How DNS stops cryptojacking

DNS may be the most reliable way to detect and eliminate cryptojacking cybercrime at an enterprise level. Learn how BlueCat Edge can help.

Key takeaways

This key takeaway was generated through LLMs crawling the page and coming up with an overview of the content.

The article explains how cryptojacking — unauthorized use of remote computing power to mine cryptocurrency — has risen to surpass ransomware as a primary malware threat because it is more profitable, stealthy, and easier to propagate. In enterprise and IoT environments cryptojacking is difficult to detect with conventional filters, firewalls, and ad blockers, but always requires outbound communication that makes DNS a reliable detection and mitigation point. Using a client-facing DNS security solution like BlueCat Edge, organizations can trace cryptomining DNS queries to specific devices in real time, block malicious communications, and monitor remediation to restore operational performance and prevent reinfection.

Why has cryptojacking become more attractive to attackers than ransomware?

Cryptojacking has become more attractive because it offers greater and steadier profit with lower risk of detection and remediation. Unlike ransomware, which requires victims who can or will pay and can be mitigated by backups or decryption tools, cryptojacking quietly uses victims’ compute cycles for mining and often just causes performance degradation that users dismiss as slowness. It is also simpler for attackers to deploy — malicious JavaScript and lightweight mining code can be embedded in compromised websites, mobile, and IoT devices — and can run continuously without needing ransom payments or interaction.

Why are traditional security controls like firewalls and ad blockers insufficient to stop cryptojacking?

Firewalls, filters, and ad blockers can block many known cryptomining payloads and prevent mining results from reaching external servers, but they often lack visibility into DNS-based command-and-control and cannot identify the source IPs of infected devices. They may treat symptoms by blocking payload data based on blacklists but fail to stop DNS queries used to orchestrate mining or to locate the compromised endpoint. This leaves devices infected and consuming resources even when outward mining traffic is partially blocked, so remediation and source identification remain unresolved.

How does BlueCat Edge use DNS to detect and remediate cryptojacking on a network?

BlueCat Edge monitors client-facing DNS traffic in real time to detect queries to domains associated with cryptomining services (for example Coinhive and Coinimp). By logging comprehensive DNS activity, it enables rapid association of malicious queries with individual device IPs so administrators can target remediation. Additionally, BlueCat Edge can enforce security policies to block the full range of communications between cryptomining software and remote servers and continue monitoring post-remediation to ensure malicious activity has stopped, restoring operational performance.

Cryptojacking – the use of remote computing power to mine cryptocurrency – wasn’t always a threat. Just a few months ago, online news outlets openly declared their intention to use the computing power of site visitors to generate Bitcoin, Ethereum, Monero, and other digital currency. The incentive: to replace lost ad revenue. Given that Bitcoin mining generates about 12.5 BTC every 10 minutes, or over $80,000 at today’s value, that’s about $4.2 billion a year.

However, once this idea caught on with criminals, cryptojacking quickly morphed into a serious cybersecurity problem and has begun to overtake ransomware as the more attractive form of malware.

Ransomware dominated as the most prevalent threat over the past few years, but has declined recently in favor of cryptojacking malware. Ransomware also requires a victim that can afford to or is willing to pay to retrieve their files. With new tools to prevent ransomware or services to decrypt files, and the cost of backup storage decreasing, the success of a ransomware attack has started to become less likely.

However, the profit potential with cryptojacking is greater and less likely to be discovered — victims generally just think their computer is running slower. There’s also a lot more simplicity on the cryptojacker’s end – it’s relatively easy for cybercriminals to embed JavaScript and other cryptojacking code in the websites they compromise.

Now there are stories of entire networks slowing to a crawl as malware mines in the background, devices catching fire because their CPUs are overtaxed, and gaming software serving as a cover for cryptocurrency scams.

The role of DNS in cryptojacking

Most filters, firewalls, and ad blockers have been reprogrammed to stop common cryptomining malware and browser extensions like Coinhive. Unfortunately, this hasn’t done much to stop the spread of cryptomining on mobile and other IoT devices, many of which are easily compromised through hard-coded credentials and the use of unsecured public networks.

Finding and eliminating the source of cryptojacking can be difficult – it can be hiding just about anywhere on the network. Yet all cryptojacking attempts do have one thing in common: they have to communicate out.

DNS may be the most reliable way to detect and eliminate cryptojacking at an enterprise level. Filters, firewalls, and ad blockers can stop some communication with remote servers or identify malicious payloads, but often lack insight into the source IP and are unable to deal with infected IoT devices.

With a client-facing DNS security system like BlueCat Edge, cryptojacking can be easily traced to a source device in real time and blocked until the device has been cleansed. Perhaps just as importantly, BlueCat Edge can monitor those devices after remediation to ensure that the malicious activity has stopped.

Mitigating cryptojacking on a customer network

BlueCat Edge recently helped a BlueCat customer discover and remediate wide-scale cryptojacking on its network. After installing BlueCat Edge, the customer was able to quickly identify multiple DNS queries for sites associated with known cryptojacking software such as Coinhive and Coinimp. The mining operations were highly coordinated and targeted, occurring largely at times of day when use of computing resources was low and the activity was less likely to be discovered.

The customer’s existing firewall settings were able to treat the symptoms of cryptojacking, but not eliminate the underlying problem. The firewall effectively blocked transmission of the cryptomining results back to the remote server, based on blacklists applied to payload data. Yet the firewall failed to block DNS-based command and control functions, and was unable to identify the source IP of infected devices. The clients were still infected and using up valuable computing resources, even if the results of that compute weren’t making it to the outside internet.

With the comprehensive client-facing logs produced by BlueCat Edge, the customer was able to quickly associate cryptojacking activity with individual devices and direct its remediation activity accordingly. With the security policy functions of BlueCat Edge, the customer will be able to disrupt the full range of communication between the cryptojacking software and remote servers.
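The detection idea in the two sections above (every miner must resolve the service it reports to, so client-facing DNS logs tie the activity to a source IP, and the customer's miners ran at low-usage times of day) can be shown in a small script. This is an added example, not BlueCat Edge code or the customer's data: the log line format, the three watchlist entries, the business-hours window and the sample log lines are all assumptions constructed for the illustration.

```python
"""Correlate client-facing DNS query logs with a cryptomining domain watchlist.

Added example (not BlueCat's code). Matching is on label boundaries, not
substrings, so 'ws.coinhive.com' matches 'coinhive.com' but
'coinhive.com.internal.example.net' does not, which keeps the block list
from catching unrelated names that merely contain a watchlisted string.
"""
from collections import defaultdict
from datetime import datetime
from typing import Optional

# Assumed watchlist for the services the article names (illustrative entries).
CRYPTOMINING_DOMAINS = {"coinhive.com", "coin-hive.com", "coinimp.com"}

# Constructed sample log, not real traffic. Assumed line format:
# "<ISO timestamp> <client IP> <query name> <query type>"
SAMPLE_LOG = """\
2018-05-14T02:11:07Z 10.20.30.41 ws.coinhive.com A
2018-05-14T02:11:09Z 10.20.30.41 ws.coinhive.com A
2018-05-14T02:14:52Z 10.20.30.77 www.coinimp.com A
2018-05-14T03:30:00Z 10.20.30.88 www.coinimp.com AAAA
2018-05-14T09:03:10Z 10.20.30.41 www.example.com A
2018-05-14T11:45:00Z 10.20.30.77 www.coinimp.com A
2018-05-14T12:00:00Z 10.20.30.41 coinhive.com.internal.example.net A
"""


def matches_watchlist(qname: str, watchlist=CRYPTOMINING_DOMAINS) -> Optional[str]:
    """Return the watchlist entry that qname equals or is a subdomain of, else None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def parse_line(line: str):
    """Split one log line into (timestamp, client IP, query name, query type)."""
    ts, client, qname, qtype = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qname, qtype


def find_cryptojacking(log_text: str) -> dict:
    """Map each client IP with watchlist hits to the names it queried,
    the watchlist entries matched, the query count and the hours of day seen."""
    hits = defaultdict(lambda: {"qnames": set(), "matched": set(),
                                "queries": 0, "hours": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, _ = parse_line(line)
        entry = matches_watchlist(qname)
        if entry is None:
            continue
        rec = hits[client]
        rec["qnames"].add(qname.rstrip(".").lower())
        rec["matched"].add(entry)
        rec["queries"] += 1
        rec["hours"].add(ts.hour)
    return dict(hits)


def off_hours_clients(hits: dict, business_hours=range(8, 18)) -> list:
    """Clients whose watchlisted queries all fall outside the (assumed) business hours,
    the pattern the article reports for the customer's miners."""
    return sorted(ip for ip, rec in hits.items()
                  if not any(h in business_hours for h in rec["hours"]))


def block_policy(hits: dict) -> list:
    """Watchlist entries actually seen, i.e. the domains to block at the resolver."""
    return sorted({d for rec in hits.values() for d in rec["matched"]})


if __name__ == "__main__":
    found = find_cryptojacking(SAMPLE_LOG)
    for ip, rec in sorted(found.items()):
        print(f"{ip}: {rec['queries']} queries to {sorted(rec['qnames'])}"
              f" at hours {sorted(rec['hours'])}")
    print("off-hours only:", off_hours_clients(found))
    print("block at resolver:", block_policy(found))
```

Two design points matter in practice: the per-client record is what lets remediation be directed at a device rather than at a domain, and the resolver block list is derived from the watchlist entries that were actually queried, so the policy can be applied and then re-checked against fresh logs to confirm the activity has stopped after cleanup.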

Staying one step ahead

The presence of multiple layers of cryptojacking on the customer network suggests that this is an evolving threat in which malicious actors will use a variety of methods to infiltrate and exploit large networks. Thankfully, the ubiquitous nature of DNS and its central role in exfiltration of cryptomining data allows BlueCat Edge to quickly identify and mitigate this growing threat.

Learn more about how to make DNS your first line of defense.



BlueCat provides core services and solutions that help our customers and their teams deliver change-ready networks. With BlueCat, organizations can build reliable, secure, and agile mission-critical networks that can support transformation initiatives such as cloud adoption and automation. BlueCat’s growing portfolio includes services and solutions for automated and unified DDI management, network security, multicloud management, and network observability and health.
