Chapter 46 Β· Concepts

DNS Attack Concepts

Attack mechanisms, comparison tables, and the defense stack in structured reference format.

DNS Poisoning β€” Three Attack Vectors

VectorWhat is ModifiedAccess RequiredScopeClassification
Modify DNS ServerRecords on the DNS server itselfAdmin credentials or server exploitAll users querying that serverDirect server compromise
Modify Host FileLocal hosts file on the clientElevated local access (malware)Only the affected deviceLocal endpoint attack
Fake DNS ResponseNothing stored β€” forged real-timeOn-path network positionClients intercepted in transitOn-path / MITM attack

DNS Poisoning via Server Modification β€” Step-by-Step

1. Attacker compromises DNS server β€” obtains admin credentials (brute force, social engineering, breach) or exploits a known vulnerability to gain write access to DNS records
2. Attacker modifies the A record β€” changes the IP address for the target domain (e.g., professormesser.com) from the legitimate address (.164) to the attacker's address (100.100.100.100)
3. Legitimate users already in cache are unaffected β€” User 1, who queried before the change, still has the correct IP cached; their connection goes to the real server
4. New queries receive poisoned answer β€” User 2, querying after the change, receives 100.100.100.100 from the DNS server; their browser connects to the attacker's machine
5. Attacker presents a convincing fake site β€” collects credentials, delivers malware, or performs a man-in-the-middle proxy to the real site while capturing all traffic

Host File Precedence Rule

When a device needs to resolve a domain name, it checks sources in this order:

Step 1: Host file checked first β€” if an entry exists for the requested domain, it is used immediately; no DNS query is sent
Step 2: DNS cache checked β€” if a cached result from a prior query exists, it is used
Step 3: DNS server queried β€” only if no local entry exists is the external DNS server contacted

Attack implication: Malware that rewrites the host file to map a bank domain to an attacker IP will redirect that victim regardless of what the legitimate DNS server says β€” the DNS server is never even consulted.

Domain Hijacking β€” Attack Chain

1. Target the registrar account β€” identify which registrar holds the target domain; research associated email address from WHOIS data
2. Gain account access β€” methods: brute force login portal, social engineer registrar support, compromise the email account to trigger password reset, use credentials from a prior breach
3. Modify DNS records β€” change the A record (or NS records) for target domains to IP addresses under attacker control; may also change MX records to intercept email
4. Deploy convincing infrastructure β€” stand up a server at the new IP with a cloned version of the target site; install valid SSL certificates (Let's Encrypt certificates can be obtained for any domain the attacker controls)
5. Harvest credentials / data β€” users visit the legitimate domain name, receive the attacker's IP via DNS, connect to the attacker's server, and submit credentials or sensitive data
6. Restore records before detection β€” revert DNS changes to avoid prolonged detection; exfiltrated data has already been captured

URL Hijacking β€” Motivations and Methods

MotivationHow It WorksVictim Impact
Advertising RevenueTyposquatted domain serves ads or affiliate links to misdirected visitorsUser sees irrelevant ads; attacker earns per-click revenue
Domain ResaleAttacker offers to sell the lookalike domain back to the brand ownerCompany pays extortion price to reclaim their typo domain
Competitor RedirectMisdirected traffic is automatically forwarded to a competing brand's siteLost customers; may violate trademark law
PhishingTyposquatted domain hosts a pixel-perfect clone of the real site requesting loginCredential theft; account takeover
Malware DistributionVisiting the domain triggers a drive-by download via browser exploitRansomware, botnet enrollment, spyware installation

Typosquatting Variation Types

TypeLegitimate DomainTyposquatted DomainMechanism
Outright Misspellingprofessormesser.comprofessormessor.comOne letter substituted (e→o)
Missing Characterprofessormesser.comprofessormeser.comOne letter dropped (double-s β†’ single-s)
Added Characterprofessormesser.comprofessormessers.comExtra letter appended
Different TLDprofessormesser.comprofessormesser.orgSame name, different top-level domain

DNS Defense Stack

ControlAttack It AddressesHow
DNSSECForged DNS responses (on-path)Cryptographically signs DNS records; resolver validates signature before accepting response
MFA on Registrar AccountDomain hijackingStolen password alone is insufficient to modify DNS records; requires second factor
Secure Associated Email AccountDomain hijacking via password resetAttacker who controls the email can trigger registrar password reset; MFA on email eliminates this path
DNS Change Monitoring/AlertsDomain hijacking (detection)Alerts on any modification to DNS records; reduces detection time from hours to minutes
Endpoint Host File ProtectionHost file modificationEndpoint security tools detect and alert on unauthorized host file changes; AppLocker/EDR policies restrict write access
User Awareness TrainingTyposquatting / phishingUsers verify URLs before entering credentials; recognize suspicious domain name differences
Preemptive Domain RegistrationTyposquatting (prevention)Register common typos and alternative TLDs before attackers; redirect them to the real domain

What DNSSEC Does and Does NOT Protect Against

DNSSEC DOES protect against: Forged DNS responses injected by on-path attackers. The digital signature on the DNS record cannot be forged without the zone's private key.

DNSSEC does NOT protect against:

Exam tip: DNSSEC β‰  total DNS security. It validates one specific attack vector.