COMMENTARY: DNS filtering matters. The threats described in this article aren’t abstract. They’re the kinds of attacks MSPs are already seeing, where signatures fail, and domains change faster than tools can track them. The article makes a strong case that DNS is still a practical control because so much malware depends on it to function. The bigger point is about expectations. DNS filtering isn’t an extra anymore. It’s a baseline, and MSPs that treat it that way are better positioned to protect clients and maintain trust.
With polymorphic malware now using large language models to autonomously rewrite code, and with 140% growth in newly weaponized domains, traditional signature-based defenses no longer suffice. Supply chain compromises—like npm package takeovers—are further amplifying the risks for managed security providers’ (MSPs) clients.
For MSPs today, maintaining client trust and business continuity hinges on providing top-notch, next-generation protection. DNS filtering is core to this protection, and it remains just as relevant as ever. These converging trends are reshaping the attack surface, and DNS-layer defenses are now a frontline requirement. For MSPs, the opportunity lies in positioning DNS filtering as an indispensable zero-day protection tool, reinforcing their role as trusted advisors in an era where static lists and legacy tools fall short.
Shifting threat landscape and emerging new threats
Attackers are forever inventing ways to achieve their goals. New, sophisticated attacks are emerging, like polymorphic malware and AI weaponization. Recent attacks have demonstrated the power of polymorphic malware that autonomously rewrites its code to evade detection and signature-based defenses. Threat actors can leverage open-source LLM frameworks—such as Ollama (an open-source API that interfaces with large language models) bundled with an OpenAI open-weights model—to create malware capable of rapid mutation, self-improvement, and context-aware exploitation in real time.
PromptLock is another example. This new breed of autonomous, adaptive malware is capable of infiltrating systems, persisting undetected, and launching targeted campaigns without human intervention, forcing defenders to adopt advanced behavioral and AI-powered detection approaches.
Standard endpoint detection and response (EDR) and antivirus solutions rely on predefined behavioral patterns, static rules, and known signatures to identify threats. Yet PromptLock and similar AI-driven malware are able to change their code, communication patterns, and execution paths continuously and in real time. This enables the malware to avoid being matched to any known predictable behavior or signature.
Malware this adaptable and dynamic can hide amidst legitimate processes, disable or elude local agents, and even improve future attacks by learning from defensive responses. Consequently, traditional EDR and antivirus systems, which are designed to find known or semi-predictable threats, are easily outwitted unless they are bolstered with ongoing threat hunting and anomaly detection, as well as AI models capable of identifying minor deviations from baseline activity.
Then there’s the domain deluge: the rise in new domains that are being weaponized. Bad actors use short-lived and repurposed domains to bypass detection. With the use of domain generation algorithms, they’re able to churn out thousands, sometimes tens of thousands, of random domain names every day.
Static blocklists can’t keep up with the massive volume and quick turnover of malicious domains. Bad actors register and abandon domains within hours, easily staying ahead of lists that rely on known threat data. Thus, by the time a domain is added to a blocklist, it’s often already been replaced. This leaves gaps that DNS filtering must fill with real-time threat intelligence and adaptive analysis.
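To make the gap between a static blocklist and adaptive analysis concrete, here is an added example (not DNSFilter's code or anything from the article) that scores constructed DNS query log lines with a simple lexical DGA heuristic: entropy, digit ratio and consonant runs. The log format, domains, weights and threshold are assumptions; the two freshly generated names are absent from the stale blocklist and are caught only by the heuristic.

```python
# Added example (not DNSFilter's or the article's code): lexical DGA scoring
# over constructed DNS query log lines. Domains, weights, threshold and the
# log format are assumptions chosen for illustration only.
import math
import re
from collections import Counter

# Constructed: a static blocklist that only knows one already-stale domain.
STATIC_BLOCKLIST = {"old-bad-domain.example"}

# Constructed sample log lines: "<timestamp> <client-ip> <qname>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.12 www.wikipedia.org
2024-05-01T10:00:02Z 10.0.0.12 old-bad-domain.example
2024-05-01T10:00:03Z 10.0.0.17 xk7q2v9zp4mw1bt8.net
2024-05-01T10:00:04Z 10.0.0.17 stackoverflow.com
2024-05-01T10:00:05Z 10.0.0.21 f8a3c1e9d0b7a6c2e4f1.com
"""

def shannon_entropy(text):
    """Bits per character; random-looking labels approach log2(len(text))."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def registrable_label(qname):
    """Second-level label: 'xk7q2v9zp4mw1bt8' for 'xk7q2v9zp4mw1bt8.net'."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(qname):
    """Score in [0, 1] from entropy, digit ratio and longest consonant run."""
    label = registrable_label(qname)
    if len(label) < 8:                      # short labels carry too little signal
        return 0.0
    entropy = shannon_entropy(label) / 4.0  # ~4 bits/char is near-random
    digits = sum(ch.isdigit() for ch in label) / len(label)
    run = max(len(m) for m in re.findall(r"[^aeiou0-9]+", label) or [""])
    return min(1.0, 0.5 * entropy + 0.4 * digits + 0.1 * (run / 5))

def classify(line, threshold=0.55):
    """Map one log line to (qname, verdict); the blocklist is checked first."""
    qname = line.split()[-1]
    if qname.lower() in STATIC_BLOCKLIST:
        return qname, "blocklist"
    return qname, "dga-heuristic" if dga_score(qname) >= threshold else "allow"

def scan_log(log=SAMPLE_LOG):
    """Verdict per queried name; the two fresh DGA names escape the blocklist."""
    return dict(classify(line) for line in log.splitlines() if line.strip())
```

A lexical heuristic like this is only one signal; in practice it is paired with real-time reputation data and query-pattern analysis to keep false positives on long dictionary names low.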
Supply chain compromises also present a challenge. npm and GitHub repository takeovers lead to thousands of compromised packages. When a widely used open-source package gets compromised, each organization and application that relies on it inherits that vulnerability. One poisoned update can travel through the whole software supply chain, compounding risk across countless downstream environments and users.
Where DNS fits in and why it matters
Malware relies on DNS from the start of an infection. It typically uses DNS to locate its command-and-control server or to send data back to attackers. While estimates vary, at least three-quarters of malware uses DNS in some way; the Center for Cybersecurity and Law puts that figure at 92%.
The good news is that DNS filtering can block attacks.
In one incident, the DNSFilter team observed that several users had inadvertently run a command in their Windows terminal that attempted to reach a server and download malware. The attempt failed because the request was blocked.
DNS filtering is an important part of the layered security approach MSPs need to provide to their customers. DNS filtering can block threats even before signatures, patches, or updates exist. It complements endpoint, email, and firewall protections. For MSPs, DNS must be a baseline layer, not an optional add-on—and it’s important to work with partners who can provide strong DNS filtering. As evolving threats render signature-based defenses insufficient and supply chain risks magnify exposure, DNS filtering can become a competitive offering for MSPs. In fact, there’s an opportunity to grow revenue and trust by bundling DNS filtering as a non-negotiable baseline service.
Moving forward for success
The sophistication and speed with which adversaries create and launch threats leave legacy security solutions in the dust. Polymorphic malware, malicious domains, and supply chain compromises require additional cybersecurity support. Consequently, defense at the DNS layer has become a necessity. MSPs can educate clients on this required functionality and ultimately use it as a strategic advantage.
MSSP Alert Perspectives columns are written by trusted members of the managed security services, value-added reseller and solution provider channels or MSSP Alert's staff.