Secure DNS: DNSSEC and DNS over HTTPS (DoH)
Learn how DNSSEC prevents DNS cache poisoning and how DNS over HTTPS and DNS over TLS protect query privacy against on-path observers.
DNS Security Challenges
The Domain Name System (DNS) translates human-readable domain names into IP addresses. Designed in the 1980s, DNS was built without security — queries and responses travel over UDP/TCP port 53 in plaintext with no authentication. This creates two major vulnerabilities: DNS cache poisoning (injecting forged DNS responses to redirect users to malicious servers) and DNS eavesdropping (observing which domains a user queries reveals their browsing activity). Two standards address these: DNSSEC authenticates responses so that forgeries are rejected, and DNS over HTTPS (DoH) encrypts the link between client and resolver so that on-path observers cannot read the queries.
DNS Cache Poisoning
DNS cache poisoning (of which the Kaminsky attack is the best-known variant) exploits the DNS protocol's lack of authentication. A resolver sends a query to an authoritative DNS server and caches the response for the TTL duration. An attacker who can guess the transaction ID (only 16 bits, and predictable in older implementations) and the source port (randomised as an additional source of entropy since RFC 5452) can send forged responses that the resolver caches, redirecting every user who queries that resolver to the attacker's server. Once the cache is poisoned, users are directed to fake servers even though they typed the correct domain. DNSSEC prevents this by digitally signing DNS responses: a validating resolver rejects any answer whose signature does not verify against the zone's published key, so a forged answer is never cached no matter how many transaction IDs the attacker guesses.
# DNS cache poisoning simulation
# Attacker floods resolver with forged responses
# for the query 'A example.com?'
# Each response guesses a different transaction ID:
# ID=1234: example.com -> 198.51.100.1 (attacker IP)
# ID=1235: example.com -> 198.51.100.1
# ...
# ID=XXXX: example.com -> 198.51.100.1 (correct guess!)
# Resolver caches poisoned answer (TTL = 3600s)
# All users querying this resolver get attacker IP
# Users are redirected to phishing/malware server
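To show the defensive side of the simulation above, the following Go program is an added example (not code from the original lesson) that models how a DNSSEC-validating resolver treats such a forged answer. It signs a constructed A RRset for example.com with an Ed25519 zone key (DNSSEC algorithm 15, RFC 8080) over the RRSIG-RDATA-plus-canonical-RRset byte string that RFC 4034 specifies, then checks three cases: the genuine RRset, the attacker's forged RDATA reused with the genuine RRSIG, and the forged RDATA signed with the attacker's own key. The zone key seed, key tag, timestamps and IP addresses are constructed values, and RDATA is kept in presentation form rather than wire form to keep the example short.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
	"sort"
	"strings"
)

// RR is a minimal resource record: owner name, type, TTL and presentation-form RDATA.
// (Real DNSSEC canonicalises wire-format RDATA; presentation form is a simplification.)
type RR struct {
	Name  string
	Type  uint16
	TTL   uint32
	RData string
}

// RRSIGFields are the RRSIG RDATA fields that are covered by the signature
// (RFC 4034 section 3.1.8.1), i.e. everything except the signature itself.
type RRSIGFields struct {
	TypeCovered uint16
	Algorithm   uint8 // 15 = Ed25519 (RFC 8080)
	Labels      uint8
	OrigTTL     uint32
	Expiration  uint32
	Inception   uint32
	KeyTag      uint16
	SignerName  string
}

func appendU16(b []byte, v uint16) []byte { var t [2]byte; binary.BigEndian.PutUint16(t[:], v); return append(b, t[:]...) }
func appendU32(b []byte, v uint32) []byte { var t [4]byte; binary.BigEndian.PutUint32(t[:], v); return append(b, t[:]...) }

// canonicalName lowercases the owner name and ensures a trailing dot (RFC 4034 section 6.2).
func canonicalName(n string) string {
	n = strings.ToLower(n)
	if !strings.HasSuffix(n, ".") {
		n += "."
	}
	return n
}

// signedData builds the byte string that is actually signed:
// RRSIG RDATA (minus the signature) || canonical RRset, records ordered by RDATA.
func signedData(sig RRSIGFields, rrset []RR) []byte {
	var b []byte
	b = appendU16(b, sig.TypeCovered)
	b = append(b, sig.Algorithm, sig.Labels)
	b = appendU32(b, sig.OrigTTL)
	b = appendU32(b, sig.Expiration)
	b = appendU32(b, sig.Inception)
	b = appendU16(b, sig.KeyTag)
	b = append(b, canonicalName(sig.SignerName)...)
	sorted := append([]RR(nil), rrset...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].RData < sorted[j].RData })
	for _, rr := range sorted {
		b = append(b, canonicalName(rr.Name)...)
		b = appendU16(b, rr.Type)
		b = appendU16(b, 1)           // class IN
		b = appendU32(b, sig.OrigTTL) // original TTL from the RRSIG, not the cached TTL
		b = appendU16(b, uint16(len(rr.RData)))
		b = append(b, rr.RData...)
	}
	return b
}

// Sign produces the RRSIG signature field for an RRset with the zone's private key.
func Sign(priv ed25519.PrivateKey, sig RRSIGFields, rrset []RR) []byte {
	return ed25519.Sign(priv, signedData(sig, rrset))
}

// Validate is what a DNSSEC-aware resolver does before caching: it checks the
// validity window and then verifies the signature against the zone's DNSKEY.
func Validate(pub ed25519.PublicKey, sig RRSIGFields, rrset []RR, signature []byte, now uint32) bool {
	if sig.Algorithm != 15 || now < sig.Inception || now > sig.Expiration {
		return false
	}
	return ed25519.Verify(pub, signedData(sig, rrset), signature)
}

// Demo returns whether (genuine answer, forged answer with the genuine RRSIG,
// forged answer signed by the attacker's own key) each pass validation.
func Demo() (genuineOK, forgedOK, attackerSignedOK bool) {
	seed := make([]byte, ed25519.SeedSize) // constructed zone-key seed, demo only
	for i := range seed {
		seed[i] = byte(i)
	}
	zonePriv := ed25519.NewKeyFromSeed(seed)
	zonePub := zonePriv.Public().(ed25519.PublicKey)

	sig := RRSIGFields{TypeCovered: 1, Algorithm: 15, Labels: 2, OrigTTL: 3600,
		Expiration: 1700086400, Inception: 1698876800, KeyTag: 12345, SignerName: "example.com."} // constructed
	genuine := []RR{{"example.com.", 1, 3600, "203.0.113.10"}} // constructed legitimate address
	forged := []RR{{"example.com.", 1, 3600, "198.51.100.1"}}  // attacker IP from the simulation
	signature := Sign(zonePriv, sig, genuine)
	now := uint32(1699000000)

	genuineOK = Validate(zonePub, sig, genuine, signature, now)
	forgedOK = Validate(zonePub, sig, forged, signature, now)

	attSeed := make([]byte, ed25519.SeedSize) // attacker has no access to the zone key
	for i := range attSeed {
		attSeed[i] = 0xA5
	}
	attPriv := ed25519.NewKeyFromSeed(attSeed)
	attackerSignedOK = Validate(zonePub, sig, forged, Sign(attPriv, sig, forged), now)
	return
}

func main() {
	g, f, a := Demo()
	fmt.Printf("genuine=%v forged(reused RRSIG)=%v forged(attacker key)=%v\n", g, f, a)
}
```

Only the genuine RRset validates; both forged variants are dropped before they reach the cache, which is why guessing the transaction ID and port alone no longer suffices once the resolver validates DNSSEC. The check still depends on the resolver having a trust anchor and the zone actually being signed, so unsigned zones remain exposed to the simulation above.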