The original DNS (Domain Name System) was designed without robust security measures to authenticate responses. This lack of authentication makes it susceptible to cache poisoning attacks, where an attacker can send forged DNS responses to a resolver. These malicious responses can redirect users to fraudulent or malicious websites without their knowledge.
DNSSEC (Domain Name System Security Extensions) was developed specifically to close this gap by adding cryptographic signatures to DNS data. A validating resolver uses these signatures to verify the authenticity and integrity of the records it receives and to reject forged responses, mitigating the risk of cache poisoning and helping ensure that users are directed to legitimate websites.
D) Man-in-the-middle attack intercepting TLS traffic: While a serious threat, this attack targets the encryption layer (TLS) rather than the fundamental weaknesses of DNS itself.
B) Distributed denial-of-service (DDoS) attack on DNS servers: DDoS attacks overwhelm servers with traffic but do not exploit the specific lack of authentication in DNS responses.
C) Social engineering attack tricking users: This involves manipulating users directly rather than exploiting technical vulnerabilities in DNS.