DNS Attacks and Threats

DNS is a critical part of internet infrastructure, making it a frequent target for attackers. Understanding common DNS attacks helps you protect your domains and choose a DNS provider with the right defenses. Every DNS query your domain receives is a potential attack surface, from the authoritative nameservers to the resolvers your users depend on.

DNS DDoS Attacks

A Distributed Denial of Service (DDoS) attack overwhelms your DNS servers with a flood of queries, making your domain unreachable for legitimate users.

How It Works

1. Attacker controls a botnet of thousands or millions of compromised devices
2. All devices simultaneously send DNS queries for your domain
3. Your DNS servers become overwhelmed and stop responding
4. Legitimate users can't resolve your domain — your website, email, and APIs go down

Impact

Even a moderate DNS DDoS can take a website offline. Unlike web server DDoS attacks, DNS attacks affect everything tied to your domain — website, email, API endpoints, and any service using DNS. A single A record or AAAA record becoming unreachable means total service disruption.

Real-World Examples

The 2016 Dyn attack is the most well-known DNS DDoS event. The Mirai botnet directed massive traffic at Dyn's DNS infrastructure, taking down major services including Twitter, Reddit, Netflix, and GitHub for hours. The attack peaked at over 1.2 Tbps and demonstrated how DNS is a single point of failure for the modern internet.

Protection

• Anycast DNS networks absorb attacks across multiple global points of presence — no single server takes the full load
• Rate limiting at the DNS server level drops excessive queries from suspicious sources
• Overprovisioned capacity ensures headroom to handle traffic spikes
• Multi-provider DNS can let another provider keep answering if one provider is overwhelmed, provided both serve the same zone data and DNSSEC is handled correctly

DNScale's anycast network distributes DNS traffic across multiple edge nodes, making it inherently resilient against volumetric DDoS attacks.

DNS Cache Poisoning

Cache poisoning (also called DNS spoofing) tricks a recursive resolver into caching a false DNS record, redirecting users to an attacker-controlled server.

How It Works

1. Attacker sends forged DNS responses to a recursive resolver
2. If the forged response arrives before the legitimate one and matches the query ID, the resolver caches it
3. All users of that resolver are now directed to the attacker's IP
4. Users see a convincing fake website or their traffic is silently intercepted

Impact

Cache poisoning can redirect users to phishing sites, intercept email by pointing MX records to malicious servers, or enable man-in-the-middle attacks on TLS connections. It's particularly dangerous because users have no visible indication that anything is wrong.

The Kaminsky Attack

In 2008, Dan Kaminsky discovered a fundamental flaw in DNS that made cache poisoning far easier than previously thought. By targeting random non-existent subdomains, an attacker could inject a forged authority record for the entire parent domain. This vulnerability led to emergency coordinated patching across all major DNS implementations and accelerated the push for DNSSEC deployment.

Protection

• DNSSEC cryptographically signs DNS responses, allowing resolvers to verify authenticity
• Randomized source ports make it harder for attackers to guess query parameters
• DNS over HTTPS (DoH) / DNS over TLS (DoT) encrypt queries between clients and resolvers

DNS Amplification Attacks

An amplification attack exploits DNS servers to amplify a small query into a massive response directed at a victim.

How It Works

1. Attacker sends DNS queries with a spoofed source IP (the victim's IP) to open DNS resolvers
2. The queries request records that generate large responses (e.g., ANY queries, large TXT records)
3. DNS servers send their large responses to the victim's IP
4. The victim is flooded with traffic they never requested

Amplification Factor

DNS amplification can achieve amplification factors of 28-54x, meaning a 1 Mbps attack stream becomes a 28-54 Mbps flood hitting the victim. Some specially crafted queries using DNSSEC-signed responses or large zone transfers can achieve even higher ratios.

Protection

• Disable open recursion — don't run a public recursive DNS resolver unless you specifically need one
• Response Rate Limiting (RRL) on authoritative servers limits identical responses to the same IP
• BCP38/BCP84 — network-level source address validation prevents IP spoofing

DNS Tunneling

DNS tunneling encodes data inside DNS queries and responses to bypass firewalls and exfiltrate data.

