What Is DNS (Domain Name System)?

The Domain Name System works like a directory that translates domain names into IP addresses so users don't need to memorize long sequences of numbers. The basic flow of DNS resolution follows six steps. Here is an example of how it would help a user get to google.com:

1. The user enters “google.com” into a browser.
2. A recursive resolver receives the request and queries a root name server to begin locating the domain's IP address.
3. The root name server directs the resolver to the “.com” top-level domain (TLD) name server.
4. The TLD name server points the resolver to the domain's authoritative name server.
5. The authoritative name server provides the resolver with an IP address for google.com.
6. The resolver caches the response and returns the IP address to the user’s device, enabling a connection to google.com.

Core Types of DNS Servers

Here's a quick summary of what each server in the hierarchy does:

• Recursive resolver: Receives user queries and performs the iterative search process, contacting the relevant servers until the IP address is found.
• Root name server: The starting point of the query process, directing recursive resolvers to the appropriate TLD name server for the requested domain.
• TLD name server: Stores information about domain names within a specific TLD (e.g., .com, .org) and routes queries to the appropriate authoritative name server.
• Authoritative name server: Holds the definitive resource records (e.g., IP addresses, mail server details) for a domain and answers queries from recursive resolvers.

DNS is foundational to how users, devices, and applications connect to the internet—powering access to websites, cloud services, email, and SaaS platforms. But DNS was designed decades ago for a smaller, more trusted internet, where availability and scalability mattered more than security. This creates security gaps in today’s threat landscape. Because DNS is often allowed by default and historically lacked authentication/encryption, attackers use it to redirect users, deliver malware, and exfiltrate data. While extensions like DNSSEC help validate the integrity of DNS responses, adoption remains limited due to complexity and operational overhead. As a result, much of today’s internet still relies on a system that lacks native authentication and encryption.

Attackers increasingly exploit this gap. DNS is frequently used to redirect users, hide malicious activity, exfiltrate data, and disrupt services. Research from IDC shows that DNS played a role in 70% of attacks, 90% of organizations experiencing at least one DNS-related incident in a single year. As encrypted protocols like DNS over HTTPS (DoH) reduce visibility for traditional security tools, DNS security has become a critical control point. Without purpose-built protection, DNS remains one of the most exploited—and least protected—attack surfaces in modern networks.

DNS is inherently trusted and widely permitted, making it a prime target for attackers. Because DNS traffic often bypasses traditional inspection, threat actors use it to redirect users, hide malicious activity, and quietly move data out of networks.

• DNS amplification is a distributed denial of service (DDoS) attack that tricks DNS servers into sending large responses to small requests, with the victim’s IP address spoofed as the sender. These amplified responses flood the victim’s server, overwhelming it and causing service disruptions.
• DNS spoofing intercepts and replaces legitimate DNS responses with malicious ones, redirecting users to harmful websites designed to steal data or deliver malware.
• DNS cache poisoning injects fake entries into a server’s cache to misdirect users to malicious domains. Poisoned entries remain active until the cache is cleared.
• DNS flooding, another type of DDoS attack, involves querying a DNS server many times in a short period, causing it to slow down or crash.
• DNS tunneling is a technique threat actors use to covertly send or receive data through domain queries. Because the traffic is implicitly trusted, it bypasses traditional firewalls and detection systems, enabling malware delivery and data theft.
• DNS hijacking involves taking control of DNS settings or altering resource records, usually by compromising a DNS server or router, to stealthily redirect user traffic to malicious servers.
• Typosquatting (or domain impersonation) exploits common typos in domain names (e.g., "offlice365[.]com") to direct users to phishing sites or other malicious destinations.

Securing DNS requires a layered approach that balances visibility, protection, and performance. The following best practices help reduce risk while maintaining reliable access to internet and cloud services.

• Detect DNS-based threats: Monitor DNS activity in real time to identify anomalous behavior, suspicious domains, and indicators of data exfiltration or command-and-control activity.
• Apply DNS filtering: Block access to known malicious or high-risk domains with filtering. Customize the filters to flag risky or inappropriate domains, and use domain reputation data to refine policies further.
• Enable logging and analytics: Capture detailed DNS logs and metadata to support threat hunting, incident response, and compliance reporting across users, devices, and locations.
• Use DNSSEC where appropriate: Validate DNS responses to prevent spoofing and cache poisoning attacks, while recognizing that DNSSEC alone does not stop malware or phishing.
• Watch for DNS tunneling: Identify abnormal query patterns, payload sizes, or frequencies that may indicate covert data transfer over DNS.
• Adopt zero trust principles: Ensure policies based on user identity, device posture, and context to ensure DNS requests are trusted, authorized, and continuously evaluated.

Zscaler DNS Security provides comprehensive protection against DNS-based threats while maintaining performance and scale through a cloud native zero trust architecture. Delivered as part of the Zscaler Zero Trust Firewall, DNS security is enforced globally and consistently for all users, devices, and locations. 

• Complete DNS visibility across all traffic: Gain rich DNS logs and contextual insights to support threat hunting, investigations, and compliance. 
• Fast, secure DNS resolution at global scale: Get fast, secure resolution with high availability and automatic failover. Forward traffic efficiently to trusted resolvers and ensure smooth user access to location-based content globally.