DNS Masterclass: Attacks, Defenses, and the Day the Internet Was Saved
In this special DNS Masterclass episode of Breaking Badness, hosts Kali Fencl, Tim Helming, and Taylor Wilkes-Pierce take a deep dive into the Domain Name System, often dubbed the backbone and battleground of the internet. From its humble beginnings with host files to its critical role in modern security, the episode unpacks DNS’s evolution, vulnerabilities, and impact on infosec.
The Origins of DNS: From Host Files to a Distributed Backbone
Tim Helming sets the stage by jokingly beginning the DNS timeline:
“First the earth cooled. Then there were host files.”
In the early internet, IP addresses were manually mapped in local host files—a practice that quickly became unsustainable as the network expanded. DNS was created in 1983 to solve this scalability problem, allowing devices to resolve human-readable domain names into IP addresses via a distributed system.
“The early stages of distributed computing and networking were heavily influenced by university systems trying to talk to each other.” – Taylor Wilkes-Pierce
Attack Vectors: DNS as Target and Tool
DNS has been leveraged and abused in multiple ways across the history of cyberattacks. The hosts distinguish between two key categories:
- Attacks on DNS itself – e.g. cache poisoning, hijacking
- Attacks using DNS infrastructure – e.g. phishing, C2 callbacks, typosquatting
“DNS is that intermingling of culture and technology. It’s on a global scale.” – Taylor Wilkes-Pierce
The episode explores how DNS has been both an Achilles’ heel and a powerful telemetry source. Examples include:
- Phishing with homoglyphs and subdomain trickery
- DDoS attacks leveraging DNS amplification
- Abandoned or expired domains used to redirect users to malware
The Day Dan Kaminsky Saved the Internet
One of the most compelling stories in the episode is that of Dan Kaminsky, a security researcher who discovered a critical DNS cache poisoning vulnerability in 2008.
“Had news of that gone out prior to them being able to patch it, things would’ve been a big mess.” – Taylor Wilkes-Pierce
Working with major companies and root operators, Kaminsky quietly coordinated a fix before the exploit became public. Without that, attackers could’ve redirected traffic on a massive scale, making trusted domains behave maliciously.
DNS in 2024: Threat Trends and Real-World Exploits
The team reviewed what happened in 2024 and uncovered several DNS trends:
- Over 1.5 million DNS-based DDoS attacks in Q1 alone
- Attackers reusing old legitimate domains, such as a long-forgotten MSN Martha Stewart sweepstakes site, to host malware after payments for the site’s name server lapsed
- Increased use of AI to build phishing kits, subdomains, and fishy-looking infrastructure
“Most malicious activities across the internet happen on permitted connections. DNS is where those connections begin.” – Tim Helming
DNS Defense: What Can Be Done?
- Audit your DNS records regularly, including passive DNS data
- Secure your registrar and name server credentials with strong MFA
- Watch for typosquatting, homoglyphs, and abandoned domains
- Don’t forget internal DNS – attackers can hijack resolution paths inside your environment too
“The adversaries are [leveraging] internal and external DNS… we see that in leaked chat logs and attack telemetry.” – Taylor Wilkes-Pierce
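As an added illustration of the audit advice above (this is example code, not from the podcast or DomainTools), the following script runs three lookalike checks the episode names, homoglyphs, single-character typosquats and a brand name planted as a subdomain, over constructed resolver-log lines; the protected domains, confusables table and log lines are all assumed sample values.

```python
# Added example, not the podcast's or DomainTools' code. Values are constructed;
# a production audit would use the full Unicode confusables table and a
# public-suffix list instead of the shortcuts taken here.
PROTECTED = {"example.com", "domaintools.com"}  # hypothetical brand domains
# Small confusables table: glyph sequences attackers swap in for ASCII letters.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e",
               "5": "s", "\u0430": "a", "\u0435": "e", "\u043e": "o"}  # Cyrillic a, e, o
def normalize(name):
    """Fold homoglyph substitutions so look-alike names compare equal."""
    name = name.lower()
    for glyph, plain in CONFUSABLES.items():
        name = name.replace(glyph, plain)
    return name
def levenshtein(a, b):
    """Edit distance; a distance of 1 is the classic single-typo squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]
def classify(qname):
    """Return why qname resembles a protected domain, or None if it does not."""
    labels = qname.rstrip(".").lower().split(".")
    registrable = ".".join(labels[-2:])  # assumes a two-label registrable domain
    if registrable in PROTECTED:
        return None  # our own zone, including legitimate subdomains
    for brand in PROTECTED:
        brand_label = brand.split(".")[0]
        if normalize(registrable) == normalize(brand):
            return "homoglyph of " + brand
        if levenshtein(registrable.split(".")[0], brand_label) == 1:
            return "typosquat of " + brand
        if brand_label in labels[:-2]:
            return "brand label used as subdomain of " + registrable
    return None
# Constructed resolver-log lines: "<time> <client> <qname> <qtype>".
SAMPLE_LOG = """2024-05-01T10:00:01Z 10.0.0.5 www.example.com A
2024-05-01T10:00:02Z 10.0.0.7 examp1e.com A
2024-05-01T10:00:03Z 10.0.0.9 exmple.com A
2024-05-01T10:00:04Z 10.0.0.9 example.com.login-verify.net A
2024-05-01T10:00:05Z 10.0.0.5 mail.google.com MX"""
def scan(log_text):
    """Return (qname, reason) for every query that trips a lookalike rule."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and (reason := classify(parts[2])):
            hits.append((parts[2], reason))
    return hits
```

Flagged names are candidates for review against passive DNS and registration data, not verdicts; legitimate subdomains of the protected zones pass untouched.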
That’s about all we have for this week. You can find us on Mastodon and Twitter/X @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
A special thanks to John Roderick for our incredible podcast music!