DNS Attacks Explained: Spoofing, Hijacking, and Poisoning

The Domain Name System (DNS) is one of the most critical -- and most overlooked -- pieces of internet infrastructure. Every time you type a website address, DNS translates that human-readable name into the IP address your computer needs to make the connection. Because DNS is so fundamental, it is also a prime target for attackers.

How DNS Works (A Quick Review)

DNS is a hierarchical system that resolves domain names to IP addresses through a series of lookups:

  1. You type example.com into your browser.
  2. Your device checks its local cache. If the answer is not there, it asks your configured DNS resolver (usually your ISP's or a public resolver like 1.1.1.1 or 8.8.8.8).
  3. The resolver checks its cache. If it does not have the answer, it queries the root DNS servers, which direct it to the TLD (top-level domain) servers for .com.
  4. The TLD servers point to the authoritative DNS server for example.com, which returns the actual IP address.
  5. The resolver caches the result and returns it to your device.

This entire process typically happens in milliseconds. But in traditional DNS the response is neither authenticated nor encrypted: a resolver accepts whichever reply arrives first, provided it carries the 16-bit transaction ID the resolver chose, arrives at the port the query left from, and repeats the question that was asked. That is where the problems begin.

DNS Spoofing and Cache Poisoning

DNS spoofing is the forging of DNS responses so that a victim resolves a name to an attacker's IP address. When a resolver accepts a forged response and stores it, the result is DNS cache poisoning: every client of that resolver receives the bad answer until the entry expires. Instead of reaching bank.com, you reach an attacker's server that looks identical to the real site.

The most famous example is the Kaminsky attack, published by researcher Dan Kaminsky in 2008. At the time a resolver would accept any response that carried the matching 16-bit transaction ID, and most resolvers sent every query from the same source port, so an attacker guessing blindly had only 65,536 possibilities to cover. Kaminsky's refinement was to make the resolver look up names it could not already have cached, such as random subdomains of bank.com: each lookup gave the attacker a fresh race rather than a wait for the cache to expire, and the forged responses carried records naming the attacker's server as bank.com's authoritative nameserver. Once one forged response was accepted before the legitimate one, the resolver's cache was poisoned and every user of that resolver was sent to the attacker's server until the poisoned entry expired.

Kaminsky's coordinated disclosure led to emergency patches across the DNS ecosystem, chiefly randomizing the source port of every query so that an attacker must guess both the transaction ID and the port, roughly 2^32 combinations instead of 2^16. That makes blind spoofing impractical, though not impossible, and an attacker who can observe the traffic still sees both values. The fundamental weakness, that DNS responses are not cryptographically signed by default, remains.
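To make the race concrete, here is an added example (not code from the article): a minimal DNS wire-format builder and parser, the checks a resolver makes before it caches a reply, and the odds a blind attacker faces with and without port randomization. The zone bank.com, the nameserver ns1.bank.com, the address 203.0.113.5 and all IDs are constructed; the pre-2008 fixed port and the bailiwick rule are standard resolver behaviour, not details taken from the page.

```python
# Added example, not from the article: a minimal DNS wire-format
# builder/parser and the checks a resolver makes before caching a reply.
# The zone bank.com, the address 203.0.113.5 and all IDs are constructed.
import random
import struct

def encode_name(name: str) -> bytes:
    """'www.bank.com' -> b'\\x03www\\x04bank\\x03com\\x00'."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_response(txid: int, qname: str, qtype: int, records: list) -> bytes:
    """records: (section, name, rtype, ttl, rdata bytes); section is answer/authority/additional."""
    counts, body = {"answer": 0, "authority": 0, "additional": 0}, b""
    for section in counts:
        for sec, name, rtype, ttl, rdata in records:
            if sec == section:
                counts[section] += 1
                body += encode_name(name) + struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, counts["answer"], counts["authority"], counts["additional"])
    return header + encode_name(qname) + struct.pack(">HH", qtype, 1) + body

def read_name(msg: bytes, off: int):
    """Decode a name at msg[off], following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appeared in the packet)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_response(msg: bytes) -> dict:
    """Header ID and flags, the question, and every record in all three sections."""
    txid, flags, _qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    qtype = struct.unpack(">H", msg[off:off + 2])[0]
    off += 4
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
            rdata = msg[off + 10:off + 10 + rdlen]
            off += 10 + rdlen
            if rtype == 1 and rdlen == 4:               # A record: render as dotted quad
                rdata = ".".join(str(b) for b in rdata)
            records.append((section, name, rtype, ttl, rdata))
    return {"id": txid, "flags": flags, "question": (qname, qtype), "records": records}

def resolver_send(qname: str, zone: str, randomize_port: bool = True) -> dict:
    """State the resolver keeps for an outstanding query. Pre-2008 resolvers
    used one fixed source port, so only the 16-bit ID was unpredictable."""
    port = random.randrange(1024, 2**16) if randomize_port else 53
    return {"id": random.randrange(2**16), "port": port, "qname": qname, "qtype": 1, "zone": zone}

def accept_response(sent: dict, resp: dict, arrived_on_port: int):
    """Checks before caching: right port, right ID, same question, and every
    record inside the zone being queried (the bailiwick rule). Forged
    bank.com NS records pass all four for a bank.com query, which is exactly
    what the Kaminsky attack relied on; only the ID and port stand in the way."""
    if arrived_on_port != sent["port"]:
        return False, "arrived on the wrong port"
    if resp["id"] != sent["id"]:
        return False, "transaction ID mismatch"
    if resp["question"] != (sent["qname"], sent["qtype"]):
        return False, "question section differs from the query"
    for _sec, name, _rtype, _ttl, _rdata in resp["records"]:
        if name != sent["zone"] and not name.endswith("." + sent["zone"]):
            return False, f"{name} is outside the {sent['zone']} bailiwick"
    return True, "accepted and cached"

def spoof_success_probability(forged_packets: int, port_randomized: bool) -> float:
    """Chance that at least one blindly guessed forged reply matches, for an
    attacker guessing uniformly over the ID (and, if randomized, the port)."""
    space = 2**16 * ((2**16 - 1024) if port_randomized else 1)
    return 1 - (1 - 1 / space) ** forged_packets

if __name__ == "__main__":
    sent = resolver_send("zx9k2.bank.com", "bank.com")
    forged = build_response(sent["id"] ^ 1, "zx9k2.bank.com", 1, [   # wrong ID: a losing guess
        ("authority", "bank.com", 2, 86400, encode_name("ns1.bank.com")),
        ("additional", "ns1.bank.com", 1, 86400, bytes([203, 0, 113, 5])),
    ])
    print(accept_response(sent, parse_response(forged), sent["port"]))
    for n in (1, 65536):
        print(n, spoof_success_probability(n, False), spoof_success_probability(n, True))
```

With 65,536 forged packets the attacker has about a 63% chance against a fixed-port resolver and well under one in ten thousand against a port-randomizing one; since the race repeats for every uncacheable name, the absolute numbers matter less than the factor of roughly 64,000 between them.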

DNS Hijacking

While spoofing targets the protocol itself, DNS hijacking compromises the DNS infrastructure:

  • Registrar account takeover -- Attackers gain access to the domain registrar account (through phishing, credential stuffing, or social engineering) and change the domain's DNS records to point to their own servers. This has happened to major companies and cryptocurrency platforms.
  • Router DNS modification -- Compromised home routers can have their DNS settings changed to point to attacker-controlled DNS servers. All devices on the network then receive poisoned DNS responses for targeted domains.
  • ISP-level manipulation -- Some ISPs rewrite NXDOMAIN (non-existent domain) responses so that mistyped names land on their own advertising pages. While not malicious in the traditional sense, this breaks the protocol's contract and interferes with software that depends on an honest "no such name" answer, including some security tools.

DNS Tunneling

DNS tunneling is a technique that uses DNS queries to smuggle data in and out of a network. Because DNS traffic is almost always allowed through firewalls -- it is essential for normal internet use -- attackers can encode data in DNS queries and responses to bypass security controls.

An attacker registers a domain and makes a server they control authoritative for it. The compromised machine inside the target network sends queries for subdomains like encoded-data-here.attacker.com. The local resolver has nothing cached for such a name, so it forwards each query up the normal hierarchy until it reaches the attacker's server, which means the compromised host never has to contact the attacker directly. Each query looks like an ordinary lookup but carries a chunk of exfiltrated data in its labels (base32 is typical, because DNS names are case-insensitive and resolvers may rewrite case). The attacker's server decodes the queries and can send commands back in its responses, for example in TXT records.

DNS tunneling is hard to detect because DNS traffic is expected on every network. It does, however, produce patterns that normal use does not: a single domain receiving a steady stream of subdomains that never repeat, long labels that look like encoded data rather than words, unusual record types such as TXT or NULL, and a query rate far higher than any user or application generates by resolving names.
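The following is an added example, not code from the article or from any real tunneling tool: it shows the client-side encoding described above, the server-side decoding, and a scorer that runs the detection heuristics over a query log. The zone attacker.example, the benign log entries, the 2 KiB of "exfiltrated" data and the thresholds are all constructed for the demonstration.

```python
# Added example, not from the article: how a tunnelling client packs data
# into query names, how the attacker's authoritative server recovers it,
# and a scorer that flags the resulting pattern in a query log. The zone
# attacker.example, the benign log lines and the thresholds are constructed.
import base64
import hashlib
import math
from collections import defaultdict

MAX_LABEL = 63                 # RFC 1035 limit per label
MAX_NAME = 253                 # practical limit for a whole name

def tunnel_queries(data: bytes, domain: str, labels_per_query: int = 3) -> list:
    """Client side. base32 rather than base64 because DNS names are
    case-insensitive and resolvers may change case in transit."""
    text = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    queries = []
    for seq, i in enumerate(range(0, len(labels), labels_per_query)):
        name = ".".join([str(seq)] + labels[i:i + labels_per_query] + [domain])
        if len(name) > MAX_NAME:
            raise ValueError("query name too long; use fewer labels per query")
        queries.append(name)
    return queries

def decode_tunnel(queries: list, domain: str) -> bytes:
    """Server side: order by the sequence label, strip the zone, re-pad, decode."""
    ordered = sorted(queries, key=lambda q: int(q.split(".")[0]))
    text = "".join("".join(q[: -len(domain) - 1].split(".")[1:]) for q in ordered).upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))

def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(name: str) -> str:
    """Toy: last two labels. Real code should use the public suffix list."""
    return ".".join(name.split(".")[-2:])

def score_log(queries: list, min_queries: int = 10) -> dict:
    """Return {domain: [reasons]} for domains whose queries look like a tunnel.
    Thresholds are illustrative; tune them against your own baseline."""
    stats = defaultdict(lambda: {"count": 0, "unique": set(), "long": 0, "random": 0})
    for q in queries:
        d = registered_domain(q)
        sub = q[: -len(d) - 1] if q != d else ""
        s = stats[d]
        s["count"] += 1
        s["unique"].add(sub)
        if len(sub) > 50:
            s["long"] += 1
        if len(sub) >= 20 and entropy(sub.replace(".", "")) > 3.8:
            s["random"] += 1
    flagged = {}
    for d, s in stats.items():
        if s["count"] < min_queries:
            continue
        reasons = []
        if len(s["unique"]) / s["count"] > 0.9:
            reasons.append("almost every query has a never-seen subdomain")
        if s["long"] / s["count"] > 0.5:
            reasons.append("most subdomains longer than 50 characters")
        if s["random"] / s["count"] > 0.5:
            reasons.append("subdomains look like encoded data (high entropy)")
        if len(reasons) >= 2:                     # require two signals to limit false positives
            flagged[d] = reasons
    return flagged

# Constructed sample log: ordinary browsing plus one tunnelling session.
BENIGN = (["www.example.com"] * 12 + ["mail.example.com"] * 4 + ["cdn.example.com"] * 3
          + ["api.github.com"] * 6 + ["www.github.com"] * 5)
SECRET = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))   # 2 KiB of pseudo-random "data"
TUNNEL = tunnel_queries(SECRET, "attacker.example")

if __name__ == "__main__":
    print(TUNNEL[0][:80] + "...")
    assert decode_tunnel(TUNNEL, "attacker.example") == SECRET
    for domain, reasons in score_log(BENIGN + TUNNEL).items():
        print(domain, reasons)
```

Two KiB of data fits in 18 queries here, which is why tunnels show up in per-domain statistics rather than in any single packet; in a real deployment the public-suffix handling, the thresholds and the list of allowed domains would all come from your own environment.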

Defenses Against DNS Attacks

DNSSEC (DNS Security Extensions)

DNSSEC adds cryptographic signatures to DNS records, so that a validating resolver can verify that the data was signed by the zone's key and has not been altered in transit. A spoofed answer fails validation and is rejected. Three caveats apply. DNSSEC signs but does not encrypt, so it provides no privacy. Validation normally happens at the recursive resolver, so the hop from your device to that resolver is only as safe as the path itself unless you also use DoT or DoH. And it does nothing against a registrar account takeover, since whoever controls the account can change the DS records along with everything else. DNSSEC adoption has been growing but is still not universal; many domains are unsigned and many resolvers do not validate.

DNS over HTTPS (DoH) and DNS over TLS (DoT)

Traditional DNS queries are sent in plaintext, visible to anyone on the network path. DNS over HTTPS (DoH) carries DNS queries inside HTTPS connections, preventing eavesdropping between your device and the resolver and making it far harder for anyone on that path to forge responses. DNS over TLS (DoT) provides the same protection using TLS directly, on port 853. Both protect only that first hop: the resolver still has to query authoritative servers, typically in plaintext, so DoH and DoT complement DNSSEC rather than replace it, and they also place full trust in the resolver operator. Both Firefox and Chrome support DoH, and you can enable it in your browser settings.

Use Reputable DNS Providers

Public DNS resolvers like Cloudflare (1.1.1.1), Google (8.8.8.8), and Quad9 (9.9.9.9) support DNSSEC validation and encrypted DNS. Quad9 additionally blocks known malicious domains, providing a layer of threat protection at the DNS level.

Monitor for DNS Changes

For organizations, monitoring DNS records for unexpected changes is essential, and NS and DS records deserve the closest watch, since changing them hands control of the whole zone to someone else. Services can alert you when your domain's records change, and a registrar lock plus two-factor authentication on the registrar account make such changes harder to make in the first place. Certificate transparency logs list every publicly trusted certificate issued for your domain; a certificate nobody on your team requested is not proof of hijacking, but it is a red flag worth immediate investigation, because an attacker who controls your DNS can pass domain validation and obtain one.
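Here is an added example of both checks, not code from the article or any monitoring product: it compares the record set an organization intends to publish against what is currently served, ranks the differences by how much control they hand over, and flags entries in a certificate transparency feed that do not match the issuers and names the organization actually uses. The zone example.com, the nameservers, the addresses, both record snapshots and the CT entries are constructed; a real deployment would fill the current snapshot from live lookups and the feed from a CT log monitor, and run on a schedule.

```python
# Added example, not from the article: detect drift between the DNS records
# an organisation intends to publish and what is currently served, and flag
# certificates in a CT feed that no one requested. The zone example.com, the
# addresses, both snapshots and the CT entries are constructed.

SEVERITY = {"NS": "critical", "DS": "critical", "A": "high", "AAAA": "high",
            "MX": "high", "CNAME": "high", "TXT": "medium"}

# Baseline captured the last time the records were changed on purpose.
EXPECTED = {
    ("example.com.", "NS"): {"ns1.example-dns.net.", "ns2.example-dns.net."},
    ("example.com.", "A"): {"203.0.113.10"},
    ("example.com.", "MX"): {"10 mail.example.com."},
    ("www.example.com.", "CNAME"): {"example.com."},
    ("example.com.", "TXT"): {'"v=spf1 mx -all"'},
}

# What a resolver returns today (constructed): one NS and the MX have been swapped out.
CURRENT = {
    ("example.com.", "NS"): {"ns1.example-dns.net.", "dns.attacker.example."},
    ("example.com.", "A"): {"203.0.113.10"},
    ("example.com.", "MX"): {"10 mx.attacker.example."},
    ("www.example.com.", "CNAME"): {"example.com."},
    ("example.com.", "TXT"): {'"v=spf1 mx -all"'},
}

def dns_drift(expected: dict, current: dict) -> list:
    """Return (severity, name, rtype, change, value) for every difference,
    most severe first. A vanished RRset is reported too: deleting the MX
    record is a change worth knowing about."""
    findings = []
    for key in sorted(set(expected) | set(current)):
        name, rtype = key
        sev = SEVERITY.get(rtype, "low")
        want, have = expected.get(key, set()), current.get(key, set())
        for value in sorted(have - want):
            findings.append((sev, name, rtype, "added", value))
        for value in sorted(want - have):
            findings.append((sev, name, rtype, "removed", value))
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: order[f[0]])

# Constructed CT log entries: (issuer, subject alternative names, logged_at).
CT_FEED = [
    ("Let's Encrypt", ["example.com", "www.example.com"], "2024-03-01"),
    ("DigiCert", ["shop.example.com"], "2024-03-02"),
    ("Let's Encrypt", ["example.org"], "2024-03-02"),
]

def unexpected_certificates(feed: list, domain: str, allowed_issuers: set, known_names: set) -> list:
    """Flag certificates covering our domain whose issuer we do not use, or
    whose names we never asked for. Either deserves an immediate look: an
    attacker who controls DNS can pass domain validation and obtain one."""
    hits = []
    for issuer, names, logged_at in feed:
        ours = [n for n in names if n == domain or n.endswith("." + domain)]
        if not ours:
            continue
        if issuer not in allowed_issuers:
            hits.append((logged_at, issuer, ours, "issuer not on allowlist"))
        elif not set(ours) <= known_names:
            hits.append((logged_at, issuer, ours, "certificate for a name we did not request"))
    return hits

if __name__ == "__main__":
    for finding in dns_drift(EXPECTED, CURRENT):
        print(*finding)
    for hit in unexpected_certificates(CT_FEED, "example.com", {"Let's Encrypt"},
                                       {"example.com", "www.example.com"}):
        print(*hit)
```

The NS change is reported first because it is the one that matters: with a foreign nameserver in the delegation, every other record can be rewritten at will, and the attacker can then request certificates that will pass any CA's domain validation.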

DNS was designed in an era of trust. The security additions bolted on since then -- DNSSEC, DoH, DoT -- address the most critical weaknesses, but they require active adoption. Configuring encrypted DNS on your devices and router is one of the simplest, most impactful security improvements you can make.
