1. Introduction
Everything on the internet starts with DNS, the Domain Name System. When you enter example.com in your browser, your computer sends a query to a DNS server, which translates the domain name into an IP address so that the browser can connect to the desired website.
But what if DNS starts "eating" the wrong thing?
What is DNS Eating?
DNS Eating is a new attack technique in which attackers force DNS resolvers to accept malicious responses instead of correct data. This can lead to:
✅ Redirecting traffic to phishing sites.
✅ Disrupting services through DNS cache poisoning.
✅ Complete takeover of the victim's traffic.
How Does DNS Eating Differ from Regular DNS Attacks?
🔹 Unlike DNS Spoofing, where the attacker forges one specific response, DNS Eating makes the server swallow false information and continue to use it.
🔹 Unlike DNS Hijacking, where attackers redirect requests through a hacked server, DNS Eating affects the request handling process itself, deceiving the system at a deep level.
Why Is This a Threat?
DNS has always been considered a weak link in internet security. Many attacks use cache poisoning, fake records, and even attacks on the root server infrastructure. But DNS Eating makes the situation even worse:
🚨 It is invisible to the user.
🚨 It can remain active for a long time.
🚨 It allows complete control over the victim's internet traffic.
2. How Does DNS Work and Why Is It Vulnerable?
Before delving into how attackers force DNS to "eat" malicious data, let's understand how DNS works and where its weaknesses lie.
2.1. How Does the DNS System Work?
DNS (Domain Name System) is a global database that links domain names (example.com) with their IP addresses (192.168.1.1). This process is called DNS resolution and occurs in several stages:
1️⃣ You enter a domain name in your browser (example.com).
2️⃣ Your computer sends a request to a DNS resolver (usually your provider's server).
3️⃣ The resolver searches for the answer in its cache:
- If the address is already in the cache → it provides the answer immediately.
- If not → it queries the root DNS servers.
4️⃣ The root server points to the .COM zone server.
5️⃣ The .COM zone server directs the resolver to the DNS server for example.com.
6️⃣ The resolver obtains the IP address and sends it to the browser.
7️⃣ The browser connects to the desired IP and loads the website.
2.2. Where Are the Weak Spots of DNS?
DNS was not originally designed with security in mind, so it has several critical vulnerabilities:
🔴 Cache Poisoning
An attacker forges a DNS response and forces the resolver to remember false information. After this, all users of that server begin to receive fake IP addresses.
🔴 Lack of Encryption
Most DNS queries are transmitted in plain text (typically over UDP port 53), allowing attackers to eavesdrop on and tamper with them.
🔴 Provider-Side Manipulations
Some Internet Service Providers intentionally alter DNS requests, substituting ads or blocking websites.
🔴 Attacks on DNS Servers
DDoS attacks on root and authoritative DNS servers can take down entire domains, making them inaccessible.
2.3. Why Does DNS Eating Work?
DNS Eating exploits the weak spots of DNS by forcing the server to "swallow" a forged response. Unlike regular cache poisoning, DNS Eating integrates deeper into the request handling process, causing the resolver to trust malicious data for a much longer period.
3. What is "DNS Eating"?
Now let's understand how DNS Eating differs from other attacks and why it represents a new level of threat.
3.1. The Difference Between DNS Eating and Classic Attacks
| Type of Attack | How It Works | How It Differs |
|---|---|---|
| DNS Spoofing | An attacker forges a single DNS server response. | The attack is time-limited. |
| Cache Poisoning | Malicious data is written to the resolver's cache. | The cache can be cleared, nullifying the attack. |
| DNS Hijacking | The DNS server is compromised and all its responses are forged. | Requires server compromise. |
| DNS Eating | The server continually accepts false data and delivers it to clients. | The impact is deeper and longer-lasting than other attacks. |
3.2. How to Make DNS "Eat" False Data?
DNS Eating uses a combination of methods to make the server not just accept a fake response, but completely rely on it in the future.
🔴 Long-Term Caching Trick
- The attacker sends a forged response with a very long TTL (Time-To-Live).
- The DNS server "eats" this response and stores it for days or weeks.
🔴 Manipulating the Chain of Trust
- If one DNS resolver is already poisoned, it can propagate false data further across the network.
🔴 On-the-fly Injection
- A hacker intercepts real DNS requests and inserts malicious responses faster than the legitimate server.
3.3. Why Is DNS Eating Harder to Detect?
🚨 It Doesn't Appear Suspicious — after all, the DNS server is receiving a "legitimate" response.
🚨 The Attack Lives Long — false data can remain in the cache for weeks.
🚨 Even Clearing the Cache May Not Help — if the false records have already spread across the network.
4. Attack Mechanism: How Does DNS "Eat the Wrong Data"?
Now let's break down the attack step-by-step and demonstrate how attackers force the DNS resolver to "eat" false data.
4.1. Stage 1: Interfering with DNS Requests
🔹 The victim requests example.com from their DNS resolver.
🔹 The resolver does not find an answer in the cache and sends a request to the authoritative server.
🔹 The attacker intercepts this request using:
- MITM (Man-in-the-Middle)
- DNS Spoofing
- Fake response with a forged IP
📌 What Does the Victim See?
💬 Everything appears normal: the site loads, but in reality it redirects to a phishing server.
4.2. Stage 2: Fake Response and Data Substitution
🔴 The attacker sends a forged DNS response faster than the legitimate server.
🔴 This response includes a fake IP and a very long TTL (Time-To-Live) value.
🔴 The DNS server "eats" this response and caches it for an extended period.
📌 What Happens?
✅ Now, all users who query this DNS resolver receive the malicious IP instead of the legitimate one.
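The long-TTL trick described in 3.2 and in Stage 2 above only works if the resolver stores whatever TTL a response carries and accepts any record that arrives. The following Python example is added here and is not code from the original article: it models a naive cache beside a hardened one that (a) checks the transaction ID and question name against the outstanding query, (b) drops records outside the bailiwick of the server that was actually queried, and (c) caps the stored TTL. The 86400-second cap, the 0x1234 transaction ID and all names and addresses are assumed values constructed for the example.

```python
"""Naive vs. hardened resolver cache (constructed example, not from the article)."""
from dataclasses import dataclass

MAX_TTL = 86400                 # assumed cap; Unbound's cache-max-ttl defaults to one day
RFC2181_TTL_LIMIT = 2**31 - 1   # TTLs with the high bit set are treated as 0 (RFC 2181 s.8)


@dataclass
class RR:
    name: str
    rtype: str
    ttl: int
    data: str


@dataclass
class Response:
    txid: int
    qname: str
    answers: list


def norm(name: str) -> str:
    """Canonical cache-key form: lower-case, no trailing dot."""
    return name.lower().rstrip(".")


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is at or below `zone`, the zone the queried server is authoritative for."""
    name, zone = norm(name), norm(zone)
    return name == zone or name.endswith("." + zone)


class NaiveCache:
    """Stores every record in a response with whatever TTL it carries."""

    def __init__(self):
        self.store = {}

    def accept(self, sent_txid, sent_qname, zone, resp):
        for rr in resp.answers:
            self.store[(norm(rr.name), rr.rtype)] = (rr.data, rr.ttl)
        return len(resp.answers)


class HardenedCache:
    """Matches the response to the query, filters by bailiwick and caps the TTL."""

    def __init__(self, max_ttl=MAX_TTL):
        self.store = {}
        self.max_ttl = max_ttl

    def accept(self, sent_txid, sent_qname, zone, resp):
        # 1. The response must belong to the query that is actually outstanding.
        if resp.txid != sent_txid or norm(resp.qname) != norm(sent_qname):
            return 0
        accepted = 0
        for rr in resp.answers:
            # 2. Ignore records the queried server has no authority over.
            if not in_bailiwick(rr.name, zone):
                continue
            # 3. Never store more than max_ttl; absurd TTLs become 0 (not cached).
            ttl = 0 if rr.ttl > RFC2181_TTL_LIMIT else min(rr.ttl, self.max_ttl)
            self.store[(norm(rr.name), rr.rtype)] = (rr.data, ttl)
            accepted += 1
        return accepted


# Constructed forged response: a 30-day TTL plus an unrelated bank.com record
# riding along in an answer for example.com (addresses from the documentation range).
THIRTY_DAYS = 30 * 24 * 3600
FORGED = Response(
    txid=0x1234,
    qname="example.com.",
    answers=[
        RR("example.com.", "A", THIRTY_DAYS, "203.0.113.10"),
        RR("bank.com.", "A", THIRTY_DAYS, "203.0.113.10"),
    ],
)


def run_demo():
    """Feed the same forged response to both caches and report what each kept."""
    naive, hard = NaiveCache(), HardenedCache()
    sent_txid, qname, zone = 0x1234, "example.com.", "example.com."
    naive.accept(sent_txid, qname, zone, FORGED)
    hard.accept(sent_txid, qname, zone, FORGED)
    # A copy whose transaction ID does not match the outstanding query must be dropped.
    mismatched = Response(txid=0x9999, qname=qname, answers=FORGED.answers)
    return {
        "naive_ttl": naive.store[("example.com", "A")][1],
        "hardened_ttl": hard.store[("example.com", "A")][1],
        "naive_kept_bank": ("bank.com", "A") in naive.store,
        "hardened_kept_bank": ("bank.com", "A") in hard.store,
        "mismatch_dropped": hard.accept(sent_txid, qname, zone, mismatched) == 0,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The naive cache keeps the 30-day TTL and the stray bank.com record; the hardened cache stores the example.com answer for at most one day, discards the out-of-bailiwick record, and ignores the response with the wrong transaction ID. Real resolvers (Unbound, BIND) apply the same three controls, which is why the "long-term caching trick" depends on a resolver that skips them.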
4.3. Stage 3: Spreading Infected Data
💀 The most frightening aspect is the chain reaction. If the compromised DNS resolver shares data with others, the false information can spread throughout the entire network.
🔹 Provider DNS servers trust each other.
🔹 The compromised server can "infect" neighboring DNS servers.
🔹 As a result, the attack persists much longer than with standard cache poisoning.
📌 How Does This Look in Practice?
🚨 You enter bank.com, but end up not at the bank, but on the attacker's site.
🚨 Even if you restart your router or clear the DNS cache, the attack won't disappear until the compromised server updates.
4.4. Why Is This More Dangerous Than Regular DNS Spoofing?
| DNS Spoofing | DNS Eating |
|---|---|
| Replaces a single response | Malicious data is cached for a long time |
| Cleared after a restart | Continues even after the cache is cleared |
| Requires a direct MITM attack | Can spread across the network |
📌 Conclusion:
DNS Eating is not merely response spoofing, but a profound manipulation of the DNS resolver that can remain undetected for weeks.
5. Real-World Examples of Attacks with "Eating" DNS
Now let's examine real cases of attacks where attackers used DNS manipulations to force resolvers to "eat" false data and propagate it further.
5.1. DNS Eating in the Financial Sector
📍 Scenario:
🔹 Hackers conducted an attack on a major bank's DNS resolver.
🔹 They implanted false records for bank-login.com, replacing the IP address with their own server.
🔹 Due to the long TTL, the attack lasted almost a week before the bank's IT department noticed anomalies.
🔹 Users entered their logins and passwords on a fake page, handing over their credentials to the attackers.
✅ Consequences:
- Compromise of thousands of accounts.
- Fraudulent transfers and money theft.
- Long recovery process after the incident.
5.2. Software Update Substitution via DNS Eating
📍 Scenario:
🔹 A major provider's DNS server "ate" false data about updates for updates-software.com.
🔹 The malicious DNS record pointed to the attackers' server, from which users downloaded fake updates.
🔹 The malicious software implanted backdoors into victims' systems, allowing hackers to control their devices.
✅ Consequences:
- Massive infection of corporate networks.
- Cyber espionage and data leaks.
- Use of infected machines for DDoS attacks.
5.3. DNS Eating in Attacks on Cryptocurrency Exchanges
📍 Scenario:
🔹 Hackers carried out an attack on a cryptocurrency exchange's DNS.
🔹 All requests to crypto-exchange.com were redirected to a phishing site.
🔹 Users entered their API keys, passwords, and 2FA codes without noticing the deception.
🔹 Within a few hours, attackers withdrew millions of dollars from exchange accounts.
✅ Consequences:
- Significant losses of crypto assets.
- Loss of trust in the exchange and user exodus.
- Regulatory investigations and fines.
5.4. Why Are These Attacks Difficult to Detect?
🚨 Users don't notice any difference — the site loads as usual.
🚨 Malicious data persists for a long time thanks to TTL manipulation.
🚨 Traffic can even be redirected through a proxy with HTTPS.
🚨 Even after deleting fake DNS records, they can remain cached on other servers.
6. How to Protect Against DNS Eating?
Now let's explore protective measures that help prevent attacks forcing DNS to "eat" malicious data.
6.1. DNSSEC: Digital Signatures for DNS Queries
DNSSEC (Domain Name System Security Extensions) is a DNS extension that adds cryptographic protection to the domain name resolution process.
✅ How It Works:
- Each DNS record is digitally signed.
- If an attacker tries to alter a record, the signature fails verification.
- The resolver receives only verified data, ignoring fake responses.
❌ Disadvantages of DNSSEC:
- Not all domains and resolvers support DNSSEC.
- Providers may not enable verification by default.
- Requires additional configuration and infrastructure updates.
6.2. Trust Chain Control
🚨 What to Do:
✔ Use only trusted DNS servers (Google DNS, Cloudflare, OpenDNS).
✔ Enable DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) to protect queries.
✔ Regularly clear the DNS cache to eliminate potential infected records.
6.3. Monitoring and Anomaly Detection
🔍 How to Detect DNS Eating:
- Set up DNS query logging and analyze for suspicious changes.
- Verify that the IP addresses of important domains match known values.
- Use network traffic monitoring systems (Suricata, Zeek) to identify anomalies.
🚨 Signs of an Attack:
⚠ Sudden changes in domain IP addresses without updates from the owner.
⚠ Logs indicate that different users receive different IPs for the same domain.
⚠ A high number of requests to unknown servers from network users.
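The first two signs above (an important domain resolving to an unpublished address, and different users getting different answers for the same name) can be checked directly against resolver query logs, together with the oversized TTLs the article associates with the attack. The following Python script is an added example, not code from the original article: it parses a constructed, space-separated log format assumed for this example, compares answers with a known-good baseline, and reports the anomalies. All addresses, client IPs, baseline values and the 86400-second TTL threshold are assumptions constructed for the example.

```python
"""Flag the DNS log anomalies listed in 6.3 (constructed example, not from the article)."""
from collections import defaultdict, namedtuple

# Constructed log format assumed for this example, one record per line:
#   <unix_ts> <client_ip> <qname> <qtype> <answer> <ttl>
SAMPLE_LOG = """\
1700000000 10.0.0.5 bank.com A 198.51.100.20 300
1700000005 10.0.0.9 bank.com A 198.51.100.20 300
1700000010 10.0.0.5 example.com A 192.0.2.10 3600
1700000020 10.0.0.7 bank.com A 203.0.113.66 2592000
1700000030 10.0.0.9 mail.example.com A 192.0.2.25 3600
1700000040 10.0.0.7 example.com A 192.0.2.10 3600
"""

# Known-good addresses for the domains you care about (assumed values; in practice
# populate this from the owner's published records or your own inventory).
BASELINE = {
    "bank.com": {"198.51.100.20"},
    "example.com": {"192.0.2.10"},
}

MAX_SANE_TTL = 86400  # assumed threshold: anything longer than a day deserves a look

Record = namedtuple("Record", "ts client qname qtype answer ttl")
Alert = namedtuple("Alert", "kind qname detail")


def parse_log(text):
    """Parse the constructed log format into Record tuples, skipping blanks and comments."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, qname, qtype, answer, ttl = line.split()
        records.append(Record(int(ts), client, qname.lower().rstrip("."),
                              qtype.upper(), answer, int(ttl)))
    return records


def detect(records, baseline, max_ttl=MAX_SANE_TTL):
    """Return an Alert for each suspicious observation in the log."""
    alerts = []
    clients_by_answer = defaultdict(lambda: defaultdict(set))  # qname -> answer -> {clients}
    for r in records:
        if r.qtype != "A":
            continue
        # Sign 1: the domain resolves to an address the owner never published.
        if r.qname in baseline and r.answer not in baseline[r.qname]:
            alerts.append(Alert("baseline_mismatch", r.qname,
                                f"{r.answer} served to {r.client}"))
        # TTL far beyond normal operational values: the long-caching trick.
        if r.ttl > max_ttl:
            alerts.append(Alert("excessive_ttl", r.qname, f"ttl={r.ttl} for {r.answer}"))
        clients_by_answer[r.qname][r.answer].add(r.client)
    # Sign 2: different clients receive different answers for the same name.
    # Round-robin and CDN answers also trigger this, so treat it as a lead, not proof.
    for qname, by_answer in clients_by_answer.items():
        if len(by_answer) > 1:
            detail = "; ".join(f"{ans} -> {sorted(c)}" for ans, c in sorted(by_answer.items()))
            alerts.append(Alert("inconsistent_answers", qname, detail))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG), BASELINE):
        print(f"[{a.kind}] {a.qname}: {a.detail}")
```

On the sample log only bank.com is flagged: once for the unpublished address served to 10.0.0.7, once for the 30-day TTL, and once because client 10.0.0.7 received a different answer from clients 10.0.0.5 and 10.0.0.9. To apply this to a real resolver, replace `parse_log` with a parser for your resolver's own log format and keep `detect` unchanged; run it on a schedule against a baseline that is updated whenever the domain owner legitimately changes records.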
6.4. Using Resilient DNS Solutions
📌 Solutions for Protecting DNS Infrastructure:
✔ Quad9 (9.9.9.9) – a free, secure DNS with threat filtering.
✔ Google Public DNS (8.8.8.8, 8.8.4.4) – a fast and reliable alternative to ISP DNS.
✔ Cloudflare DNS (1.1.1.1, 1.0.0.1) – a high-speed DNS with protection against tampering.
🚨 Why Are ISP DNS Servers Unreliable?
❌ They may alter results (advertisement pages, blocks).
❌ They often do not use DNSSEC and are vulnerable to attacks.
❌ They can log user traffic for commercial purposes.
6.5. What Should Users Do?
🔒 Tips for Protecting Against DNS Eating:
✔ Use secure public DNS (Cloudflare, Google, Quad9).
✔ Enable DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) in your browser and router settings.
✔ Manually verify the IP addresses of important websites before logging in (e.g., via nslookup).
✔ Use a VPN that has its own secure DNS servers.
✔ Regularly check DNS query logs for suspicious changes.
7. Conclusion
Now we know that DNS Eating is a new and dangerous attack technique that forces DNS resolvers to "eat" false data, spreading it among users. This attack is long-term, difficult to detect, and can be used for:
🔹 Redirecting users to fake websites.
🔹 DNS cache poisoning with fake IP addresses.
🔹 Compromising financial services and stealing data.
🔹 Substituting software updates and spreading malicious code.
7.1. How to Prevent DNS from "Eating" Bad Stuff?
✅ Use DNSSEC – to have servers sign responses with digital keys.
✅ Switch to secure DNS – Google (8.8.8.8), Cloudflare (1.1.1.1), Quad9 (9.9.9.9).
✅ Enable DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) – to encrypt DNS queries.
✅ Set Up DNS Traffic Monitoring – track anomalous IPs and sudden changes.
✅ Clear and Restart the Cache – at the slightest suspicion of interference.
✅ Use a VPN – with built-in protection against DNS attacks.
🚨 The main rule – do not trust provider DNS without verification!
7.2. Final Advice
💡 If your DNS starts "eating" something strange – urgently check what is being fed to it!
🚀 Protecting against DNS attacks is not just a one-time setup, but continuous monitoring and security updates.
