Free dynamic DNS services were built to help home users and small businesses. Cybercriminals have found them equally useful for making phishing infrastructure nearly impossible to trace.
The domain name in a phishing email rarely points directly to an attacker’s server anymore. Instead, it routes through layers of legitimate infrastructure: dynamic DNS services, content delivery networks, cloud platforms, and traffic distribution systems. Each layer adds distance between the criminal and their crime, complicating takedown efforts and frustrating investigators.
Dynamic DNS services sit at the heart of many phishing operations. Originally designed to give users with changing IP addresses a stable hostname, these services now provide attackers with free, anonymous subdomains that can point to malicious servers one moment and disappear the next. The Interisle Consulting Group’s Phishing Landscape 2025 report found that 1.5 million domain names were used in phishing attacks between May 2024 and April 2025, a 38% increase and the highest number ever recorded. A significant portion of these exploited free subdomain services.
The ease with which attackers acquire and dispose of this infrastructure has fundamentally changed the economics of credential harvesting. When domains cost nothing and require no verification, there’s no friction preventing criminals from burning through thousands of them in a single campaign.
How dynamic DNS enables phishing at scale
Dynamic DNS services solve a legitimate problem. Home internet connections typically receive new IP addresses periodically from their internet service provider. For someone running a home server, game host, or security camera, this creates challenges: the address others need to reach them keeps changing. Dynamic DNS services provide a hostname that automatically updates to point at the user’s current IP address.
Attackers exploit this same functionality for different purposes. A criminal can create a subdomain like “secure-login.duckdns.org” in seconds, point it at a phishing site, use it in a credential harvesting campaign, then abandon it when the site gets flagged. Tomorrow, they’ll create “account-verify.duckdns.org” and continue operations.
The free tier offerings from these services require minimal verification. No credit card. No phone number in many cases. No meaningful identity check. Combined with the ability to change where a hostname points at any time, these services provide attackers with disposable, untraceable infrastructure.
ICANN’s enforcement data confirms the scale of the problem. Between April and October 2024, 38% of all ICANN abuse-related investigations involved DNS abuse. While many were resolved through informal channels, the volume indicates how central DNS infrastructure has become to cybercrime operations.
The bulk registration problem
The Interisle report revealed another troubling trend: 77% of all domain names used in phishing were maliciously registered by cybercriminals, a 36% increase year-over-year. Even more concerning, 37% of phishing domains were acquired through bulk domain registration services.
Bulk registration allows users to register hundreds or thousands of domains simultaneously, typically at discounted rates. For legitimate businesses, this enables efficient management of domain portfolios. For attackers, it enables phishing at industrial scale.
A criminal can register 500 slight variations of a popular banking brand’s domain in a single transaction. Most will never be used. But having them available means campaigns can launch instantly when opportunity arises, and blocking one domain simply shifts traffic to another.
The combination of bulk registration for traditional domains and free subdomains from dynamic DNS services creates a two-tier infrastructure. Bulk-registered domains provide the appearance of legitimacy; they have proper DNS records, can receive SSL certificates, and look like real websites. Dynamic DNS subdomains provide disposable landing pages that can be created and abandoned in minutes.
For organizations tracking threats against their brand, our analysis of lookalike domains examines how attackers systematically register variations to support impersonation campaigns.
Geographic distribution of phishing infrastructure
Despite the global nature of cybercrime, phishing infrastructure concentrates in specific locations. The United States hosts more than half of all phishing sites, a position it has held for five consecutive years according to Interisle’s research. This isn’t because American criminals are unusually active. Rather, U.S. hosting providers offer reliable, inexpensive infrastructure that attackers around the world exploit.
The geographic concentration creates both challenges and opportunities. On one hand, takedown requests face the complexities of U.S. legal requirements even when the attacker operates from another country. On the other hand, the concentration means coordination with a relatively small number of major hosting providers could meaningfully reduce phishing infrastructure availability.
Some attacks show clear geographic targeting. The “Smishing Triad,” a China-based operation, pivoted from impersonating toll road operators and shipping companies to targeting customers of global financial institutions. They now spoof major banks across North America, Latin America, Australia, and the Asia-Pacific region, operating approximately 25,000 active phishing domains during any eight-day period.
Detection and response challenges
Traditional security controls struggle with dynamic DNS abuse for several reasons.
URL filtering relies on maintaining lists of known malicious addresses. When attackers burn through subdomains faster than lists update, there’s always a window of vulnerability. The dynamic nature of these services means that by the time a subdomain gets flagged, it may already be abandoned.
Domain reputation systems can identify suspicious patterns, like newly created subdomains with unusual characteristics, but they face high false-positive rates. Legitimate users also create new dynamic DNS subdomains regularly.
Takedown efforts encounter resistance because the DNS provider may be entirely separate from the actual hosting infrastructure. Taking down a subdomain doesn’t affect the malicious server, which can be pointed to by a new subdomain within minutes.
Email security increasingly blocks messages containing dynamic DNS domains, but attackers adapt by using redirect chains that start with legitimate services. A link to a Google Docs page that redirects to a dynamic DNS subdomain evades many filters.
The 9-hour average detection time for fraud, combined with the hours or days required for takedowns, creates a substantial window for attackers. Our coverage of how AI-powered fraud has accelerated attack timelines examines this speed mismatch in detail.
What security leaders should consider
Addressing dynamic DNS abuse requires both technical controls and strategic coordination.
DNS-level visibility enables detection of connections to known dynamic DNS services. While blocking all such services creates usability problems (some employees may have legitimate uses), monitoring and alerting provide awareness of potential compromises.
Email authentication protocols including DMARC, DKIM, and SPF reduce spoofing of your domain, though they don’t prevent attackers from using lookalike domains with dynamic DNS subdomains.
Threat intelligence integration with real-time feeds of known malicious subdomains improves detection, though the ephemeral nature of these threats limits effectiveness.
User awareness about the limited trustworthiness of unfamiliar domains, even those using HTTPS, remains valuable despite its limitations against sophisticated attacks.
Industry coordination with dynamic DNS providers could improve accountability, though the legitimate use cases and competitive pressures make this challenging to implement effectively.
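The DNS-level monitoring described above, combined with the reputation-style signals and false-positive problem from the detection section, can be sketched as a triage pass over resolver logs. This is an added example, not code from the article or from any vendor; the log format, suffix list, lure words, and allowlisted hostname are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Illustrative, non-exhaustive provider suffixes (assumption); duckdns.org is
# the one named in the article. Maintain the real list from your own intel.
DYNDNS_SUFFIXES = ("duckdns.org", "ddns.net")
# Assumed lure words often seen in credential-harvesting hostnames.
LURE_WORDS = ("login", "secure", "verify", "account", "signin")
# Hypothetical hostname with an approved business use: recorded, not alerted.
ALLOWLIST = {"homelab-cam.duckdns.org"}

# Constructed resolver log lines: "<timestamp> <client IP> <query name>"
SAMPLE_LOG = """\
2025-06-02T09:14:03Z 10.0.4.17 secure-login.duckdns.org.
2025-06-02T09:15:41Z 10.0.7.52 homelab-cam.duckdns.org.
2025-06-02T09:16:20Z 10.0.4.23 Account-Verify.DuckDNS.org.
2025-06-02T09:17:02Z 10.0.9.8 notduckdns.org.
2025-06-02T09:18:45Z 10.0.4.23 secure-login.duckdns.org.
2025-06-02T09:19:00Z 10.0.3.3 mc-server.ddns.net.
"""

def split_dyndns(qname):
    """Return (host, subdomain) for a dynamic DNS name, else None.
    Matches on a label boundary so 'notduckdns.org' does not hit."""
    host = qname.rstrip(".").lower()
    for suffix in DYNDNS_SUFFIXES:
        if host.endswith("." + suffix):
            return host, host[: -len(suffix) - 1]
    return None

def triage(log_text):
    """Map each dynamic DNS hostname to (priority, clients, first_seen)."""
    seen = defaultdict(lambda: {"clients": set(), "first_seen": None})
    for line in log_text.splitlines():
        parts = line.split()
        match = split_dyndns(parts[2]) if len(parts) == 3 else None
        if match is None:
            continue
        entry = seen[match]
        entry["clients"].add(parts[1])
        entry["first_seen"] = entry["first_seen"] or parts[0]
    report = {}
    for (host, sub), e in seen.items():
        lure = any(word in sub for word in LURE_WORDS)
        priority = "allowlisted" if host in ALLOWLIST else "high" if lure else "review"
        report[host] = (priority, sorted(e["clients"]), e["first_seen"])
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Grouping by hostname with the querying clients and first-seen time gives responders the list of endpoints to check when a subdomain is later confirmed malicious, even if it has already been abandoned.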
The Bottom Line
Dynamic DNS services represent a classic dual-use technology problem. The same features that make them useful for legitimate purposes make them equally valuable for attackers. The 38% of ICANN abuse investigations involving DNS abuse, the 1.5 million domains used in phishing, and the 77% malicious registration rate all point to infrastructure that criminals have systematically co-opted.
For organizations protecting their brands and customers, the implication is that domain-based defenses face fundamental limitations. When attackers can create and discard infrastructure in minutes, detection and response must operate at similar speeds. The traditional approach of identifying, investigating, and removing phishing infrastructure needs augmentation with proactive monitoring that identifies attack preparation, not just attack execution.
Key Takeaways
The Interisle Phishing Landscape 2025 report found 1.5 million domain names were used in phishing attacks between May 2024 and April 2025, representing a 38% increase and the highest number ever recorded.
77% of all domain names used in phishing attacks were maliciously registered by cybercriminals, a 36% increase year-over-year. Additionally, 37% were acquired through bulk registration services that enable mass domain acquisition.
The United States hosts more than half of all phishing sites globally and has been the top hosting location for five consecutive years. This reflects the availability of reliable, inexpensive hosting infrastructure rather than the location of attackers.
Attackers create free subdomains that require minimal verification, point them at phishing sites, use them in campaigns, then abandon them when flagged. The lack of identity verification and the ability to change DNS records instantly make these services ideal for disposable attack infrastructure.
Between April and October 2024, 38% of all ICANN abuse-related investigations involved DNS abuse, highlighting how central DNS infrastructure has become to cybercrime operations.



