DNS Poisoning β Three Attack Vectors
| Vector | What is Modified | Access Required | Scope | Classification |
|---|---|---|---|---|
| Modify DNS Server | Records on the DNS server itself | Admin credentials or server exploit | All users querying that server | Direct server compromise |
| Modify Host File | Local hosts file on the client | Elevated local access (malware) | Only the affected device | Local endpoint attack |
| Fake DNS Response | Nothing stored β forged real-time | On-path network position | Clients intercepted in transit | On-path / MITM attack |
DNS Poisoning via Server Modification β Step-by-Step
1. Attacker compromises DNS server β obtains admin credentials (brute force, social engineering, breach) or exploits a known vulnerability to gain write access to DNS records
2. Attacker modifies the A record β changes the IP address for the target domain (e.g., professormesser.com) from the legitimate address (.164) to the attacker's address (100.100.100.100)
3. Legitimate users already in cache are unaffected β User 1, who queried before the change, still has the correct IP cached; their connection goes to the real server
4. New queries receive poisoned answer β User 2, querying after the change, receives 100.100.100.100 from the DNS server; their browser connects to the attacker's machine
5. Attacker presents a convincing fake site β collects credentials, delivers malware, or performs a man-in-the-middle proxy to the real site while capturing all traffic
Host File Precedence Rule
When a device needs to resolve a domain name, it checks sources in this order:
Step 1: Host file checked first β if an entry exists for the requested domain, it is used immediately; no DNS query is sent
Step 2: DNS cache checked β if a cached result from a prior query exists, it is used
Step 3: DNS server queried β only if no local entry exists is the external DNS server contacted
Attack implication: Malware that rewrites the host file to map a bank domain to an attacker IP will redirect that victim regardless of what the legitimate DNS server says β the DNS server is never even consulted.
Domain Hijacking β Attack Chain
1. Target the registrar account β identify which registrar holds the target domain; research associated email address from WHOIS data
2. Gain account access β methods: brute force login portal, social engineer registrar support, compromise the email account to trigger password reset, use credentials from a prior breach
3. Modify DNS records β change the A record (or NS records) for target domains to IP addresses under attacker control; may also change MX records to intercept email
4. Deploy convincing infrastructure β stand up a server at the new IP with a cloned version of the target site; install valid SSL certificates (Let's Encrypt certificates can be obtained for any domain the attacker controls)
5. Harvest credentials / data β users visit the legitimate domain name, receive the attacker's IP via DNS, connect to the attacker's server, and submit credentials or sensitive data
6. Restore records before detection β revert DNS changes to avoid prolonged detection; exfiltrated data has already been captured
URL Hijacking β Motivations and Methods
| Motivation | How It Works | Victim Impact |
|---|---|---|
| Advertising Revenue | Typosquatted domain serves ads or affiliate links to misdirected visitors | User sees irrelevant ads; attacker earns per-click revenue |
| Domain Resale | Attacker offers to sell the lookalike domain back to the brand owner | Company pays extortion price to reclaim their typo domain |
| Competitor Redirect | Misdirected traffic is automatically forwarded to a competing brand's site | Lost customers; may violate trademark law |
| Phishing | Typosquatted domain hosts a pixel-perfect clone of the real site requesting login | Credential theft; account takeover |
| Malware Distribution | Visiting the domain triggers a drive-by download via browser exploit | Ransomware, botnet enrollment, spyware installation |
Typosquatting Variation Types
| Type | Legitimate Domain | Typosquatted Domain | Mechanism |
|---|---|---|---|
| Outright Misspelling | professormesser.com | professormessor.com | One letter substituted (eβo) |
| Missing Character | professormesser.com | professormeser.com | One letter dropped (double-s β single-s) |
| Added Character | professormesser.com | professormessers.com | Extra letter appended |
| Different TLD | professormesser.com | professormesser.org | Same name, different top-level domain |
DNS Defense Stack
| Control | Attack It Addresses | How |
|---|---|---|
| DNSSEC | Forged DNS responses (on-path) | Cryptographically signs DNS records; resolver validates signature before accepting response |
| MFA on Registrar Account | Domain hijacking | Stolen password alone is insufficient to modify DNS records; requires second factor |
| Secure Associated Email Account | Domain hijacking via password reset | Attacker who controls the email can trigger registrar password reset; MFA on email eliminates this path |
| DNS Change Monitoring/Alerts | Domain hijacking (detection) | Alerts on any modification to DNS records; reduces detection time from hours to minutes |
| Endpoint Host File Protection | Host file modification | Endpoint security tools detect and alert on unauthorized host file changes; AppLocker/EDR policies restrict write access |
| User Awareness Training | Typosquatting / phishing | Users verify URLs before entering credentials; recognize suspicious domain name differences |
| Preemptive Domain Registration | Typosquatting (prevention) | Register common typos and alternative TLDs before attackers; redirect them to the real domain |
What DNSSEC Does and Does NOT Protect Against
DNSSEC DOES protect against: Forged DNS responses injected by on-path attackers. The digital signature on the DNS record cannot be forged without the zone's private key.
DNSSEC does NOT protect against:
- Host file modification (operates below DNS entirely)
- Direct DNS server compromise (attacker controls the signing key)
- Domain hijacking at the registrar (attacker controls the DNS records and can re-sign them)
- Typosquatting (a different domain β DNSSEC validates the answers for that different domain correctly)
Exam tip: DNSSEC β total DNS security. It validates one specific attack vector.