Abstract:
The Domain Name System (DNS) is a fundamental component of Internet infrastructure. Its original design lacked mechanisms for data security and authenticity. Consequently, DNS remains vulnerable to various attacks. In recent years, these attacks have evolved from basic response spoofing to sophisticated campaigns, including distributed denial-of-service (DDoS) and amplification attacks, data integrity breaches such as DNS cache poisoning and DNS hijacking, as well as communication tunneling.
This paper classifies DNS threats according to the confidentiality, integrity, and availability (CIA) triad, demonstrating how attackers exploit protocol vulnerabilities to redirect users, exfiltrate data, or disrupt services. In response, Domain Name System Security Extensions (DNSSEC) were introduced to provide data integrity and authenticity through cryptographic signatures. However, DNSSEC does not ensure confidentiality or comprehensive infrastructure protection. Additional protocols, including DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH), encrypt DNS communication but complicate traffic analysis and threat detection. The Response Policy Zone (RPZ) mechanism further enhances defense by blocking access to malicious domains, though its effectiveness is reduced when DNS traffic is encrypted.
No single security mechanism offers comprehensive protection for DNS. Implementing a multilayered security model that integrates multiple technologies is essential to balance confidentiality, integrity, and availability. Current research is directed toward incorporating post-quantum cryptography to address emerging threats associated with quantum computing.
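The RPZ blocking described above, shown as an added example that is not part of the paper: a small evaluator for RPZ QNAME triggers, with the zone contents, the domain names and the exact-before-wildcard precedence all being constructed assumptions for illustration.

```python
"""RPZ QNAME-trigger evaluation (added illustration, not from the paper)."""

# Constructed RPZ zone: trigger name -> BIND-style policy record.
# RPZ encodes actions as CNAME targets:
#   "CNAME ."              -> answer NXDOMAIN
#   "CNAME *."             -> answer NODATA
#   "CNAME rpz-passthru."  -> exempt this name from policy
#   any other target       -> redirect the client to that name (sinkhole)
RPZ_ZONE = {
    "malware.example": "CNAME .",
    "*.malware.example": "CNAME .",
    "good.malware.example": "CNAME rpz-passthru.",
    "tracker.example": "CNAME *.",
    "phish.example": "CNAME sinkhole.local.",
}


def candidate_triggers(qname):
    """Yield the exact name first, then wildcard triggers, most specific first.

    Exact match before wildcard is an assumed simplification of RPZ precedence.
    """
    labels = qname.rstrip(".").lower().split(".")
    yield ".".join(labels)
    for i in range(1, len(labels)):
        yield "*." + ".".join(labels[i:])


def action_for(record):
    """Translate an RPZ CNAME record into (action, redirect_target)."""
    rtype, target = record.split(None, 1)
    if rtype != "CNAME":
        raise ValueError("only CNAME-encoded RPZ actions are handled here")
    if target == ".":
        return ("NXDOMAIN", None)
    if target == "*.":
        return ("NODATA", None)
    if target == "rpz-passthru.":
        return ("PASSTHRU", None)
    return ("REDIRECT", target)


def evaluate(qname, zone=RPZ_ZONE):
    """Return the policy decision a resolver applying `zone` would take."""
    for trigger in candidate_triggers(qname):
        if trigger in zone:
            return action_for(zone[trigger])
    return ("PASSTHRU", None)  # no trigger matched: resolve normally
```

The evaluator only runs on a query the resolver actually sees; when a client sends its lookups over DoH to an external resolver, this policy check is never reached, which is the reduced effectiveness the abstract refers to.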
