DNS - When the Internet's Phone Book Breaks

DNS (Domain Name System) is the system that converts domain names like "example.com" into IP addresses. Every time you type a URL into your browser, a DNS query happens behind the scenes. If this conversion fails, you can't access any website unless you know its IP address directly.

DNS is often compared to the internet's "phone book," but this phone book is surprisingly fragile. Design weaknesses, human error, deliberate attacks - the causes of DNS failures are numerous, and their impact ripples across the entire internet.

Real Incidents Where DNS Broke

DDoS Attack on Dyn (October 2016)

On October 21, 2016, DNS provider Dyn was hit by a massive DDoS attack, making hundreds of major services including Twitter, Netflix, GitHub, Spotify, and Reddit inaccessible for several hours.

The attack used the Mirai botnet - hundreds of thousands of IoT devices (webcams, routers, DVRs) infected with malware simultaneously flooded Dyn's DNS servers with queries. Attack traffic reportedly peaked at 1.2 Tbps.

This incident exposed how many major services depended on a single DNS provider. If there's only one copy of the "phone book," the moment that copy becomes unavailable, everything stops.

Cloudflare BGP Leak (2020)

In July 2020, routes to Cloudflare's DNS service (1.1.1.1) were incorrectly advertised due to a BGP configuration error at an ISP, causing users worldwide to be unable to reach Cloudflare's DNS. Even when DNS itself is functioning normally, if the "road" to the DNS server is broken, the result is the same.

.com Zone File Corruption (2021)

In April 2021, a temporary issue occurred with the .com zone file managed by Verisign, causing name resolution failures for some .com domains. Since .com is the most widely used top-level domain in the world, problems with its management system have far-reaching consequences.

Structural Vulnerabilities of DNS

1. Unencrypted Plaintext Communication

Traditional DNS queries are sent unencrypted over UDP port 53. ISPs, Wi-Fi access point operators, and network eavesdroppers can easily intercept which domains you're trying to access. DNS over HTTPS (DoH) and DNS over TLS (DoT) solve this problem, but adoption is still in progress.

2. DNS Cache Poisoning

Cache poisoning is an attack in which an attacker injects false responses into a DNS resolver's cache, redirecting users to fake sites. The vulnerability discovered by Dan Kaminsky in 2008 exploited a fundamental design weakness in DNS and was a serious issue affecting the entire internet. DNSSEC (DNS Security Extensions) is a countermeasure, but adoption rates remain low.
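To make sections 1 and 2 concrete, here is an added example (not code from the original article) that builds a plaintext DNS query in RFC 1035 wire format, parses it the way any on-path observer could, and applies the checks a resolver performs before accepting a reply: QR bit set, matching 16-bit transaction ID, and an identical question. The names, transaction IDs and 192.0.2.x addresses are constructed for illustration.

```python
import struct

def encode_name(name):
    """Encode a domain name as DNS wire-format labels (RFC 1035): 7example3com0."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(data, offset):
    """Read an uncompressed label sequence; return (name, offset past the terminating zero)."""
    labels = []
    while data[offset] != 0:
        length = data[offset]
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset + 1

def build_query(name, txid):
    """Standard A query: flags 0x0100 = recursion desired, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def build_response(name, txid, ip):
    """Constructed sample response: flags 0x8180 = QR|RD|RA, one A record, TTL 300."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer

def parse_message(packet):
    """Header and first question. No key is involved: anyone on the path reads the QNAME."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    qname, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {"id": txid, "is_response": bool(flags & 0x8000), "qname": qname,
            "qtype": qtype, "qclass": qclass, "ancount": ancount}

def response_is_acceptable(query, response):
    """Checks a resolver applies before caching: QR bit set, same 16-bit transaction ID, same
    question. The ID is the only unpredictable field, hence source-port randomization (RFC 5452)."""
    q, r = parse_message(query), parse_message(response)
    return (r["is_response"] and r["id"] == q["id"]
            and r["qname"].lower() == q["qname"].lower()
            and r["qtype"] == q["qtype"] and r["qclass"] == q["qclass"])

# Constructed sample traffic (documentation addresses, not captured from a real network).
QUERY = build_query("example.com", 0x1A2B)
GENUINE = build_response("example.com", 0x1A2B, "192.0.2.10")
MISMATCHED = build_response("example.com", 0x1A2C, "192.0.2.99")  # wrong ID: must be dropped
```

Because the query carries no encryption or signature, the QNAME is readable from the raw bytes; the transaction ID is the only thing a resolver can use to tell GENUINE from MISMATCHED, which is what DNSSEC signatures and DoH/DoT encryption add on top.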

3. Concentration of Single Points of Failure

DNS root servers are operated by 13 operators, but in practice, hundreds of instances are distributed worldwide using Anycast technology. However, the risk of failures concentrating on specific TLD (Top-Level Domain) authoritative servers or specific DNS providers remains.

Technologies That Protect DNS

  • DNSSEC: Adds digital signatures to DNS responses to detect tampering. However, it doesn't encrypt queries
  • DNS over HTTPS (DoH): Encrypts DNS queries over HTTPS, preventing both eavesdropping and tampering
  • DNS over TLS (DoT): Encrypts DNS queries over TLS. Same purpose as DoH but uses a dedicated port (853)
  • Redundancy: Using multiple DNS providers so that if one fails, name resolution can continue through others

Check Your DNS Settings

Check your connection information on IP Check-san and run a DNS leak test to see which servers your DNS queries are being sent to. If you're using your ISP's default DNS, it's worth considering switching to one of these public DNS services.

  • Cloudflare (1.1.1.1): Privacy-focused. Deletes query logs after 24 hours
  • Google (8.8.8.8): Fast and reliable. However, query data is sent to Google
  • Quad9 (9.9.9.9): Includes malware domain blocking

Summary

DNS is one of the internet's most fundamental infrastructure components, yet also one of its most fragile links. Unencrypted plaintext communication, cache poisoning vulnerabilities, and dependence on single providers - these issues are gradually being addressed through DoH/DoT adoption, DNSSEC deployment, and DNS provider redundancy.

Related Terms in This Article

  • DNS: The foundational internet system that converts domain names to IP addresses.
  • IP Address: The numeric server address that DNS returns as a conversion result.
  • DNS Leak: A phenomenon where DNS queries travel outside the encrypted tunnel when using a VPN.
  • HTTPS: The encrypted communication protocol that forms the foundation of DNS over HTTPS (DoH).
  • BGP: The protocol that controls routes to DNS servers. BGP failures affect DNS reachability.