DNS Basics & Common Attacks
How DNS Resolution Works
When users type your domain, their request may traverse multiple trust points (flows vary by resolver caching, stub resolver config, and provider):
- Local device cache
- ISP/recursive DNS resolver
- Root nameservers
- TLD registry servers
- Your authoritative nameservers
Each step represents a potential attack surface where responses can be intercepted, modified, or poisoned. This multi-step process creates numerous opportunities for attackers to redirect users to malicious sites while their browser still shows the correct domain name.
Common Attack Vectors
- Social Engineering at Registrars: Attackers convince or bribe registrar support staff into treating them as the legitimate owner, using publicly available information about the real owner
- Expired Domain Sniping: Domains that lapse pass through a grace period and then become available for anyone to register (note: grace/redemption periods differ per TLD)
- DNS Hijacking: Unauthorized changes to DNS records redirecting traffic to malicious servers
- Email Interception (MX tampering): Altered MX records route mail to attacker-controlled servers, enabling password-reset interception and reading of communications
- DNS Tunneling: Encoding data within DNS queries for covert communication channels, often used for data exfiltration
- DNS Cache Poisoning: Injecting forged responses into a resolver's cache to redirect subsequent queries
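As an added example (not code from the original page), the DNS tunneling pattern above can be spotted in resolver logs by looking for clients that send many queries with long, high-entropy subdomains under one registered domain. The log format, thresholds, and the "last two labels" definition of a registered domain are assumptions; the sample log is constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver query log (not from the original page), one
# "<client-ip> <qname> <qtype>" per line; 10.0.0.7 shows tunnel-like traffic.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.5 www.example.com AAAA
10.0.0.7 a3f9c2e1b7d4.8e2f0c1a9b3d.tunnel.example.net TXT
10.0.0.7 9c1d4e7f2a5b.0f3e6d9c2b5a.tunnel.example.net TXT
10.0.0.7 4b8e1f3a6c9d.2e5f8a1b4c7d.tunnel.example.net TXT
10.0.0.7 7d2a5c8e1f4b.6a9c2e5f8b1d.tunnel.example.net TXT
10.0.0.9 cdn.example.org A
"""

def shannon_entropy(s):
    """Bits per character; encoded payloads in labels score high, words score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_name(qname):
    """Return (subdomain labels joined, registered domain). Assumption: the
    registered domain is the last two labels; real code should use the Public Suffix List."""
    labels = qname.lower().rstrip(".").split(".")
    return "".join(labels[:-2]), ".".join(labels[-2:])

def detect_tunneling(log_text, min_queries=3, min_sub_len=16, min_entropy=3.0):
    """Flag (client, domain) pairs with many queries whose subdomains are long and
    high-entropy, the signature of data encoded into query names."""
    subs_by_pair = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:          # skip blank or malformed lines
            continue
        sub, domain = split_name(parts[1])
        subs_by_pair[(parts[0], domain)].append(sub)
    flagged = []
    for (client, domain), subs in subs_by_pair.items():
        avg_len = sum(map(len, subs)) / len(subs)
        avg_ent = sum(map(shannon_entropy, subs)) / len(subs)
        if len(subs) >= min_queries and avg_len >= min_sub_len and avg_ent >= min_entropy:
            flagged.append((client, domain, len(subs), round(avg_ent, 2)))
    return flagged

for hit in detect_tunneling(SAMPLE_LOG):
    print("possible DNS tunnel: client=%s domain=%s queries=%d avg_entropy=%.2f" % hit)
```

Tune the thresholds against your own baseline traffic; CDNs and some anti-malware products also produce long machine-generated labels and will need allow-listing.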