What are DNS attacks and defenses?

The Domain Name System (DNS) is the phonebook of the Internet. DNS servers provide the path through which Internet devices can look up web servers to access web content. The DNS translates human-readable domain names to computer-readable IP addresses.

An example of this translation is as follows:

Figure: Translation from domain name to IP address

A few relevant properties of DNS are as follows:

  • DNS is path-critical

  • DNS employs caching to minimize lookups

Threats related to DNS might include eavesdropping (an attacker can observe the DNS queries) or manipulation (an attacker can manipulate queries).

The illustration below shows these threats:

Figure: DNS attacks (eavesdropping and manipulation of queries)

DNS spoofing

In this attack, the attacker modifies the DNS records to redirect the online traffic to a malicious website resembling the intended website.

The attacker can achieve this by associating a malicious IP address of their choice with a known domain name. This altered mapping of the known domain to the new IP address is saved in the DNS cache and can persist for seconds, weeks, or even months; this is referred to as cache poisoning.

Once the user lands on the malicious website, the attacker can steal the user’s private information or login credentials. Additionally, the attacker can cause the malicious website to install malware on the user’s computer.

Defenses

A relevant defense against DNS spoofing is bailiwick checking: only DNS records that belong to the domain of the name server being queried are accepted. So, for example, if the name server queried is edu.pk, the resolver only accepts additional DNS records for names under *.edu.pk.
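A minimal implementation of the bailiwick rule described above, as an added example that is not part of the original article. It models the resolver side only: given the zone the queried name server is responsible for (here the article's edu.pk), it keeps additional-section records whose owner name sits inside that zone and discards the rest. The record names and addresses are constructed sample data, and the `Record` type and function names are this example's own, not those of any real resolver.

```python
"""Bailiwick check for DNS additional-section records (added example).

A resolver that applies this rule will not cache an out-of-zone record
(for example an A record for a bank's host name) that a name server for
edu.pk slipped into the additional section of its reply.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str   # owner name, e.g. "ns1.uni.edu.pk"
    rtype: str  # record type, e.g. "A"
    data: str   # record data, e.g. an IPv4 address


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so comparisons are consistent."""
    return name.lower().rstrip(".")


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or is a label-aligned subdomain of it.

    The "." prefix matters: "fakeedu.pk" ends with "edu.pk" but is NOT
    inside the edu.pk zone, so a plain suffix test would be wrong.
    """
    n, z = normalize(name), normalize(zone)
    return n == z or n.endswith("." + z)


def filter_additional(zone: str, records: list[Record]) -> tuple[list[Record], list[Record]]:
    """Split additional-section records into (accepted, rejected) by bailiwick."""
    accepted = [r for r in records if in_bailiwick(r.name, zone)]
    rejected = [r for r in records if not in_bailiwick(r.name, zone)]
    return accepted, rejected


# Constructed sample reply from a name server for edu.pk. The 192.0.2.0/24
# addresses are documentation-only values, not real hosts.
SAMPLE_ZONE = "edu.pk"
SAMPLE_ADDITIONAL = [
    Record("ns1.uni.edu.pk", "A", "192.0.2.10"),      # in zone: keep
    Record("EDU.PK.", "A", "192.0.2.11"),            # the zone apex itself: keep
    Record("www.bank.example", "A", "192.0.2.99"),   # unrelated zone: drop
    Record("fakeedu.pk", "A", "192.0.2.98"),         # suffix trick: drop
]


def demo() -> tuple[list[Record], list[Record]]:
    """Run the check over the constructed sample and return both lists."""
    return filter_additional(SAMPLE_ZONE, SAMPLE_ADDITIONAL)


if __name__ == "__main__":
    ok, dropped = demo()
    for r in ok:
        print("accepted:", r)
    for r in dropped:
        print("rejected (out of bailiwick):", r)
```

The label-aligned comparison is the part worth copying: a bare `endswith("edu.pk")` would let a name such as `fakeedu.pk` through, which is exactly the kind of record a poisoning attempt would rely on.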

Blind spoofing

An attacker who cannot eavesdrop on (observe) the DNS queries, unlike in the attack mentioned previously, is an off-path attacker. The blind spoofing attack involves guessing the identification number, one of the fields required by the DNS protocol.

The attacker generates a series of bogus name lookups and replies, each with a different identification number, to win the race against the legitimate reply from the DNS server. If a guess matches, the attacker successfully poisons the cache and can redirect users to alternate servers rather than the intended ones.

Defenses

The primary defense against blind spoofing is to use identification numbers that are difficult to guess (for example, a 32-bit identification number instead of a 16-bit one).
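The following is an added example, not code from the original article, showing the two resolver-side pieces behind this defense. `hit_probability` quantifies how much a wider identification space helps: it is the chance that a burst of distinct guessed replies contains the identifier a pending query is using. `PendingTable` is a toy resolver bookkeeping structure that issues unpredictable identifiers and accepts a reply only when it matches a pending query on identifier and question. It goes slightly beyond the article by also randomizing the query's UDP source port and matching on it, which is standard resolver practice for adding entropy; the `id_bits` parameter lets the reader compare the 16-bit and 32-bit cases the article mentions. All names, types and sample values here are this example's own assumptions.

```python
"""Resolver-side defenses against blind (off-path) spoofing (added example)."""
import secrets
from dataclasses import dataclass


def hit_probability(id_bits: int, guesses: int) -> float:
    """Chance that `guesses` distinct guessed identifiers include the one in use.

    With a single pending query and an identifier chosen uniformly at random,
    this is simply guesses / 2**id_bits, capped at 1.0.
    """
    space = 2 ** id_bits
    return min(1.0, guesses / space)


@dataclass(frozen=True)
class Query:
    qid: int       # identification number
    qname: str     # normalized question name
    qtype: str     # question type, e.g. "A"
    src_port: int  # randomized UDP source port (assumption beyond the article)


@dataclass(frozen=True)
class Reply:
    qid: int
    qname: str
    qtype: str
    dst_port: int  # port the reply was sent to; must equal the query's source port


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


class PendingTable:
    """Tracks outstanding queries and validates replies against them."""

    def __init__(self, id_bits: int = 16):
        self.id_bits = id_bits
        self.pending: dict[tuple[int, int], Query] = {}  # (qid, port) -> Query

    def new_query(self, qname: str, qtype: str) -> Query:
        """Issue a query with a cryptographically random ID and source port."""
        while True:
            qid = secrets.randbelow(2 ** self.id_bits)
            port = 1024 + secrets.randbelow(65536 - 1024)  # ephemeral range
            if (qid, port) not in self.pending:
                break
        q = Query(qid, _norm(qname), qtype, port)
        self.pending[(qid, port)] = q
        return q

    def accept(self, reply: Reply) -> bool:
        """Accept a reply only if ID, port and question all match a pending query.

        A reply that matches nothing (a wrong guess) is dropped, and once a
        query is answered it is removed, so a late duplicate is dropped too.
        """
        q = self.pending.get((reply.qid, reply.dst_port))
        if q is None or q.qname != _norm(reply.qname) or q.qtype != reply.qtype:
            return False
        del self.pending[(reply.qid, reply.dst_port)]
        return True


if __name__ == "__main__":
    # Constructed comparison: 1000 guessed replies arriving before the real one.
    for bits in (16, 32):
        print(f"{bits}-bit ID, 1000 guesses: p = {hit_probability(bits, 1000):.3e}")
    table = PendingTable(16)
    q = table.new_query("www.uni.edu.pk", "A")
    print("genuine reply accepted:", table.accept(Reply(q.qid, q.qname, "A", q.src_port)))
```

With 1000 guesses, the 16-bit case gives roughly a 1.5% chance per race, while the 32-bit case is below one in a million; the `accept` check is what turns a wrong guess into a silently dropped packet rather than a poisoned cache entry.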

Generally, the most effective defense against DNS attacks is the DNSSEC (Domain Name System Security Extensions) protocol. This protocol adds an authentication layer that helps protect against DNS spoofing.



HowDev By Educative. Copyright ©2025 Educative, Inc. All rights reserved