Author

Michael BestMan Osemudiamen

Posted: September 17, 2025 • 1 min read

Internet Skills

For cybersecurity professionals, the basics on which an application is secured cannot be ignored. Growing concern for security has given rise to evolving security mechanisms. This piece examines some of the vulnerabilities that occur at the internet layer, such as DNS Spoofing and Cache Poisoning, and highlights how modern security protocols like DNS Security Extensions (DNSSEC) and DNS over HTTPS (DoH) change the narrative.

DNS Resolution: What can go wrong?

Translating human-readable domain names like “reinventsecurity.org” into an IP address (108.157.78.33) is a great feat in the internet's evolution. This process is called DNS resolution.

However, if care is not taken, DNS is one of the areas attackers look to exploit, for instance by redirecting users to malicious phishing sites. Some of these attacks include:

  • DNS Spoofing: To “spoof” means to trick someone. Technically, it is about an attacker impersonating a genuine DNS server to produce malicious or fraudulent IP addresses. For instance, when you type a URL into your browser, the computer asks for the IP address of the site. With spoofing, the attacker intercepts the request and sends a fake address instead, redirecting you to a site they control, most often a phishing page built to steal your credentials.
  • DNS Cache Poisoning: While this can be considered a subset of DNS Spoofing, it involves the attacker injecting a malicious script that is cached in the DNS server. This means that any subsequent query for that particular domain is answered with the wrong IP address.
  • DNS Hijacking: The attacker takes unauthorised control of a domain's DNS settings. This allows the attacker to compromise the DNS registrar account or router, or to have total control in redirecting all network traffic to the malicious site.
  • DNS Amplification: Massive traffic is generated by sending spoofed DNS queries to overwhelm a network.

Real World Impact: Consequences for Users and Organisations

When these vulnerabilities receive little attention and security is taken for granted, the impact on users and organisations can be devastating. It could lead to the following consequences:

  • Phishing
  • Data Theft
  • Financial Loss
  • Reputational Damage
  • Denial of Service
  • Malware Distribution

Mitigating the Risks

In efforts to contain the security risks involved with DNS attacks, the following strategic mechanisms evolved: DNS Security Extensions (DNSSEC) and DNS over HTTPS (DoH).

  • DNS Security Extensions (DNSSEC): As the name implies, it is a protocol suite designed to ensure that data from the DNS is authenticated and trusted. This protects against attacks like cache poisoning, preventing an attacker from modifying queries. In short, it is a protocol that validates and secures the data itself. This means a resolver is prevented from being poisoned or tampered with. However, this mechanism does not encrypt DNS queries or responses. This is where DNS over HTTPS (DoH) comes in.
  • DNS over HTTPS (DoH): This mechanism encrypts the DNS resolution process, making it difficult for an attacker to manipulate DNS queries. Because DNS queries are wrapped in a secure protocol like HTTPS, an attacker is kept from seeing the websites you visit and from redirecting the user to a malicious site by spoofing.
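
To make the spoofing risk and the case for DNSSEC concrete, the sketch below shows the header-level checks a plain-DNS client can apply to a reply before accepting it. It is an added example, not code from the original post; the function names are hypothetical, and the packets and IP addresses are constructed samples.

```python
import struct

def encode_name(name):
    """Encode a domain name as DNS wire-format labels."""
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def build_query(name, txid):
    """Minimal A/IN query: 12-byte header (RD=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def build_reply(query, txid, ip, ad=False):
    """Constructed sample reply: echoes the question, adds one A record."""
    flags = 0x8180 | (0x0020 if ad else 0)  # QR=1, RD=1, RA=1, optional AD
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)  # ptr, A, IN, TTL, len
    return header + query[12:] + answer + bytes(int(p) for p in ip.split("."))

def check_reply(query, reply):
    """Checks a plain-DNS client can make; returns (accepted, reason, ad_flag)."""
    if len(reply) < len(query):
        return (False, "truncated", False)
    (q_id,) = struct.unpack("!H", query[:2])
    r_id, flags, qdcount = struct.unpack("!HHH", reply[:6])
    if not flags & 0x8000:
        return (False, "not a response (QR=0)", False)
    if r_id != q_id:
        return (False, "transaction ID mismatch", False)
    if qdcount != 1 or reply[12:len(query)] != query[12:]:
        return (False, "question mismatch", False)
    # AD=1 only reports that the upstream resolver validated DNSSEC; it is
    # worth trusting only when the path to that resolver is protected (e.g. DoH).
    return (True, "matches outstanding query", bool(flags & 0x0020))

# Constructed samples; addresses are RFC 5737 documentation ranges.
QUERY = build_query("reinventsecurity.org", 0x3A7C)
GENUINE = build_reply(QUERY, 0x3A7C, "192.0.2.10")
WRONG_ID = build_reply(QUERY, 0x1111, "203.0.113.66")
# Same ID and question as the query: header checks cannot tell it from GENUINE.
LOOKALIKE = build_reply(QUERY, 0x3A7C, "203.0.113.66")

if __name__ == "__main__":
    samples = [("genuine", GENUINE), ("wrong id", WRONG_ID), ("lookalike", LOOKALIKE)]
    for label, pkt in samples:
        print(label, check_reply(QUERY, pkt))
```

The third sample is accepted even though its address differs from the genuine one, which is the gap DNSSEC closes by authenticating the records themselves rather than the packet header.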

Before diving into App Security: Why is understanding these risks critical?

If your goal is to secure applications, then understanding these interwoven intricacies and attacks proves handy. Application security is only as strong as the network it runs on. Understanding, for instance, that DNS is a critical part of the modern internet infrastructure, and building knowledge of these common vulnerabilities, can help professionals prioritise the implementation of security measures or strategies like DNS over HTTPS (DoH) and DNS Security Extensions (DNSSEC). From here, diving into application security requires solidifying these core concepts by building applications protected from a wide range of threats like SQL injection, Cross-site scripting (XSS) and so on.

In the end, cybersecurity matters. Organisations, professionals, and users must see it as an ongoing effort to protect network systems, applications, and data from the excruciating rise in cyberattacks year in and year out.
