The Domain Name System (DNS) translates human-readable domain names into IP addresses. It is one of the most critical — and most targeted — components of network infrastructure. A compromised DNS can redirect users to malicious sites, intercept communications, and disrupt entire organisations.
```mermaid
graph TD
    S1["1. User types 'example.com' in browser"] --> S2["2. Check local cache -> Not found"]
    S2 --> S3["3. Query recursive resolver (ISP or corporate DNS)"]
    S3 --> S4["4. Resolver queries root nameserver -> Refers to .com TLD"]
    S4 --> S5["5. Query .com TLD nameserver -> Refers to example.com authoritative NS"]
    S5 --> S6["6. Query authoritative nameserver -> Returns IP: 93.184.216.34"]
    S6 --> S7["7. Resolver caches result and returns to client"]
    S7 --> S8["8. Browser connects to 93.184.216.34"]
```
| Record | Purpose | Example |
|---|---|---|
| A | Maps domain to IPv4 address | example.com → 93.184.216.34 |
| AAAA | Maps domain to IPv6 address | example.com → 2606:2800:220:1:... |
| CNAME | Alias for another domain | www.example.com → example.com |
| MX | Mail exchange server | example.com → mail.example.com |
| TXT | Text records (SPF, DKIM, DMARC) | Used for email authentication |
| NS | Authoritative nameserver | example.com → ns1.example.com |
| SOA | Start of Authority — zone metadata | Primary NS, serial number, refresh |
| PTR | Reverse DNS — IP to domain | 34.216.184.93 → example.com |
| Attack | Description | Impact |
|---|---|---|
| DNS Spoofing / Cache Poisoning | Injecting false records into a resolver's cache | Users redirected to malicious sites |
| DNS Hijacking | Compromising DNS settings on the client, router, or registrar | Traffic redirected to attacker-controlled servers |
| DNS Tunnelling | Encoding data in DNS queries to exfiltrate data or bypass controls | Data theft, command-and-control communication |
| DNS Amplification DDoS | Using open resolvers to amplify DDoS traffic | Target overwhelmed with traffic |
| Domain Hijacking | Gaining control of a domain through registrar compromise | Full control of the domain |
| NXDOMAIN Attack | Flooding a resolver with queries for non-existent domains | Resolver resource exhaustion |
| Typosquatting | Registering domains similar to legitimate ones | Phishing, credential theft |
```mermaid
graph TD
    S1["1. Attacker sends many forged DNS responses to the resolver"] --> S2["2. If a forged response arrives before the legitimate one -> Resolver caches the WRONG IP address"]
    S2 --> S3["3. All users querying that domain get the WRONG IP -> Redirected to attacker's server"]
```
DNSSEC adds cryptographic signatures to DNS records, allowing resolvers to verify that responses have not been tampered with.
| Component | Purpose |
|---|---|
| RRSIG (Resource Record Signature) | Digital signature for each DNS record set |
| DNSKEY | Public key used to verify RRSIG signatures |
| DS (Delegation Signer) | Hash of the child zone's DNSKEY, stored in the parent zone |
| NSEC / NSEC3 | Proves that a domain does NOT exist (prevents cache poisoning of non-existent domains) |
```mermaid
graph TD
    Root["Root Zone (signed)"] -->|DS record| TLD[".com TLD (signed)"]
    TLD -->|DS record| Domain["example.com (signed)"]
    Domain -->|RRSIG| ARecord["A record: 93.184.216.34 (Verified!)"]
```