
    DNS Attacks and Threats

    Learn about common DNS attacks including DDoS, cache poisoning, DNS tunneling, and amplification attacks, and how to protect your infrastructure.

    DNS is a critical part of internet infrastructure, making it a frequent target for attackers. Understanding common DNS attacks helps you protect your domains and choose a DNS provider with the right defenses.

    DNS DDoS Attacks

    A Distributed Denial of Service (DDoS) attack overwhelms your DNS servers with a flood of queries, making your domain unreachable for legitimate users.

    How It Works

    1. Attacker controls a botnet of thousands or millions of compromised devices
    2. All devices simultaneously send DNS queries for your domain
    3. Your DNS servers become overwhelmed and stop responding
    4. Legitimate users can't resolve your domain: your website, email, and APIs go down

    Impact

    Even a moderate DNS DDoS can take a website offline. Unlike web server DDoS attacks, DNS attacks affect everything tied to your domain: website, email, API endpoints, and any service using DNS.

    Protection

    • Anycast DNS networks absorb attacks across multiple global points of presence, so no single server takes the full load
    • Rate limiting at the DNS server level drops excessive queries from suspicious sources
    • Overprovisioned capacity ensures headroom to handle traffic spikes

    DNScale's anycast network distributes DNS traffic across multiple edge nodes, making it inherently resilient against volumetric DDoS attacks.

    DNS Cache Poisoning

    Cache poisoning (also called DNS spoofing) tricks a recursive resolver into caching a false DNS record, redirecting users to an attacker-controlled server.

    How It Works

    1. Attacker sends forged DNS responses to a recursive resolver
    2. If the forged response arrives before the legitimate one and matches the query ID, the resolver caches it
    3. All users of that resolver are now directed to the attacker's IP
    4. Users see a convincing fake website or their traffic is silently intercepted

    Impact

    Cache poisoning can redirect users to phishing sites, intercept email, or enable man-in-the-middle attacks. It's particularly dangerous because users have no visible indication that anything is wrong.

    Protection

    • DNSSEC cryptographically signs DNS responses, allowing resolvers to verify authenticity
    • Randomized source ports make it harder for attackers to guess query parameters
    • DNS over HTTPS (DoH) / DNS over TLS (DoT) encrypt queries between clients and resolvers

    DNS Amplification Attacks

    An amplification attack exploits DNS servers to amplify a small query into a massive response directed at a victim.

    How It Works

    1. Attacker sends DNS queries with a spoofed source IP (the victim's IP) to open DNS resolvers
    2. The queries request records that generate large responses (e.g., ANY queries, TXT records)
    3. DNS servers send their large responses to the victim's IP
    4. The victim is flooded with traffic they never requested

    Amplification Factor

    DNS amplification can achieve amplification factors of 28–54x, meaning a 1 Mbps attack stream becomes a 28–54 Mbps flood hitting the victim.

    Protection

    • Disable open recursion: don't run a public recursive DNS resolver unless you specifically need one
    • Response Rate Limiting (RRL) on authoritative servers limits identical responses to the same IP
    • BCP38/BCP84: network-level source address validation prevents IP spoofing

    DNS Tunneling

    DNS tunneling encodes data inside DNS queries and responses to bypass firewalls and exfiltrate data.

    How It Works

    1. Attacker sets up a DNS server for a domain they control (e.g., evil.com)
    2. Malware on the victim's network encodes stolen data into DNS queries: encoded-data.evil.com
    3. These queries pass through firewalls because DNS traffic (port 53) is almost always allowed
    4. The attacker's DNS server decodes the data from the subdomain labels

    Detection

    • Unusually long domain names in queries
    • High volume of DNS queries to a single domain
    • Queries with high entropy in subdomain labels
    • DNS query patterns that don't match normal browsing behavior
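    The four indicators above can be combined into a first-pass detector. The following is an added example, not DNScale code: it scores constructed resolver log lines for overall name length, entropy of the attacker-controlled subdomain labels, and per-zone query volume. The exfil.example zone is a placeholder for an attacker-controlled domain, and the thresholds are assumptions to tune against your own traffic baseline.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (timestamp client qtype qname); the
# "exfil.example" zone is a placeholder for an attacker-controlled domain.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 A www.wikipedia.org
2024-05-01T10:00:02 10.0.0.5 A cdn.example.net
2024-05-01T10:00:03 10.0.0.9 TXT abcdefghijklmnopqrstuvwxyz234567.76543zyxwvutsrqponmlkjihgfedcba2.exfil.example
2024-05-01T10:00:03 10.0.0.9 TXT qrstuvwxyz234567abcdefghijklmnop.ponmlkjihgfedcba765432zyxwvutsrq.exfil.example
2024-05-01T10:00:04 10.0.0.9 TXT 234567abcdefghijklmnopqrstuvwxyz.zyxwvutsrqponmlkjihgfedcba765432.exfil.example
2024-05-01T10:00:05 10.0.0.5 A mail.google.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded/random data scores high, real words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_domain(qname: str) -> str:
    """Approximate the owning zone as the last two labels (a real tool would
    consult the Public Suffix List; this is a simplification)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def query_indicators(qname: str, max_len: int = 60, min_entropy: float = 3.5):
    """Per-query tunneling indicators: total name length, and entropy of the
    subdomain labels (the part an encoder controls), measured without the dots."""
    labels = qname.rstrip(".").split(".")
    payload = "".join(labels[:-2])
    flags = []
    if len(qname) > max_len:
        flags.append("long_name")
    if shannon_entropy(payload) >= min_entropy:
        flags.append("high_entropy")
    return flags

def analyze(log_text: str, volume_threshold: int = 3):
    """Combine per-query indicators with per-zone query volume over a log."""
    volume = Counter()
    flagged = defaultdict(list)
    for line in log_text.splitlines():
        _ts, client, _qtype, qname = line.split()
        zone = registered_domain(qname)
        volume[zone] += 1
        flags = query_indicators(qname)
        if flags:
            flagged[zone].append((client, flags))
    suspicious = {z for z, n in volume.items() if n >= volume_threshold} | set(flagged)
    return {"volume": dict(volume), "flagged": dict(flagged), "suspicious": suspicious}
```

On the sample log only exfil.example trips all three checks; normal browsing names score low on every one.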

    Protection

    • DNS monitoring and analytics to detect anomalous query patterns
    • DNS firewalls that block known malicious domains
    • Restricting DNS to only approved recursive resolvers on your network

    DNS Hijacking

    DNS hijacking changes DNS settings to redirect traffic. It can happen at multiple levels:

    Level     | Method                                                  | Example
    ----------|---------------------------------------------------------|------------------------
    Router    | Attacker changes the DNS server setting on your router  | Local network attack
    Registrar | Attacker gains access to your domain registrar account  | Social engineering
    ISP       | ISP intercepts and modifies DNS responses               | ISP-level redirection
    Server    | Attacker modifies zone data on the authoritative server | Server compromise

    Protection

    • Registry lock on your domain to prevent unauthorized transfers
    • Two-factor authentication on registrar and DNS provider accounts
    • DNSSEC to detect tampered responses
    • Monitor DNS records for unexpected changes

    NXDOMAIN Attack

    An NXDOMAIN attack floods a DNS server with queries for non-existent subdomains, designed to:

    1. Exhaust the server's resources generating NXDOMAIN responses
    2. Fill resolver caches with negative entries, pushing out legitimate cached records
    3. Cause the authoritative server to process each query (no cache hit possible)

    Protection

    • Aggressive NSEC caching allows resolvers to synthesize NXDOMAIN responses without querying the authoritative server
    • Rate limiting on the authoritative server
    • DNSSEC with NSEC/NSEC3 enables resolvers to prove non-existence cryptographically
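    Response Rate Limiting, listed under amplification protection above and again as authoritative-server rate limiting for NXDOMAIN floods here, caps identical responses per client netblock. The following is an added example, not DNScale's or BIND's code: a simplified RRL using BIND-style defaults (/24 and /56 client prefixes, a slip value that answers every second suppressed query with a truncated response) run over two constructed bursts, a spoofed ANY flood and a random-subdomain NXDOMAIN flood. Bucketing error responses by rcode alone, ignoring the name, is this example's simplification.

```python
import ipaddress
from collections import defaultdict

class ResponseRateLimiter:
    """Simplified RRL for an authoritative server. Identical responses to one
    client netblock (/24 IPv4, /56 IPv6, BIND's defaults) are capped per second.
    Error responses (NXDOMAIN) are bucketed by rcode only, so a random-subdomain
    flood cannot evade the cap by varying names (a simplification assumed here).
    Every `slip`-th suppressed response is sent truncated (TC=1) rather than
    dropped: a real client retries over TCP, a spoofed victim gets one small packet."""

    def __init__(self, responses_per_second=5, slip=2, ipv4_prefix=24, ipv6_prefix=56):
        self.rps, self.slip = responses_per_second, slip
        self.prefix = {4: ipv4_prefix, 6: ipv6_prefix}
        self.buckets = defaultdict(lambda: {"second": None, "count": 0, "dropped": 0})

    def _identity(self, client_ip, qname, qtype, rcode):
        addr = ipaddress.ip_address(client_ip)
        net = ipaddress.ip_network(f"{addr}/{self.prefix[addr.version]}", strict=False)
        if rcode != "NOERROR":  # error responses: the queried name is irrelevant
            return (str(net), rcode)
        return (str(net), qname.lower().rstrip("."), qtype)

    def decide(self, now, client_ip, qname, qtype, rcode="NOERROR"):
        """Return 'send', 'drop' or 'truncate' for one response at time `now` (s)."""
        b = self.buckets[self._identity(client_ip, qname, qtype, rcode)]
        if b["second"] != int(now):  # new one-second window: reset the bucket
            b.update(second=int(now), count=0, dropped=0)
        b["count"] += 1
        if b["count"] <= self.rps:
            return "send"
        b["dropped"] += 1
        return "truncate" if b["dropped"] % self.slip == 0 else "drop"

def simulate_burst(queries, rps=5, slip=2):
    """Run constructed (time, client, qname, qtype, rcode) tuples through RRL."""
    rrl = ResponseRateLimiter(responses_per_second=rps, slip=slip)
    tally = {"send": 0, "drop": 0, "truncate": 0}
    for t, client, qname, qtype, rcode in queries:
        tally[rrl.decide(t, client, qname, qtype, rcode)] += 1
    return tally

# Constructed amplification burst: 20 ANY queries for one name within a second,
# all carrying the victim's spoofed source address (198.51.100.7, TEST-NET-2).
AMPLIFICATION_BURST = [(1000 + i * 0.01, "198.51.100.7", "example.com.", "ANY", "NOERROR")
                       for i in range(20)]
# Constructed NXDOMAIN flood: 20 varying subdomains from hosts in one /24.
NXDOMAIN_FLOOD = [(2000 + i * 0.01, f"203.0.113.{10 + i}", f"x{i:04d}.example.com.", "A", "NXDOMAIN")
                  for i in range(20)]
```

With a cap of 5 per second, both bursts yield 5 full responses, 8 drops and 7 truncated replies, so the victim receives a fraction of the amplified traffic while a genuine client behind the same prefix can still retry over TCP.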

    Protecting Your DNS with DNScale

    DNScale incorporates several layers of protection:

    • Anycast network: distributes query load across multiple edge nodes globally, absorbing DDoS attacks
    • DNSSEC support: sign your zones to protect against cache poisoning and response tampering
    • Rate limiting: built-in protections against query floods
    • Activity logging: monitor DNS changes and detect unauthorized modifications
    • Two-factor authentication: secure your account against hijacking

    Best Practices

    1. Enable DNSSEC for your zones to protect response integrity
    2. Use a DNS provider with anycast; single-location DNS is vulnerable to DDoS
    3. Secure your registrar account with 2FA and registry lock
    4. Monitor your DNS for unexpected record changes
    5. Keep TTLs reasonable: very long TTLs mean you can't quickly redirect traffic during an attack
    6. Consider multi-provider DNS for critical domains; if one provider goes down, the other continues serving

    Conclusion

    DNS attacks target the foundation of internet connectivity. From volumetric DDoS floods to subtle cache poisoning, these threats can disrupt any online service. Choosing a DNS provider like DNScale with anycast distribution, DNSSEC support, and built-in rate limiting is one of the most effective ways to protect your domains against these attacks.