.”
The DNS Hygiene Checklist: A Practical Maturity Tool
In response to the breadth of the DNS security gap it identified, Akamai has published a practical checklist enabling security teams to assess their own DNS control coverage and maturity. The checklist addresses the foundational controls highlighted in the research and is designed to translate the research findings into actionable operational steps for practitioners and CISOs alike.
Q: What practical resource is Akamai offering to help organizations address their DNS security posture?
Steve Winterfeld: “We provided a checklist that you can use to check the hygiene level, the maturity level of yours — because we’re seeing so much come from this angle that often isn’t well managed and isn’t put high enough in the risk portfolio to get the attention it deserves.”