DNS attack

A DNS attack is an exploit in which an attacker takes advantage of vulnerabilities in the domain name system (DNS).

In order to understand how DNS attacks work, it is important to first understand how the domain name system works. DNS is a protocol that translates a user-friendly domain name, like, into the computer-friendly IP address

When an end user types the people-friendly domain name into a client’s browser, a program in the client’s operating system called a DNS resolver looks up’s numerical IP address. First, the DNS resolver checks its own local cache to see if it already has the IP address for If it doesn’t have the address, the resolver then queries a DNS server to see if it knows the correct IP address for DNS servers are recursive, which simply means that they can query each other to either find another DNS server that knows the correct IP address or find the authoritative DNS server that stores the canonical mapping of the domain name to its IP address. As soon as the resolver locates the IP address, it returns the IP address to the requesting program and caches the address for future use.

Although the DNS is quite robust, it was designed for usability, not security, and the types of DNS attacks in use today are numerous and quite complex, taking advantage of the communication back and forth between clients and servers. Typically, attackers take advantage of the plaintext communication back and forth between clients and the three types of DNS servers. Another popular attack strategy is to log in to a DNS provider's website with stolen credentials and redirect DNS records.

To lessen the chance of a DNS attack, server administrators should use the latest version of DNS software, consistently monitor traffic and configure servers to duplicate, separate and isolate the various DNS functions. To defend against DNS attacks, experts recommend implementing multifactor authentication when making changes to the organization's DNS infrastructure. Operations personnel should also monitor for any changes publicly associated with their DNS records or any digital certificates associated with their organization. Another strategy is to deploy Domain Name System Security Extensions (DNSSEC), which strengthens authentication in DNS by using digital signatures based on public key cryptography.

DNS attack vectors

Types of DNS attacks include:

Zero day attack – the attacker exploits a previously unknown vulnerability in the DNS protocol stack or DNS server software.

Cache poisoning – the attacker corrupts a DSN server by replacing a legitimate IP address in the server’s cache with that of another, rogue address in order to redirect traffic to a malicious website, collect information or initiate another attack. Cache poisoning may also be referred to as DNS poisoning.

Denial of Service – an attack in which a malicious bot sends send more traffic to a targeted IP address  than the programmers who planned its data buffers anticipated someone might send. The target becomes unable to resolve legitimate requests.

Distributed Denial of Service - the attacker uses a botnet to generate massive amounts of resolution requests to a targeted IP address.

DNS amplification - the attacker takes advantage of a DNS server that permits recursive lookups and uses recursion to spread his attack to other DNS servers.

Fast-flux DNS – the attacker swaps DNS records in and out with extreme frequency in order redirect DNS requests and avoid detection.

This was last updated in February 2020

Continue Reading About DNS attack

Dig Deeper on DDoS attack detection and prevention

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

I imagine that one protection against some false IP address being sent, DNS poisoning, is for every DNS server being programmed to require consistency in the IP address which is received. If two or more different IP addresses are being received from a DNS request, would you want to require that the accepted IP address occurs 100 times as often as any other IP address?

There are some configurable thresholds that can be used to dynamically track when to increase or decrease the number of threads in the pool. The total variety of processes, that the MP a part of the model, can also be dynamically adjusted, and for these, it's information such as number of outstanding connections, number of unfinished requests, CPU usage, {a variety|variety} of things will drive however the amount of the threads per method and also the total number of processes area unit adjusted.
If anyone can help, one of my clients (before I took them on) had a DNS attack. Now they are getting a load of spam mail. I need to fix this urgently and make sure the website is now secure (Squarespace) before going live.