The attacks fall into a number of categories. The most important are domain spoofing, denial-of-service attacks, and domain hijacking.
Domain spoofing
The category called domain spoofing includes all the ways of getting a DNS request to return a forged result. If it succeeds, users reach a bogus server: typically a lookalike site designed to trick them into entering their credentials or downloading malware.
A man-in-the-middle attack interposes a malicious node between the client and the DNS server and alters the request or the response. It works because plain DNS over UDP port 53 has neither authentication nor encryption: the resolver accepts whatever answer arrives first with the right transaction ID. DNSSEC adds origin authentication and integrity (zone data is signed, so a validating resolver rejects a tampered answer), which makes such attacks much harder, but it encrypts nothing, and it only helps on paths where validation actually happens. The hop from a laptop to a hotspot's resolver is usually unprotected unless DNS over TLS or DNS over HTTPS is in use, so if any step along the connection (such as a public Wi-Fi hotspot or proxy) is untrustworthy, there's a risk of spoofing by this technique.
Another technique is to set up a malicious DNS server and get clients to point at it. On its own this isn't very effective, since it only affects clients that actually use that server, but anything that hands out resolver settings can make that happen: a malicious VPN can push its own resolver to every connected user and direct them to deceptive sites through it, and a rogue DHCP server on a local network can do the same.
The best-known technique is cache poisoning. If an attacker can get a recursive resolver to accept one forged answer, that answer is served from cache to every client of the resolver until it expires. The lifetime is the TTL (time to live) carried in the forged record, which the attacker chooses, subject to the resolver's maximum cache TTL; TTLs of hours are normal, so one successful injection buys a lot of misdirection. Getting the forged answer accepted is the hard part: classic attacks race the authoritative server's real reply with a flood of spoofed replies, which the resolver accepts only if the 16-bit transaction ID and the UDP source port match the outstanding query. That is why resolvers now randomize both, and why a validating DNSSEC resolver rejects the forgery outright.
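The race and the cache behaviour described above, as an added example that is not part of the original article: a toy recursive resolver in Python that builds and parses real DNS wire-format responses, accepts a reply only when its transaction ID and the UDP port it arrives on match an outstanding query, and caches the answer for the TTL the reply carries, capped at a resolver-side maximum. The attacker is blind: it never sees the query, so it sprays all 65536 transaction IDs at one guessed port. The domain, IP addresses, seeds and the fixed port 53 are constructed for the demonstration.

```python
"""Toy recursive resolver cache and a blind DNS cache-poisoning race.
Added example, not code from the original article; names, addresses, seeds
and the fixed port 53 are constructed for the demonstration."""
import random
import struct


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(pkt, off):
    """Decode a name at offset off, following RFC 1035 compression pointers."""
    labels = []
    while True:
        ln = pkt[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if (ln & 0xC0) == 0xC0:        # two-byte pointer to an earlier copy of the name
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(pkt, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(pkt[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def build_response(txid, name, ip, ttl):
    """One-answer A response in DNS wire format; the attacker builds these too."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    question = encode_name(name) + struct.pack("!HH", 1, 1)     # type A, class IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C points back at the question name (offset 12); then type, class, TTL, rdlength
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(pkt):
    """Return (txid, qname, ip, ttl) from a single-answer A response."""
    txid = struct.unpack("!H", pkt[:2])[0]
    qname, off = decode_name(pkt, 12)
    off += 4                                   # skip qtype, qclass
    _owner, off = decode_name(pkt, off)
    _rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    return txid, qname, ".".join(str(b) for b in pkt[off:off + rdlen]), ttl


class Resolver:
    """Outstanding queries, reply matching by (txid, port), TTL-bounded cache."""

    def __init__(self, randomize_port, max_ttl=86400, seed=None):
        self.rng = random.Random(seed)
        self.randomize_port = randomize_port
        self.max_ttl = max_ttl          # resolver-side cap on any record's lifetime
        self.pending = {}               # (txid, source port) -> qname awaiting a reply
        self.cache = {}                 # qname -> (ip, expiry)

    def send_query(self, name):
        """Forward a query upstream; returns the two values the attacker must guess."""
        txid = self.rng.getrandbits(16)
        # Old resolvers reused one fixed source port (53 here); modern ones randomize it.
        port = self.rng.randint(1024, 65535) if self.randomize_port else 53
        self.pending[(txid, port)] = name
        return txid, port

    def receive(self, pkt, dst_port, now):
        """Accept a reply only if it matches an outstanding query; first match wins."""
        txid, qname, ip, ttl = parse_response(pkt)
        if self.pending.get((txid, dst_port)) != qname:
            return False                # unknown txid/port/name: silently dropped
        del self.pending[(txid, dst_port)]
        self.cache[qname] = (ip, now + min(ttl, self.max_ttl))
        return True

    def lookup(self, name, now):
        entry = self.cache.get(name)
        return entry[0] if entry and entry[1] > now else None


def blind_poison(resolver, name, forged_ip, forged_ttl, port_guess, now):
    """Attacker who never sees the query sprays all 65536 txids at one guessed port.
    Returns (poisoned, real_txid, real_port) so the genuine reply can be delivered after."""
    real_txid, real_port = resolver.send_query(name)    # resolver asks upstream
    for txid in range(1 << 16):
        forged = build_response(txid, name, forged_ip, forged_ttl)
        if resolver.receive(forged, port_guess, now):
            return True, real_txid, real_port
    return False, real_txid, real_port


if __name__ == "__main__":
    for randomize in (False, True):
        r = Resolver(randomize_port=randomize, seed=7)
        ok, _, _ = blind_poison(r, "bank.example", "198.51.100.7", 3600, 53, now=0)
        print("source port randomized:", randomize, "-> poisoned:", ok)
```

With a fixed source port the spray lands, the genuine answer arriving a moment later is dropped because nothing is outstanding any more, and the forged record then serves every client of the resolver until its TTL runs out (or the resolver's cap, whichever is smaller). With source-port randomization the attacker has to guess the port as well, roughly a 2^32 search instead of 2^16, which is the mitigation resolvers deployed after the 2008 Kaminsky disclosure; a validating DNSSEC resolver rejects the forgery regardless, because it carries no valid signature.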
Denial-of-service attacks
On October 21, 2016, Dyn's authoritative DNS servers came under a heavy distributed denial-of-service attack, attributed to the Mirai botnet of compromised IoT devices. Dyn hosted the zones of many well-known websites, so those sites were unavailable in much of North America for most of the day even though their own web servers were fine: DNS requests timed out, so browsers never learned where to connect. Attacking a DNS provider is effectively a denial-of-service attack on every site that depends on it at once.
A botnet floods the DNS server with more requests than it can answer. One common technique is to query non-existent domains, such as xrrqxpq5511[dot]com, with a different random name in every request so that nothing can be served from cache and every query costs a full lookup. A variant, the random-subdomain or "water torture" attack, asks for nonexistent subdomains of a real zone, like rr824mw1[dot]facebook[dot]com; that burdens both the recursive resolver, which has to forward each miss, and the zone's authoritative servers, which have to answer every one. A third trick is to send malformed queries that cost the server extra processing just to reject.
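One way to spot the random-name floods described above in resolver query logs, as an added example (not from the original article, and not any product's detection logic): it scores each client on the fraction of its queries that return NXDOMAIN and the fraction whose leftmost label looks machine-generated, then reports the zone that is taking the hits. The simplified log format, the client addresses and the names are constructed for the demonstration; the two names from the text appear among them.

```python
"""Flag clients generating random-name (NXDOMAIN) query floods.
Added example, not from the original article. Works on a simplified,
constructed log format: '<timestamp> <client> <qname> <rcode>'. Real resolver
logs (BIND querylog, Unbound, dnstap) differ and need their own parser; the
scoring is the part that carries over."""
import math
from collections import defaultdict

# Constructed sample: one normal client, a flooder hammering random .com names,
# a flooder hammering random subdomains of a real zone, and a single typo.
SAMPLE_LOG = """\
2016-10-21T11:00:01Z 198.51.100.20 www.example.com NOERROR
2016-10-21T11:00:01Z 198.51.100.20 mail.example.com NOERROR
2016-10-21T11:00:02Z 198.51.100.20 cdn.example.net NOERROR
2016-10-21T11:00:02Z 198.51.100.20 api.example.com NOERROR
2016-10-21T11:00:02Z 203.0.113.5 xrrqxpq5511.com NXDOMAIN
2016-10-21T11:00:02Z 203.0.113.5 k9f2zq0b1.com NXDOMAIN
2016-10-21T11:00:02Z 203.0.113.5 a81mz0x7.com NXDOMAIN
2016-10-21T11:00:03Z 203.0.113.5 qq7mxa20.com NXDOMAIN
2016-10-21T11:00:03Z 203.0.113.5 xz00p1kq5.com NXDOMAIN
2016-10-21T11:00:03Z 203.0.113.9 rr824mw1.facebook.com NXDOMAIN
2016-10-21T11:00:03Z 203.0.113.9 p0w4mm2c.facebook.com NXDOMAIN
2016-10-21T11:00:04Z 203.0.113.9 x91kq0zz.facebook.com NXDOMAIN
2016-10-21T11:00:04Z 203.0.113.9 n3m8qa5t.facebook.com NXDOMAIN
2016-10-21T11:00:04Z 203.0.113.9 www.facebook.com NOERROR
2016-10-21T11:00:05Z 198.51.100.21 typo-exmaple.com NXDOMAIN
"""


def label_entropy(label):
    """Shannon entropy, in bits per character, of one label."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label):
    """Heuristic for generated labels: long, mixes letters and digits, high entropy."""
    return (len(label) >= 7
            and any(ch.isdigit() for ch in label)
            and any(ch.isalpha() for ch in label)
            and label_entropy(label) >= 2.0)


def parse_log(text):
    """Yield (timestamp, client, qname, rcode) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        yield ts, client, qname.rstrip(".").lower(), rcode


def find_floods(text, min_queries=4, nx_ratio=0.8, random_ratio=0.6):
    """Return one alert per client whose traffic is mostly random names that fail."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "random": 0,
                                 "targets": defaultdict(set)})
    for _ts, client, qname, rcode in parse_log(text):
        s = stats[client]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
        labels = qname.split(".")
        if looks_random(labels[0]):
            s["random"] += 1
            # The zone the junk label hangs off: each miss also costs its authoritative server a query.
            s["targets"][".".join(labels[1:])].add(labels[0])
    alerts = []
    for client, s in sorted(stats.items()):
        if s["total"] < min_queries:
            continue
        if s["nx"] / s["total"] >= nx_ratio and s["random"] / s["total"] >= random_ratio:
            zone, junk = max(s["targets"].items(), key=lambda kv: len(kv[1]))
            alerts.append({"client": client, "queries": s["total"], "nxdomain": s["nx"],
                           "zone": zone, "distinct_labels": len(junk)})
    return alerts


if __name__ == "__main__":
    for alert in find_floods(SAMPLE_LOG):
        print(alert)
```

The thresholds are tuned to this tiny sample; on a real resolver, score over a sliding window and rate-limit or drop the offending client (response rate limiting on the authoritative side covers the other end of a random-subdomain attack). The heuristic deliberately ignores the single typo on the last line, and it does not cover the malformed-query variant, which is better caught from the server's own format-error counters.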
Domain hijacking
The most dangerous DNS attack is one that alters, or takes control of, a domain's registration records at its registrar. Because the change is made at the source rather than in some resolver's cache, it can redirect every client for days or longer, and it falls to the legitimate owner to get the records fixed or to challenge the reassignment of ownership. The defences live at the registrar rather than in the protocol: strong authentication on the registrar account, registrar and registry locks, and alerting on any change to the domain's NS records.
Short of taking ownership of the whole domain, an attacker who can edit its records can change the domain's NS records so that they point to a malicious name server. That server returns a different IP address for the domain, one hosting a site that impersonates the real one, effectively stealing its traffic. From there it can use any number of tricks to harvest visitors' passwords or to deliver malware that steals private information from the computer and damages the system.