
DNS and DHCP Attacks: CISSP Network Security Guide

Deep Dive | Cert Sensei Team | 2029-09-08 | 10 min read

DNS and DHCP attacks target core network services to redirect traffic or cause outages. Key network attack types include DNS cache poisoning, which redirects users to malicious sites, and DHCP starvation or rogue DHCP servers, which compromise IP address assignment. Defending against these requires DNSSEC, DHCP snooping, and strict network segmentation.

#CISSP #Network Security #Network Attack Types #DNSSEC

Why are DNS and DHCP such high-value targets for attackers?

Think of DNS as the phonebook of the internet and DHCP as the welcome mat for every device entering your network. Because these protocols are foundational, they are often implicitly trusted. If an attacker can compromise your DNS or DHCP services, they don't need to hack into a specific server; they can simply redirect your entire user base to a malicious clone of your login page.

For the CISSP exam, specifically within Domain 4 (Communication and Network Security), you must recognize that these protocols were designed for efficiency and connectivity, not security. They lack inherent authentication, making them prime targets for man-in-the-middle (MitM) attacks. Understanding this 'trust gap' is the first step in implementing the Zero Trust architectures that ISC2 expects you to know.

How does DNS Cache Poisoning actually work?

DNS cache poisoning, or DNS spoofing, happens when an attacker injects a fraudulent DNS entry into a recursive resolver's cache. When a user requests 'bank.com', the poisoned resolver provides the attacker's IP address instead of the real one. The user's browser shows the correct URL, but the content is served by the attacker, leading to massive credential theft.

To pull this off, attackers often flood a resolver with forged responses, hoping one matches the transaction ID of a pending request. From a practical standpoint, this highlights the danger of open resolvers. You should focus on the impact: it's not just about a single user, but potentially every user relying on that specific DNS server. This is a classic example of how a failure in data integrity leads to a total loss of confidentiality.
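The reason a matching transaction ID is enough to poison a cache is that a resolver accepts any response that looks like the reply to a query it has outstanding. The toy resolver below, an added example written for this guide rather than code from any real resolver, models that outstanding-query table and shows why the standard defense, randomizing the UDP source port as well as the 16-bit transaction ID, matters: an unsolicited response must match both. The names (`ToyResolver`, `guess_space`, `unsolicited_flood`), the 1024-65535 ephemeral port range, and the `bank.example` query are assumptions made for the example.

```python
import random
from dataclasses import dataclass

TXID_SPACE = 65536          # the DNS transaction ID is a 16-bit field
PORT_SPACE = 65536 - 1024   # assumption: the resolver picks source ports from 1024-65535


@dataclass(frozen=True)
class PendingQuery:
    txid: int
    src_port: int
    qname: str


@dataclass(frozen=True)
class DnsResponse:
    txid: int
    dst_port: int   # the resolver port this response is addressed to
    qname: str
    answer: str


class ToyResolver:
    """Minimal model of a recursive resolver's outstanding-query table.

    A response is accepted only if its transaction ID, destination port and
    question name all match a query this resolver actually sent. Anything else
    is unsolicited and is discarded instead of being cached.
    """

    def __init__(self, randomize_ports=True, seed=0):
        self.rng = random.Random(seed)      # seeded so the example is reproducible
        self.randomize_ports = randomize_ports
        self.pending = {}                   # (txid, port) -> PendingQuery
        self.cache = {}                     # qname -> answer
        self.rejected = 0

    def send_query(self, qname):
        txid = self.rng.randrange(TXID_SPACE)
        # Without port randomization every query leaves from one well-known port,
        # so only the 16-bit transaction ID has to be guessed.
        port = self.rng.randrange(1024, 65536) if self.randomize_ports else 53
        pq = PendingQuery(txid, port, qname)
        self.pending[(txid, port)] = pq
        return pq

    def receive(self, resp):
        pq = self.pending.get((resp.txid, resp.dst_port))
        if pq is None or pq.qname != resp.qname:
            self.rejected += 1              # unsolicited or mismatched: never cached
            return False
        del self.pending[(resp.txid, resp.dst_port)]
        self.cache[resp.qname] = resp.answer
        return True


def guess_space(randomize_ports):
    """How many (txid, port) combinations an unsolicited response has to hit."""
    return TXID_SPACE * (PORT_SPACE if randomize_ports else 1)


def unsolicited_flood(randomize_ports, n=5000, seed=1):
    """Issue one real query, then feed the resolver n constructed unsolicited
    responses with random transaction IDs aimed at port 53, and report the outcome."""
    resolver = ToyResolver(randomize_ports=randomize_ports, seed=seed)
    resolver.send_query("bank.example")
    rng = random.Random(seed + 1)
    accepted = 0
    for _ in range(n):
        # constructed sample response; 198.51.100.66 is a documentation address
        forged = DnsResponse(rng.randrange(TXID_SPACE), 53, "bank.example", "198.51.100.66")
        accepted += resolver.receive(forged)
    return {"accepted": accepted, "rejected": resolver.rejected,
            "poisoned": "bank.example" in resolver.cache}


if __name__ == "__main__":
    print("fixed port, combinations to guess:", guess_space(False))
    print("random port, combinations to guess:", guess_space(True))
    print("fixed port:", unsolicited_flood(False))
    print("random port:", unsolicited_flood(True))
```

With a fixed source port the 5,000 unsolicited responses have a few percent chance of landing one match, and a single match is all it takes to plant an entry; with randomized ports the same flood is rejected entirely because none of the responses is addressed to the port the query actually used. This is also why an open resolver is so exposed: anyone on the internet can trigger the outstanding query they want to race against.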

What is the difference between DHCP Starvation and Rogue DHCP servers?

While both target DHCP, their goals are different. DHCP Starvation is a Denial of Service (DoS) attack. The attacker floods the DHCP server with thousands of fake MAC addresses, requesting every available IP in the pool. Once the pool is exhausted, legitimate users can't get an IP address and are effectively kicked off the network.

On the other hand, a Rogue DHCP server is a Man-in-the-Middle play. The attacker sets up their own DHCP server on the network. When a client sends a DHCP Discover packet, the rogue server responds faster than the legitimate one, assigning the client a fake default gateway and a fake DNS server. Now, all the client's traffic flows through the attacker's machine. In a real-world scenario, this is why we implement DHCP snooping on our switches to ensure only trusted ports can send DHCP Offer packets.

How does DNSSEC stop spoofing and poisoning?

DNS Security Extensions (DNSSEC) is the primary defense against cache poisoning. It doesn't encrypt the data—which is a common trap on the CISSP exam—but it adds digital signatures to DNS records. When a resolver receives a DNSSEC-signed record, it uses a public key to verify that the data is authentic and hasn't been tampered with in transit.

This creates a 'chain of trust' from the root zone down to the individual domain. If the signature doesn't match, the resolver discards the data. When you're studying for the exam, remember that DNSSEC provides integrity and origin authentication. If the question asks about confidentiality or privacy, DNSSEC is not the answer; you'd be looking for DNS over HTTPS (DoH) or DNS over TLS (DoT) for that.
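To make the chain of trust concrete, here is an added, deliberately simplified model of DNSSEC validation; it is example code written for this guide, not an implementation from any DNS software. Each zone holds one key (real DNSSEC separates key-signing and zone-signing keys), the parent publishes a DS record that is a hash of the child's key and signs it, and the leaf zone signs its own answer. The signature scheme is textbook RSA built from small, constructed primes purely so the example runs without third-party libraries; the zone names, the `203.0.113.10` answer and the function names are assumptions.

```python
import hashlib


# --- toy RSA signatures (constructed keys, far too small for real use) ---------
def make_keypair(p, q, e=65537):
    """Return (public, private) = ((n, e), (n, d)) from two constructed primes."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def digest(data, n):
    """SHA-256 of the record data, reduced so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data):
    n, d = private
    return pow(digest(data, n), d, n)


def verify(public, data, sig):
    n, e = public
    return pow(sig, e, n) == digest(data, n)


# --- DNSSEC-style records --------------------------------------------------------
def ds_record(public):
    """DS: a hash of the child zone's key, published and signed in the parent zone."""
    return hashlib.sha256(f"{public[0]}:{public[1]}".encode()).hexdigest()


def ds_rrset(child_name, child_public):
    return f"{child_name}. IN DS {ds_record(child_public)}".encode()


def validate(trust_anchor, chain, rrset, rrsig):
    """Walk the chain of trust from the root trust anchor down to the signed RRset.

    chain: list of (zone_name, zone_public_key, parent_signature_over_DS), ordered
    from the TLD down to the leaf zone. Each link proves the parent vouched for the
    child's key; the final RRSIG proves the leaf zone signed the data itself.
    """
    parent_public = trust_anchor
    for zone_name, zone_public, ds_sig in chain:
        if not verify(parent_public, ds_rrset(zone_name, zone_public), ds_sig):
            return False, f"DS for {zone_name} not signed by parent: chain broken"
        parent_public = zone_public
    if not verify(parent_public, rrset, rrsig):
        return False, "RRSIG does not match RRset: data modified or forged"
    return True, "authenticated"


def build_example(tamper=False, swap_zone_key=False):
    """Construct root -> com -> bank.com with toy keys and return a validation verdict."""
    root_pub, root_priv = make_keypair(2147483647, 4294967291)   # the configured trust anchor
    com_pub, com_priv = make_keypair(998244353, 1000000007)
    bank_pub, bank_priv = make_keypair(1000000009, 2013265921)
    rogue_pub, rogue_priv = make_keypair(469762049, 167772161)   # a key no parent vouched for

    chain = [
        ("com", com_pub, sign(root_priv, ds_rrset("com", com_pub))),
        ("bank.com", bank_pub, sign(com_priv, ds_rrset("bank.com", bank_pub))),
    ]
    rrset = b"bank.com. IN A 203.0.113.10"       # constructed answer (documentation address)
    rrsig = sign(bank_priv, rrset)

    if tamper:            # an on-path change to the answer after it was signed
        rrset = b"bank.com. IN A 198.51.100.66"
    if swap_zone_key:     # an attacker's key can sign, but the parent's DS does not match it
        chain[1] = ("bank.com", rogue_pub, chain[1][2])
        rrsig = sign(rogue_priv, rrset)
    return validate(root_pub, chain, rrset, rrsig)


if __name__ == "__main__":
    print("genuine:", build_example())
    print("tampered answer:", build_example(tamper=True))
    print("unvouched key:", build_example(swap_zone_key=True))
```

Note what the check does and does not give you: the tampered answer and the unvouched key are both rejected, which is integrity and origin authentication, but every record in the exchange is still plaintext. That is the distinction the exam is probing when it pairs DNSSEC with DoH or DoT in the answer choices.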

What are the best practical defenses against these network attack types?

Defense in depth is the name of the game here. To stop DHCP attacks, you need to enable DHCP snooping on your Layer 2 switches. This allows you to define 'trusted' ports (where your real DHCP server lives) and 'untrusted' ports (where users connect). Any DHCP Offer coming from an untrusted port is immediately dropped.
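The trusted/untrusted port logic is simple enough to model end to end, so here is an added example that plays both the rogue-server scenario from the DHCP section and the starvation case through a toy switch. It is illustrative code written for this guide, not a vendor's implementation: it drops server messages (Offer, ACK, NAK) arriving on untrusted ports, records a snooping binding table from ACKs seen on the trusted port, and applies a port-security MAC limit that err-disables a port once too many source addresses appear on it, which is the combination the FAQ below refers to for stopping starvation. Port names, MAC addresses, the `192.0.2.50` lease and the limit of three MACs per port are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # only a DHCP server legitimately sends these


@dataclass(frozen=True)
class DhcpFrame:
    port: str              # switch port the frame arrived on
    src_mac: str           # Ethernet source address
    msg: str               # DHCP message type
    client_mac: str = ""   # chaddr, meaningful in server replies
    yiaddr: str = ""       # address assigned, meaningful in ACK


class SnoopingSwitch:
    """Toy Layer 2 switch with DHCP snooping and a port-security MAC limit."""

    def __init__(self, trusted_ports, max_macs_per_port=3):
        self.trusted = set(trusted_ports)
        self.max_macs = max_macs_per_port
        self.macs_seen = defaultdict(set)   # untrusted port -> MACs learned on it
        self.err_disabled = set()           # ports shut down by a port-security violation
        self.bindings = {}                  # snooping binding table: client MAC -> leased IP
        self.log = []

    def process(self, f):
        if f.port in self.err_disabled:
            return self._drop(f, "port-err-disabled")
        if f.port in self.trusted:
            if f.msg == "ACK":              # learn the lease the real server handed out
                self.bindings[f.client_mac] = f.yiaddr
            return "FORWARD"
        # Untrusted port: clients live here, servers must not.
        if f.msg in SERVER_MESSAGES:
            return self._drop(f, "rogue-server-message")
        self.macs_seen[f.port].add(f.src_mac)
        if len(self.macs_seen[f.port]) > self.max_macs:
            self.err_disabled.add(f.port)   # port security in shutdown mode
            return self._drop(f, "port-security-violation")
        return "FORWARD"

    def _drop(self, f, reason):
        self.log.append(f"DROP {reason} port={f.port} src={f.src_mac} msg={f.msg}")
        return f"DROP:{reason}"


def run_demo():
    """Constructed traffic: a normal lease, a rogue Offer, and a starvation burst."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/1"})   # Gi1/0/1 faces the real DHCP server
    frames = [
        DhcpFrame("Gi1/0/5", "00:11:22:33:44:55", "DISCOVER"),                 # normal client
        DhcpFrame("Gi1/0/1", "00:aa:bb:cc:dd:01", "OFFER"),                    # real server
        DhcpFrame("Gi1/0/1", "00:aa:bb:cc:dd:01", "ACK",
                  "00:11:22:33:44:55", "192.0.2.50"),                          # lease granted
        DhcpFrame("Gi1/0/7", "00:de:ad:be:ef:01", "OFFER"),                    # rogue server
    ] + [
        DhcpFrame("Gi1/0/9", f"02:00:00:00:00:{i:02x}", "DISCOVER")            # starvation burst
        for i in range(1, 6)
    ]
    verdicts = [sw.process(f) for f in frames]
    return verdicts, sw.bindings, sw.log


if __name__ == "__main__":
    verdicts, bindings, log = run_demo()
    for v in verdicts:
        print(v)
    print("bindings:", bindings)
    print("\n".join(log))
```

The binding table the switch builds is not just bookkeeping: on real hardware it feeds Dynamic ARP Inspection and IP Source Guard, which is why DHCP snooping is usually the first of several Layer 2 controls enabled together.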

For DNS, beyond implementing DNSSEC, you should harden your resolvers and disable open recursion to prevent your servers from being used in amplification attacks. We always tell our students that theory is great, but applying these concepts to practice questions is where the real learning happens. That's why we provide 1,000 expert-curated ISC2 CISSP practice questions at Cert Sensei, complete with detailed reasoning and domain-level analytics to show you exactly where your network security knowledge is lacking.

How should you approach these questions on the CISSP exam?

When you see a question about DNS or DHCP, stop thinking like a technician and start thinking like a Risk Manager. The exam won't just ask you 'what is a rogue DHCP server?'; it will ask you which control best mitigates the risk of unauthorized IP assignment in a high-security environment.

Always look for the answer that addresses the root cause. If the problem is a lack of trust in the protocol, the answer will likely involve a cryptographic solution (like DNSSEC) or a hardware-level restriction (like DHCP snooping). Use our performance analytics to track your accuracy in Domain 4; if you're consistently missing these, go back to the 'detailed reasoning' sections in our practice exams to understand the logic behind the correct answer.

❓ Frequently Asked Questions

Does DNSSEC encrypt DNS queries to prevent eavesdropping?

No. DNSSEC provides data integrity and origin authentication through digital signatures, but the queries and responses are still sent in plaintext. To achieve confidentiality and prevent eavesdropping, you must use DNS over HTTPS (DoH) or DNS over TLS (DoT).


Can DHCP snooping prevent a DHCP starvation attack?

Yes, effectively. DHCP snooping can be combined with port security to limit the number of MAC addresses allowed on a single access port. This prevents an attacker from spoofing thousands of MACs to exhaust the IP pool.


Why is a rogue DHCP server more dangerous than a starvation attack?

A starvation attack is a DoS—it stops connectivity. A rogue DHCP server is a MitM attack—it maintains connectivity but intercepts all traffic. The latter allows for data theft and credential harvesting, making it a much higher risk to confidentiality.
