Reference Concepts

How DNS Works and How Attackers Use It Against You

DNS is the system that translates domain names into addresses your computer can find. It is also one of the most exploited layers in phishing attacks. This article explains both, starting with the basics.

April 2, 2026 · 9 min read

TL;DR

  • DNS translates the names you type into the addresses your computer reaches; attackers manipulate names you trust.
  • Lookalike domains, DNS hijacking, and homoglyphs all exploit the gap between what users see and what resolves.
  • Monitoring brand variants in DNS + Certificate Transparency catches most phishing infrastructure during setup.

What it does

DNS is the system that translates the names you type into the IP addresses your computer connects to. Every domain lookup involves multiple servers (root, TLD, authoritative) and multiple cache layers (recursive resolver, local stub). Each layer is a potential injection point for an attacker who wants the user to land somewhere unexpected.

The most common DNS-based attack against brands isn't manipulation of the lookup itself — it's manipulation of the name the user trusts. A lookalike domain (yourbrand-secure.com) resolves correctly to the attacker's server; the user's resolver works perfectly. The exploit is on the human, who reads the URL as legitimate.

Less common but more dangerous: actual DNS-layer attacks (cache poisoning, DNS hijacking via registrar compromise, BGP-based interception). These usually target larger brands and require operator-level access. Defense for those: DNSSEC, registrar lock with 2FA, and continuous monitoring of your own DNS records for unauthorized changes.

How it works

  1. Lookalike domain registration. Attacker registers yourbrand-login.com and points it at their server. DNS works perfectly; the user gets phished because they read the URL as legitimate. Defense: continuous lookalike monitoring + defensive registration.

  2. Homoglyph (IDN) substitution. Attacker registers yourbránd.com (with an accented character or Cyrillic lookalike). The URL bar may show punycode or the rendered character depending on browser policy. Defense: monitor for IDN variants of your brand.

  3. Subdomain spoofing. Attacker registers yourbrand-portal.com and serves the phishing site at secure.yourbrand-portal.com. The visible label to a hurried user is just secure.yourbrand-portal, which scans as your brand.

  4. DNS cache poisoning. Older attack; mostly mitigated by DNSSEC + 0x20 encoding in modern recursive resolvers. Still possible against ISPs with poor cache hygiene.

  5. Registrar account compromise. Attacker gets into your registrar account (phishing the operator's credentials), changes your DNS records or transfers the domain. Defense: registrar lock + 2FA + monitoring DNS records for unauthorized changes.

  6. BGP-based interception. Attacker manipulates BGP routing to claim your IP space and intercepts traffic intended for your domain. Rare but devastating; defense is RPKI + relationships with your transit providers.
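The monitoring that TL;DR point 3 and items 1 to 3 above describe comes down to classifying candidate names. The following is an added example (not the article's code) that sorts hostnames pulled from a DNS or Certificate Transparency feed into the lookalike, homoglyph and subdomain-spoof categories; the brand yourbrand, the "last two labels" registrable-domain rule and the small confusable table are assumptions.

```python
"""Flag hostnames from a DNS or Certificate Transparency feed as lookalikes of one
brand. Added example, not from the article. Assumes the registrable domain is the
last two labels (use the Public Suffix List in production); CONFUSABLES is a subset."""
import unicodedata

BRAND = "yourbrand"               # brand label to protect (ASCII, no confusable pairs)
OWN_DOMAINS = {"yourbrand.com"}   # registrable domains the brand controls

# Visually confusable sequences -> what a hurried reader perceives (small subset).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic
               "\u0441": "c", "\u0445": "x", "\u0131": "i",                 # dotless i
               "0": "o", "1": "l", "rn": "m", "vv": "w"}

def to_unicode(hostname):
    """Decode punycode (xn--) labels so IDN variants compare by appearance."""
    return ".".join(l.encode("ascii").decode("idna") if l.startswith("xn--") else l
                    for l in hostname.lower().split("."))

def skeleton(label):
    """Reduce a label to the ASCII skeleton a reader would perceive."""
    # NFKD splits accented letters into base letter + combining mark; drop the marks.
    s = "".join(c for c in unicodedata.normalize("NFKD", label)
                if not unicodedata.combining(c))
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s

def classify(hostname):
    """Return a lookalike category, or None if the name is ours or unrelated."""
    labels = to_unicode(hostname).split(".")
    if len(labels) < 2 or ".".join(labels[-2:]) in OWN_DOMAINS:
        return None                              # bare TLD or our own infrastructure
    sld, subs = labels[-2], labels[:-2]
    sk = skeleton(sld)
    if sk == BRAND and sld != BRAND:
        return "homoglyph"                       # yourbránd.com, y0urbrand.com
    if BRAND in sk:
        return "lookalike"                       # yourbrand-login.com, yourbrand.co
    if any(BRAND in skeleton(s) for s in subs):
        return "subdomain-spoof"                 # yourbrand.com.evil-host.net
    return None

# Constructed sample, written as the A-labels a CT log would show.
SAMPLE = ["www.yourbrand.com", "yourbrand-login.com", "secure.yourbrand-portal.com",
          "yourbr\u00e1nd.com".encode("idna").decode("ascii"),   # Latin a-acute
          "yourbr\u0430nd.com".encode("idna").decode("ascii"),   # Cyrillic a
          "yourbrand.com.evil-host.net", "unrelated-shop.com"]

def scan(hostnames):
    return {h: c for h in hostnames if (c := classify(h))}   # suspicious names only
```

Feed `scan()` the new-certificate stream from a CT monitor or the NXDOMAIN/newly-seen names from your resolver logs; every hit is a name to check while the phishing site is still being set up.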

Common pitfalls

  • Treating DNS attacks as exotic. The vast majority of "DNS phishing" is just lookalike domain registration. Defense is monitoring + DMARC, not DNSSEC theater.

  • Skipping registrar lock and 2FA. A compromised registrar account undoes every other DNS control. Lock the domain at the registrar, enable 2FA, don't reuse the registrar password.

  • DNSSEC without monitoring. DNSSEC prevents one class of attack (cache poisoning) but creates its own operational failure modes (key rollover problems, validation errors). Monitor the signing chain or skip DNSSEC entirely.

  • Ignoring sub-CA risks. If your DNS provider lets you grant sub-CA authorization for ACME, that's another path to certificate misissuance under your name. CAA records pin which CAs can issue.