Chapter 4.0

DNS Security

From foundational vulnerabilities to encrypted transport and protective DNS — how the internet's naming system learned to defend itself.

DNS was designed in the 1980s by engineers who trusted each other. The ARPANET was a small, cooperative research network — security meant locking the server room door. Nobody imagined that DNS would one day route traffic for global banking, healthcare, and critical infrastructure. Nobody imagined it would need to resist nation-state attacks.

That trust assumption is DNS’s original sin.

Every DNS query travels in plaintext. Every response is accepted on faith. There’s no built-in way to verify that the answer you received is the answer the authoritative server actually sent. For decades, this worked fine — until it didn’t.

In This Part

We’ll trace the complete arc of DNS security — from the attacks that exposed its weaknesses to the protocols designed to fix them:

  1. DNS Vulnerabilities — Cache poisoning, the Kaminsky attack, amplification DDoS, tunneling, and social engineering attacks on the naming system itself
  2. DNSSEC — The cryptographic chain of trust that authenticates DNS responses, from root to leaf
  3. DNS-over-HTTPS (DoH) — Encrypting DNS inside HTTPS, its browser adoption, and the fierce debate it sparked
  4. DNS-over-TLS (DoT) — The first mainstream encrypted DNS transport, its architecture, and where it fits
  5. DNS-over-QUIC (DoQ) — The newest encrypted transport, built on QUIC’s zero-RTT promises
  6. DNS Hijacking and BGP Attacks — When attackers bypass the resolution path entirely by compromising registrars, routing infrastructure, and the trust chain itself
  7. Protective DNS and Threat Intelligence — Using DNS as a defensive control to block malware, enforce policy, and monitor for threats

What You’ll Learn

By the end of Part 4, you’ll be able to:

  • Explain the major DNS attack vectors and why they work against the original protocol design
  • Understand DNSSEC’s chain of trust — key types, record types, and the validation process
  • Compare encrypted DNS protocols (DoH, DoT, DoQ) and their respective tradeoffs
  • Recognize DNS hijacking techniques and the infrastructure-level attacks that bypass DNS entirely
  • Deploy protective DNS strategies for threat blocking, monitoring, and policy enforcement

Prerequisites

This part assumes you’ve read Part 2 (How DNS Works) or already understand DNS resolution, record types, caching, and the recursive/authoritative server model. You should be comfortable with concepts like TTL, zone files, and the DNS message format.

If you can trace a DNS query from stub resolver to authoritative server, you’re ready to learn how attackers exploit — and defenders protect — every step of that journey.

Let’s break some things.