
DNS Security Threats and Mitigation Strategies

DNS faces multiple attack vectors that can compromise availability, integrity, and privacy. Cache poisoning attacks, notably the Kaminsky-style vulnerability discovered in 2008, exploit insufficient entropy in transaction IDs and source ports to inject false records into resolver caches. Modern mitigations include source port randomization (using all 65535 ports rather than a small range), transaction ID randomization, 0x20 bit encoding (randomizing the case of query names to add entropy), and, most comprehensively, DNSSEC validation, which cryptographically verifies answer authenticity through signature chains.

DDoS and amplification attacks represent the most significant operational threat. The October 2016 Mirai botnet attack on Dyn exceeded 1 Tbps, leveraging DNS amplification, where small queries elicit large responses (amplification factors of 50 to 100x are possible with DNSSEC responses or ANY queries). Authoritative operators deploy response rate limiting (RRL) to cap identical responses per source, minimal ANY responses (returning minimal data rather than the full zone), and upstream scrubbing services. Infrastructure must plan for multi-Tbps capacity or partner with providers offering DDoS scrubbing, as even well-provisioned authoritative services can be overwhelmed.

Operational security failures create subtle but impactful issues. Lame delegations (NS records pointing to servers not actually serving the zone) cause multi-second timeouts and intermittent failures. Missing or incorrect glue records at parent zones lead to resolution deadlocks. DNSSEC key rollover mistakes, particularly improper DS record timing at registries, cause validation failures affecting all users for hours. Dangling DNS records (CNAMEs or NS records pointing to deprovisioned resources) enable subdomain takeover, where attackers claim the target resource and serve malicious content under the victim's domain.
💡 Key Takeaways
Cache poisoning mitigations require source port randomization across all 65535 ports, transaction ID randomization, and DNSSEC validation; without these, attackers need only hundreds to thousands of attempts to poison caches
DNS amplification attacks achieve 50 to 100x amplification factors; the October 2016 Dyn attack exceeded 1 Tbps using the Mirai botnet, disrupting major sites for hours and demonstrating the need for multi-Tbps scrubbing capacity
Response Rate Limiting (RRL) caps identical responses per source IP to 5 to 10 per second, mitigating reflection attacks while allowing legitimate retry behavior from resolvers
DNSSEC key rollovers require precise sequencing: publish new DNSKEY, wait maximum TTL, update DS at parent, wait maximum TTL, remove old DNSKEY; mistakes cause validation failures for all users
Lame delegations cause 5- to 20-second timeouts as resolvers attempt multiple NS targets before failing; continuous delegation monitoring and automated remediation are critical for reliability
EDNS Client Subnet (ECS) leaks the client IP prefix (typically /24) to authoritative servers, creating privacy concerns; many privacy-focused resolvers disable ECS despite a 10 to 30 ms geo-steering accuracy loss
📌 Examples
The Kaminsky attack (2008) exploited the birthday paradox to poison caches in seconds using insufficient 16-bit transaction ID entropy; modern resolvers use a 16-bit ID plus a 16-bit source port for 32 bits of total entropy
Amazon Route 53 uses Response Rate Limiting allowing 5 identical responses per source per second by default, blocking reflection attacks while permitting legitimate resolver retry patterns (typically 3 attempts over 5 seconds)
A Fortune 500 company experienced a 6-hour outage when a DNSSEC key rollover removed the old DNSKEY before the parent DS record was updated, causing validation failures; the correct sequence requires waiting 2x the maximum TTL (48 hours for a 24-hour TLD TTL)
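As an added illustration of the RRL behaviour described in the takeaways and the Route 53 example above (this is example code written for this page, not the page's or any vendor's implementation), the limiter below caps identical responses per source at the page's figure of 5 per second and, going one step beyond the text, emulates the "slip" behaviour found in authoritative servers such as BIND, where some suppressed responses are sent truncated (TC=1) so a genuine client whose address was spoofed can retry over TCP. The query log lines are constructed, and the (source, qname, qtype) key and the slip ratio are simplifications.

```python
from collections import defaultdict, deque

RATE_LIMIT = 5     # identical responses per source per second (figure used on this page)
WINDOW_SEC = 1.0
SLIP = 2           # every 2nd suppressed response goes out truncated (TC=1) instead of dropped


class ResponseRateLimiter:
    """Simplified RRL: sliding one-second window per (source, qname, qtype) tuple.
    Production implementations (e.g. BIND) also key on the source /24 and the rcode."""

    def __init__(self, limit=RATE_LIMIT, window=WINDOW_SEC, slip=SLIP):
        self.limit, self.window, self.slip = limit, window, slip
        self.sent = defaultdict(deque)      # key -> timestamps of responses actually sent
        self.suppressed = defaultdict(int)  # key -> number of responses withheld so far

    def decide(self, ts, src, qname, qtype):
        """Return 'answer', 'drop' or 'truncate' for one incoming query."""
        key = (src, qname.lower().rstrip("."), qtype.upper())
        recent = self.sent[key]
        while recent and ts - recent[0] >= self.window:   # expire entries outside the window
            recent.popleft()
        if len(recent) < self.limit:
            recent.append(ts)
            return "answer"
        self.suppressed[key] += 1
        # A truncated reply carries no amplification payload, but a real client behind
        # a spoofed address can still retry over TCP, so availability survives RRL.
        if self.slip and self.suppressed[key] % self.slip == 0:
            return "truncate"
        return "drop"


def run(log_lines, limiter=None):
    """Feed 'ts src qname qtype' lines through the limiter; return one decision per line."""
    limiter = limiter or ResponseRateLimiter()
    decisions = []
    for line in log_lines:
        ts, src, qname, qtype = line.split()
        decisions.append(limiter.decide(float(ts), src, qname, qtype))
    return decisions


# Constructed sample traffic: a legitimate resolver retrying 3 times over 5 s, then a
# reflection burst of 12 ANY queries in half a second carrying a spoofed victim source.
LEGIT = [f"{t} 192.0.2.10 www.example.net A" for t in (0.0, 2.0, 5.0)]
REFLECT = [f"{10.0 + i * 0.04:.2f} 203.0.113.7 example.com ANY" for i in range(12)]

if __name__ == "__main__":
    for line, verdict in zip(LEGIT + REFLECT, run(LEGIT + REFLECT)):
        print(f"{verdict:9} {line}")
```

The retrying resolver is answered every time, while the burst gets 5 real answers and then only drops and payload-free truncated replies, which is what removes the amplification value for the attacker.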