
THE LAYER NO ONE WATCHES: WHY DNS IS EMERGING AS A CRITICAL SECURITY BLIND SPOT

 Nickey Mannya

Most of the organisations I work with across Southern Africa have invested seriously in security. Firewalls, endpoint protection, SIEMs, and regular reviews. At the same time, the conversations in boardrooms have matured; there’s real awareness, real budget, and real commitment to cybersecurity. And yet many of these same organisations are exposed in ways that won’t show up on any dashboard, not because they lack capability, but because they’re watching the wrong layer.

That layer is DNS.

The numbers make this harder to ignore. According to an IDC Market Perspective commissioned by Infoblox, DNS-based threat detection can block 60% of threats before the first malicious DNS query is ever made and 82% within the first 24 hours. The same research found that organisations using DNS for detection and response reduced their mean time to respond to incidents by 34%. These aren’t marginal gains. They reflect what becomes possible when a layer that carries signals about almost every threat (phishing, ransomware, command-and-control activity) is actually being watched.

Why? Because most of the time people aren’t looking.

The infrastructure nobody was asked to care about

DNS has stayed out of focus for a good reason: it doesn’t complain. It operates quietly in the background, directing every user, every application, every system to where it needs to go. Unlike a failed firewall or a slow endpoint agent, DNS rarely fails in ways that create immediate noise. So it doesn’t get treated as a security problem; it gets treated as plumbing.

Most people understand DNS as the Internet’s phonebook. You type a name, it returns an address. That framing is accurate enough, but it obscures the risk. Because if the phonebook is altered or the navigation is redirected, users still arrive somewhere. They just don’t arrive where they were supposed to. Whether through spoofing, hijacking, or manipulation, that trust can be exploited long before anyone realises something is wrong.

That’s the critical shift. DNS can be compromised while users and systems continue to function and operations appear entirely normal. And as South African businesses expand into hybrid and multi-cloud environments, DNS now sits at the centre of increasingly complex, distributed infrastructure, while, in many organisations, it remains completely outside active security monitoring.

When legacy thinking meets modern risk

Walk into enough environments, and you start to see a pattern. The infrastructure hasn’t evolved at the same pace as the organisation’s digital ambitions. Cloud adoption is layered on top of systems and practices designed for a very different era. There are new platforms, expanded digital services, but beneath all of it, the same foundational architecture, and the same underlying assumption: it’s always worked this way.

Yes, of course stability matters, but a mindset that is stuck in the dark ages carries a cost. Foundational services like DNS were not designed for today’s level of scale, complexity, or threat exposure. As environments become more distributed and interconnected, the assumptions that once held don’t hold in the same way.

While some clients are ensuring that transformation is visible at the surface, it’s often not reflected in the layers beneath it. And that is where the real risk lies.

Security doesn’t always start where you think it does

DNS typically sits with the network team, while the security strategy is defined somewhere else. When a problem emerges at the DNS or network layer, whether a misconfiguration, a redirection, or deliberate manipulation, that layer is rarely the first place anyone looks.

As threats become more subtle and environments more interconnected, that separation gets harder to sustain. The layer directing traffic across your network can’t remain isolated from the conversations defining how that network is secured.

For CIOs and technology leaders, the priority isn’t only how to respond once an attack escalates, but also recognising the indicators before it does. In many cases, those indicators are already there. Lookalike domains, suspicious email patterns, and unexpected redirects are often early signs of compromise and appear at the DNS layer first.

Addressing them consistently, through awareness, monitoring, and basic controls, can significantly reduce exposure. But that requires a shift in how infrastructure is framed. DNS is not a passive component. It should be part of an organisation’s active security posture, rather than assumed to be covered by the layers above it.

Earlier visibility, better decisions

The theme that tends to emerge in hindsight across many environments is the same: organisations needed to evolve ahead of risk, not in response to it. As digital scale increases, decision-making has to be grounded in what is observable rather than what is assumed.

That means separating signal from noise, distinguishing between emerging trends, real vulnerabilities, and operational priorities. The most immediate risks are often already present inside the environment, and DNS is still very much one of those areas.

The opportunity isn’t just risk reduction. It’s also visibility, which includes earlier detection, faster response, and the ability to make decisions based on what’s actually happening in your environment. The signals are often already there: in your DNS logs, in query patterns, in domains that almost match yours. The question is whether anyone is looking at that layer at all.
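As an added illustration (not part of the original article), the sketch below scans DNS query log lines for names that almost match an organisation's own domain. The protected domain northbank.example, the log line format and the sample lines are assumptions constructed for this example.

```python
import re

PROTECTED = "northbank.example"   # assumption: the organisation's own domain
# Digit-for-letter swaps commonly used in lookalike registrations.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Constructed log format: "<timestamp> client <ip> query: <name> IN <type>"
LINE_RE = re.compile(r"^(\S+) client (\S+) query: (\S+) IN (\S+)$")

SAMPLE_LOG = """\
2025-03-01T08:15:02Z client 10.0.4.17 query: www.northbank.example IN A
2025-03-01T08:15:09Z client 10.0.4.22 query: login.n0rthbank.example IN A
2025-03-01T08:16:40Z client 10.0.4.22 query: northbnak.example IN A
2025-03-01T08:17:03Z client 10.0.4.31 query: updates.vendor.test IN AAAA
2025-03-01T08:18:55Z client 10.0.4.17 query: northbank.example.account-verify.test IN A
"""

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_lookalikes(log_text, protected=PROTECTED, max_distance=2):
    """Return (timestamp, client, qname, distance) for near-miss names."""
    brand = protected.split(".")[0]
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not query records
        ts, client, qname, _qtype = m.groups()
        qname = qname.lower().rstrip(".")
        if qname == protected or qname.endswith("." + protected):
            continue  # genuinely inside our own zone
        for label in qname.split("."):
            d = edit_distance(label.translate(HOMOGLYPHS), brand)
            if d <= max_distance:
                hits.append((ts, client, qname, d))
                break
    return hits

if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_LOG):
        print(hit)
```

Each hit names the internal client that made the query, which gives responders a host to start from; the distance threshold is a tuning choice, and short brand labels need a lower one to avoid false positives.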

Nickey Mannya is Director for Cybersecurity and Next Generation Solutions at Westcon-Comstor Southern Africa. He writes in his personal capacity.

SUPPLIED.
