DNS Spoofing (DNS Forgery)
DNS spoofing is an attack in which an attacker forges a DNS response to a client or resolver so that the recipient accepts false DNS information, typically redirecting domain names to attacker-controlled IP addresses.
DNS Cache Poisoning
DNS cache poisoning is a persistent form of DNS spoofing in which an attacker’s forged DNS resource record (RR) is accepted and stored in the cache of a recursive resolver, causing all subsequent queries to receive malicious responses until the TTL expires.
All DNS cache poisoning is DNS spoofing, because a fake response is delivered. But not all DNS spoofing is cache poisoning, since a spoofed response might only affect a single query and not be stored in the resolver cache.
DNS/Domain Hijacking
DNS hijacking is an attack in which an attacker takes control over the resolution of DNS queries for a domain, redirecting them to malicious IP addresses. One form is taking control of the domain itself by attacking its registrar. Unlike cache poisoning, hijacking typically modifies DNS configuration or authority rather than exploiting resolver cache weaknesses.
DNS Amplification (Reflection) DDoS
DNS amplification is a type of distributed denial-of-service (DDoS) attack in which an attacker uses open recursive DNS resolvers to generate a high volume of DNS response traffic toward a target, amplifying the attack bandwidth by exploiting the disparity between small query size and large response size.
It is called reflection because the attack traffic is reflected through third-party DNS servers to hide the attacker’s origin.
DNS Tunneling
DNS tunneling is a method in which arbitrary data is encapsulated within DNS queries and responses, allowing attackers to bypass network security controls or exfiltrate data over the DNS protocol. It leverages the fact that DNS traffic is often allowed through firewalls and typically not inspected for payload content.
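The detection side of the definition above, as an added example that is not part of the original page: a small analyzer over resolver query logs that computes, per zone, the number of unique subdomains, their mean length and the entropy of the leftmost label, the three signals a tunnel leaves because it has to carry its payload in the query name. The log lines, the zone-splitting rule (last two labels; real tooling would consult the Public Suffix List) and the thresholds are all assumptions constructed for the example.

```python
import math
from collections import defaultdict

# Constructed resolver query-log lines, "<client> <qname> <qtype>".
# The exfil-example.test entries imitate the long, encoded leftmost
# labels that a tunnel produces; the rest are ordinary lookups.
SAMPLE_LOG = [
    "10.0.0.5 www.example.com A",
    "10.0.0.5 mail.example.com MX",
    "10.0.0.7 cdn.example.net A",
    "10.0.0.9 dGhpcyBpcyBhIHNlY3JldA.t1.exfil-example.test TXT",
    "10.0.0.9 ZmlsZSBjb250ZW50cyBoZXJl.t2.exfil-example.test TXT",
    "10.0.0.9 bW9yZSBkYXRhIGdvZXMgaGVyZQ.t3.exfil-example.test TXT",
    "10.0.0.9 YW5kIGV2ZW4gbW9yZSBieXRlcw.t4.exfil-example.test TXT",
    "10.0.0.9 bGFzdCBjaHVuayBvZiBkYXRh.t5.exfil-example.test TXT",
]


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (subdomain, zone). Assumption: the zone is the last two
    labels; real tooling should consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def zone_stats(lines):
    """Aggregate per-zone features from query-log lines."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "sub_len_total": 0, "entropy_total": 0.0})
    for line in lines:
        _client, qname, _qtype = line.split()
        sub, zone = split_qname(qname)
        s = stats[zone]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["sub_len_total"] += len(sub)
        # A tunnel carries its payload in the leftmost label.
        s["entropy_total"] += shannon_entropy(sub.split(".")[0])
    return stats


def flag_tunneling(lines, min_unique=5, min_mean_len=16, min_entropy=3.0):
    """Zones with many unique, long, high-entropy subdomains. Thresholds
    are assumptions to tune against a baseline of your own traffic."""
    flagged = []
    for zone, s in zone_stats(lines).items():
        n = s["queries"]
        mean_len = s["sub_len_total"] / n
        mean_entropy = s["entropy_total"] / n
        if (len(s["subdomains"]) >= min_unique
                and mean_len >= min_mean_len
                and mean_entropy >= min_entropy):
            flagged.append(zone)
    return sorted(flagged)


if __name__ == "__main__":
    for zone in flag_tunneling(SAMPLE_LOG):
        print("possible DNS tunnel:", zone)
```

Query volume per zone and the record type (TXT, NULL and CNAME are favoured by tunnels because they carry more data per answer) are further features worth adding; the block keeps to the name-based ones so the three signals stay visible.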
DNS Query
A DNS query is a structured message sent by a DNS client (stub resolver or application) to a DNS server (recursive resolver or authoritative server) asking for information about a domain name.
Domain Generation Algorithms (DGA)
Technical Definition: A Domain Generation Algorithm (DGA) is an algorithmic method used by malware to systematically generate a large number of pseudo-random domain names to contact attacker-controlled command-and-control (C2) servers, increasing resilience against domain takedowns and detection.
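A resolver-log check for the behaviour just defined, added here as an example and not taken from the original page: an infected host contacting a DGA produces bursts of NXDOMAIN answers for names that look random, because only a few of the generated candidates are ever registered. The block scores each second-level label lexically (length, entropy, vowel ratio) and flags clients that accumulate several NXDOMAIN hits on such names. Log lines, the label rule and every threshold are constructed assumptions; dictionary-word DGAs would need different lexical features than the ones shown.

```python
import math
from collections import defaultdict

# Constructed resolver log lines, "<client> <qname> <rcode>". Client
# 10.0.0.9 imitates an infected host cycling through generated names,
# most of which do not exist yet; the other clients are ordinary.
SAMPLE_LOG = [
    "10.0.0.5 www.example.com NOERROR",
    "10.0.0.5 gogle.com NXDOMAIN",           # a human typo, also NXDOMAIN
    "10.0.0.7 mail.example.net NOERROR",
    "10.0.0.9 xkq7v2mzp9wnr4.test NXDOMAIN",
    "10.0.0.9 p3zlw8qvtkm6bj.test NXDOMAIN",
    "10.0.0.9 v9kzqmw2xpt7rn.test NXDOMAIN",
    "10.0.0.9 tz4qxwm8kpv3lb.test NXDOMAIN",
    "10.0.0.9 wq7zkxm4vpt9rl.test NOERROR",   # the one candidate that resolved
]

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character of the label."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname):
    """Assumption: the registrable label is the second-to-last one."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_generated(label, min_len=10, min_entropy=3.0, max_vowel_ratio=0.25):
    """Lexical test: long, high-entropy, vowel-poor labels are typical of
    DGAs that draw characters uniformly. Thresholds are assumptions."""
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return (shannon_entropy(label) >= min_entropy
            and vowel_ratio <= max_vowel_ratio)


def flag_dga_clients(lines, min_nx_hits=3):
    """Clients with repeated NXDOMAIN answers for generated-looking names.
    A single typo does not cross the threshold; a burst does."""
    hits = defaultdict(set)
    for line in lines:
        client, qname, rcode = line.split()
        if rcode == "NXDOMAIN" and looks_generated(second_level_label(qname)):
            hits[client].add(qname)
    return sorted(c for c, names in hits.items() if len(names) >= min_nx_hits)


if __name__ == "__main__":
    for client in flag_dga_clients(SAMPLE_LOG):
        print("possible DGA activity from", client)
```

The NXDOMAIN ratio is what makes this usable in practice: the lexical test alone misfires on CDN hostnames and hashed labels, but those resolve, whereas a DGA beacon fails many times before it succeeds.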
DNS Rebinding
Technical Definition: DNS rebinding is a web-based attack in which a malicious domain dynamically changes its resolved IP address over successive DNS queries, allowing attacker-controlled client-side scripts to bypass the browser’s Same-Origin Policy and access internal network resources.
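Two defensive checks against the attack just described, as an added example that is neither the page's nor any particular resolver's code. The first is a server-side Host header allow-list: a rebinding page reaches the internal service with the browser's Host header still set to the attacker's domain, so an internal service that only answers for its own hostnames defeats the attack regardless of what DNS returned. The second is a resolver-side filter that drops private, loopback and link-local answers for names outside the zones allowed to point inside, the idea behind rebind-protection options in some resolvers. The allowed hostnames, the trusted internal zone and the network list are constructed assumptions.

```python
import ipaddress

# Constructed: hostnames this internal service should answer for.
ALLOWED_HOSTS = {"app.internal.example", "localhost"}
# Constructed: zones whose names legitimately resolve to internal space.
INTERNAL_ZONES = ("internal.example",)
# Address space a public name has no business resolving to.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
    "0.0.0.0/8",
    "::1/128", "::/128", "fc00::/7", "fe80::/10",      # v6 loopback, unspecified, ULA, link-local
)]


def host_header_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Server-side check: reject requests whose Host header is not one of
    the service's own names, whatever address the client resolved."""
    host = host_header.strip().lower().rstrip(".")
    # Strip a port suffix, keeping bracketed IPv6 literals intact.
    if host.startswith("["):
        host = host.split("]")[0] + "]"
    else:
        host = host.split(":")[0]
    return host in allowed


def is_internal_address(ip):
    """True for RFC 1918, loopback, link-local, CGNAT and ULA addresses.
    IPv4-mapped IPv6 forms are unwrapped so ::ffff:10.0.0.1 is caught."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in net for net in INTERNAL_NETWORKS)


def filter_answers(qname, answers, internal_zones=INTERNAL_ZONES):
    """Resolver-side check: drop internal addresses from the answer set
    for any name outside the trusted internal zones. A rebinding domain's
    second answer (the private address) never reaches the browser."""
    name = qname.rstrip(".").lower()
    trusted = any(name == z or name.endswith("." + z) for z in internal_zones)
    if trusted:
        return list(answers)
    return [ip for ip in answers if not is_internal_address(ip)]


if __name__ == "__main__":
    # Constructed rebinding sequence: public address first, private next.
    for answer in ("203.0.113.7", "10.1.2.3", "::ffff:127.0.0.1"):
        print("evil.attacker.test ->", answer, "passed:",
              filter_answers("evil.attacker.test", [answer]))
    print("Host evil.attacker.test accepted:",
          host_header_allowed("evil.attacker.test"))
```

The two checks are independent: the Host check protects a service even when clients use an unfiltered resolver, and the resolver filter protects services that cannot be changed. Applying both is the usual recommendation.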
Subdomain Takeover
Technical Definition: Subdomain takeover occurs when a DNS subdomain points to an external service that is unclaimed, deleted, or misconfigured, enabling an attacker to claim the external resource and serve malicious content under the victim’s subdomain.
Zone Transfer Abuse (AXFR)
Technical Definition: Zone transfer abuse occurs when an attacker exploits the DNS AXFR protocol to request a full zone file from an authoritative nameserver, obtaining every DNS record in the zone (data intended only for replication between nameservers) and potentially exposing internal hostnames, IPs, and network structure.
NXDOMAIN Abuse
Technical Definition: NXDOMAIN abuse is an attack in which an adversary intentionally generates large numbers of DNS queries that result in NXDOMAIN (nonexistent domain) responses, overloading recursive resolvers, cache systems, or monitoring infrastructure, often as part of DDoS amplification or evasion strategies.
DNSSEC Downgrade / Misuse
Technical Definition: DNSSEC downgrade or misuse occurs when an attacker bypasses or exploits weaknesses in DNSSEC validation, forcing a resolver to accept unsigned or improperly signed DNS records, thereby undermining the cryptographic integrity guarantees of the DNSSEC chain of trust.
Fast-Flux DNS
Technical Definition: Fast-flux DNS is a technique used by attackers in which a domain’s DNS records (usually A/AAAA) rapidly change IP addresses, often pointing to a large pool of compromised hosts, to obfuscate the true location of a malicious server and increase resilience against takedowns.
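A passive-DNS profiler for the technique just defined, added as an example and not part of the original page. Per name it collects the distinct answer addresses, the lowest TTL seen and the number of distinct networks those addresses fall in; the third feature is what separates fast-flux from a CDN, which also rotates many addresses behind a short TTL but keeps them inside a few networks. The observations are constructed from the RFC 5737 documentation ranges, and the /24 used as a network key stands in for the ASN or BGP-prefix lookup a production pipeline would use; the thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed passive-DNS observations: (unix_time, qname, answer_ip, ttl).
OBSERVATIONS = [
    # ordinary name: stable addresses, long TTL
    (1700000000, "www.example.com", "203.0.113.10", 3600),
    (1700003600, "www.example.com", "203.0.113.11", 3600),
    # CDN-style name: many addresses and a short TTL, but one network
    (1700000000, "cdn.example.net", "198.51.100.21", 60),
    (1700000060, "cdn.example.net", "198.51.100.22", 60),
    (1700000120, "cdn.example.net", "198.51.100.23", 60),
    (1700000180, "cdn.example.net", "198.51.100.24", 60),
    (1700000240, "cdn.example.net", "198.51.100.25", 60),
    (1700000300, "cdn.example.net", "198.51.100.26", 60),
    # flux-style name: many addresses, short TTL, scattered networks
    (1700000000, "flux-example.test", "203.0.113.5", 60),
    (1700000060, "flux-example.test", "192.0.2.44", 60),
    (1700000120, "flux-example.test", "198.51.100.9", 60),
    (1700000180, "flux-example.test", "203.0.113.77", 60),
    (1700000240, "flux-example.test", "192.0.2.120", 60),
    (1700000300, "flux-example.test", "198.51.100.200", 60),
]


def network_of(ip, prefix_len=24):
    """Coarse network key. Assumption: a /24 stands in for the ASN or
    BGP prefix a production pipeline would look up."""
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


def domain_profiles(observations):
    """Per-name feature set: distinct IPs, distinct networks, lowest TTL."""
    profiles = defaultdict(lambda: {"ips": set(), "networks": set(),
                                    "min_ttl": None})
    for _ts, qname, ip, ttl in observations:
        p = profiles[qname.rstrip(".").lower()]
        p["ips"].add(ip)
        p["networks"].add(network_of(ip))
        p["min_ttl"] = ttl if p["min_ttl"] is None else min(p["min_ttl"], ttl)
    return profiles


def flag_fast_flux(observations, min_ips=5, max_ttl=300, min_networks=3):
    """Names with many addresses, a short TTL and addresses spread over
    several networks. Thresholds are assumptions to tune per environment."""
    flagged = []
    for name, p in domain_profiles(observations).items():
        if (len(p["ips"]) >= min_ips
                and p["min_ttl"] <= max_ttl
                and len(p["networks"]) >= min_networks):
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    for name, p in domain_profiles(OBSERVATIONS).items():
        print(f"{name}: {len(p['ips'])} ips, {len(p['networks'])} networks, "
              f"min ttl {p['min_ttl']}")
    print("fast-flux candidates:", flag_fast_flux(OBSERVATIONS))
```

Without the network-diversity feature, cdn.example.net is flagged alongside flux-example.test; with it, only the name whose addresses are scattered across unrelated networks remains, which matches the "large pool of compromised hosts" in the definition.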