==Security issues==
Originally, security concerns were not major design considerations for DNS software or any software for deployment on the early Internet, as the network was not open for participation by the general public. However, the expansion of the Internet into the commercial sector in the 1990s changed the requirements for security measures to protect [[data integrity]] and user [[authentication]]. Several vulnerabilities were discovered and exploited by malicious users. One such issue is [[DNS cache poisoning]], in which data is distributed to caching resolvers under the pretense of coming from an authoritative origin server, thereby polluting the cache with potentially false records carrying long expiration times (time-to-live). Subsequently, legitimate application requests may be redirected to network hosts operated with malicious intent. DNS responses traditionally do not carry a [[cryptographic signature]], leaving many attack possibilities; the [[Domain Name System Security Extensions]] (DNSSEC) modify DNS to add support for cryptographically signed responses.<ref>{{Cite journal |last1=Herzberg |first1=Amir |last2=Shulman |first2=Haya |date=2014-01-01 |title=Retrofitting Security into Network Protocols: The Case of DNSSEC |url=https://ieeexplore.ieee.org/document/6756846 |journal=IEEE Internet Computing |volume=18 |issue=1 |pages=66–71 |doi=10.1109/MIC.2014.14 |s2cid=12230888 |issn=1089-7801}}</ref> [[DNSCurve]] has been proposed as an alternative to DNSSEC. Other extensions, such as [[TSIG]], add support for cryptographic authentication between trusted peers and are commonly used to authorize zone transfer or dynamic update operations. Techniques such as [[forward-confirmed reverse DNS]] can also be used to help validate DNS results.
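The forward-confirmed reverse DNS check mentioned above, written out as an added example in Python (this is not code from the article or from any DNS implementation). The PTR and A/AAAA lookups are passed in as functions so the check runs offline against a constructed record table; the hostnames and addresses in that table are invented, and in a deployment the two lookups would be backed by a real resolver library.

```python
"""Forward-confirmed reverse DNS (FCrDNS), as an added illustration.

A PTR record alone proves nothing: whoever controls the reverse zone for an
address can put any name in it.  FCrDNS accepts a name only when the owner of
that name's forward zone agrees, i.e. the name resolves back to the address.
"""
from typing import Callable, Iterable, Optional

# Injected lookups so the check can run without network access.
PtrLookup = Callable[[str], Iterable[str]]    # ip address -> names from PTR records
AddrLookup = Callable[[str], Iterable[str]]   # hostname   -> addresses from A/AAAA


def fcrdns(ip: str, ptr_lookup: PtrLookup, addr_lookup: AddrLookup) -> Optional[str]:
    """Return the first PTR name whose forward lookup contains `ip`, else None."""
    for name in ptr_lookup(ip):
        name = name.rstrip(".").lower()           # PTR data is absolute; normalise it
        if ip in set(addr_lookup(name)):           # forward zone must agree
            return name
    return None                                     # no PTR, or none confirmed


# Constructed sample records for the demonstration (not real DNS data).
PTR_TABLE = {
    "192.0.2.10": ["mail.example.com."],                       # honest: forward agrees
    "192.0.2.20": ["mail.example.com."],                       # spoofed PTR: forward disagrees
    "192.0.2.30": [],                                          # no PTR at all
    "192.0.2.40": ["host1.example.net.", "mx.example.org."],   # several PTRs, one confirms
}
A_TABLE = {
    "mail.example.com": ["192.0.2.10"],
    "host1.example.net": ["198.51.100.5"],
    "mx.example.org": ["192.0.2.40", "192.0.2.41"],
}


def sample_ptr(ip: str):
    return PTR_TABLE.get(ip, [])


def sample_addr(name: str):
    return A_TABLE.get(name, [])


def check_sample(ip: str) -> Optional[str]:
    """FCrDNS against the constructed tables; None means 'do not trust the name'."""
    return fcrdns(ip, sample_ptr, sample_addr)


if __name__ == "__main__":
    for addr in PTR_TABLE:
        print(addr, "->", check_sample(addr))
```

The spoofed case (192.0.2.20) is the one the check exists for: the reverse zone claims the address is `mail.example.com`, but the forward zone for that name does not list it, so the name is rejected. A mail or access-control system that only consulted the PTR would have believed the claim.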
DNS can also "leak" from otherwise secure or private connections if attention is not paid to their configuration, and at times DNS has been used by attackers to bypass firewalls and [[Data exfiltration|exfiltrate]] data, since DNS traffic is often seen as innocuous.

=== DNS spoofing ===
Some domain names may be used to achieve spoofing effects. For example, {{mono|{{not a typo|paypal.com}}}} and {{mono|{{not a typo|paypa1.com}}}} are different names, yet users may be unable to distinguish them in a graphical user interface depending on the user's chosen [[typeface]]. In many fonts the letter ''l'' and the numeral ''1'' look very similar or even identical. This problem, known as the [[IDN homograph attack]], is acute in systems that support [[internationalized domain name]]s, as many character codes in [[ISO 10646]] may appear identical on typical computer screens. This vulnerability is occasionally exploited in [[phishing]].<ref>APWG. "Global Phishing Survey: Domain Name Use and Trends in 1H2010." [http://www.apwg.org/reports/APWG_GlobalPhishingSurvey_1H2010.pdf 10/15/2010 apwg.org] {{Webarchive|url=https://web.archive.org/web/20121003212327/http://apwg.org/reports/APWG_GlobalPhishingSurvey_1H2010.pdf|archive-url=https://web.archive.org/web/20101025105629/http://apwg.org/reports/APWG_GlobalPhishingSurvey_1H2010.pdf|archive-date=2010-10-25|url-status=live|date=2012-10-03}}</ref>

=== DNSMessenger ===
DNSMessenger<ref>{{Cite web |title=DNSMessenger (Malware Family) |url=https://malpedia.caad.fkie.fraunhofer.de/details/win.dnsmessenger |access-date=2024-12-11 |website=malpedia.caad.fkie.fraunhofer.de}}</ref><ref>{{Cite web |last=Khandelwal |first=Swati |title=New Fileless Malware Uses DNS Queries To Receive PowerShell Commands |url=https://thehackernews.com/2017/03/powershell-dns-malware.html |date=2017-03-06 |access-date=2024-12-11 |website=The Hacker News |language=en}}</ref><ref>{{Cite web |last=Brumaghin |first=Edmund |date=2017-03-02 |title=Covert Channels and Poor Decisions: The Tale of DNSMessenger |url=https://blog.talosintelligence.com/dnsmessenger/ |access-date=2024-12-11 |website=Cisco Talos Blog |language=en}}</ref><ref>{{Cite AV media |url=https://www.youtube.com/watch?v=slNe6z9gFv0 |title=It's DNS again 😢 Did you know this Malware Hack? |date=2023-05-26 |last=Bombal |first=David |access-date=2024-12-11 |via=YouTube}}</ref> is a command-and-control technique that uses the DNS to communicate with and control malware remotely, without relying on conventional protocols that might raise red flags. The technique is covert because DNS is primarily used for name resolution and is often not closely monitored by network security tools, making it an effective channel for attackers. It uses DNS TXT records to deliver commands to infected systems: once malware has been surreptitiously installed on a victim's machine, it queries an attacker-controlled domain and retrieves commands encoded in the TXT records of the responses.
This form of malware communication is stealthy because DNS requests are usually allowed through firewalls, and because DNS traffic is often seen as benign, these communications can bypass many network security defenses. DNSMessenger attacks can enable a wide array of malicious activities, from data exfiltration to the delivery of additional payloads, all while remaining under the radar of traditional network security measures. Understanding and defending against such methods is crucial for maintaining robust cybersecurity.
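The look-alike and homograph problem described in the DNS spoofing subsection above, illustrated with an added example in Python that checks a candidate domain the way a browser or a phishing-detection filter might (this code is not from the article and not from any browser). It assumes a small, constructed subset of the Unicode confusables data rather than the full table, and it identifies a character's script from the first word of its Unicode character name, which is a simplification of the Unicode script property.

```python
"""Detecting look-alike domain names, as an added illustration.

Two signals are combined:
  * a "skeleton" that collapses visually confusable characters, so
    paypa1.com and paypal.com compare equal;
  * a mixed-script check per label, which is how browsers decide whether to
    display an internationalized name or fall back to its punycode form.
"""
import unicodedata

# Constructed subset of Unicode's confusables table (confusables.txt has far
# more entries).  Maps a character to the basic Latin character it resembles.
CONFUSABLE_CHARS = {
    "1": "l", "|": "l", "0": "o",                                  # ASCII digit/punctuation vs letter
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",    # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x",                   # Cyrillic с у х
    "\u03b1": "a", "\u03bf": "o",                                  # Greek α ο
}


def script_of(ch: str) -> str:
    """Script name taken from the Unicode character name ('LATIN', 'CYRILLIC', ...)."""
    if not ch.isalpha():
        return "COMMON"                      # digits, hyphen: script-neutral
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def skeleton(label: str) -> str:
    """Collapse a name to the ASCII string it visually resembles."""
    s = unicodedata.normalize("NFKC", label).lower()
    s = "".join(CONFUSABLE_CHARS.get(c, c) for c in s)
    return s.replace("rn", "m")              # 'rn' reads as 'm' in many fonts


def mixed_scripts(label: str) -> set:
    """Scripts used by the letters of one label, ignoring script-neutral characters."""
    return {script_of(c) for c in label} - {"COMMON"}


def assess(domain: str, trusted: list) -> dict:
    """Report whether `domain` mixes scripts or is a look-alike of a trusted name."""
    domain = domain.rstrip(".").lower()
    labels = domain.split(".")
    report = {
        "domain": domain,
        # What the name looks like on the wire; non-ASCII labels become xn--... labels.
        "punycode": domain.encode("idna").decode("ascii"),
        "mixed_script": any(len(mixed_scripts(lbl)) > 1 for lbl in labels),
        "lookalike_of": None,
    }
    sk = skeleton(domain)
    for t in trusted:
        if domain != t.lower() and sk == skeleton(t):
            report["lookalike_of"] = t       # same appearance, different name
            break
    return report


if __name__ == "__main__":
    trusted_names = ["paypal.com", "microsoft.com"]
    for candidate in ["paypal.com", "paypa1.com", "p\u0430ypal.com", "rnicrosoft.com"]:
        print(assess(candidate, trusted_names))
```

The mixed-script rule alone is not sufficient: `paypa1.com` is pure ASCII and passes it, which is why the skeleton comparison against a list of names the organisation actually cares about is the more useful signal for phishing defence, while the punycode form is what should be shown to a user when a label cannot be rendered unambiguously.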
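A defender's counterpart to the DNSMessenger description above: detection logic run over resolver query logs to surface a client that polls one zone with many unique, random-looking TXT queries. This is an added example, not code from the article or from the cited reports. The log lines are constructed, the domain `c2-placeholder.example` is a placeholder, the log format (`timestamp client qtype qname`) is assumed, and the thresholds are illustrative values to be tuned against a real baseline.

```python
"""Spotting a TXT-record command channel in resolver logs (added illustration).

Legitimate TXT lookups (SPF, DMARC, domain-verification records) are few and
hit the same stable names.  A client retrieving commands over DNS instead
issues many TXT queries to one zone, each with a fresh, high-entropy leftmost
label so that caches never answer from memory.
"""
import math
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed resolver query log for this example (not real traffic).
# Assumed format: <timestamp> <client-ip> <qtype> <qname>
SAMPLE_LOG = """\
2024-12-11T10:00:01 192.0.2.55 A www.example.com
2024-12-11T10:00:02 192.0.2.55 TXT 4f9c2a7e1b3d.cmd.c2-placeholder.example
2024-12-11T10:00:03 192.0.2.55 TXT 0b8e5d1a9c3f.cmd.c2-placeholder.example
2024-12-11T10:00:04 192.0.2.55 TXT 7a2f9e0c4b6d.cmd.c2-placeholder.example
2024-12-11T10:00:05 192.0.2.55 TXT c5e1a8f3b9d0.cmd.c2-placeholder.example
2024-12-11T10:00:06 192.0.2.55 TXT 3d7b1f6e0a9c.cmd.c2-placeholder.example
2024-12-11T10:00:07 192.0.2.55 TXT 9e4a0d2c8f5b.cmd.c2-placeholder.example
2024-12-11T10:00:08 192.0.2.77 TXT _dmarc.example.org
2024-12-11T10:00:09 192.0.2.77 TXT example.org
2024-12-11T10:00:10 192.0.2.77 A mail.example.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded or random labels score near log2(alphabet)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """(client, qtype, qname) or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return (m.group(2), m.group(3), m.group(4).rstrip(".").lower()) if m else None


def registrable(qname: str) -> str:
    """Crude zone key: the last two labels.  A real deployment should use the
    Public Suffix List so that example.co.uk is not collapsed to co.uk."""
    parts = qname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


def summarize_txt(log_text: str) -> Dict[Tuple[str, str], dict]:
    """Per (client, zone): TXT query count, share of unique names, and mean
    entropy of the leftmost label, where a polling client carries its data."""
    names = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[1] == "TXT":
            client, _, qname = rec
            names[(client, registrable(qname))].append(qname)
    return {
        key: {
            "txt_count": len(qs),
            "unique_ratio": len(set(qs)) / len(qs),
            "mean_entropy": sum(shannon_entropy(q.split(".")[0]) for q in qs) / len(qs),
        }
        for key, qs in names.items()
    }


def flag_suspicious(log_text: str, min_txt: int = 5, min_entropy: float = 3.0,
                    min_unique_ratio: float = 0.8) -> List[Tuple[str, str]]:
    """(client, zone) pairs whose TXT traffic looks like a command channel.
    Thresholds are illustrative; tune them against your own baseline."""
    return sorted(key for key, s in summarize_txt(log_text).items()
                  if s["txt_count"] >= min_txt
                  and s["mean_entropy"] >= min_entropy
                  and s["unique_ratio"] >= min_unique_ratio)


if __name__ == "__main__":
    for key, stats in summarize_txt(SAMPLE_LOG).items():
        print(key, stats)
    print("suspicious:", flag_suspicious(SAMPLE_LOG))
```

The three features together matter more than any one of them: a mail server also issues TXT queries, but to a few stable names with ordinary entropy, so it never reaches the combined threshold. Such logging only sees queries that pass through the organisation's resolvers; clients that talk to outside resolvers directly, or over encrypted DNS, need to be blocked or redirected at the network edge for this visibility to hold.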