Is DNSSEC worth deploying?

On the signing side (your authoritative zone), yes — incremental cost, real benefit against hijack at the recursive layer. On the validating side (recursive resolver), already on by default at most modern resolvers. Operational caveat: DNSSEC misconfiguration takes you offline (.gov has done it twice). Use a managed DNS provider that handles signing for you (Route 53, Cloudflare, NS1) unless your team has explicit DNSSEC ops experience.

Can I trust public DoH resolvers (Cloudflare 1.1.1.1, Google 8.8.8.8)?

For privacy-from-ISP, yes. For corporate use, no — you lose telemetry and bypass enterprise filtering. The right enterprise pattern: corporate clients use a corporate DoH endpoint (your Cloudflare Gateway / Umbrella / NextDNS instance) so traffic stays observable while still being encrypted-on-wire.

How do I find out if my domain is being misused?

CT log monitoring (crt.sh, Cert Spotter) for unauthorised certs. PassiveDNS providers (DomainTools, RiskIQ, SecurityTrails) for anomalous resolution patterns. WHOIS monitoring for registrar changes. Brand-protection feeds for typosquats. For an Indian enterprise the baseline is CT + brand monitoring; everything else is incremental.

What is a DGA and why do SOCs care?

Domain Generation Algorithm — malware families generate hundreds of pseudo-random domains per day, register one or two with attacker-controlled NS, and use them as C2 fallback. NXDOMAIN bursts to deterministically-shaped names from the same host are a classic DGA fingerprint. The detection signal is well-suited to log-based ML; commercial DNS-security products bake it in.

What about DNS over Tor?

Adds latency and breaks corporate visibility. Mostly used by privacy-focused individuals; rarely seen in enterprise. If you see it on a corporate endpoint, treat it as a threat-hunting hit.

Should I run my own recursive DNS or use a public resolver?

Run your own (Unbound or BIND) for the corporate network: gives you logging, filtering, and visibility. For consumer-grade home use a public resolver (1.1.1.1, 9.9.9.9). The middle ground — corporate using Cloudflare Gateway / Umbrella — combines logging with threat intel.

What is a sinkhole and when do I use one?

A sinkhole DNS server returns a benign IP (often a security team-controlled box) for queries to known-malicious domains. The infected host connects to the sinkhole instead of the C2; the sinkhole logs everything. Useful for malware research and active incident response; integrate with PDNS feeds for sources of "known bad".

DNS Attacks 2026 — Cache Poisoning, Tunneling, DGAs

Read as

Last updated: May 1, 2026

DNS is unauthenticated, mostly unencrypted, and the precondition for every connection on the Internet. This module walks through how a query actually resolves (recursive vs authoritative), the attack catalogue (cache poisoning, hijack, tunnelling, NXDOMAIN exfil), and the modern defences (DNSSEC where you can, DoT/DoH for transport privacy, RPZ + threat intelligence for blocking). Because every C2 channel and exfiltration path eventually touches DNS, defenders who instrument DNS catch more than defenders who instrument anything else.

DNS is the phonebook of the Internet but it is also a control plane, a sensor for every connection your hosts initiate, and one of the most-abused protocols in existence. This module is the practitioner-grade introduction: how queries actually resolve, the major attack classes and the real incidents that happened, and what to log so the SOC catches lateral movement and exfil before it matters.

How a DNS query actually resolves — the four-tier dance

You type ringsafe.in; your OS asks the configured stub resolver; the stub forwards to a recursive resolver (your ISP, 1.1.1.1, 8.8.8.8, or your corporate DNS); the recursive resolver, if it does not have a cached answer, asks the root (“who serves .in?”); root replies with NS records for .in; recursive asks .in TLD; .in replies with NS records for ringsafe.in; recursive asks ringsafe.in’s authoritative server; that server returns the A/AAAA records. Recursive caches the response per its TTL.

Why this matters for securityany intermediary in this chain can manipulate or observe the answer. Cache poisoning targets the recursive layer. Registrar/authoritative compromise (Sea Turtle, DNSpionage) targets the authoritative layer. Mass surveillance of users targets the recursive resolver — which is why DoH/DoT exist.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.

Book team training call Replies in 4 working hrs · India-only · Senior consultants

DNS — From Resolution to Tunneling, Cache Poisoning, and DoH-Driven Bypass

How a DNS query actually resolves — the four-tier dance

Custom team training + practitioner advisory

Other modules in this track

Networking Fundamentals — OSI, TCP/IP, and Why Layers Actually Matter

Packet Analysis with Wireshark — From “Open the PCAP” to Diagnosing Real Incidents

Network Protocols Deep Dive — ARP, DHCP, ICMP, DNS, HTTP and the Trust They Assume