Module 2 · Lesson 1

DNS Security Landscape: Threats and Vulnerabilities

10 min read

Tags: dnssecurity · threat-model · attack-surface

Every authoritative DNS server on the internet is a public service by design, and any resolver that answers queries from the whole internet is one too, whether it was meant to be or not. Anyone can send it a query. Over UDP there is no handshake, so the response goes wherever the source IP says to send it, even if that address never asked. The protocol was built on the assumption that everyone is acting in good faith.

That assumption has been wrong for decades.

Understanding DNS security starts with understanding why attackers care about DNS. DNS isn't just a phone book. It's the entry point to your infrastructure. Compromise DNS, and you own the front door. Not the lock. The entire address of the building.

Why DNS Is a High-Value Target

When an attacker controls DNS responses for your domain, they can:

  • Redirect your users to their servers (phishing, credential harvesting)
  • Intercept email by redirecting your MX records
  • Obtain TLS certificates from any publicly trusted CA, because domain validation (DNS-01 directly, or HTTP-01 once the A record points at the attacker) checks exactly the thing they now control
  • Cause complete service outages by deleting records or redirecting traffic to a black hole

DNS hijacking isn't a stepping stone to the real attack. DNS hijacking is the attack.

Beyond targeted attacks on specific domains, DNS infrastructure itself is valuable for two reasons: amplification (DNS servers are excellent DDoS amplifiers) and resolution (a poisoned resolver can silently redirect millions of users).

The Threat Map

Here are the categories of DNS attacks, ordered roughly by frequency in the wild.

1. Amplification Attacks (High Volume, Daily Occurrence)

Attackers send small DNS queries over UDP with a spoofed source IP (your target's IP) and an EDNS0 buffer size that permits large UDP answers. The DNS server sends its large response to that IP. With the right query type (historically ANY, now typically DNSKEY or other DNSSEC-signed answers whose RRSIGs add hundreds of bytes), amplification factors of 50-70x are routine.

In principle, a 100 Gbps botnet becomes a 5-7 Tbps attack with a single hop through open resolvers.

This happens every day at scale. Cloudflare's DDoS report for Q3 2024 tracked DNS amplification as one of the top three UDP flood techniques. If you run an open resolver, you are almost certainly being used for this right now.
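As an added example (not code from the lesson), the following Python builds a DNS query in wire format with the EDNS0 OPT record that makes large UDP answers possible, builds a constructed reflector response to it, and computes the amplification factor. The domain, the record contents and the sizes are assumptions chosen to land in the range above:

```python
import struct

# Added example (not code from the lesson): build a DNS query in wire format,
# build a constructed reflector response to it, and compute the amplification
# factor a spoofing attacker gets. The name and record contents are made up.

QTYPE_TXT = 16
QTYPE_OPT = 41
QTYPE_ANY = 255
QCLASS_IN = 1
HEADER_LEN = 12


def encode_name(name):
    """Encode a dotted name as DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def question_length(msg, offset=HEADER_LEN):
    """Length of the question section (QNAME + QTYPE + QCLASS) at `offset`."""
    i = offset
    while msg[i] != 0:
        i += msg[i] + 1
    return (i + 1 + 4) - offset


def build_query(name, qtype, txid=0x1234, edns_udp_size=4096):
    """A recursion-desired query plus an EDNS0 OPT pseudo-RR. The OPT record's
    'class' field advertises how large a UDP answer the sender accepts; that
    is what turns a 40-byte packet into a multi-kilobyte reflection."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def advertised_udp_size(query):
    """EDNS0 payload size from the OPT record after the question, else 512."""
    i = HEADER_LEN + question_length(query)
    if i + 5 > len(query):
        return 512
    _, rtype, udp_size = struct.unpack("!BHH", query[i:i + 5])
    return udp_size if rtype == QTYPE_OPT else 512


def build_response(query, txt_strings, ttl=3600):
    """Constructed reflector answer: echoes the question and appends one TXT RR
    per string, owner name compressed to a pointer at offset 12. Refuses to
    exceed the advertised UDP size, because a real server would truncate
    (TC=1) instead and the attacker would lose the amplification."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[HEADER_LEN:HEADER_LEN + question_length(query)]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_strings), 0, 0)
    answers = b""
    for s in txt_strings:
        if len(s) > 255:
            raise ValueError("TXT character-string is limited to 255 bytes")
        rdata = bytes([len(s)]) + s
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, ttl, len(rdata)) + rdata
    response = header + question + answers
    if len(response) > advertised_udp_size(query):
        raise ValueError("answer exceeds advertised UDP size; server would set TC")
    return response


def amplification_factor(query, response):
    """Bytes the reflector emits toward the victim per byte the attacker sends."""
    return len(response) / len(query)


# Constructed demo: a 40-byte ANY query answered with twelve 200-byte TXT records.
QUERY = build_query("example.com", QTYPE_ANY)
RESPONSE = build_response(QUERY, [b"x" * 200] * 12)
FACTOR = amplification_factor(QUERY, RESPONSE)

if __name__ == "__main__":
    print(f"query {len(QUERY)} B, response {len(RESPONSE)} B, factor {FACTOR:.1f}x")
    print(f"100 Gbps of spoofed queries -> {100 * FACTOR / 1000:.1f} Tbps at the victim")
```

Nothing in the DNS payload is forged for reflection; the spoofed source address lives in the IP header, which is why BCP 38 ingress filtering at the attacker's network is what stops the spoofing, while the resolver operator controls the reflection side (restrict recursion to your own clients, rate-limit responses).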

2. Cache Poisoning (Medium Frequency, High Impact)

A resolver caches a forged answer and serves it to every subsequent user. The forgery only has to arrive before the legitimate answer and match what the resolver is waiting for: the query name, the 16-bit transaction ID, and the UDP source port. Before the Kaminsky patch in 2008 most resolvers used a fixed or predictable source port, so the attacker had to guess 16 bits, and Kaminsky showed the attempts could be repeated indefinitely by querying fresh random names. After the patch (source port randomization) the guess space is roughly 32 bits, which made the attack harder but not impossible.
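A worked version of that guess-space arithmetic, added here and not part of the lesson: a small Python model of the odds that a burst of forged answers matches what the resolver is waiting for, with and without port randomization. The attacker capabilities (100 forged answers per race, a 10 ms race window) are assumptions, not measurements:

```python
import math

# Added example (not from the lesson): how much source-port randomization
# changes the cost of a Kaminsky-style poisoning attempt. The model assumes
# the attacker can fire `forged_per_race` spoofed answers at the resolver
# before the real answer lands, and can restart with a fresh random name
# as often as needed. All attacker numbers below are assumptions.


def race_win_probability(entropy_bits, forged_per_race):
    """P(at least one forged answer matches TXID[/port]) within one race."""
    log_miss_one = math.log1p(-1.0 / 2 ** entropy_bits)   # log P(one guess misses)
    return -math.expm1(forged_per_race * log_miss_one)     # 1 - P(all guesses miss)


def races_to_reach(entropy_bits, forged_per_race, target=0.5):
    """Races (fresh random-name queries) needed for `target` overall success."""
    p_win = race_win_probability(entropy_bits, forged_per_race)
    return math.ceil(math.log1p(-target) / math.log1p(-p_win))


def attack_time_seconds(entropy_bits, forged_per_race, race_duration_s, target=0.5):
    """Wall-clock estimate: every race costs one RTT-sized window."""
    return races_to_reach(entropy_bits, forged_per_race, target) * race_duration_s


if __name__ == "__main__":
    # Assumed attacker: 100 spoofed answers per 10 ms race window.
    for bits in (16, 32):
        print(f"{bits}-bit guess space: {races_to_reach(bits, 100):,} races, "
              f"~{attack_time_seconds(bits, 100, 0.01):,.0f} s to 50% success")
```

Two caveats the model hides: real ephemeral port ranges give fewer than 16 bits (a 32768-60999 range is under 15 bits), and a NAT in front of the resolver can rewrite source ports into something predictable and undo the randomization entirely.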

In 2021, JSOF disclosed the dnspooq set of vulnerabilities (CVE-2020-25681 through CVE-2020-25687) in dnsmasq, which runs on a lot of home routers and embedded systems. Three of the seven were cache-poisoning weaknesses that cut the entropy an attacker had to guess; the rest were memory-corruption bugs in the DNSSEC validation code. Cache poisoning came back in a serious way.

The impact: every user hitting the poisoned resolver gets the wrong answer. One poisoned enterprise resolver can redirect thousands of employees.

3. Domain Hijacking (Lower Frequency, Catastrophic Impact)

Not a protocol attack. An attacker takes control of a domain through the registrar: credential theft, social engineering of registrar support, or exploiting weak registrar account security (no MFA, no registrar lock).

The Sea Turtle campaign (documented by Cisco Talos in 2019, active from 2017 onward) hijacked DNS for government agencies, telecoms, and ISPs across 13 countries. The actors changed NS and A records at the registrar or registry level, obtained valid TLS certificates for the hijacked names (domain validation passed, since they controlled the names), and silently intercepted traffic through their own servers before forwarding it on. Nation-state sophistication, registrar-level access.

This doesn't touch the DNS protocol at all. It's an identity and access management problem with DNS consequences.

4. DNS Tunneling (Medium-Low Frequency, Targeted)

DNS queries can carry arbitrary data. An attacker who has code execution inside your network can exfiltrate data or maintain a C2 channel using nothing but DNS queries. Your firewall almost certainly lets them out, because blocking outbound DNS breaks everything else.

The technique: encode data in the subdomain labels of queries for a domain whose authoritative nameserver the attacker controls. Every resolver on the path forwards the query there, so the attacker's nameserver receives the subdomains and simply logs them: that is the exfiltrated data. Responses carry inbound data in the answer, typically TXT or NULL records, which gives a two-way channel.

Tools like dnscat2, iodine, and dns2tcp make this straightforward. Detection requires query log analysis: high query rates to a single unusual domain, long subdomain strings that never repeat, high entropy in subdomain labels, and unusual record types (TXT, NULL) in the replies.
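The following is an added example, not code from the lesson or from any of the tools named above: a Python detector that runs the heuristics just listed over resolver query logs. The log format, the thresholds and every domain in the sample are constructed for the demo, and the "registered domain" split assumes the last two labels:

```python
import hashlib
import math
import re
from collections import defaultdict

# Added example (not from the lesson or any named tool): score resolver query
# logs for DNS-tunnel indicators. The log format, thresholds and every domain
# below are constructed for the demo.

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")   # "<ts> <client> <qname> <qtype>"


def shannon_entropy(s):
    """Bits per character of the empirical symbol distribution in `s`."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """(registered domain, subdomain part). Assumption: the registered domain is
    the last two labels; real deployments should consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_domains(lines):
    """Per registered domain: volume, distinct subdomains, label length/entropy, TXT/NULL use."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "len_sum": 0, "ent_sum": 0.0, "txt_null": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # malformed line: skip, never crash the detector
        _ts, _client, qname, qtype = m.groups()
        domain, sub = split_name(qname)
        s = stats[domain]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["len_sum"] += len(sub)
        s["ent_sum"] += shannon_entropy(sub.replace(".", ""))
        if qtype in ("TXT", "NULL"):
            s["txt_null"] += 1
    return stats


def suspicious_domains(lines, min_queries=20, min_entropy=3.5, min_len=30, min_unique_ratio=0.9):
    """Flag domains with volume AND never-repeating subdomains AND (long or high-entropy labels).
    Requiring all three keeps hashed-but-repeated CDN hostnames off the list."""
    flagged = {}
    for domain, s in profile_domains(lines).items():
        n = s["queries"]
        if n < min_queries:
            continue
        mean_len = s["len_sum"] / n
        mean_ent = s["ent_sum"] / n
        unique_ratio = len(s["subdomains"]) / n
        if unique_ratio >= min_unique_ratio and (mean_ent >= min_entropy or mean_len >= min_len):
            flagged[domain] = {
                "queries": n,
                "mean_subdomain_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                "unique_ratio": round(unique_ratio, 2),
                "txt_null_fraction": round(s["txt_null"] / n, 2),
            }
    return flagged


def _chunk(i):
    # stand-in for an encrypted data chunk: 52 hex chars, deterministic
    return hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:52]


def constructed_log():
    """Constructed sample: ordinary browsing, a hashed CDN hostname, and a tunnel."""
    lines = []
    for i in range(8):
        lines.append(f"2024-05-01T10:00:{i:02d}Z 10.0.0.5 www.example.org A")
        lines.append(f"2024-05-01T10:00:{i:02d}Z 10.0.0.7 cdn.example.net A")
    for i in range(3):   # high-entropy label, but repeated and low volume
        lines.append(f"2024-05-01T10:01:{i:02d}Z 10.0.0.7 d3f9a1c7b2e4.assets.example.net A")
    for i in range(30):  # each query carries a fresh chunk; TXT answers carry data back
        lines.append(f"2024-05-01T10:02:{i:02d}Z 10.0.0.9 {_chunk(i)}.t.attacker-example.net TXT")
    return lines


if __name__ == "__main__":
    for domain, info in suspicious_domains(constructed_log()).items():
        print(domain, info)
```

The unique-subdomain ratio does most of the work: a CDN hostname with a hashed label is high-entropy but the same name is asked for over and over, while a tunnel never repeats a label because each one carries new data. Expect to tune the volume threshold per network; a single workstation beaconing once a minute stays under twenty queries for a while, so run the profile over a long enough window.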

5. Fast-Flux DNS (Medium Frequency, Infrastructure-Level)

Malware C2 infrastructure and phishing sites use fast-flux to make takedown difficult. A domain's A records cycle through dozens or hundreds of IP addresses, often with 60-second TTLs. The addresses are compromised hosts acting as proxies for the real backend, so the visible attack infrastructure is spread across a botnet and no single IP is worth blocking for long.

Single-flux: only the A records rotate. Double-flux: the NS records rotate as well, so the authoritative servers themselves are botnet proxies and the domain is nearly impossible to kill at the DNS level without action from the registrar or registry.

This doesn't attack your DNS. It uses DNS as evasion infrastructure. You encounter it when you're trying to take something down, or when you're analyzing malware.
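As an added example (not code from the lesson), a Python scorer for single-flux behaviour over a name's resolution history. The observations are constructed, the thresholds are assumptions, and the /16 prefix stands in for "a different network" because no ASN lookup is available offline:

```python
import ipaddress
from collections import defaultdict

# Added example (not from the lesson): score a name's resolution history for
# single-flux behaviour. Observations are constructed; the /16 prefix is a
# crude stand-in for "different network" since no ASN data is available offline.


def flux_indicators(observations):
    """observations: iterable of (seconds, qname, ttl, tuple_of_A_records)."""
    per = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": [], "lookups": 0})
    for _t, name, ttl, ips in observations:
        d = per[name]
        d["lookups"] += 1
        d["ttls"].append(ttl)
        for ip in ips:
            d["ips"].add(ip)
            d["nets"].add(str(ipaddress.ip_network(f"{ip}/16", strict=False)))
    return {
        name: {"lookups": d["lookups"], "unique_ips": len(d["ips"]),
               "unique_slash16": len(d["nets"]), "min_ttl": min(d["ttls"])}
        for name, d in per.items()
    }


def is_fast_flux(ind, max_ttl=300, min_ips=10, min_nets=5):
    """A low TTL alone is normal for CDNs; insist on many addresses across many networks."""
    return ind["min_ttl"] <= max_ttl and ind["unique_ips"] >= min_ips and ind["unique_slash16"] >= min_nets


def constructed_observations():
    obs = []
    # a static site: two addresses, one-hour TTL, re-resolved each hour
    for t in range(0, 6 * 3600, 3600):
        obs.append((t, "www.example.org", 3600, ("192.0.2.10", "192.0.2.11")))
    # a CDN: short TTL, but a handful of addresses inside one network
    for t in range(0, 3600, 60):
        obs.append((t, "cdn.example.net", 60, ("198.51.100.7", "198.51.100.8", "198.51.100.9")))
    # single-flux: 60 s TTL, three fresh addresses from scattered /16s on every lookup
    for i, t in enumerate(range(0, 3600, 60)):
        ips = tuple(f"10.{(k * 53) % 256}.{(k * 17) % 256}.{k % 254 + 1}" for k in range(3 * i, 3 * i + 3))
        obs.append((t, "update.flux-example.com", 60, ips))
    return obs


if __name__ == "__main__":
    for name, ind in flux_indicators(constructed_observations()).items():
        print(name, ind, "FLUX" if is_fast_flux(ind) else "ok")
```

Double-flux is detected the same way, applied to the NS records of the zone instead of the A records of the name; the proxies there are still residential addresses scattered across many networks.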

6. NXDOMAIN Attacks (Increasing Frequency)

Also called "random subdomain attacks" or "DNS water torture." An attacker sends massive volumes of queries for random subdomains of your domain: a8f72j.example.com, xk19qa.example.com, etc.

Your authoritative nameserver has to look up every name and respond NXDOMAIN, and because each name is new, nothing along the way is cached: the resolvers the attacker sends the queries through (often open resolvers, which also hides the true source) forward every one of them to you. Unlike amplification, this attacks the authoritative server rather than using it. The goal is to exhaust your nameserver's resources.

Mirai variants incorporated this technique. It's particularly nasty for organizations running their own authoritative DNS. One mitigation worth knowing: for DNSSEC-signed zones, resolvers that implement aggressive use of NSEC/NSEC3 (RFC 8198) can synthesize the NXDOMAIN from a cached range proof instead of forwarding the query, which blunts the flood at those resolvers.

Rare vs. Common

To calibrate your risk assessment:

Happens constantly (automate defenses, monitor logs):

  • Amplification attempts against your resolvers
  • Reconnaissance queries (ANY, AXFR attempts)
  • NXDOMAIN floods if you're a visible target

Happens regularly, targeted (monitor, have an incident plan):

  • Credential attacks against registrar accounts
  • Cache poisoning attempts against older resolver software
  • DNS tunneling on compromised endpoints

Rare but catastrophic (policy and process defenses matter most):

  • Nation-state domain hijacking campaigns
  • Registry-level attacks
  • BGP + DNS combined hijacks

The hard truth: most DNS security incidents are not sophisticated protocol exploits. They're registrar account takeovers, misconfigured resolvers used for amplification, and outdated resolver software with unpatched vulnerabilities. Fix the basics before worrying about the advanced stuff.

Key Takeaways

  • DNS is a target because controlling it means controlling traffic, not just names
  • Amplification attacks are the most frequent DNS security event by volume
  • Domain hijacking operates outside the protocol. It's an identity problem.
  • Fast-flux and tunneling use DNS as evasion/exfiltration infrastructure
  • Most DNS security failures are operational (misconfiguration, unpatched software, weak account security) not protocol exploits

Further Reading

  • Cisco Talos: "Sea Turtle" campaign report (2019) — https://blog.talosintelligence.com/sea-turtle/
  • CISA Alert AA19-024A: DNS Infrastructure Hijacking Campaign (and Emergency Directive 19-01)
  • RFC 3833: Threat Analysis of the Domain Name System (DNS) (the foundational threat model for DNS threats)
  • RFC 5358: Preventing Use of Recursive Nameservers in Reflector Attacks
  • CVE-2020-25681 through CVE-2020-25687 (dnspooq)
  • Cloudflare DDoS Threat Report (quarterly) — https://radar.cloudflare.com/reports

Up Next

Lesson 02 digs into amplification attacks: the exact mechanics, the amplification math, how attackers find open resolvers, and how to shut your resolver off as a weapon.