Every time an employee opens a browser, runs a scheduled task, or a piece of malware phones home, it starts with a single DNS query. Yet in most Indian enterprise environments, DNS traffic flows unmonitored and unfiltered — an open highway that attackers have been exploiting for decades. In 2026, with threat actors increasingly tunnelling command-and-control (C2) traffic, ransomware callbacks, and data exfiltration payloads inside DNS packets, ignoring DNS security is no longer a calculated risk. It is an unacceptable blind spot.
This guide explains exactly how attackers abuse DNS, what DNS security controls look like in practice, and how Indian enterprises can deploy DNS filtering within their existing FortiGate infrastructure — or through a managed SOC — to close one of the most persistent gaps in enterprise defence.
DNS was designed for availability, not security. Port 53 UDP is allowed outbound on virtually every corporate firewall, on every VLAN, for every device. Unlike HTTP/S traffic, DNS queries rarely pass through a web proxy and are almost never deep-inspected by default. Attackers have known this for years, and their toolkits reflect it.
Indian enterprises operating under the DPDP Act 2023 and CERT-In’s April 2022 directions carry specific obligations that DNS security directly addresses.
CERT-In’s directions require organisations to maintain logs of all ICT systems including network devices, and to report incidents within six hours of detection. DNS logs are often the earliest forensic evidence of a compromise — the first C2 callback, the first DGA beacon, the first exfiltration tunnel. Without DNS logging, meeting the six-hour reporting window becomes nearly impossible because incident timelines cannot be reconstructed.
Under the DPDP Act, the obligation to implement “reasonable security safeguards” for personal data extends to the network layer. A DNS filtering solution that blocks known malicious domains before data can leave the network is a demonstrable, auditable control — exactly the kind of evidence a Data Protection Board investigation would expect to see.
Key compliance point: CERT-In’s directions mandate log retention for 180 days. DNS query logs from all devices — including BYO devices on guest Wi-Fi — should be captured, stored, and indexed for fast search during incident response.
DNS security is not a single product. It is a layered set of controls applied at different points in the DNS resolution chain. Here is how each layer works in an enterprise context:
The most impactful control is replacing the organisation’s recursive DNS resolver (typically a forwarding server or the ISP’s default) with a protective DNS (PDNS) service. PDNS evaluates every outbound DNS query against threat intelligence feeds, machine-learning classifiers, and category databases. Queries to known malicious domains, newly registered domains (NRDs), DGA-generated names, and high-risk categories (cryptomining, adult content, phishing kits) return a blocked response (NXDOMAIN or a sinkhole IP) before any TCP connection is ever attempted.
FortiGate’s FortiDNS and the integrated FortiGuard DNS Filtering service deliver this capability natively for networks already running Fortinet infrastructure. Policies can be pushed from FortiManager to every FortiGate in the estate — branch offices, data centres, remote access gateways — within seconds.
Response Policy Zones (RPZ) allow an enterprise’s internal authoritative DNS server (typically Windows DNS or BIND) to override responses for specific domains or domain patterns. An RPZ feed from a threat intelligence provider automatically rewrites the local resolver’s answers for malicious names — blocking them even for devices that bypass the corporate resolver by using hardcoded public DNS servers (a common malware evasion tactic).
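The following is an added illustration, not code from the article or from Fortinet, of the decision a protective resolver makes for one query (threat feed, blocked category, NRD age, DGA entropy heuristic) and of the RPZ records that would make a BIND or Windows resolver enforce the same verdict. All domains, registration dates, the sinkhole address and the heuristic thresholds are constructed sample values.

```python
import math
from datetime import date

# Constructed sample data standing in for threat-intel, category and domain-age feeds
# (illustrative only; none of these names are real indicators).
MALICIOUS = {"evil-c2.example", "phish-kit.example"}
CATEGORY = {"miner-pool.example": "cryptomining", "news-site.example": "news"}
BLOCKED_CATEGORIES = {"cryptomining", "phishing", "adult"}
REGISTERED = {"fresh-lure.example": date(2026, 3, 1), "news-site.example": date(2015, 6, 2)}
SINKHOLE_IP = "10.255.255.1"            # assumed internal sinkhole address
DGA_MIN_LEN, DGA_MIN_ENTROPY = 12, 3.5  # assumed heuristic thresholds

def shannon_entropy(s: str) -> float:
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def registered_domain(qname: str) -> str:
    # Simplification: last two labels; a real resolver would consult the public suffix list.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def evaluate(qname: str, today_iso: str, nrd_days: int = 30) -> tuple[str, str]:
    """Classify one outbound query the way a protective resolver would.
    Returns (verdict, reason); verdict is NOERROR, NXDOMAIN or SINKHOLE."""
    rd = registered_domain(qname)
    core = rd.split(".")[0]                      # the label a DGA would have generated
    if rd in MALICIOUS:
        return "SINKHOLE", "threat-feed"         # sinkhole so the callback can be observed
    if CATEGORY.get(rd) in BLOCKED_CATEGORIES:
        return "NXDOMAIN", f"category:{CATEGORY[rd]}"
    reg = REGISTERED.get(rd)
    if reg is not None and (date.fromisoformat(today_iso) - reg).days < nrd_days:
        return "NXDOMAIN", "newly-registered-domain"
    if len(core) >= DGA_MIN_LEN and shannon_entropy(core) >= DGA_MIN_ENTROPY:
        return "SINKHOLE", "dga-heuristic"
    return "NOERROR", "allowed"

def rpz_records(qname: str, verdict: str) -> list[str]:
    """RPZ zone lines that make a BIND/Windows resolver return the same verdict."""
    rd = registered_domain(qname)
    if verdict == "NXDOMAIN":
        return [f"{rd} CNAME .", f"*.{rd} CNAME ."]            # CNAME . means NXDOMAIN in RPZ
    if verdict == "SINKHOLE":
        return [f"{rd} A {SINKHOLE_IP}", f"*.{rd} A {SINKHOLE_IP}"]
    return []

if __name__ == "__main__":
    for q in ["beacon.evil-c2.example", "pool.miner-pool.example", "cdn.fresh-lure.example",
              "xk3qz7vb1mdtw.example", "www.news-site.example"]:
        v, why = evaluate(q, "2026-03-10")
        print(f"{q:28} {v:9} {why:26} {rpz_records(q, v)}")
```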
FortiGate’s Application Control and DNS Filter profiles inspect DNS traffic at the network edge. This catches devices that attempt to use alternative resolvers (8.8.8.8, 1.1.1.1) by transparently redirecting all UDP/TCP port 53 traffic to the corporate resolver. It also enforces DNS-over-HTTPS (DoH) policy — blocking or redirecting DoH traffic that would otherwise bypass traditional DNS controls entirely.
Without logging, DNS filtering is a prevention-only control. Integrating DNS query logs with a SIEM (FortiSIEM, Splunk, or the SOC’s preferred platform) enables detection use cases that filtering alone cannot cover: slow-and-low DNS tunnelling that stays below volume thresholds, internal resolver queries from unexpected hosts, and retrospective hunting after an incident is declared.
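As an added example (not the article's or any vendor's code) of the three detection use cases above, the block below runs over a constructed resolver log: it flags a slow-and-low tunnel by counting unique high-entropy labels under one domain rather than by query volume, reports clients outside the subnet assumed to be allowed to query the internal resolver, and answers the retrospective question of which clients ever resolved a given domain. The log lines, subnet and thresholds are all constructed sample values.

```python
import ipaddress
import math
from collections import defaultdict
from datetime import datetime

# Constructed resolver log (time, client, qname, qtype); illustrative, not real traffic.
LOG = """\
2026-03-10T09:00:01 10.20.1.15 www.news-site.example A
2026-03-10T09:00:07 10.20.1.15 mail.news-site.example A
2026-03-10T09:01:13 10.20.1.42 5a9f1c3e7b2d4a60.tunnel-host.example TXT
2026-03-10T09:04:48 10.20.1.42 8c2e4b7d1f0a9e33.tunnel-host.example TXT
2026-03-10T09:08:02 10.20.1.42 3d7a1e9c5b2f8d41.tunnel-host.example TXT
2026-03-10T09:12:30 10.20.1.42 b6e0f2a8c4d1e579.tunnel-host.example TXT
2026-03-10T09:16:55 10.20.1.42 e1c9d3b7a5f2e480.tunnel-host.example TXT
2026-03-10T09:20:10 10.20.1.42 7f3b5d1e9a2c6b08.tunnel-host.example TXT
2026-03-10T09:21:00 10.20.9.200 www.news-site.example A
"""
EXPECTED_CLIENTS = [ipaddress.ip_network("10.20.1.0/24")]  # assumed: only the user VLAN may recurse
MIN_UNIQUE_LABELS, MIN_MEAN_ENTROPY = 5, 3.0                # assumed tunnelling thresholds

def entropy(s: str) -> float:
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def registered_domain(qname: str) -> str:
    return ".".join(qname.lower().split(".")[-2:])  # simplification; use the public suffix list in production

def analyse(log_text: str) -> dict:
    """Flag slow-and-low tunnelling (many unique, high-entropy labels at a low rate) and unexpected clients."""
    labels, times, txt, unexpected = defaultdict(set), defaultdict(list), defaultdict(int), set()
    for line in log_text.splitlines():
        ts, client, qname, qtype = line.split()
        if not any(ipaddress.ip_address(client) in net for net in EXPECTED_CLIENTS):
            unexpected.add(client)
        key = (client, registered_domain(qname))
        labels[key].add(qname.split(".")[0])
        times[key].append(datetime.fromisoformat(ts))
        txt[key] += qtype in ("TXT", "NULL")          # record types commonly used to carry payloads
    tunnels = {}
    for key, subs in labels.items():
        mean_e = sum(entropy(s) for s in subs) / len(subs)
        if len(subs) >= MIN_UNIQUE_LABELS and mean_e >= MIN_MEAN_ENTROPY:
            span_min = max((max(times[key]) - min(times[key])).total_seconds() / 60, 1)
            tunnels[key] = {"unique_labels": len(subs), "mean_entropy": round(mean_e, 2),
                            "txt_queries": txt[key], "queries_per_min": round(len(times[key]) / span_min, 2)}
    return {"tunnels": tunnels, "unexpected_clients": sorted(unexpected)}

def hunt(log_text: str, domain: str) -> list[str]:
    """Retrospective hunt: which clients ever resolved a domain named in a newly received IOC."""
    return sorted({l.split()[1] for l in log_text.splitlines() if registered_domain(l.split()[2]) == domain})
```

Note that the tunnelling client averages well under one query per minute, which is exactly the traffic a per-minute volume threshold on the resolver would never raise.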
Most enterprises delay DNS security because they fear disrupting business-critical applications. The following phased approach minimises risk while delivering value quickly.
Even enterprises that have invested in DNS filtering often leave gaps that a skilled attacker will find.
For enterprises that lack the in-house expertise to deploy and tune DNS security, a managed security provider should be able to demonstrate the following capabilities:
Security teams that treat DNS as boring plumbing — something the networking team manages, not the security team — are leaving one of the most valuable detection and prevention controls off the table. In environments where endpoints are increasingly mobile, cloud workloads span multiple providers, and attackers are under pressure to avoid traditional IOC-based detection, DNS traffic is often the clearest signal of malicious activity available.
The good news: DNS security is not a rip-and-replace project. For most Indian enterprises running FortiGate, the capability is already licensed. Activating it, tuning it, and integrating it with the SOC is a matter of weeks — not months — and the protection it provides against ransomware callbacks, data exfiltration, and phishing infrastructure is immediate and measurable.
PJ Networks’ 24/7 NOC and SOC teams specialise in deploying and managing DNS security controls for Indian enterprises — from FortiGuard DNS Filtering activation through SIEM integration and CERT-In-aligned incident response. If you want to understand where your DNS security posture stands today, reach out for a no-obligation network security assessment.