Attackers send whisper-sized DNS queries that trigger scream-sized responses, with the source address forged so the replies land on victims who never asked. A few hundred dollars of botnet rental becomes terabits of traffic someone else has to absorb.
DNS cache poisoning exploits a brutal truth: resolvers believe whoever answers first with a matching transaction ID. How attackers race to inject lies into DNS caches, why the Kaminsky attack triggered the largest coordinated patch in Internet history, and what DNSSEC finally makes possible.
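The race that teaser describes, as an added toy model (this is illustrative code written for this page, not code from the article): a resolver accepts the first reply whose transaction ID, destination port and question match its in-flight query; the attacker forces a fresh query for a never-seen subdomain each round (the Kaminsky trick, so there is no TTL to wait out) and floods forged replies carrying poisoned NS glue for the whole zone. The zone name, addresses and the fixed source port of 53 are assumptions, and the 16-bit ID space with roughly 64k ephemeral ports is the arithmetic that made source-port randomization the patch.

```python
"""Toy model of the Kaminsky-style DNS cache-poisoning race (constructed example)."""
import random
from dataclasses import dataclass

TXID_SPACE = 1 << 16            # 16-bit DNS transaction ID
PORT_SPACE = 65535 - 1024 + 1   # ephemeral source ports 1024..65535 (assumption)
ZONE = "victim.example"         # illustrative zone name
GOOD_NS = "198.51.100.1"        # RFC 5737 documentation addresses
EVIL_NS = "203.0.113.66"


@dataclass(frozen=True)
class Reply:
    txid: int
    dst_port: int
    qname: str
    ns_glue: str   # address the reply claims for the zone's name server


class Resolver:
    """Caching resolver stub: the first matching reply is believed, later ones are dropped."""

    def __init__(self, seed, randomize_port):
        self.rng = random.Random(seed)
        self.randomize_port = randomize_port
        self.cache = {}          # zone -> NS glue learned from replies
        self.outstanding = None  # (txid, source port, qname) of the in-flight query

    def send_query(self, qname):
        txid = self.rng.randrange(TXID_SPACE)
        # Pre-patch resolvers reused one fixed source port (assumed 53 here);
        # the Kaminsky fix added ~16 more bits of entropy by randomizing it.
        port = self.rng.randrange(1024, 65536) if self.randomize_port else 53
        self.outstanding = (txid, port, qname)
        return self.outstanding

    def receive(self, reply):
        if self.outstanding is None:
            return False                 # nothing in flight: silently dropped
        if (reply.txid, reply.dst_port, reply.qname) != self.outstanding:
            return False                 # wrong ID/port/question: silently dropped
        self.cache[ZONE] = reply.ns_glue # first match wins, glue poisons the whole zone
        self.outstanding = None
        return True


def forged_replies(rng, qname, guesses, randomize_port):
    """One round of the attacker's flood: `guesses` distinct (txid, port) guesses."""
    if randomize_port:
        pairs = [divmod(x, PORT_SPACE) for x in rng.sample(range(TXID_SPACE * PORT_SPACE), guesses)]
        return [Reply(t, 1024 + p, qname, EVIL_NS) for t, p in pairs]
    return [Reply(t, 53, qname, EVIL_NS) for t in rng.sample(range(TXID_SPACE), guesses)]


def expected_races(guesses, randomize_port):
    """Mean number of races until a hit when each race tries `guesses` distinct pairs."""
    space = TXID_SPACE * (PORT_SPACE if randomize_port else 1)
    return space / guesses


def race_until_poisoned(seed, guesses, randomize_port, max_races):
    """Run races until the cache is poisoned; returns the winning race number or None."""
    resolver = Resolver(seed, randomize_port)
    attacker = random.Random(seed + 1)
    for race in range(1, max_races + 1):
        # Kaminsky trick: a never-seen name forces a fresh query on every race.
        qname = f"{attacker.getrandbits(32):08x}.{ZONE}"
        txid, port, _ = resolver.send_query(qname)
        for reply in forged_replies(attacker, qname, guesses, randomize_port):
            if resolver.receive(reply):
                return race
        # Attacker lost this race: the genuine authoritative answer lands first.
        resolver.receive(Reply(txid, port, qname, GOOD_NS))
    return None


if __name__ == "__main__":
    for randomize in (False, True):
        print(f"port randomization={randomize}: expected races at 100 guesses/race "
              f"= {expected_races(100, randomize):,.0f}")
    print("fixed port:  poisoned after race", race_until_poisoned(7, 100, False, 50_000))
    print("random port: poisoned after race", race_until_poisoned(7, 100, True, 2_000))
```

With a fixed port the attacker needs on the order of 65536/100 races, a few hundred rounds of spoofed packets; with port randomization the same flood needs tens of millions, which is why the simulated random-port run gives up without a hit. The model deliberately ignores the real-world bailiwick checks and rate limits; it exists to show the arithmetic behind the race.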
DNS queries reveal every site you visit, and they've traveled unencrypted since the 1980s. DoH finally adds encryption—but it doesn't eliminate surveillance, it lets you choose your surveillor.
DNS over TLS encrypts your lookups so your ISP can't read which names you resolve (though the addresses you then connect to still pass through its network), but your chosen resolver sees everything. You're not eliminating surveillance. You're choosing your surveillant.
DNSSEC transforms an unanswerable question—"who sent this?"—into a verifiable one: "who vouches for this?" Here's how resolvers verify the chain from root to record.
DNS hijacking turns your most trusted security habit—checking the address bar—into a weapon against you. The URL looks right. You might even see the padlock, if the hijacker used the stolen DNS to pass a certificate authority's domain validation. But you're talking to an imposter.
DNS has no way to prove a response is real. DNSSEC adds cryptographic signatures that let resolvers verify answers actually came from who they claim to come from—authentication for a protocol built on assumed trust.