Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by Infoblox (CSRB19)
Parliament bill publication: Written evidence. Commons.
Cyber Security and Resilience (Network and Information Systems) Bill (3rd February 2026)
Secure DNS Principles for UK Critical Infrastructure: Turning the Cyber Security and Resilience Bill into Practical Measures to Combat Cyber Fraud
Executive summary
The UK’s proposed Cyber Security and Resilience Bill, and the subsequent update of the NIS Regulations, are a significant step forward in strengthening the resilience of essential services and other NIS-regulated entities. As the Public Bill Committee considers how best to combat cyber crime and fraud, Infoblox proposes that the Domain Name System (DNS) be treated as a critical point of risk and control in cybersecurity in future regulatory requirements.
Infoblox, Inc. is a global company specializing in Domain Name System management and security. Our products are used by government agencies and critical infrastructure organizations around the world, and by over 90% of the Fortune 100 companies and 70% of the Fortune 500 companies. We are appreciative of our long-standing partnerships with key government agencies, including through Infoblox experts’ participation in the UK National Cyber Security Centre’s Industry 100 program.
Cyber crime is estimated to cost the UK economy approximately £14.7 billion per year, and one in five Britons falls victim to digital scams and fraud. Much of this malicious activity involves the exploitation or abuse of DNS, as attackers create fake webpages and take advantage of weak management of organisations’ domain names.
DNS is traditionally considered to be network infrastructure "in the background." DNS translates human-friendly domain names into machine-readable IP addresses, eliminating the need for users to remember and enter an IP address each time they want to access the internet or connect to other devices on their internal network. In practice, DNS is how people and systems "find" services online. Nearly every digital interaction begins with a DNS lookup. Unfortunately, malicious actors exploit this ubiquity to redirect users to fraudulent or malicious destinations, control compromised systems, and steal data from organisations, while also targeting registrars and authoritative providers to manipulate traffic at scale. At the same time, DNS offers a uniquely efficient opportunity to prevent connections to harmful destinations before they are established and to generate rich telemetry for incident response.
This activity is incredibly widespread and impactful, both for the UK economy and for individual citizens. We believe the Cyber Security and Resilience Bill provides an opportunity to address and reduce this risk. Scams in particular often present themselves as associated with the provision of critical infrastructure and services. People receive an alert from their bank or mortgage provider; an urgent request to pay a utility bill under threat of a critical service being cut off; or a scary alert from their healthcare provider. These are common tactics employed by malicious actors to fool individuals into sharing financial or other personal information or taking action against their own interests. These attacks are supported by abuse of poorly maintained domains or spoofing of valid domains to trick victims. The focus on critical infrastructure lends urgency and importance to the demand, making these scams more likely to succeed. These attacks undermine trust in critical infrastructure and cost the banking sector billions of pounds annually. Malicious actors also leverage DNS to target the businesses themselves, serving up ransomware and other types of malware and stealing sensitive data.
Recognising the importance of DNS in supporting this kind of malicious activity, in 2025 the United States’ National Institute of Standards and Technology (NIST) updated its deployment guide for "Secure DNS" principles, known as Special Publication 800-81r3. In its update, NIST made clear that DNS is no longer background network infrastructure, but rather "a foundational layer of network security in zero trust and defense-in-depth security risk management approaches." We therefore propose that Secure DNS principles be recognised as core elements of the UK’s regulatory approach to critical infrastructure, aligned to the NIST guidance and underpinned with key principles:
· deployment of Protective DNS with real-time blocking of malicious domains;
· encryption and authentication of DNS traffic, combined with integrity validation;
· policies and best practices to ensure organizations protect the integrity of their DNS infrastructure;
· separation of duties through dedicated DNS infrastructure and resilient authoritative operations; and
· use of DNS and IP address management (IPAM) data to enhance asset visibility.
As the Parliamentary Committee reviews the proposed Cyber Security and Resilience Bill and considers how best to support the need for more trust, reliability and resilience in our critical infrastructure, we encourage you to consider whether adoption of secure DNS practices could be one recommended element. Embedding these principles in future regulatory expectations would address a material class of current threats while reinforcing the UK’s broader zero-trust and resilience objectives. This is a practical, technology-neutral way to reduce scams and strengthen essential services.
How attackers exploit DNS
DNS was designed as the internet’s address book, not as a security protocol. This legacy makes it attractive to adversaries, and modern scam operations take full advantage of this. Large-scale criminal call centres and online fraud networks register and hijack thousands of domains, often including subdomains of well-known brands and public institutions, and then use DNS to steer potential victims into carefully choreographed multi-step scam journeys. When a person clicks on an online advertisement or a link in a message, their browser triggers DNS lookups that include information about their location and device. Based on that information, the DNS answer directs them either to a convincing scam site – for example, promising government investment opportunities or energy subsidies – or to a harmless decoy page if the visitor looks like a security researcher or automated scanner. Because the domain infrastructure used in these campaigns changes rapidly and is spread across many providers, traditional URL- or IP-based blocking struggles to keep pace. In practice, criminals can swap domains quickly, while simple blocklists fall behind.
These scams hit close to home. For instance, Infoblox Threat Intelligence identified the "Vigorish Viper" Chinese cybercrime syndicate, which demonstrates how DNS underpins even the most complex criminal ecosystems: Vigorish Viper operates a vast network of over 170,000 active domains, exploiting DNS to route users from apparently legitimate football sponsorship links to illegal gambling sites, with documented links to money laundering and human trafficking. The syndicate has been directly connected to sponsorship deals with European football clubs, including clubs in the English Premier League, illustrating how DNS-driven scams can exploit trusted UK-linked brands to draw users into a global illegal gambling and human-trafficking economy.
The industrial scale of cyber crime is also illustrated by the research into the "Vextrio Viper" threat actor. This Russian-nexus threat actor has been identified in 60% of Infoblox’s global customers and is ever present in those customers within the UK. This traffic distribution operation lies at the heart of organised cyber crime, intelligently classifying and redirecting victims to the scams, fraud and malware that are most likely to be successful. Their success lies in their ability to rapidly rotate domains in and out of service, re-purposing them not only for this broad array of cyber crime but also as a platform for the distribution of Russian disinformation campaigns. They are a clear and evident threat to UK citizens and UK critical infrastructure, and only through the application of DNS-centric threat intelligence on Protective DNS services can the UK expect to mitigate this and other DNS threat actors. The inconsistent application of these services allows these threat actors to continue to operate with impunity, even registering holding companies here in the UK and across Europe.
DNS is also abused to maintain persistence and scale. Attackers use it to point compromised websites and cloud resources to ever-changing back-end infrastructure, so that when one hosting provider closes an account, traffic can be redirected elsewhere simply by changing DNS records. In some campaigns, scripts on compromised sites use DNS queries to fetch encoded instructions or new destination addresses from attacker-controlled zones, effectively turning DNS into a low-profile command channel. By the time a particular domain or server is identified and blocked, the DNS configuration has often already moved on. Analysis of threat actors highlights how criminal gangs and nation-state actors rely on DNS as their primary control channel for compromised devices, posing a serious risk to the UK’s critical infrastructure organisations.
Beyond web redirection, DNS is also used as a quiet channel for data exfiltration and coordination. Where DNS is not monitored or controlled, it can be misused to move data out of networks unnoticed. Malicious software can embed fragments of stolen data inside DNS queries to attacker-controlled domains, or request updated instructions through apparently routine lookups. Because DNS traffic is expected and widespread – from office IT to industrial control systems – these patterns can blend into the background unless organisations deliberately monitor and control DNS as part of their security architecture. Assessments have shown that many critical infrastructure organisations here in the UK have no controls to mitigate this risk, allowing DNS unimpeded access to the Internet and providing an ideal exfiltration channel for threat actors.
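The monitoring the passage above calls for can be illustrated with a small detector. The following is an added example, not code from the Infoblox submission or any Infoblox product: it profiles resolver query logs per registered domain and flags the features that distinguish data carried in DNS queries (long, high-entropy leftmost labels, almost every query name unique, payload-bearing record types) from ordinary browsing. All domains, client addresses, log lines and thresholds are constructed for the demonstration, and the registered-domain helper approximates with the last two labels where a production tool would use the Public Suffix List.

```python
"""Heuristic detection of DNS-based data exfiltration in resolver query logs.

Added example; not code from the Infoblox submission. Every domain, client
address and log line below is constructed for the demonstration.
"""
import math
from collections import defaultdict

# Constructed resolver log: "<unix_ts> <client_ip> <qtype> <qname>" per line.
# The *.exfil-example.test queries mimic the pattern described in the text:
# hex-encoded chunks of a (constructed) document carried in the leftmost label.
SAMPLE_LOG = """\
1700000001 10.0.5.21 A    www.example-utility.test
1700000002 10.0.5.21 A    www.example-utility.test
1700000003 10.0.5.22 A    mail.example-utility.test
1700000004 10.0.5.22 A    www.example-utility.test
1700000005 10.0.5.23 A    cdn.example-utility.test
1700000006 10.0.5.23 A    mail.example-utility.test
1700000010 10.0.7.9  TXT  4a6f686e20536d697468.c.exfil-example.test
1700000011 10.0.7.9  TXT  2c2041636374204e6f2e.c.exfil-example.test
1700000012 10.0.7.9  TXT  203132333435363738.c.exfil-example.test
1700000013 10.0.7.9  TXT  392c204c6f6e646f6e.c.exfil-example.test
1700000014 10.0.7.9  TXT  2c20535731203141.c.exfil-example.test
1700000015 10.0.7.9  TXT  2c20554b2c20323032.c.exfil-example.test
"""

# Record types whose answers can carry sizeable payloads back to the client.
BULK_RECORD_TYPES = {"TXT", "NULL", "CNAME", "MX"}


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score higher than words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Approximate the registrable domain as the last two labels.
    Assumption for the example: production code would use the Public Suffix
    List so that names under e.g. co.uk are grouped correctly."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        records.append({"ts": int(ts), "client": client, "qtype": qtype.upper(),
                        "qname": qname.lower().rstrip(".")})
    return records


def profile_domains(records):
    """Aggregate per-domain features that separate tunnelling from browsing."""
    profiles = defaultdict(lambda: {"queries": 0, "names": set(), "label_len": 0,
                                    "entropy": 0.0, "bulk": 0, "clients": set()})
    for rec in records:
        p = profiles[registered_domain(rec["qname"])]
        leftmost = rec["qname"].split(".")[0]
        p["queries"] += 1
        p["names"].add(rec["qname"])
        p["label_len"] += len(leftmost)
        p["entropy"] += shannon_entropy(leftmost)
        p["bulk"] += int(rec["qtype"] in BULK_RECORD_TYPES)
        p["clients"].add(rec["client"])
    return profiles


def flag_suspicious(profiles, min_queries=5, max_mean_label_len=15.0,
                    min_mean_entropy=2.5, max_unique_ratio=0.8,
                    max_bulk_ratio=0.5, min_reasons=2):
    """Require several independent signals before raising a domain."""
    findings = {}
    for domain, p in profiles.items():
        n = p["queries"]
        if n < min_queries:
            continue
        reasons = []
        if p["label_len"] / n > max_mean_label_len:
            reasons.append("long_labels")
        if p["entropy"] / n > min_mean_entropy:
            reasons.append("high_entropy")
        if len(p["names"]) / n > max_unique_ratio:
            reasons.append("mostly_unique_names")
        if p["bulk"] / n > max_bulk_ratio:
            reasons.append("bulk_record_types")
        if len(reasons) >= min_reasons:
            findings[domain] = {"reasons": reasons, "queries": n,
                                "clients": sorted(p["clients"])}
    return findings


def run_detection(log_text):
    return flag_suspicious(profile_domains(parse_log(log_text)))


if __name__ == "__main__":
    for domain, finding in run_detection(SAMPLE_LOG).items():
        print(domain, finding)
```

The thresholds are deliberately conservative and the detector insists on at least two signals, because any one of them (a CDN with long cache-busting labels, a mail provider with many TXT lookups) occurs legitimately; in practice they are tuned against a baseline of the organisation's own traffic and the flagged domain is handed to the Protective DNS policy rather than acted on automatically.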
The good news is that the same properties that make DNS attractive to attackers – ubiquity, centrality and low overhead – also make it a powerful point of control when properly secured. "Protective DNS" can stop connections to malicious destinations before any network session is established, disrupt command-and-control, and provide high-value telemetry for incident response. Experience from government Protective DNS deployments, including that of the UK’s National Cyber Security Centre service, has shown that this approach can substantially reduce malware’s ability to communicate and limit the impact of successful intrusions. Taken together, these patterns demonstrate that DNS is not merely a background protocol. It is actively and creatively abused across the attack lifecycle, and any long-term policy framework for critical infrastructure cybersecurity that does not address DNS directly will leave a substantial gap.
New NIST deployment guide highlights Secure DNS practices
Recent updates to NIST Special Publication 800-81r3 mark an important shift in how DNS should be viewed: no longer as a background network utility, but as a foundational security control and a core component of both zero trust and defence-in-depth architectures. The revised framework aligns with NIS2 technical guidance and positions Secure DNS around three mutually reinforcing pillars: implementing protective DNS, securing the DNS protocol itself, and fortifying DNS infrastructure.
First, NIST emphasises protective DNS as a proactive control to stop threats before they reach users or systems. Protective DNS services continuously analyse DNS queries and responses to prevent access to domains associated with malware, ransomware, phishing and other malicious activity, including infrastructure that has not yet been widely recognised as harmful. Crucially, NIST defines the desired outcomes: blocking harmful traffic in real time and providing DNS data that supports investigation and response. The guidance notes that organisations can deploy protective DNS through third-party services, internally managed infrastructure, or – ideally – a combination of both approaches for greater resilience.
Second, the guide calls for securing the DNS protocol to improve integrity and confidentiality. Recommended measures include using DNSSEC to ensure the authenticity of DNS responses and encrypting DNS traffic to protect against unauthorised inspection. NIST also highlights basic hygiene that is often overlooked: monitoring for look-alike domains used in fraud and phishing, and regularly identifying and removing outdated or unused DNS records that can be repurposed as entry points by attackers. Together, these practices make it significantly harder to tamper with DNS data or to exploit gaps in DNS configuration.
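The two hygiene measures just listed, look-alike monitoring and stale record review, are both mechanical enough to script. What follows is an added example, not code from the Infoblox submission or from NIST SP 800-81r3: the first part folds common confusable characters and measures edit distance from a watchlist of brand names, the second walks a zone export and flags CNAMEs whose targets no longer resolve and names that nobody has queried in months. The brand names, candidate domains, zone records, the stand-in sets for live resolution results and last-query dates, and the 180-day idle threshold are all constructed.

```python
"""Look-alike domain monitoring and stale record review.

Added example illustrating the hygiene measures the guidance describes; it is
not code from the Infoblox submission or from NIST SP 800-81r3. Brand names,
domains, zone records, resolution results and dates are all constructed.
"""
from datetime import date

# Confusable substitutions seen in look-alike registrations (deliberately partial).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}

BRANDS = ["examplebank", "example-utility"]                  # names to protect
OWN_DOMAINS = {"examplebank.test", "example-utility.test"}   # the genuine domains
# Constructed feed of newly registered or newly queried names to review.
CANDIDATES = [
    "examplebank.test", "examp1ebank.test", "examplebank-login.test",
    "examplbank.test", "examplebank.secure-update.test",
    "exampleutility-pay.test", "weatherreport.test",
]


def normalise_label(label):
    """Fold confusable sequences and hyphens so variants compare equal."""
    s = label.lower()
    for src, dst in HOMOGLYPHS.items():
        s = s.replace(src, dst)
    return s.replace("-", "")


def levenshtein(a, b):
    """Edit distance; a single substitution, insertion or deletion is the typical typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(candidates, brands, own_domains, max_distance=1):
    """Return {domain: [(brand, reason, offending_label), ...]}."""
    targets = [(b, normalise_label(b)) for b in brands]
    hits = {}
    for domain in candidates:
        d = domain.lower().rstrip(".")
        if d in own_domains:
            continue
        for label in d.split(".")[:-1]:      # every label except the TLD
            n = normalise_label(label)
            for brand, nb in targets:
                if n == nb:
                    reason = "exact_or_confusable"   # brand used as a label elsewhere
                elif nb in n:
                    reason = "brand_embedded"        # e.g. brand-login
                elif levenshtein(n, nb) <= max_distance:
                    reason = "near_miss"             # one-character typo
                else:
                    continue
                hits.setdefault(d, []).append((brand, reason, label))
    return hits


# Constructed zone export: (name, type, target).
ZONE = [
    ("www.example-utility.test", "A", "198.51.100.10"),
    ("old-portal.example-utility.test", "CNAME", "portal-legacy.cloud-host.test"),
    ("status.example-utility.test", "CNAME", "status-page.vendor-host.test"),
    ("dev2019.example-utility.test", "A", "198.51.100.77"),
]
# Stand-ins for live data: CNAME targets that still resolve, and the last date
# each zone name was requested according to resolver logs.
RESOLVABLE = {"status-page.vendor-host.test"}
LAST_QUERIED = {
    "www.example-utility.test": date(2026, 1, 30),
    "status.example-utility.test": date(2026, 1, 29),
    "old-portal.example-utility.test": date(2025, 3, 2),
    "dev2019.example-utility.test": date(2024, 11, 15),
}


def find_stale_records(zone, resolvable, last_queried, today, max_idle_days=180):
    """Flag dangling CNAMEs and names nobody has asked for in max_idle_days."""
    findings = []
    for name, rtype, target in zone:
        reasons = []
        if rtype == "CNAME" and target not in resolvable:
            reasons.append("dangling_cname")
        seen = last_queried.get(name)
        if seen is None or (today - seen).days > max_idle_days:
            reasons.append("unused")
        if reasons:
            findings.append((name, rtype, reasons))
    return findings


if __name__ == "__main__":
    print(find_lookalikes(CANDIDATES, BRANDS, OWN_DOMAINS))
    print(find_stale_records(ZONE, RESOLVABLE, LAST_QUERIED, date(2026, 2, 3)))
```

Both checks produce review queues rather than automatic actions: a look-alike hit becomes a takedown or blocklist candidate, and a dangling CNAME is removed (or re-pointed) before the abandoned target can be claimed by someone else.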
Third, NIST stresses the need to secure DNS infrastructure so that it remains available and trustworthy even under attack. Because DNS is essential to almost every networked service, its failure can have outsized operational and financial impacts. The guidance encourages separating DNS services from other core systems to limit the blast radius of a compromise, hardening DNS servers by closing unnecessary ports and services and applying timely patches, and engineering high availability and redundancy so that services can withstand Distributed Denial of Service (DDoS) attacks and other disruptions. Continuous monitoring of DNS traffic for abnormal behaviour is presented as a key element of this resilience, enabling operators to detect and respond to attacks in real time.
These principles are also embedded in other regulatory frameworks. The European Union’s NIS2 regulation for critical infrastructure explicitly calls for applying "best practices for the security of DNS", and its technical implementation recommendations align to NIST’s guidance. For critical infrastructure regulations, these NIST principles provide a clear, technology-neutral benchmark: DNS controls should be capable of blocking malicious activity before it reaches critical systems, assuring the integrity and confidentiality of name resolution, and maintaining service continuity even in the face of determined attack. Aligning future guidance with this Secure DNS model would help ensure that critical infrastructure operators treat DNS as a core security control, rather than simply a supporting connectivity service.
Recommendations for Critical Infrastructure Cybersecurity
Looking ahead, we believe Secure DNS should be treated as a core element of future critical infrastructure regulations, not an optional extra. Several concrete expectations naturally follow from the threat picture and from emerging best practice, including NIST’s deployment guidance.
First, protective DNS should be recognised as a baseline control. In practical terms, this means that critical infrastructure operators use managed recursive resolvers that block access to malicious and newly observed domains in real time, log queries and responses in a proportionate and privacy-respecting way, and make this telemetry available to security teams and, where appropriate, to CSIRTs. Protective DNS intervenes at the very start of the connection, preventing users and systems from ever reaching known harmful infrastructure and providing high-value indicators that can be used to contain incidents quickly – including in environments where endpoint tooling is uneven or difficult to deploy, such as legacy OT.
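To make the baseline concrete, both for the NIST description of protective DNS earlier on this page and for the expectation set out here, the following added example shows the decision a protective resolver makes per query and the telemetry it keeps. It is not code from the Infoblox submission, the NCSC service or NIST SP 800-81r3. It applies a categorised blocklist with an explicit allowlist, treats a domain first seen less than 24 hours ago as "newly observed" and blocks it, answers NXDOMAIN for blocked names, and records the querying client only as a keyed HMAC pseudonym so the log can be shared with a security team or CSIRT without carrying raw addresses. The blocklist entries, first-seen feed, client addresses, key and 24-hour window are all constructed; matching a name together with all of its subdomains follows the response policy zone (RPZ) convention that recursive resolvers use.

```python
"""Protective DNS policy decision with proportionate, pseudonymised telemetry.

Added example; not code from the Infoblox submission, the NCSC PDNS service or
NIST SP 800-81r3. Blocklist, allowlist, first-seen data, client addresses and
the pseudonymisation key are constructed for the demonstration.
"""
import hashlib
import hmac
from collections import Counter

# Categorised blocklist: a match covers the name and every subdomain beneath it.
BLOCKLIST = {
    "phish-example.test": "phishing",
    "c2-example.test": "command-and-control",
    "shared-hosting-example.test": "malware",
}
# Reviewed exceptions, matched exactly (a legitimate tenant on a blocked host).
ALLOWLIST = {"payroll.shared-hosting-example.test"}
# First-seen timestamps (unix seconds), as a passive-DNS feed would supply them.
FIRST_SEEN = {"brand-new-offer.test": 1_700_000_000, "example-utility.test": 1_600_000_000}
NOD_WINDOW_SECONDS = 24 * 3600          # "newly observed domain" window (constructed)
PSEUDONYM_KEY = b"constructed-demo-key-rotate-in-production"


def name_and_parents(qname):
    """a.b.c.test -> [a.b.c.test, b.c.test, c.test, test]"""
    labels = qname.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def decide(qname, now):
    """Policy verdict for one query at time `now`, most specific rule first."""
    q = qname.lower().rstrip(".")
    if q in ALLOWLIST:
        return {"action": "allow", "reason": "allowlist", "match": q}
    for d in name_and_parents(q):
        if d in BLOCKLIST:
            return {"action": "block", "reason": BLOCKLIST[d], "match": d}
    for d in name_and_parents(q):
        first = FIRST_SEEN.get(d)
        if first is not None and 0 <= now - first < NOD_WINDOW_SECONDS:
            return {"action": "block", "reason": "newly-observed-domain", "match": d}
    return {"action": "allow", "reason": "no-policy-match", "match": None}


def pseudonymise(client_ip):
    """Stable per-client token that cannot be reversed without the key."""
    return hmac.new(PSEUDONYM_KEY, client_ip.encode(), hashlib.sha256).hexdigest()[:16]


def resolve_with_policy(qname, client_ip, now):
    """Return (answer, log_record). Blocked names get NXDOMAIN; others recurse."""
    verdict = decide(qname, now)
    answer = "NXDOMAIN" if verdict["action"] == "block" else "forward-to-recursion"
    record = {"ts": now, "client": pseudonymise(client_ip),
              "qname": qname.lower().rstrip("."), **verdict}
    return answer, record


def summarise(records):
    """Blocked queries rolled up by reason, the shape a CSIRT feed would carry."""
    return dict(Counter(r["reason"] for r in records if r["action"] == "block"))


def demo(now=1_700_003_600):
    queries = [                                   # constructed traffic sample
        ("login.phish-example.test", "10.0.5.21"),
        ("www.c2-example.test", "10.0.5.22"),
        ("payroll.shared-hosting-example.test", "10.0.5.22"),
        ("cdn.shared-hosting-example.test", "10.0.5.23"),
        ("promo.brand-new-offer.test", "10.0.7.9"),
        ("www.example-utility.test", "10.0.5.21"),
    ]
    records = [resolve_with_policy(q, ip, now)[1] for q, ip in queries]
    return records, summarise(records)


if __name__ == "__main__":
    records, summary = demo()
    for r in records:
        print(r)
    print(summary)
```

The pseudonym is keyed, not a bare hash, so the token cannot be recomputed from a list of internal addresses by anyone who lacks the key; the security team that holds the key can still re-identify a client when an incident requires it, which is the proportionality the text asks for.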
Second, encryption and integrity for DNS traffic should become the norm rather than the exception. Requiring encrypted DNS protects the confidentiality of queries and reduces opportunities for on-path manipulation.
Third, to reduce implicit trust and strengthen resiliency, DNS should not coexist with other mission-critical services on the same system, because vulnerabilities in any additional software can be used to compromise DNS security and availability. For mission-critical functions, the infrastructure that hosts DNS services should be dedicated to that purpose, rather than co-hosting multiple mission-critical applications or services. This is known as "separation of duties." Running core DNS functions on purpose-built platforms reduces the blast radius of a compromise and limits the ways in which vulnerabilities in unrelated software can be used to disrupt DNS itself.
Fourth, DNS and IP address management data should be explicitly recognised as sources of asset and security telemetry. In many complex environments, DNS and IP allocation records are the only truly up-to-date view of which devices are present, where they sit in the network and which services they attempt to reach. Treating this data as a security signal – for example, by feeding it into SIEM/SOAR platforms – allows operators to maintain more accurate inventories, spot unauthorised or unmanaged devices as soon as they start making DNS requests, and link suspicious DNS activity to specific assets for rapid containment.
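The correlation this paragraph describes is, at its core, a join between the resolver's query log and the IPAM allocation records. The following added example (not code from the Infoblox submission or any Infoblox product) classifies each querying address as a managed asset, an unmanaged device inside an allocated network, or a source outside IPAM's scope entirely, enriches each query with that status, raises the severity of blocked queries, and reports when each unknown device first appeared. The IPAM networks and host records, the query log with its allow/block verdicts, and the severity labels are constructed to stand in for the SIEM/SOAR input an operator would assemble.

```python
"""Correlating protective-DNS query logs with IPAM allocations to surface
unmanaged devices and tie suspicious DNS activity to named assets.

Added example; not code from the Infoblox submission or any Infoblox product.
IPAM data, the query log and the severity scheme are constructed.
"""
import ipaddress

# Constructed IPAM data: allocated networks, and the assets recorded in them.
IPAM_NETWORKS = {
    "10.0.5.0/24": "office-clients",
    "10.0.7.0/24": "ot-zone-a",
}
IPAM_HOSTS = {
    "10.0.5.21": {"asset": "ws-finance-03", "owner": "finance"},
    "10.0.5.22": {"asset": "ws-finance-04", "owner": "finance"},
    "10.0.7.9": {"asset": "plc-gateway-01", "owner": "ot-engineering"},
}
# Constructed protective-DNS log: (unix_ts, client_ip, qname, verdict).
QUERY_LOG = [
    (1700000001, "10.0.5.21", "www.example-utility.test", "allow"),
    (1700000002, "10.0.5.99", "update.example-vendor.test", "allow"),
    (1700000003, "10.0.9.4", "time.example-ntp.test", "allow"),
    (1700000004, "10.0.7.9", "beacon.c2-example.test", "block"),
    (1700000005, "10.0.5.22", "www.example-utility.test", "allow"),
    (1700000006, "10.0.5.99", "beacon.c2-example.test", "block"),
]


def classify_source(ip):
    """Map a querying address to its IPAM status: (status, asset or network)."""
    if ip in IPAM_HOSTS:
        return "managed", IPAM_HOSTS[ip]["asset"]
    addr = ipaddress.ip_address(ip)
    for cidr, network_name in IPAM_NETWORKS.items():
        if addr in ipaddress.ip_network(cidr):
            return "unmanaged", network_name   # allocated range, no asset record
    return "unallocated", None                 # address space IPAM knows nothing about


def correlate(log):
    """Turn raw query records into asset-aware events for a SIEM/SOAR."""
    events = []
    for ts, ip, qname, verdict in log:
        status, ref = classify_source(ip)
        event = {
            "ts": ts, "client": ip, "qname": qname, "verdict": verdict,
            "ipam_status": status,
            "asset": ref if status == "managed" else None,
            "network": ref if status == "unmanaged" else None,
            "severity": "info", "note": "",
        }
        if status == "unmanaged":
            event["severity"] = "medium"
            event["note"] = f"device in {ref} without an IPAM asset record"
        elif status == "unallocated":
            event["severity"] = "medium"
            event["note"] = "query from address space not allocated in IPAM"
        if verdict == "block":
            # A blocked query is the containment trigger; the enrichment says
            # whether there is a named asset to act on or only an address.
            event["severity"] = "high"
            event["note"] = (f"blocked query attributed to {ref}" if status == "managed"
                             else f"blocked query from {status} device; contain by address")
        events.append(event)
    return events


def first_seen_unmanaged(events):
    """Earliest query from each non-managed address: when the unknown device appeared."""
    seen = {}
    for e in events:
        if e["ipam_status"] != "managed" and e["client"] not in seen:
            seen[e["client"]] = e["ts"]
    return seen


if __name__ == "__main__":
    evs = correlate(QUERY_LOG)
    for e in evs:
        print(e["severity"], e["client"], e["ipam_status"], e["note"])
    print(first_seen_unmanaged(evs))
```

The useful property is the asymmetry in the two "high" events: the blocked query from the OT gateway resolves straight to an owner and a device, while the one from the unmanaged office address gives the responder only an IP and a network, which is itself the finding the inventory gap produces.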
Taken together, these expectations would give critical infrastructure operators a clear, outcome-focused picture of what "good" looks like for Secure DNS, while leaving room for different technical implementations and service models as the underlying technology continues to evolve.
Outcomes
Embedding these Secure DNS principles in the future regulatory framework would have tangible benefits. It would significantly improve the UK’s protection against DNS-enabled fraud, scams, and cyber attacks, reduce successful redirections to fraudulent and malicious destinations, disrupt command-and-control and data theft earlier in the attack chain, enhance asset visibility and detection of unauthorised devices, and strengthen the resilience of DNS services that underpin essential functions. Most importantly, it would bring DNS fully into the UK’s zero-trust approach, ensuring that one of the most widely used and most abused protocols is treated as a security control rather than simply background network infrastructure.
For More Information:
Infoblox Threat Intelligence: https://www.infoblox.com/threat-intel/
Criminal group’s link to European football sponsorships: https://www.infoblox.com/news/news-events/press-releases/infoblox-exposes-chinese-cybercrime-syndicate-linking-european-football-sponsors-human-trafficking-and-a-trillion-dollar-illegal-gambling-economy/
Contact:
· Craig Sanderson, Vice President, Principal Cybersecurity Strategist, csanderson@infoblox.com
· Coleman Mehta, Vice President, Global Public Policy and Strategy, cmehta@infoblox.com
January 2026
Prepared 3rd February 2026