Chapter 46 Β· Glossary

DNS Attacks Glossary

Key terms for DNS poisoning, domain hijacking, and URL hijacking.

DNS (Domain Name System)
The internet's distributed naming system that translates human-readable domain names (e.g., professormesser.com) into numerical IP addresses that computers use to route traffic. DNS operates as a foundational service β€” nearly every internet connection begins with a DNS lookup. Because all online traffic depends on DNS resolution, compromising this system enables widespread traffic redirection without users' knowledge.
DNS Poisoning
Also called DNS cache poisoning. An attack that corrupts DNS data to redirect users to attacker-controlled destinations instead of legitimate servers. Has three main vectors: (1) modifying the DNS server directly, (2) modifying the client host file, and (3) sending forged DNS responses via an on-path attack. In all cases, the user's browser receives a false IP address and connects to the wrong server without any visible indication of the redirect.
DNS Server
A server that stores and answers DNS queries β€” mapping domain names to IP addresses. When a user types a domain name, their device queries a DNS server for the corresponding IP. If an attacker can modify the records stored on a DNS server, every user who queries that server for the affected domain will receive the attacker's IP address instead of the legitimate one, redirecting their traffic without any compromise of the user's device.
Host File
A local text file on every operating system (Windows: C:\Windows\System32\drivers\etc\hosts; Linux/Mac: /etc/hosts) that maps domain names to IP addresses. Critical security property: the host file takes precedence over DNS queries β€” if an entry for a domain exists in the host file, the system uses it and never contacts the DNS server. Malware with elevated privileges can rewrite the host file to redirect specific domains (such as banking sites) to attacker-controlled IPs, affecting only the local machine.
On-Path Attack (DNS)
Also called a man-in-the-middle DNS attack. The attacker positions themselves between the client and DNS server to intercept DNS queries in real time and inject forged responses. Because DNS uses UDP (connectionless protocol with no session authentication), the client accepts the first response it receives. If the attacker responds faster than the legitimate DNS server, the client receives and caches the fake IP address. This requires the attacker to intercept or observe traffic in transit β€” typically on the same network segment.
Domain Hijacking
An attack in which the attacker gains control of a domain's registration account at the domain registrar, enabling them to change DNS records and redirect all traffic to attacker-controlled systems. Does not require compromising any of the victim's web servers or network infrastructure β€” controlling the registrar account alone is sufficient to reroute all traffic for any domain in that account. Common entry methods: brute force, social engineering, or compromising the email account linked to the domain registration.
Domain Registrar
A company accredited to register domain names and manage the DNS records associated with them. Examples: GoDaddy, Namecheap, Google Domains, Cloudflare. The registrar account is a high-value target because whoever controls it controls all DNS records for every domain registered to that account β€” effectively controlling where all traffic for those domains resolves. MFA on registrar accounts is the primary defense against domain hijacking.
URL Hijacking
Exploiting user errors or assumptions about domain names by registering deceptive domains that intercept misdirected traffic. Broader than DNS poisoning β€” does not require compromising DNS infrastructure; instead, the attacker registers a domain the user might accidentally type or be deceived into clicking. Motivations include advertising revenue, domain resale, competitor redirection, phishing, and malware delivery via drive-by downloads.
Typosquatting
A URL hijacking technique that registers domain names designed to capture traffic from users who mistype the target domain. Variations include: outright misspellings (professormesser.com β†’ professormessor.com), dropped characters (professormesser β†’ professormeser), added characters (professormesser β†’ professormessers), and alternative TLDs (professormesser.com β†’ professormesser.org). The hijacked domain may serve advertisements, phishing pages, malware, or be used for domain extortion against the legitimate owner.
Brandjacking
A form of typosquatting specifically targeting brand recognition β€” registering domains that closely resemble a well-known brand's domain to exploit customer trust and recognition. Users may not notice the slight difference in spelling and interact with the site as if it were legitimate. Often used interchangeably with typosquatting, though brandjacking emphasizes the exploitation of brand identity rather than just typing errors.
DNSSEC (DNS Security Extensions)
A set of extensions to the DNS protocol that add cryptographic authentication to DNS responses using digital signatures. When DNSSEC is enabled, DNS records are signed with a private key; resolvers verify the signature using the corresponding public key before accepting the response. This directly prevents forged DNS responses (on-path attack vector). Does NOT protect against host file manipulation, domain hijacking at the registrar, or typosquatting β€” these operate outside the DNS query/response path that DNSSEC secures.
Open Resolver
A DNS resolver configured to respond to queries from any IP address, not just its authorized clients. Open resolvers are a prerequisite for DNS amplification DDoS attacks (Chapter 45), where attackers spoof the victim's IP and direct large DNS responses to them. Completely separate from DNS poisoning β€” in poisoning, the resolver may be the victim (its cache is corrupted); in amplification, the resolver is the unwitting weapon. Closing open resolvers is a DNS security hardening step relevant to both Chapter 45 and 46 topics.