
Security Think Tank: Top three DNS-related security risks

What are the main security risks associated with the domain name system and how are these best mitigated?

The domain name system (DNS) is used by every business on the internet. A business's domain names are its digital identity and, as such, among the most crucial components of its security profile. Consequently, DNS threats are on the rise. The following are three of the most prevalent DNS risks worth prioritising on your security to-do list:

Registrar hijacking

Domain names are bought and sold through a registrar, and the registrar account is therefore a target for fraud. If an attacker compromises the account you hold with your registrar, they can take control of the domain: change its nameservers so that it points to servers under their control, or transfer ownership to another registrar. This is typically done by cracking or phishing the account password, or by socially engineering the registrar's support personnel into resetting it.

To minimise this risk, enforce strong, unique passwords on the registrar account, enable multi-factor authentication, and keep the transfer lock (the EPP status clientTransferProhibited) switched on so the domain cannot be moved without an explicit unlock. Select a registrar that offers enhanced account security options, such as registry lock, change notifications or dedicated account managers. Registry lock is a premium service, but well worth the security spend.

Typosquatting

The next best thing to registrar hijacking is typosquatting. If you can't break it, fake it. Typosquatting is the practice of registering a domain name that is almost identical to the real (target) business's domain name: a missing or transposed letter, a look-alike character, or a different top-level domain. Attackers do this to catch mistyped web traffic and to set up a wide variety of phishing attacks that appear to come from the target.

Best practice against this threat is to regularly monitor newly registered domain names for those that are unmistakably similar to your business's domain, and to register the most obvious variants yourself before anyone else does. You may also want to consider hiring companies that offer digital brand management and protection services to do this for you.
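The monitoring described above can be partly automated. The script below is an added example (not code from the original article or its author): it generates the common typosquat variants of a domain (omissions, transpositions, doubled letters, keyboard neighbours, look-alike characters, hyphenation, common suffixes and TLD swaps) and matches them against a newly-registered-domains feed. The keyboard and homoglyph tables are a small illustrative subset, and the feed in SAMPLE_NRD is constructed, not real registration data; in practice you would feed in a real NRD list or a zone-file diff, or use a dedicated tool such as dnstwist, which does the same thing far more thoroughly.

```python
"""Generate typosquat candidates for a domain and match them against a feed.

Added example for illustration. Tables below are deliberately small subsets;
SAMPLE_NRD is a constructed stand-in for a newly-registered-domains feed.
"""

# Assumption: QWERTY adjacency for fat-finger substitutions (subset).
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu",
    "z": "asx",
}
# Assumption: visually confusable replacements (subset).
HOMOGLYPHS = {
    "l": ["1", "i"], "i": ["1", "l"], "o": ["0"], "0": ["o"], "e": ["3"],
    "rn": ["m"], "m": ["rn"], "vv": ["w"], "w": ["vv"],
}
TLD_SWAPS = ["com", "co", "net", "org", "cm", "co.uk"]


def split_domain(domain):
    """'example.com' -> ('example', 'com'); 'example.co.uk' -> ('example', 'co.uk')."""
    label, _, tld = domain.lower().partition(".")
    return label, tld


def typo_candidates(domain):
    """Return the set of look-alike FQDNs for domain (never the domain itself)."""
    label, tld = split_domain(domain)
    cands = set()
    # 1. Omission: drop one character.
    for i in range(len(label)):
        cands.add(label[:i] + label[i + 1:])
    # 2. Transposition: swap two adjacent characters.
    for i in range(len(label) - 1):
        cands.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # 3. Repetition: double one character.
    for i in range(len(label)):
        cands.add(label[:i] + label[i] + label[i:])
    # 4. Fat-finger substitution with a keyboard neighbour.
    for i, ch in enumerate(label):
        for nb in QWERTY_NEIGHBOURS.get(ch, ""):
            cands.add(label[:i] + nb + label[i + 1:])
    # 5. Homoglyph substitution at each position the source string occurs.
    for src, repls in HOMOGLYPHS.items():
        idx = label.find(src)
        while idx != -1:
            for r in repls:
                cands.add(label[:idx] + r + label[idx + len(src):])
            idx = label.find(src, idx + 1)
    # 6. Hyphenation and common phishing affixes.
    for i in range(1, len(label)):
        cands.add(label[:i] + "-" + label[i:])
    cands.update({label + "-login", label + "-secure", "my" + label})
    # Every label variant on the real TLD, plus the real label on swapped TLDs.
    out = {f"{c}.{tld}" for c in cands if c and c != label}
    out.update(f"{label}.{t}" for t in TLD_SWAPS if t != tld)
    return out


def find_lookalikes(domain, newly_registered):
    """Return the feed entries that match a generated candidate, sorted."""
    cands = typo_candidates(domain)
    return sorted(d.lower() for d in newly_registered if d.lower() in cands)


# Constructed sample feed of "newly registered" names (not real data).
SAMPLE_NRD = [
    "exmaple.com",         # transposition
    "examp1e.com",         # homoglyph: l -> 1
    "example-login.com",   # phishing affix
    "exarnple.com",        # homoglyph: m -> rn
    "example.cm",          # TLD swap
    "unrelated-site.net",  # noise
    "example.com",         # the genuine domain must never be reported
]

if __name__ == "__main__":
    for hit in find_lookalikes("example.com", SAMPLE_NRD):
        print("look-alike registered:", hit)
```

Run daily against the previous day's registrations and hand the hits to whoever owns takedown requests; a hit is a lead, not proof of malice, so pair it with a WHOIS/RDAP lookup and a check of what the name resolves to before acting.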

Cache poisoning

DNS data is used to route email and to find websites across the internet, and it is cached on resolvers (your ISP's, or your organisation's own) to reduce load and improve performance. However, the DNS data cached on these resolvers may be vulnerable to "poisoning" attacks.

Attackers exploit weaknesses in how a resolver matches replies to its outstanding queries (predictable transaction IDs and source ports, or lax checks on what a reply is allowed to contain) to inject forged address records into the cache. Every user of that resolver is then rerouted to a fake website under the attacker's control until the record expires. The user's browser cannot tell that the address is wrong, because DNS itself gives it nothing to check; only a TLS certificate mismatch stands between the user and the fake site.

Currently, the only real solution to this risk is a protocol known as DNSSEC. Signing your zone with DNSSEC enables validating resolvers (such as those run by ISPs and enterprises) to verify that the DNS data they receive is authentic and unaltered, which defeats cache poisoning for that domain. Two caveats: the protection only applies where the resolver actually validates, and DNSSEC authenticates the data but does not encrypt it. In the meantime, make sure your own resolvers randomise transaction IDs and source ports. Ask your ISP and your DNS hosting provider for DNSSEC.
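To make the reply-matching weakness concrete, here is an added example (not code from the original article or its author) modelling the cache-poisoning race in Python. It is a deliberate simplification with no DNS wire format: a WeakResolver that uses sequential transaction IDs, a fixed source port and nothing else to match replies, beside a HardenedResolver that randomises both, checks the question section and applies a bailiwick rule (the RFC 5452 approach), plus a small function for the blind-guessing probability an attacker faces. The domain names and IP addresses are constructed; the "attacker learns the ID from a query to their own domain" step is the classic predictable-ID technique and is modelled, not reproduced on the wire.

```python
"""Toy model of a DNS cache-poisoning race.

Added example, not part of the original article. Resolver, attacker and
records are simplified stand-ins (no wire format). Names and addresses
are constructed for illustration.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    txid: int        # 16-bit DNS transaction ID
    src_port: int    # UDP source port the resolver sent from
    qname: str
    qtype: str


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int
    qname: str
    qtype: str
    answer_name: str  # owner name of the record carried in the reply
    rdata: str        # e.g. an IPv4 address


class WeakResolver:
    """Sequential txid, fixed source port, no checks beyond the ID: poisonable."""

    def __init__(self):
        self.next_txid = 0x1000
        self.port = 53
        self.cache = {}

    def make_query(self, qname, qtype="A"):
        q = Query(self.next_txid, self.port, qname, qtype)
        self.next_txid = (self.next_txid + 1) & 0xFFFF
        return q

    def accept(self, q, r):
        return r.txid == q.txid and r.dst_port == q.src_port

    def resolve(self, qname, responses):
        """Cache and return the rdata of the first reply that passes accept()."""
        q = self.make_query(qname)
        for r in responses:
            if self.accept(q, r):
                self.cache[r.answer_name] = r.rdata
                return r.rdata
        return None


def in_bailiwick(answer_name, qname):
    """Only trust records at or below the zone being queried (simplified rule)."""
    zone = qname.split(".", 1)[1]
    return answer_name == qname or answer_name.endswith("." + zone)


class HardenedResolver(WeakResolver):
    """Random txid and source port, question and bailiwick checks."""

    def make_query(self, qname, qtype="A"):
        return Query(secrets.randbelow(1 << 16), 1024 + secrets.randbelow(64512), qname, qtype)

    def accept(self, q, r):
        return (r.txid == q.txid and r.dst_port == q.src_port
                and r.qname == q.qname and r.qtype == q.qtype
                and in_bailiwick(r.answer_name, q.qname))


def forged(txid, port, qname="www.bank.example", rdata="198.51.100.66"):
    """A forged reply for the queried name pointing at an attacker-controlled IP (constructed)."""
    return Response(txid, port, qname, "A", qname, rdata)


def blind_spoof_probability(packets, entropy_bits):
    """P(at least one forged packet matches) when the attacker must guess entropy_bits."""
    return 1 - (1 - 2.0 ** -entropy_bits) ** packets


def poison_weak_resolver():
    """Attacker learns the txid from a query to their own domain and predicts the next."""
    r = WeakResolver()
    probe = r.make_query("anything.attacker.example")   # attacker sees this txid
    predicted = (probe.txid + 1) & 0xFFFF
    # The forged reply wins the race: it arrives before the genuine one.
    genuine = Response(predicted, 53, "www.bank.example", "A", "www.bank.example", "203.0.113.10")
    return r.resolve("www.bank.example", [forged(predicted, 53), genuine])


def hardened_checks():
    """(wrong txid accepted?, out-of-bailiwick accepted?, genuine accepted?)"""
    r = HardenedResolver()
    q = r.make_query("www.bank.example")
    wrong_id = forged((q.txid + 1) & 0xFFFF, q.src_port)  # ID off by one
    out_of_zone = Response(q.txid, q.src_port, q.qname, "A", "ns.other.example", "198.51.100.66")
    genuine = Response(q.txid, q.src_port, q.qname, "A", q.qname, "203.0.113.10")
    return r.accept(q, wrong_id), r.accept(q, out_of_zone), r.accept(q, genuine)


if __name__ == "__main__":
    print("weak resolver cached:", poison_weak_resolver())
    print("hardened (wrong id, out of zone, genuine):", hardened_checks())
    print("blind spoof, 65536 packets, txid only:   %.3f" % blind_spoof_probability(65536, 16))
    print("blind spoof, 65536 packets, txid + port: %.6f" % blind_spoof_probability(65536, 32))
```

The probability numbers are the point of the hardened design: with a 16-bit ID alone, about 65,000 forged packets give the attacker better-than-even odds, which is seconds of traffic; adding a random source port multiplies the search space by roughly 64,000. That only raises the cost of guessing, whereas DNSSEC lets the resolver verify a signature on the data, so a lucky guess no longer helps.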

DNS-based attacks are not going away. Because DNS is an essential part of the internet communications framework, it will always be considered an effective attack vehicle. Time to move it up your list.

Richard Hollis is an ISACA expert and author on IT security and risk, and CEO of Risk Factory.

1 comment

Somewhat, but not entirely, related to the cache poisoning exploit, have you heard of:
1. Cache 'stolen' or acquired from a user or website - in the federal government domain - and then 'fed back' to the user(s) in corrupted format, accompanied by threats? E.g. say one federal agency user communicated with another federal agency, or pulled up an address for geo-location - that sort of information/cache.
2. Any terror-event-related DNS attacks in which hackers polluted the site so that it was visible to all visitors, with Arabic words like قتل or انتقام ('murder', 'revenge') on the same day of an attack?
3. Lastly, unrelated to online attacks but definitely related to ISP / node firewalls being dropped and other tactics: this is a common attack in the Washington DC metro area, especially on FiOS / Verizon business, government or home LANs. This is partly because Verizon's 5G network SHARES INFRASTRUCTURE with CHINESE infrastructure in the US, particularly in sites like Virginia and NJ, major POP, server and switching locations. So whatever Verizon does on its 5G is easily corrupted, it seems, by China here.

But the ISP attack - which my company has documented tens of thousands of examples of, but the Israeli government, working with us on occasion, and the US Navy, have documented hundreds of thousands of - involves the corruption of isolation firewalls separating multiple distinct accounts. So that in a place like McLean, Virginia, for example, a Freddie Mac, Booz Allen and CIA HQ site; or in Arlington, by the Pentagon, or with police department LANs all over Maryland, devices and MAC IDs and passwords etc. are all wide open, one to another (for most people smart enough to do minimal network inquiry).

Not every exploit is well known.