Hackers Abuse Shared CDN Edge IPs to Bypass Protective DNS Filtering
Cybersecurity NewsArchived May 28, 2026✓ Full text saved
Hackers are increasingly abusing shared Content Delivery Network (CDN) infrastructure to bypass protective DNS filtering, according to new research from ADAMnetworks, which has identified a stealthy technique allowing malicious traffic to hide behind trusted domains. The method, dubbed “Underminr,” exploits gaps in how security systems validate DNS requests, TLS connections, and CDN edge routing, enabling […] The post Hackers Abuse Shared CDN Edge IPs to Bypass Protective DNS Filtering appeared
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
Hackers Abuse Shared CDN Edge IPs to Bypass Protective DNS Filtering
By Abinaya
May 28, 2026
Hackers are increasingly abusing shared Content Delivery Network (CDN) infrastructure to bypass protective DNS filtering, according to new research from ADAMnetworks, which has identified a stealthy technique allowing malicious traffic to hide behind trusted domains.
The method, dubbed “Underminr,” exploits gaps in how security systems validate DNS requests, TLS connections, and CDN edge routing, enabling attackers to make connections that appear legitimate while secretly communicating with malicious destinations.
In observed cases, a user’s system resolves a trusted domain, such as whatismyipaddress.com, which is permitted by protective DNS (PDNS).
However, the actual encrypted connection is redirected to a different domain, like evilsite.ai, hosted on the same shared CDN edge IP.
Because many enterprise defenses rely on DNS reputation or initial TLS inspection, mismatches between DNS resolution and the final connection target often go undetected, creating a significant blind spot for defenders.
CDN Edge IPs Bypass DNS Filters
Unlike legacy domain fronting mitigated by major cloud providers around 2018, Underminr manipulates SNI and HTTP Host headers while using legitimate DNS responses, making detection and blocking far more difficult.
ADAMnetworks researchers observed that attackers can deploy this technique using simple scripts, malware, or even social engineering methods, such as ClickFix attacks, which trick users into executing commands locally.
Comparision (Source: Underminr)
Once active, the technique enables a wide range of malicious activity, including command-and-control (C2) communication, data exfiltration, VPN tunneling, and policy circumvention, all while appearing as normal traffic to trusted services.
The report outlines four main attack modes:
Simple Mode: Uses a deceptive SNI after a legitimate DNS lookup.
Split Mode: Establishes a benign connection first, then switches to a malicious one to evade DPI.
ECH Mode: Uses Encrypted Client Hello (ECH) to completely hide SNI details.
Direct-to-IP Mode: Bypasses DNS logging entirely by connecting directly to CDN edge IPs.
These techniques align with MITRE ATT&CK methods such as protocol tunneling and abuse of external remote services.
They have also been linked to advanced threat groups, including China-aligned actors like Flax Typhoon and GALLIUM, which use tools such as SoftEther VPN to maintain persistence and evade detection.
The broader impact is significant, as protective DNS, long considered a foundational security control, can be rendered ineffective without deeper traffic correlation.
ADAMnetworks warns that organizations relying solely on DNS filtering or partial TLS inspection are particularly vulnerable, especially in environments without full proxying or traffic decryption.
Direct to IP Mode (Source: Underminr)
To defend against Underminr, the company recommends correlating DNS queries with connection metadata and monitoring actual connection endpoints.
Additionally, a new threat intelligence-sharing initiative and an online scanning tool have been introduced to help organizations determine whether their domains are vulnerable or being abused.
As IPv4 exhaustion continues to push more services onto shared infrastructure, the risk of cross-tenant abuse is expected to grow, raising concerns that attackers and potentially AI-driven campaigns could scale this technique globally.
Without coordinated mitigation across CDN providers, domain owners, and security vendors, Underminr could significantly weaken trust in DNS-based defenses and reshape how network security is enforced.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Abinayahttps://cybersecuritynews.com/
Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
Trending News
Veeam Backup & Replication Tool Vulnerability Enables Privilege Escalation Attacks
Critical Chrome Vulnerabilities Enable Remote Code Execution Attacks – Patch Now!
New 7-Zip Vulnerabilities Let Attackers Execute Arbitrary Code and Compromise Systems
Pentest Agent Suite – Bug Bounty Framework for Claude Code and 6 AI Coding Tools
ConnectWise Automate Vulnerability Let Attackers Bypass Security Checks
Latest News
Cyber Security News
Top 10 Best Mobile Application Security Testing (MAST) Tools in 2026
Cyber Security News
Top 10 Best Static Application Security Testing (SAST) Tools for Security Teams in 2026
Cyber Security News
Veeam Backup & Replication Tool Vulnerability Enables Privilege Escalation Attacks
Cyber Security News
Microsoft Warns Public Release of Zero-Day Details Before Vendor Coordination
Cyber Security
Critical Notepad++ Vulnerabilities Allow Attackers to Execute Arbitrary Code