Your domain has a good reputation. It resolves to a CDN edge IP that firewalls and protective DNS services trust. Security tools see traffic to your domain and wave it through. But what if an attacker could use that trust, your clean IP, your good name, to mask a connection to a completely different, malicious destination?
That's exactly what the Underminr vulnerability, disclosed by ADAMnetworks in May 2026, demonstrates. It's a technique that exploits how modern CDNs, shared hosting, and DNS interact, allowing adversaries to hide malicious connections behind legitimate domains. The scale is staggering: conservative estimates suggest over 58 million domains are vulnerable, and the expanded mapping puts the number closer to 88 million.
This isn't a theoretical attack. ADAMnetworks has confirmed observed abuse in the wild. The Underminr research specifically references SoftEther VPN as a deployment tool for these techniques, a tool used by Flax Typhoon, a China-aligned APT group that Microsoft has tracked since 2021 targeting government, education, and critical manufacturing organizations, primarily in Taiwan but expanding globally. The combination of CDN shared-edge abuse with nation-state tradecraft makes this a serious concern for any organization with domains on shared infrastructure.
How Underminr Works
To understand the vulnerability, you need to understand how CDNs handle traffic. When millions of websites sit behind a CDN like Cloudflare, Fastly, or Akamai, many of those websites share the same edge IP addresses. When your browser connects to 104.19.223.79, the CDN uses the hostname in the TLS handshake (the SNI field) or the HTTP Host header to figure out which customer's content to serve.
This shared infrastructure creates an exploitable gap. Here's the attack in its simplest form:
- A malicious application on a compromised endpoint performs a DNS lookup for whatismyipaddress.com (a trusted, well-known domain)
- The protective DNS resolver allows the query and returns the CDN edge IP: 104.19.223.79
- The malicious application connects to that same IP but sends a different SNI value: evilsite.ai, which happens to be hosted on the same CDN
- The CDN accepts the connection and serves content from evilsite.ai
- The attacker now has unrestricted connectivity for C2, data exfiltration, or payload delivery
From the network defender's perspective, all they see is a DNS lookup for a trusted domain followed by a connection to that domain's IP. Everything looks legitimate. But the actual content being served comes from a completely different, potentially malicious domain.
Four Attack Modes
The Underminr research identifies four distinct modes, each designed to defeat different security configurations:
Simple Mode targets environments protected by protective DNS (PDNS) and basic DNS enforcement. The attacker resolves a trusted domain, then connects to the same IP with a different SNI. Since the DNS query was allowed, the connection passes through.
Split Mode defeats environments that add Deep Packet Inspection (DPI) on the first packet of each flow. The attacker first opens a legitimate TLS connection using the trusted domain's SNI (satisfying the DPI check), then opens a second connection to the same IP with the malicious SNI.
ECH Mode exploits Encrypted Client Hello, where the inner SNI is encrypted and invisible to passive network inspection. If the DNS event is allowed, defenders cannot verify that the resolved name and the actual TLS destination match.
Direct-to-IP Mode bypasses DNS entirely. The malicious application connects directly to a known CDN edge IP (which is rarely blocklisted) with the malicious SNI. No DNS query is generated at all, leaving zero DNS telemetry for defenders.
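As an added example (not code from the Underminr research or from DNS Assistant), the following Python correlates a resolver's DNS answer log with a sensor's TLS connection log and gives each connection a verdict that distinguishes the four modes above. The event lists are constructed; only the edge IP 104.19.223.79 is taken from the article.

```python
"""Correlate DNS answers with TLS connections to spot Underminr-style mismatches.
Added example, not code from the Underminr research or DNS Assistant; the event
lists are constructed and only 104.19.223.79 is taken from the article."""
from collections import defaultdict
from typing import List, Optional, Tuple

DnsAnswer = Tuple[float, str, str]            # (ts_seconds, qname, answer_ip)
TlsConn = Tuple[float, str, Optional[str]]    # (ts_seconds, dst_ip, sni or None if ECH)

def classify_connections(answers: List[DnsAnswer], conns: List[TlsConn],
                         window: float = 300.0) -> List[Tuple[TlsConn, str]]:
    """One verdict per connection:
    ok            SNI is a name this endpoint resolved to dst_ip within `window`
    sni_mismatch  dst_ip came from a DNS answer for a different name
                  (simple and split modes both produce this)
    sni_hidden    ECH: inner SNI not visible, so the match cannot be verified
    no_dns        nothing resolved to dst_ip in the window (direct-to-IP mode)"""
    by_ip = defaultdict(list)                 # ip -> [(ts, qname)]
    for ts, qname, ip in answers:
        by_ip[ip].append((ts, qname.lower().rstrip(".")))
    results = []
    for conn in conns:
        ts, dst_ip, sni = conn
        recent = {q for t, q in by_ip.get(dst_ip, []) if 0 <= ts - t <= window}
        if not recent:
            verdict = "no_dns"
        elif sni is None:
            verdict = "sni_hidden"
        elif sni.lower().rstrip(".") in recent:
            verdict = "ok"
        else:
            verdict = "sni_mismatch"
        results.append((conn, verdict))
    return results

# Constructed sample: one allowed lookup, then four connections to inspect.
SAMPLE_ANSWERS = [(100.0, "whatismyipaddress.com", "104.19.223.79")]
SAMPLE_CONNS = [
    (101.0, "104.19.223.79", "whatismyipaddress.com"),  # split mode, first leg
    (102.0, "104.19.223.79", "evilsite.ai"),            # same IP, other SNI
    (103.0, "104.19.223.79", None),                     # ECH mode, SNI unreadable
    (104.0, "203.0.113.7", "evilsite.ai"),              # never resolved (TEST-NET-3)
]

def sample_verdicts() -> List[str]:
    return [v for _, v in classify_connections(SAMPLE_ANSWERS, SAMPLE_CONNS)]
```

The `sni_hidden` verdict is the honest answer for ECH: the correlation cannot be completed from passive telemetry, so that case needs a policy decision rather than a match.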
How This Differs from Domain Fronting
Domain fronting, which major CDN providers largely mitigated by 2018, relied on a mismatch between the SNI (showing the trusted domain) and the HTTP Host header (containing the hidden domain). CDNs fixed this by requiring the SNI and Host header to match.
Underminr takes a different approach. The mismatch is between the DNS-resolved destination and the hostname the CDN edge actually routes. In domain fronting, the SNI showed the trusted domain. In Underminr's simple mode, the SNI shows the hidden domain, but the connection goes to an IP that was obtained from a DNS lookup for the trusted domain. The CDN accepts both because they're both legitimate tenants on the same shared edge infrastructure.
Why This Is a DNS Problem
At its core, Underminr is an attack on the trust model that underpins DNS-based security. Protective DNS services work on a simple principle: if a domain is known-good, allow the resolution; if it's known-bad, block it. This works when there's a one-to-one relationship between a DNS answer and the content that gets served.
But in a world where thousands of domains share the same CDN edge IPs, that one-to-one relationship doesn't hold. A DNS answer for trusted-bank.com returns the same IP as attacker-c2.com because both are hosted on the same CDN. The DNS layer can't distinguish between the two at the IP level.
This means that DNS monitoring and DNS record awareness become critical defensive tools. If you don't know what IPs your domains resolve to, which CDN infrastructure you share, and how your DNS records relate to the broader shared-hosting ecosystem, you have a blind spot that attackers are actively exploiting.
The Impact on Domain Owners
Here's the part that catches most organizations off guard: you don't have to be the attacker or the target to be affected. Your domain's reputation is collateral damage.
If your domain resolves to a shared CDN edge IP that also serves a malicious domain, your domain can be used as the "clean" side of an Underminr attack. An attacker resolves your domain to get the trusted IP, then uses that IP to reach their malicious service. In forensic analysis after a breach, your domain name appears in the DNS logs as part of the attack chain. Your reputation is being borrowed without your knowledge or consent.
The Underminr research classifies domains into three categories:
- Green: Current checks did not produce a positive Underminr result
- Yellow: Domain is vulnerable (shares edge IPs with other tenants) but doesn't appear in known abuse lists
- Red: Domain is vulnerable and appears in known abuse lists, meaning it has been actively used as cover for malicious connections
You can check your own domains at underminr.ai.
How DNS Assistant Helps
DNS Assistant provides several layers of visibility that are directly relevant to defending against Underminr-style attacks and understanding your domain's exposure in shared-hosting ecosystems.
A Record and IP Address Monitoring
DNS Assistant continuously tracks the A and AAAA records for all your monitored domains, alerting you whenever an IP address changes. This matters for Underminr because understanding which IPs your domains resolve to, and whether those IPs are shared CDN edge addresses, is the foundation of assessing your exposure. If your CDN provider migrates your domain to a new edge IP, or if an IP change puts you on a shared edge with different tenants, DNS Assistant alerts you to the change so you can assess the implications.
CNAME and CDN Chain Tracking
Many domains reach CDN edge IPs through CNAME chains (e.g., www.yoursite.com CNAME to yoursite.cdn-provider.net, which resolves to the shared edge IP). DNS Assistant resolves the full CNAME chain and tracks the ultimate target. Changes in your CDN routing, whether intentional or not, are surfaced immediately. This is important because the Underminr vulnerability is a function of which CDN edge your domain lands on, and CNAME changes can shift that without warning.
Dangling DNS Detection
Dangling DNS records, where a CNAME or A record points to infrastructure you no longer control, are a related attack surface. If you decommission a cloud service but leave the DNS record pointing to it, an attacker can claim that service endpoint and potentially insert themselves into the same shared-edge ecosystem your domain occupies. DNS Assistant checks for dangling records across 22+ cloud provider fingerprints, identifying these risks before they're exploited.
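As an added example serving both the CNAME chain tracking and the dangling record checks above (not DNS Assistant's own code), this Python walks CNAME chains over a constructed record table, reports where each name lands, flags a chain that ends at a name with no record, and diffs landing IPs between two snapshots. All hostnames are placeholders; only 104.19.223.79 comes from the article.

```python
"""Walk CNAME chains over a zone snapshot, flag dangling targets and report
landing-IP changes between two snapshots.  Added example, not DNS Assistant's
code; the record tables are constructed, all hostnames are placeholders and
only 104.19.223.79 comes from the article."""
from typing import Dict, List, Optional, Tuple

Records = Dict[str, Tuple[str, str]]   # owner name -> ("CNAME", target) | ("A", ip)

def walk_chain(records: Records, name: str, max_hops: int = 8
               ) -> Tuple[List[str], Optional[str], str]:
    """Follow CNAMEs from `name`. Returns (chain, landing_ip, status) where status
    is 'ok', 'dangling' (chain ends at a name with no record) or 'loop'."""
    chain, seen = [name], {name}
    for _ in range(max_hops):
        rec = records.get(chain[-1])
        if rec is None:                      # NXDOMAIN / no answer: dangling
            return chain, None, "dangling"
        rtype, value = rec
        if rtype == "A":
            return chain, value, "ok"
        if value in seen:                    # CNAME cycle
            return chain + [value], None, "loop"
        seen.add(value)
        chain.append(value)
    return chain, None, "loop"               # hop limit hit, treat as broken

def diff_landings(before: Records, after: Records, names: List[str]) -> Dict[str, tuple]:
    """Names whose landing IP or status changed: name -> ((ip, status) before, after)."""
    changes = {}
    for n in names:
        b, a = walk_chain(before, n)[1:], walk_chain(after, n)[1:]
        if b != a:
            changes[n] = (b, a)
    return changes

# Constructed snapshots. old.example.com. still points at a decommissioned host.
BEFORE: Records = {
    "www.example.com.": ("CNAME", "example.cdn-provider.example."),
    "example.cdn-provider.example.": ("A", "104.19.223.79"),
    "old.example.com.": ("CNAME", "old-app.cloud-host.example."),
}
AFTER: Records = dict(BEFORE)
AFTER["example.cdn-provider.example."] = ("A", "198.51.100.10")   # CDN moved the edge (TEST-NET-2)

MONITORED = ["www.example.com.", "old.example.com."]
```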
CAA Record Monitoring
In shared-hosting environments, controlling who can issue TLS certificates for your domain is critical. CAA records restrict which Certificate Authorities can issue certificates for your domain, preventing unauthorized certificate issuance that could enable additional attack vectors on shared infrastructure. DNS Assistant monitors CAA records and alerts on changes.
NS Record and Delegation Validation
Your nameserver delegation is the root of your DNS trust chain. If your NS records are compromised, an attacker can redirect your domain's resolution entirely, potentially placing it on attacker-controlled infrastructure. DNS Assistant validates that your NS records match the expected delegation and alerts on any changes.
Comprehensive Change Alerting
Underminr attacks exploit the gap between what DNS says and what actually happens at the network level. DNS Assistant ensures you have complete visibility into everything DNS says about your domains: every record type, every change, every delegation. With alerts delivered via email, Slack, Microsoft Teams, webhooks, or SMS, your team is always aware of the current state of your DNS infrastructure.
What Organizations Should Do
1. Audit Your CDN Exposure
Check your domains at underminr.ai to understand whether they're vulnerable. If your domain shows as Yellow or Red, you have two options: work with your CDN provider to isolate your domain on dedicated infrastructure, or migrate to a hosting environment that isn't vulnerable.
2. Monitor Your DNS Records Continuously
Your A records, CNAME chains, and NS delegations determine which infrastructure your domain resolves to. Changes to any of these, whether authorized or not, can shift your exposure profile. DNS Assistant provides continuous monitoring and instant alerting for all record types.
3. Eliminate Dangling DNS Records
Abandoned CNAME records pointing to decommissioned services are a related attack surface that compounds the Underminr risk. DNS Assistant identifies dangling records across major cloud providers so you can remediate them before they're exploited.
4. Lock Down Certificate Issuance
Deploy CAA records to restrict which Certificate Authorities can issue certificates for your domains. In shared-hosting environments, unauthorized certificate issuance enables additional attack vectors. Monitor your CAA records with DNS Assistant to ensure the restrictions aren't weakened.
5. Understand Your DNS-to-Network Relationship
The Underminr vulnerability exists because DNS answers and network connections are evaluated separately. Defenders need to correlate DNS resolutions with actual connection destinations. The first step is knowing exactly what your DNS records say. DNS Assistant gives you that visibility across your entire domain portfolio.
6. Maintain Tight SPF, DKIM, and DMARC Policies
If your domain's reputation is being used as cover in Underminr-style attacks, the risk extends to email. Threat actors who associate your domain with malicious infrastructure may attempt email spoofing as part of broader campaigns. Strong email authentication policies, monitored by DNS Assistant, ensure that your domain can't be easily spoofed in related attacks.
The Bigger Picture
Underminr represents a fundamental challenge to the way modern internet security works. DNS-based filtering, which is a foundational element of enterprise security, assumes that allowing a DNS resolution means the resulting connection is to the resolved domain. In a world of shared CDN infrastructure, that assumption is broken.
The path forward requires defense in depth: correlating DNS resolutions with actual connections, monitoring DNS records for changes that shift infrastructure exposure, eliminating dangling records that expand the attack surface, and maintaining visibility into the full DNS chain from nameserver delegation through to the final IP address.
DNS Assistant provides the DNS visibility layer that makes this defense-in-depth approach possible. Continuous monitoring of every record type, real-time change detection, dangling DNS identification, WHOIS tracking, and configurable alerting give your team the information they need to understand and manage their DNS exposure.
Sign up at dnsassistant.com and get full visibility into your DNS infrastructure.