How It Works

1. Attacker sets up a DNS server for a domain they control (e.g., evil.com)
2. Malware on the victim's network encodes stolen data into DNS queries: encoded-data.evil.com
3. These queries pass through firewalls because DNS traffic (port 53) is almost always allowed
4. The attacker's DNS server decodes the data from the subdomain labels

Detection

• Unusually long domain names in queries (often base32 or base64 encoded subdomain labels)
• High volume of DNS queries to a single domain
• Queries with high entropy in subdomain labels
• DNS query patterns that don't match normal browsing behavior
• Unusual record type distribution — tunneling often uses TXT records or NULL records for larger payloads

Protection

• DNS monitoring and analytics to detect anomalous query patterns — query usage dashboards can reveal unusual spikes
• DNS firewalls that block known malicious domains
• Restricting DNS to only approved recursive resolvers on your network

DNS Hijacking

DNS hijacking changes DNS settings to redirect traffic. It can happen at multiple levels:

Real-World Examples

In 2019, the Sea Turtle campaign targeted registrars and DNS providers across the Middle East and North Africa, redirecting traffic from government and military domains. The attackers compromised registrar accounts to change NS records and issued fraudulent SSL certificates for the hijacked domains, intercepting email and VPN credentials at scale.

Protection

• Registry lock on your domain to prevent unauthorized transfers
• Two-factor authentication on registrar and DNS provider accounts
• DNSSEC to detect tampered responses
• Monitor DNS records for unexpected changes — system records like SOA and NS should never change unexpectedly
• CAA records to restrict which certificate authorities can issue certificates, limiting an attacker's ability to obtain fraudulent certs

NXDOMAIN Attack

An NXDOMAIN attack (also called a pseudo-random subdomain attack or Water Torture attack) floods a DNS server with queries for non-existent subdomains, designed to:

1. Exhaust the server's resources generating NXDOMAIN responses
2. Fill resolver caches with negative entries, pushing out legitimate cached records
3. Cause the authoritative server to process each query (no cache hit possible)

These attacks are particularly effective because every query for a random subdomain must be forwarded to the authoritative server — resolvers cannot cache something they have never seen.

Protection

• Aggressive NSEC caching allows resolvers to synthesize NXDOMAIN responses without querying the authoritative server
• Rate limiting on the authoritative server
• DNSSEC with NSEC/NSEC3 enables resolvers to prove non-existence cryptographically
• Anycast distribution spreads the load across multiple nodes

DNS Rebinding

DNS rebinding is a subtle attack that exploits the same-origin policy in web browsers. The attacker controls a domain and initially returns a legitimate IP in the A record. After the TTL expires, subsequent queries return an internal IP address (e.g., 192.168.1.1), allowing the attacker's JavaScript to access internal network resources through the user's browser.

Protection

• DNS pinning in browsers and applications
• Internal DNS firewalls that block external domains from resolving to private IP ranges
• Short minimum TTLs with DNS rebinding protection at the resolver level

Protecting Your DNS with DNScale

DNScale incorporates several layers of protection:

• Anycast network — distributes query load across multiple edge nodes globally, helping dilute volumetric DDoS traffic when paired with capacity and filtering
• DNSSEC support — sign your zones to protect against cache poisoning and response tampering
• Rate limiting — built-in protections against query floods
• Activity logging — monitor DNS changes and detect unauthorized modifications
• Two-factor authentication — secure your account against hijacking
• System record protection — critical SOA and apex NS records cannot be accidentally modified

Best Practices

1. Enable DNSSEC for your zones to protect response integrity
2. Use a DNS provider with anycast — single-location DNS is vulnerable to DDoS
3. Secure your registrar account with 2FA and registry lock
4. Monitor your DNS for unexpected record changes — check WHOIS/RDAP data regularly
5. Keep TTLs reasonable — very long TTLs mean you can't quickly redirect traffic during an attack
6. Consider multi-provider DNS for critical domains — if one provider goes down, the other continues serving
7. Deploy CAA records to limit certificate issuance and reduce hijacking impact
8. Use TLSA records for DANE to protect mail transport and web TLS

Related Topics

• Anycast DNS Network — how anycast provides DDoS resilience
• DNSSEC Key Management — cryptographic protection for DNS responses
• Global DNS Resolution Balancing — DNScale's distributed architecture
• Multi-Provider DNS Deployment — redundancy across providers
• SSL/TLS Certificates — the certificate system that DNS attacks often target
• Email Security (SPF, DKIM, DMARC) — protecting email from DNS-based attacks

Conclusion

DNS attacks target the foundation of internet connectivity. From volumetric DDoS floods to subtle cache poisoning, these threats can disrupt any online service. Choosing a DNS provider like DNScale with anycast distribution, DNSSEC support, rate limiting, monitoring, and account protections reduces exposure to the most common DNS attack paths.