DNS Attacks (Cache Poisoning, DNS Spoofing, and Tunneling)

#Compromising the Internet's Phonebook#link

The Domain Name System (DNS) translates human-readable domain names into IP addresses. Because early DNS was designed without cryptographic validation, attackers can manipulate DNS responses, poison caches, redirect users to malicious websites, or even abuse DNS itself as a covert communication channel.

Cache Poisoning and the Kaminsky Attack

DNS cache poisoning occurs when an attacker floods a recursive resolver with forged DNS responses. If a forged response is accepted before the legitimate one arrives, the resolver may cache a malicious IP address for a trusted domain. In 2008, security researcher Dan Kaminsky demonstrated a large-scale attack that exploited weaknesses in DNS transaction ID and source port randomization, making cache poisoning far more practical than previously believed.

The presence of an RRSIG record indicates that DNSSEC signatures are available. A validating resolver can use these signatures to verify the authenticity and integrity of the DNS response.

DNS Tunneling and Data Exfiltration

DNS tunneling abuses DNS queries and responses to transport arbitrary data. Attackers often encode stolen information into subdomains such as secret-data.attacker.com. Because DNS traffic is commonly allowed through firewalls and network filters, this technique can be used to exfiltrate sensitive information from compromised environments.

• ▪Deploy DNSSEC on authoritative zones
• ▪Use DNS firewalls and filtering services
• ▪Monitor query entropy and unusual DNS patterns
• ▪Restrict outbound DNS traffic to approved resolvers
• ▪Enable source port randomization and modern resolver protections