The Domain Name System (DNS) is something we all use and depend on, yet don’t really pay much attention to; if you have some time to investigate alternatives, you could really enhance your network’s performance and security.
Before I tell you how to do this, let’s have a brief explanation of what DNS is. Think of what a phone book does; it allows you to look up someone’s phone number so long as you know the person’s name. The DNS does something similar for computers. For example, if you type in “google.com” it translates that name into a sequence of four numbers, called an IP address, which functions something like a phone number does. In this case, google.com’s number is 18.104.22.168.
The overall Internet infrastructure has a series of master phone books, or DNS root servers, located at strategic places around the world and maintained by a collection of public, semi-public, and private providers. They talk to each other on a regular basis to make sure that as we add new domains they are in synch.
As you may imagine, if someone wants to “poison” one of the entries, or misdirect Internet traffic to a phony domain, it can be done with the right amount of subterfuge. This is what happened in 2008 when an Internet provider in Pakistan managed to block access to all of YouTube when they were apparently just trying to keep Pakistanis from viewing a single video. A more comprehensive list of the various flavors of DNS attacks can be found here at Google.com.
Read the rest at eSecurity Planet.