Post-Quantum Cryptography Is Coming, but Your DNS Might Not Be Ready
The transition to Post-Quantum Cryptography (PQC) introduces significantly larger cryptographic signatures, such as ML-DSA, which will force DNS responses to exceed standard UDP packet limits. This architectural shift will cause frequent fallbacks to TCP, introducing latency spikes and silent timeouts that pose a severe operational risk to automated, high-volume systems like agentic AI workflows. Furthermore, adversaries are already conducting 'Harvest now, decrypt later' attacks, underscoring the immediate need for organizations to map and secure their DNS and DNSSEC configurations across distributed cloud environments.
Detection / HunterGoogle
What Happened
The transition to new, quantum-resistant encryption methods is going to make digital signatures much larger than they are today. This size increase means that standard internet address lookups (DNS) will no longer fit into small, fast data packets, forcing systems to use slower connection methods. This slowdown can break automated systems and AI agents that rely on lightning-fast responses to function properly. Because attackers are already recording encrypted traffic today to break it in the future, organizations need to immediately map out their internet infrastructure and prepare their systems for these larger, heavier encryption standards.
Key Takeaways
- Post-quantum cryptography (PQC) introduces significantly larger signature sizes (e.g., ML-DSA), breaking the DNS assumption that responses fit within a single UDP packet.
- The shift to larger signatures will force frequent fallbacks to TCP, causing latency spikes and silent validation timeouts.
- Adversaries are actively conducting 'Harvest now, decrypt later' attacks to collect encrypted DNS records for future exploitation.
- Agentic AI workflows are particularly vulnerable to these latency spikes due to their reliance on rapid, high-volume DNS queries.
- Organizations must map their existing DNS configurations and cryptographic exposures to achieve true crypto-agility.
Affected Systems
- DNS Infrastructure
- DNSSEC
- Agentic AI Workflows
- Distributed Cloud Environments
Attack Chain
Adversaries are currently conducting 'Harvest now, decrypt later' operations by intercepting and storing encrypted DNS and network traffic. Once quantum computing matures, they intend to decrypt this historical data to uncover application use patterns, internal architecture, and organizational dependencies. In the future, attackers with quantum capabilities could forge DNSSEC signatures to redirect traffic at scale, bypassing current cryptographic protections.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article discusses architectural and cryptographic risks related to PQC and DNS, but does not provide specific detection rules or queries.
Detection Engineering Assessment
- EDR Visibility: None — The risks described are entirely network-based (DNS, TCP fallbacks, cryptographic signatures) and do not involve endpoint execution or malware.
- Network Visibility: High — Network sensors and DNS logs can monitor for increased DNS over TCP traffic, UDP truncation flags, and DNSSEC validation failures.
- Detection Difficulty: Moderate — Detecting the shift from UDP to TCP for DNS is straightforward, but distinguishing legitimate PQC-induced fallbacks from malicious or anomalous behavior requires baseline profiling.
Required Log Sources
- DNS Query Logs
- Network Flow Logs
- Passive DNS
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Monitor for a significant increase in DNS responses with the Truncation (TC) bit set, followed by DNS over TCP requests, indicating potential issues with large cryptographic signatures or misconfigurations. | DNS Query Logs, Network Flow Logs | Command and Control | High (Legitimate large DNS responses, such as those containing many TXT records or large DNSSEC keys, will also trigger this behavior) |
Control Gaps
- Lack of unified DNS visibility across distributed cloud environments
- Inability to inspect or validate future quantum-forged DNSSEC signatures
Key Behavioral Indicators
- Increased rate of DNS UDP truncation (TC bit)
- Spikes in DNS over TCP traffic
- Silent DNSSEC validation timeouts
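The hunting hypothesis above and the behavioral indicators just listed (TC-bit truncation, TCP fallback, silent timeouts) can be turned into a baseline check over DNS query logs. The following is an added example written for this page, not code from the article or from any vendor; the log format, the sample lines, the client names and the baseline thresholds are all constructed assumptions.

```python
"""Pair truncated (TC=1) UDP answers with the client's TCP retry for the same
name, then flag clients whose fallback ratio or fallback delay exceeds a
baseline. Sample log is constructed; the field layout is an assumption."""
from collections import defaultdict

# Constructed sample log: ts client qname proto tc-flag rcode
SAMPLE_LOG = """\
1700000000.001 10.0.0.5 api.example.test udp TC NOERROR
1700000000.004 10.0.0.5 api.example.test tcp - NOERROR
1700000000.010 10.0.0.7 www.example.test udp - NOERROR
1700000000.020 10.0.0.5 cdn.example.test udp TC NOERROR
1700000000.021 10.0.0.5 cdn.example.test tcp - NOERROR
1700000000.050 10.0.0.9 mail.example.test udp TC NOERROR
1700000000.900 10.0.0.9 mail.example.test tcp - SERVFAIL
1700000001.000 10.0.0.7 www.example.test udp - NOERROR
"""

def parse(lines):
    """Yield (ts, client, qname, proto, truncated, rcode) per log line."""
    for line in lines.splitlines():
        ts, client, qname, proto, tc, rcode = line.split()
        yield float(ts), client, qname, proto, tc == "TC", rcode

def tcp_fallbacks(lines, window=2.0):
    """Per-client counts of UDP queries, truncated answers, TCP fallbacks
    (a TCP retry of the same name within `window` seconds of a TC answer),
    SERVFAIL fallbacks and the worst fallback delay observed."""
    pending = {}  # (client, qname) -> timestamp of the truncated UDP answer
    stats = defaultdict(lambda: {"udp": 0, "truncated": 0, "fallback": 0,
                                 "servfail": 0, "max_delay": 0.0})
    for ts, client, qname, proto, truncated, rcode in parse(lines):
        s = stats[client]
        if proto == "udp":
            s["udp"] += 1
            if truncated:
                s["truncated"] += 1
                pending[(client, qname)] = ts
        elif proto == "tcp":
            t0 = pending.pop((client, qname), None)
            if t0 is not None and ts - t0 <= window:
                s["fallback"] += 1
                s["max_delay"] = max(s["max_delay"], ts - t0)
                if rcode == "SERVFAIL":
                    s["servfail"] += 1
    return dict(stats)

def flag_clients(stats, max_ratio=0.25, max_delay=0.5):
    """Clients whose fallback ratio or worst delay exceeds the assumed
    baseline; returns {client: fallback_ratio}."""
    flagged = {}
    for client, s in stats.items():
        ratio = s["fallback"] / s["udp"] if s["udp"] else 0.0
        if ratio > max_ratio or s["max_delay"] > max_delay:
            flagged[client] = round(ratio, 2)
    return flagged
```

The SERVFAIL count and the delay distinguish a fallback that merely slowed a lookup from one that silently failed, which is the case the agentic-workflow risk above turns on; the ratio threshold is the baseline that needs profiling per environment.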
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Audit existing DNS infrastructure to identify orphaned records, dangling CNAMEs, and abandoned subdomains.
Infrastructure Hardening
- Evaluate whether your current DNS infrastructure and third-party providers can support the operational shift to larger signature sizes and frequent TCP fallbacks.
- Map cryptographic dependencies across your distributed cloud estate to identify domains relying on vulnerable RSA or ECDSA-based DNSSEC signatures.
- Consolidate DNS visibility to ensure a unified view of configurations across AWS, Azure, Google Cloud, and third-party providers.
User Protection
- Consider implementing robust monitoring for automated and agentic AI workflows to detect silent timeouts caused by DNS resolution delays.
Security Awareness
- Educate engineering and architecture teams on the operational impacts of Post-Quantum Cryptography (PQC), specifically regarding network latency and protocol fallbacks.
MITRE ATT&CK Mapping
- T1040 - Network Sniffing
- T1565.002 - Data Manipulation: Transmitted Data Manipulation