Nearly four years after a high-profile breach, critical endpoints remain unsigned by DNSSEC. The chain of trust is broken.
Introduction
The Critical Gap: Nearly four years after the 2022 Solana breach, key DNS endpoints managed by Vercel remain unsigned by DNSSEC.
The Technical Risk: Unsigned zones break the chain of trust, making DNS responses unverifiable and susceptible to cache poisoning.
Regulatory Shift: 2026 guidance from NCSC and NIST now explicitly categorizes DNS as critical infrastructure.
The Assumption Trap: Organizations often mistakenly assume cloud or edge providers (like Vercel) secure the DNS layer by default.
In 2022, Solana suffered a high-profile breach. The attention focused on wallets and application-layer vulnerabilities. The underlying infrastructure dependencies—particularly DNS—received almost no examination.
In 2026, a recent cyber incident involving Vercel has reignited scrutiny over DNS security. Follow-up analysis shows that Solana continues to rely on Vercel-managed DNS endpoints that remain unsigned by DNSSEC.
This creates a break in the chain of trust, leaving portions of resolution paths unverifiable. While this does not constitute an active exploit, it weakens protections against DNS-based attacks such as cache poisoning or traffic interception.
This is not a hypothetical concern. Both the National Cyber Security Centre (NCSC) and the National Institute of Standards and Technology (NIST) have, in 2026 guidance, reinforced DNS as critical infrastructure requiring end-to-end integrity.
The Solana 2022 Breach: What Was Missed
The incident: Solana suffered a high-profile breach in 2022.
The focus: Wallets and application-layer vulnerabilities.
What was missed: Underlying infrastructure dependencies—particularly DNS—received almost no examination.
The question: Could DNS weaknesses have contributed to the breach or enabled its execution?
The answer four years later: We still do not know enough, because DNS security was not properly examined.
The Vercel Incident (2026): Renewed Scrutiny
A recent cyber incident involving Vercel has brought DNS security back into focus.
The finding: Solana continues to rely on Vercel-managed DNS endpoints that remain unsigned by DNSSEC.
The implication: Nearly four years after the original breach, the same infrastructure weaknesses persist.
What Is DNSSEC and Why Does It Matter?
DNSSEC (Domain Name System Security Extensions): A suite of extensions that adds security to the DNS protocol by enabling DNS responses to be digitally signed and verified.
What DNSSEC does:
- Ensures that the DNS response you receive is authentic
- Prevents cache poisoning (sending false DNS records)
- Prevents traffic interception (redirecting users to malicious sites)
- Creates a chain of trust from the root zone to the final domain
What happens without DNSSEC:
- DNS responses cannot be verified
- Attackers can impersonate websites
- Users can be redirected without their knowledge
- The chain of trust is broken
The Current Risk: Unsigned DNS Zones
The finding:
Solana continues to rely on Vercel-managed DNS endpoints that remain unsigned by DNSSEC.
The risk:
- Break in the chain of trust
- Resolution paths unverifiable
- Weakened protections against cache poisoning
- Weakened protections against traffic interception
Important caveat:
This does not constitute an active exploit today. But it creates a vulnerability that could be exploited tomorrow.
NCSC and NIST Guidance (2026)
Both the NCSC and NIST have, in 2026 guidance, reinforced DNS as critical infrastructure requiring end-to-end integrity.
The implications:
- DNS is not just a technical detail
- DNS security is national security
- Organisations that fail to secure DNS are exposing critical infrastructure
The Broader Industry Problem
The assumption:
Major cloud and edge providers fully secure their DNS layers.
The reality:
Gaps persist. Unsigned DNS zones remain nearly four years after a major incident.
The question:
How many thousands of organisations remain exposed through inherited and enforced DNS weaknesses?
The concern:
How many incidents have gone undetected as a result?
Why DNS Weaknesses Go Unnoticed
| Reason | Explanation |
|---|---|
| Visibility | DNS operates below the application layer. Many security teams never look at it. |
| Assumption | “Our cloud provider handles security” is a dangerous assumption. |
| Complexity | DNSSEC implementation requires coordination across multiple parties. |
| Perceived low risk | DNS attacks are less common than application attacks—but equally damaging. |
| Detection difficulty | DNS-based attacks can be invisible to application-layer monitoring. |
What Organisations Must Do
1. Audit DNS configurations
Do you know which DNS zones are signed and which are not? If not, you cannot assess your risk.
2. Implement DNSSEC
DNSSEC is not optional. NCSC and NIST have classified DNS as critical infrastructure requiring end-to-end integrity.
3. Question assumptions about cloud providers
Major cloud providers may not fully secure their DNS layers by default. Verify. Do not assume.
4. Monitor DNS traffic
DNS-based attacks can be invisible to application-layer monitoring. Deploy DNS-specific monitoring.
5. Treat DNS as critical infrastructure
Not a technical detail. Not a procurement issue. Critical infrastructure.
The Chain of Trust
The DNS chain of trust works like this:
- Root zone (signed)
- Top-level domain (signed)
- Authoritative name server (should be signed)
- DNS response (should be signed and verifiable)
When a link in the chain is unsigned, the chain of trust is broken.
In Solana’s case, Vercel-managed DNS endpoints remain unsigned, creating exactly such a break.
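The chain-of-trust walk above, and the audit question of which zones are signed, can be expressed as a short classifier. This is an added example, not code from the article or from any provider: every zone name, key tag and CNAME below is constructed, and matching key tags stands in for the full DS digest and signature checks a validating resolver performs.

```python
# Added example: classify zones as a validating resolver would (RFC 4035:
# secure / insecure / bogus). All names, key tags and records are constructed.
ZONES = {  # ds: key tags the parent publishes (trust anchor for the root); dnskey: tags the zone serves
    ".":                      {"parent": None,       "ds": {1001}, "dnskey": {1001}, "rrsig": True},
    "example.":               {"parent": ".",        "ds": {2002}, "dnskey": {2002}, "rrsig": True},
    "app.example.":           {"parent": "example.", "ds": {3003}, "dnskey": {3003}, "rrsig": True},
    "edge-provider.example.": {"parent": "example.", "ds": set(),  "dnskey": set(),  "rrsig": False},
    "stale.example.":         {"parent": "example.", "ds": {4004}, "dnskey": {5005}, "rrsig": True},
}
CNAMES = {"www.app.example.": "cname.edge-provider.example."}  # constructed alias


def enclosing_zone(name, zones):
    """Return the closest enclosing zone for a fully qualified name."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) or "."
        if candidate in zones:
            return candidate
    return "."


def zone_status(zone, zones):
    """Walk root -> zone; return (status, zone where the chain stops or None)."""
    chain = []
    while zone is not None:
        chain.append(zone)
        zone = zones[zone]["parent"]
    for name in reversed(chain):
        z = zones[name]
        if not z["ds"]:                      # no DS at parent: unsigned delegation
            return "insecure", name          # everything below is unverifiable
        if not (z["ds"] & z["dnskey"]) or not z["rrsig"]:
            return "bogus", name             # DS promises keys the zone lacks
    return "secure", None


def audit_path(qname, cnames, zones):
    """Follow CNAME hops from qname and classify the zone behind each hop."""
    report, seen, name = [], set(), qname
    while name and name not in seen:         # 'seen' guards against CNAME loops
        seen.add(name)
        zone = enclosing_zone(name, zones)
        report.append((name, zone, zone_status(zone, zones)[0]))
        name = cnames.get(name)
    return report


def path_verifiable(report):
    """A resolution path is verifiable only if every hop is secure."""
    return all(status == "secure" for _, _, status in report)
```

In the constructed data, a name in a signed zone that aliases into an unsigned provider zone yields one secure hop and one insecure hop, so the path as a whole is not verifiable; the `stale.example.` entry shows the separate failure where a leftover DS record makes a zone bogus rather than merely unsigned.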
Q: Why is Solana’s reliance on unsigned Vercel DNS endpoints a problem in 2026?
Ans: Nearly four years after their major breach, using unsigned DNS zones means portions of the resolution path remain unverifiable. In light of new 2026 guidance from NCSC and NIST, this creates a significant compliance and security gap, making the network vulnerable to DNS-based attacks like cache poisoning.
Q: Does HTTPS replace the need for DNSSEC?
Ans: No. HTTPS ensures that the communication between you and the server is encrypted and authentic. However, if the DNS is compromised, your browser could be talking to an attacker’s server that has its own valid HTTPS certificate. DNSSEC ensures you are being sent to the correct IP address in the first place.
Q: How can I check if my organization’s DNS zones are signed?
Ans: You should conduct a DNS Security Audit. Tools can verify the “Chain of Trust” from the root zone to your authoritative name servers. If the chain is broken or unsigned, you must implement DNSSEC to meet 2026 infrastructure standards.
What does DNSSEC stand for?
- Ans: Domain Name System Security Extensions.
Which two organizations issued 2026 guidance classifying DNS as critical infrastructure?
- Ans: NCSC (National Cyber Security Centre) and NIST (National Institute of Standards and Technology).
What type of attack does DNSSEC specifically help prevent?
- Ans: Cache poisoning and traffic interception.
True or False: HTTPS protects the destination of a user’s web request.
- Ans: False. HTTPS protects the data in transit; DNSSEC protects the destination resolution.
Conclusion
A recent cyber incident involving Vercel has reignited scrutiny over a long-standing but underappreciated risk: DNS security.
Back in 2022, Solana suffered a high-profile breach. Attention focused on wallets and application-layer vulnerabilities. Yet underlying infrastructure dependencies—particularly DNS—received far less examination.
Nearly four years later, Solana continues to rely on Vercel-managed DNS endpoints that remain unsigned by DNSSEC. This creates a break in the chain of trust, leaving portions of resolution paths unverifiable.
While this does not constitute an active exploit, it weakens protections against DNS-based attacks such as cache poisoning or traffic interception.
The concern is not hypothetical. Both the NCSC and NIST have, in 2026 guidance, reinforced DNS as critical infrastructure requiring end-to-end integrity.
The issue highlights a broader industry assumption: that major cloud and edge providers fully secure their DNS layers. The reality is that gaps persist.
How many thousands of organisations remain exposed through inherited and enforced DNS weaknesses—and how many incidents have gone undetected as a result?
Adv. Shoeb Hakim
Cyber Security & Infrastructure Advisor
Disclaimer: This article is for informational purposes only and does not constitute legal advice.


