
Elvin Seyidov


Networking for Cybersecurity (Part 2): DNS, Routing & How the Internet Works

1. Introduction: Why DNS & Routing Matter in Cybersecurity

DNS and routing are the core of how the internet works. If OSI/TCP-IP explains the structure, DNS and routing explain how devices actually find each other and how data moves from point A to point B. For cybersecurity, this is critical because attackers often target these systems directly - not your app.

DNS decides where you go: the destination.
Routing decides how you get there: the path.
Attackers abuse both.

If either of these is manipulated, attackers can:

  • Redirect you to fake websites
  • Intercept or reroute traffic
  • Bypass normal security paths
  • Hide malware communication
  • Take parts of the internet offline

Understanding DNS and routing helps you see how traffic flows, where attacks can happen, and how to defend against them. These are not just networking concepts; they are core security concepts, because nearly every major cyberattack interacts with DNS, routing, or both.

A cybersecurity engineer who understands DNS + routing can:

  • Detect DNS poisoning
  • Recognize BGP hijacks
  • Understand how malware hides traffic
  • Debug why traffic is failing
  • Secure internal networks
  • Spot suspicious redirections instantly

2. What DNS Really Does (Full Breakdown)

DNS has three main jobs.

  1. It translates names to IP addresses.
  2. It stores extra information about domains.
  3. It routes your request through a chain of DNS servers until the final answer is found.

DNS is not only a phonebook. It also handles email routing, load balancing, content delivery, subdomain management, and security settings. Many problems on the internet happen because DNS is slow, misconfigured, or poisoned by attackers.

From a security perspective, DNS is a critical point in the communication chain. If an attacker controls DNS, they control where users go. That means they can redirect users to fake sites, hide malware traffic inside DNS queries, or send victims to malicious servers without them noticing.

DNS looks simple on the surface but has many layers and moving parts. Understanding it gives you a huge advantage in detecting and preventing network attacks.


3. DNS Records and Their Security Implications

DNS records are small pieces of information stored in DNS that tell the internet how a domain should behave. Each record type has a specific purpose, and each one can create security risks if not configured correctly.

A Record
Maps a domain name (example.com) to an IPv4 address.
Security note: If an attacker changes this record, users get redirected to a malicious IP.

AAAA Record
Same as an A record, but for IPv6 addresses.
Security note: Same risk as an A record, but harder to monitor because IPv6 traffic is less visible.

CNAME
Makes one domain point to another domain.
Security note: If the target domain is compromised, all CNAME-linked domains are also affected.

MX Record
Defines which mail servers handle email for the domain.
Security note: Misconfigured MX records lead to email spoofing and interception.

TXT Record
Stores text. Used for SPF, DKIM, DMARC and verification.
Security note: Incorrect SPF or DMARC settings make email spoofing much easier.

NS Record
Specifies which DNS servers are authoritative for the domain.
Security note: If an attacker changes the NS record, they control the entire domain’s DNS.

SOA Record
Contains administrative info about the domain’s zone.
Security note: Weak SOA settings can make DNS updates less reliable or easier to abuse.

PTR Record
Reverse DNS lookup: maps an IP address back to a domain name.
Security note: Often used in email security. A missing PTR record makes mail from that IP more likely to be flagged as spam.

SRV Record
Used to specify services like SIP, VoIP, or AD domain controllers.
Security note: Wrong SRV records expose internal infrastructure details.

CAA Record
Specifies which certificate authorities are allowed to issue SSL certificates for your domain.
Security note: Protects against unauthorized HTTPS certificates being issued.
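
As an added example (not code from the original post), the audit below walks a constructed example.com zone and reports the record-level weaknesses the notes above describe: a permissive SPF, a monitor-only DMARC, a missing CAA, a single NS, and CNAMEs that hand trust to a zone outside your control. Every name and value is fabricated, and the checks are illustrative rather than a complete DNS hygiene audit.

```python
# Added example (not the post's own code): audit a constructed example.com zone
# for the record-level weaknesses the notes above describe. All values are
# fabricated; the checks are illustrative, not a complete DNS hygiene audit.
from typing import List, Tuple

Record = Tuple[str, str, str]  # (owner name, record type, value)

ZONE: List[Record] = [
    ("example.com.", "A", "203.0.113.10"),
    ("example.com.", "MX", "10 mail.example.com."),
    ("example.com.", "TXT", "v=spf1 include:_spf.example.net +all"),
    ("example.com.", "NS", "ns1.example.com."),
    ("_dmarc.example.com.", "TXT", "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
    ("www.example.com.", "CNAME", "example.com."),
    ("cdn.example.com.", "CNAME", "edge.cdn-provider.example.net."),
]

def lookup(zone: List[Record], name: str, rtype: str) -> List[str]:
    """All values of one record type at one owner name."""
    return [v for n, t, v in zone if n == name and t == rtype]

def audit_zone(zone: List[Record], apex: str) -> List[str]:
    """Short finding codes, in a fixed order, for the weaknesses described above."""
    findings = []
    spf = [v for v in lookup(zone, apex, "TXT") if v.startswith("v=spf1")]
    if not spf:
        findings.append("SPF_MISSING")        # any host may send mail as this domain
    elif len(spf) > 1:
        findings.append("SPF_MULTIPLE")       # receivers treat two SPF records as an error
    elif spf[0].split()[-1] == "+all":
        findings.append("SPF_PASS_ALL")       # every sender passes: spoofing is trivial
    dmarc = [v for v in lookup(zone, "_dmarc." + apex, "TXT") if v.startswith("v=DMARC1")]
    if not dmarc:
        findings.append("DMARC_MISSING")
    elif "p=none" in dmarc[0].replace(" ", ""):
        findings.append("DMARC_MONITOR_ONLY") # spoofed mail is reported, not rejected
    if not lookup(zone, apex, "CAA"):
        findings.append("CAA_MISSING")        # any CA may issue certificates for the name
    if len(lookup(zone, apex, "NS")) < 2:
        findings.append("NS_SINGLE")          # one nameserver: one outage or takeover
    owners = {n for n, _, _ in zone}
    for name, rtype, target in zone:
        if rtype == "CNAME" and target not in owners:
            findings.append("CNAME_EXTERNAL:" + name)  # inherits the target's risk
    return findings

if __name__ == "__main__":
    for finding in audit_zone(ZONE, "example.com."):
        print(finding)
```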


4. DNS Resolution: Step-by-Step Process

When you type a domain into your browser, your device must go through several steps to find the correct IP address. This sequence is called DNS resolution. It looks simple on the surface, but there are multiple layers and servers involved.

Here is the full process in plain language.

Step 1: Your device checks its own cache.
If the answer was recently resolved, it is stored locally. No external request is made.

Step 2: Your device asks the DNS resolver (usually your ISP or a public resolver like 8.8.8.8).
The resolver is responsible for doing the full lookup on your behalf.

Step 3: The resolver checks its cache.
If found, it returns the IP immediately.

Step 4: If not found, the resolver contacts a root DNS server.
Root servers tell it which top-level domain server to ask next (for .com, .net, etc.).

Step 5: The resolver contacts the TLD server.
The TLD server tells it which authoritative DNS server is responsible for the domain.

Step 6: The resolver contacts the authoritative DNS server.
This server holds the real DNS records for the domain. It returns the final answer (A, AAAA, or CNAME record).

Step 7: The resolver sends the answer back to your device.
Your device stores it in local cache for a short time.

Step 8: Your browser now knows the correct IP and begins the connection using TCP or UDP.

From a cybersecurity perspective, every step is a potential attack surface. DNS poisoning, man-in-the-middle, spoofing, cache manipulation, and forged responses can all occur in this chain if protections like DNSSEC are not used.
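
To make the chain concrete, here is an added toy model (not code from the original post) of steps 1 to 7: a device cache, a resolver cache, and a constructed root / TLD / authoritative hierarchy, returning a trace of which servers were actually contacted. The server names and the address are fabricated; the point is to see that a second device behind the same resolver is answered from the resolver's cache, and that whatever sits in that cache, genuine or poisoned, is served until its TTL runs out.

```python
# Added example (not the post's own code): a toy model of the chain above with
# a device (stub) cache, a resolver cache and a constructed root/TLD/authoritative
# hierarchy. Server names and the address are fabricated.
from typing import Dict, List, Optional, Tuple

Answer = Tuple[str, str, int]  # (record type, value, TTL in seconds)

# Constructed hierarchy: each level knows only the next delegation or the answer.
ROOT_HINTS = {"com.": "tld.example."}
TLD_SERVERS = {"tld.example.": {"example.com.": "ns1.example.com."}}
AUTH_SERVERS = {"ns1.example.com.": {"www.example.com.": ("A", "203.0.113.10", 300)}}

class Cache:
    """TTL-bounded cache kept by both the device and the resolver. A poisoned
    answer planted here is served until its TTL runs out (see section 5)."""
    def __init__(self) -> None:
        self.entries: Dict[str, Tuple[Answer, float]] = {}  # name -> (answer, expiry)
    def get(self, name: str, now: float) -> Optional[Answer]:
        hit = self.entries.get(name)
        return hit[0] if hit and hit[1] > now else None
    def put(self, name: str, ans: Answer, now: float) -> None:
        self.entries[name] = (ans, now + ans[2])

def resolver_lookup(name: str, cache: Cache, now: float, trace: List[str]) -> Answer:
    """Steps 3-6: resolver cache, otherwise root -> TLD -> authoritative."""
    cached = cache.get(name, now)
    if cached:
        trace.append("resolver-cache")
        return cached
    labels = name.split(".")                      # "www.example.com." -> [..., "com", ""]
    tld_server = ROOT_HINTS[labels[-2] + "."]     # root: who serves "com."?
    trace.append("root")
    auth = TLD_SERVERS[tld_server][".".join(labels[-3:])]  # TLD: who serves "example.com."?
    trace.append("tld:" + tld_server)
    ans = AUTH_SERVERS[auth][name]                # authoritative: the real record
    trace.append("auth:" + auth)
    cache.put(name, ans, now)
    return ans

def device_lookup(name: str, stub: Cache, resolver: Cache, now: float) -> Tuple[Answer, List[str]]:
    """Steps 1, 2 and 7: device cache, else ask the resolver and cache its answer."""
    trace: List[str] = []
    cached = stub.get(name, now)
    if cached:
        return cached, ["device-cache"]
    ans = resolver_lookup(name, resolver, now, trace)
    stub.put(name, ans, now)
    return ans, trace
```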


5. DNS Attacks and Security Weaknesses

DNS was designed for speed and simplicity, not security. Because of this, attackers often target DNS to redirect users, steal data, or hide malicious traffic. Understanding these weaknesses is essential for cybersecurity work.

Most common DNS attacks:

DNS Cache Poisoning
The attacker injects a fake DNS response into a resolver’s cache. This causes users to be redirected to a malicious site until the cache expires.

DNS Spoofing
The attacker forges a DNS reply faster than the real server. Your device receives a fake IP and connects to the wrong server.

DNS Hijacking
The attacker gains control of DNS records, nameservers, or the domain registrar. This gives full control over the domain’s traffic.

Rogue DNS Servers
The attacker tricks users into using a fake DNS resolver (through Wi-Fi, malware, or router hacks). All DNS queries are intercepted and modified.

DNS Tunneling
Attackers hide data inside DNS queries to bypass firewalls and exfiltrate information. Often used by malware or covert channels.

Domain Shadowing
Attackers compromise a real domain’s DNS account and quietly create hidden subdomains for phishing or malware.

NXDOMAIN Attacks
Attackers flood DNS servers with queries for non-existent domains. This slows or crashes the DNS infrastructure.

DNS Amplification (DDoS)
Attackers use DNS servers to create massive traffic and overwhelm a victim. A small DNS request turns into a very large response, magnifying the attack.
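
From the defender's side, two of the attacks above leave recognisable shapes in resolver logs. The added example below (not code from the original post) runs over constructed log lines and flags the tunneling pattern (many distinct, long, high-entropy leftmost labels under one parent zone) and an NXDOMAIN flood (one client producing many non-existent-domain answers). Clients, names, log format and thresholds are all fabricated for illustration.

```python
# Added example (not the post's own code): two simple detections run over
# constructed resolver log lines, for the tunneling and NXDOMAIN-flood
# weaknesses described above. Clients, names and thresholds are fabricated.
import math
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed log, one query per line: "<client> <qname> <qtype> <rcode>".
LOG = """\
10.0.0.5 www.example.com A NOERROR
10.0.0.9 3q7x9vk2mz4rt8wq1lp0hd6ys5ab.t.evil-example.net TXT NOERROR
10.0.0.9 9zd4kq8xw2rn6vb1mt7pl3hs0ycj.t.evil-example.net TXT NOERROR
10.0.0.9 k2mw7qx4vz9rt1pl8nd3hs6yb0ca.t.evil-example.net TXT NOERROR
10.0.0.7 a1.example.org A NXDOMAIN
10.0.0.7 a2.example.org A NXDOMAIN
10.0.0.7 a3.example.org A NXDOMAIN
10.0.0.7 a4.example.org A NXDOMAIN
10.0.0.7 a5.example.org A NXDOMAIN
"""

def entropy(s: str) -> float:
    """Shannon entropy in bits per character; encoded payloads score high."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def parse(log: str) -> List[Dict[str, str]]:
    rows = []
    for line in log.splitlines():
        client, qname, _qtype, rcode = line.split()
        rows.append({"client": client, "qname": qname.lower(), "rcode": rcode})
    return rows

def detect_tunneling(rows: List[Dict[str, str]], min_label: int = 24,
                     min_entropy: float = 3.5, min_unique: int = 3) -> List[str]:
    """Parent zones that receive many distinct long, high-entropy leftmost labels."""
    seen = defaultdict(set)                    # parent zone -> suspicious labels
    for r in rows:
        labels = r["qname"].split(".")
        if len(labels) < 4:
            continue
        first, parent = labels[0], ".".join(labels[-3:])
        if len(first) >= min_label and entropy(first) >= min_entropy:
            seen[parent].add(first)
    return sorted(p for p, s in seen.items() if len(s) >= min_unique)

def detect_nxdomain_flood(rows: List[Dict[str, str]], threshold: int = 5) -> List[str]:
    """Clients whose NXDOMAIN count reaches the threshold within this log window."""
    counts = Counter(r["client"] for r in rows if r["rcode"] == "NXDOMAIN")
    return sorted(c for c, n in counts.items() if n >= threshold)
```

Real deployments tune the thresholds per zone and per time window; legitimate CDNs and anti-spam lookups also generate long labels, so these flags are starting points for investigation, not verdicts.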


6. How Routing Works on the Internet

Routing is the process of moving data from one network to another until it reaches the correct destination. Every device connected to the internet uses routers to decide the best path for each packet.

Your device does not send data directly to the final server. It sends data to your router, and that router forwards it to another router, and so on, until the packet reaches the destination network.

Routers build and maintain routing tables to decide these paths. These tables contain networks, next hops, and metrics to determine the most efficient route. As the packet travels, each router examines the destination IP and chooses the next hop.

Routing works at Layer 3 (the Network layer). This is where IP addresses and network prefixes matter. No matter how complex the internet is, routing always follows this pattern: look at the destination IP, match it to the best route, forward the packet.


7. IP Addressing, Subnets & CIDR (Security View)

IP addressing, subnetting and CIDR decide how networks are divided, who can talk to whom, and where traffic is allowed to go. From a cybersecurity perspective, these concepts are not just networking basics. They directly affect attack surface, network isolation, access control and traffic visibility.

IP Addressing
Every device gets an IP address so it can send and receive data.
If an attacker knows the IP range of a network, they know what to scan and target. Public IPs are visible on the internet; private IPs stay inside internal networks.

Subnets
A subnet divides a large network into smaller segments.
This is one of the most powerful security tools. Subnets isolate systems so attackers cannot move freely inside the network. A flat network means one compromise can spread everywhere.

CIDR
CIDR notation (for example, 192.168.1.0/24) defines how many IPs a network contains. Smaller CIDR ranges limit exposure. Larger ranges expose more hosts. Good CIDR planning reduces unnecessary access between systems and makes intrusion detection easier.

Security importance

  • Subnet boundaries limit lateral movement.
  • Sensitive systems should live in restricted subnets.
  • Firewalls use CIDR blocks to permit or deny access.
  • Attackers scan entire subnets to find weak devices.
  • Wrong subnetting exposes internal services to outsiders.
  • Poor segmentation allows ransomware to spread quickly.

IP ranges tell you what exists. Subnets separate what should be isolated. CIDR defines how large or small each segment is.


8. How Routers Forward Packets (Routing Tables & Decisions)

A router does not understand websites or applications. It only cares about the destination IP address. When a packet arrives, the router looks at the IP, finds the closest matching network in its routing table, and forwards the packet to the next hop.

Routing tables contain entries such as: network prefix, next-hop router, interface to use, and a metric that tells which path is better. Routes can be learned dynamically from other routers or configured manually.

Routers never modify the actual content of the packet. They only adjust the Layer 2 headers as the packet moves across different networks. This enables the packet to hop from one network to another until it reaches its destination.
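
The two ideas from sections 7 and 8 meet in code: a routing table is a list of CIDR prefixes, and the forwarding decision is a longest-prefix match with the metric as tiebreaker. The added example below (not code from the original post) implements that lookup with Python's standard ipaddress module and adds a second check, in the same CIDR terms, for firewall allow-rules whose block is broader than the restricted subnet it quietly covers. All prefixes, next hops and interface names are constructed.

```python
# Added example (not the post's own code): a routing table with longest-prefix
# match, plus a check for over-broad firewall CIDR rules, using Python's
# ipaddress module. All prefixes and next hops are constructed.
import ipaddress
from typing import List, NamedTuple, Optional

class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str
    metric: int          # lower is preferred when prefixes tie

# Constructed table: default route, site aggregate, and a restricted /24 for
# sensitive systems, reachable through two interfaces with different metrics.
TABLE: List[Route] = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "198.51.100.1", "wan0", 10),
    Route(ipaddress.ip_network("10.0.0.0/16"), "10.0.0.1", "lan0", 1),
    Route(ipaddress.ip_network("10.0.50.0/24"), "10.0.50.1", "sec0", 1),
    Route(ipaddress.ip_network("10.0.50.0/24"), "10.0.50.2", "sec1", 5),
]

def forward(table: List[Route], dst: str) -> Optional[Route]:
    """The forwarding decision: most specific matching prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None                      # no route, not even a default: packet is dropped
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))

def overbroad_rules(allow_rules: List[str], sensitive: str) -> List[str]:
    """Allow rules whose CIDR block covers the sensitive subnet without naming it:
    a broad range that quietly permits access to restricted hosts."""
    sens = ipaddress.ip_network(sensitive)
    hits = []
    for rule in allow_rules:
        net = ipaddress.ip_network(rule)
        if net != sens and sens.subnet_of(net):
            hits.append(rule)
    return hits
```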


9. BGP: The Protocol That Runs the Internet

BGP (Border Gateway Protocol) is the system that decides how traffic moves between different networks across the entire internet. Every internet service provider, cloud provider, and large organization uses BGP to announce which IP ranges they own and how to reach them.

BGP is basically the "global routing protocol." Routers inside a single company use internal routing, but once traffic goes outside your network, BGP tells the internet where to send it next. It connects thousands of independent networks into one global internet.

BGP works through announcements. A network tells the world: “These IP ranges belong to me. Send traffic here through this path.” Other networks learn these routes and build a massive worldwide routing map.

The problem is that BGP trusts everyone by default. There is no authentication built into the original design. If a network announces routes it does not own, others may accept it. This causes major issues.

Incorrect or malicious BGP announcements can:

  • Redirect traffic to the wrong place.
  • Cause outages by blackholing routes.
  • Enable large-scale man-in-the-middle attacks.
  • Make parts of the internet disappear temporarily.
  • Slow down or break routing paths.

10. Routing Attacks and Traffic Hijacking

Routing attacks target the systems that move data across networks. If an attacker can influence routing, they can intercept traffic, reroute it, or make parts of the network unreachable. These attacks do not target applications or servers directly. They target the path that packets take.

BGP Hijacking
A network announces IP ranges it does not own. Other networks accept this announcement and start sending traffic to the wrong place. The attacker can intercept, drop, or inspect the traffic. This is one of the most dangerous routing attacks on the internet.

BGP Route Leaks
A network accidentally announces internal routes to the public internet. This causes traffic to take inefficient or completely broken paths. It can disrupt global routing even if it is not intentional.

Man-in-the-Middle via Routing
If an attacker controls a router or influences routing tables, they can quietly pass traffic through their network. The user sees nothing suspicious, but all packets flow through the attacker.

Blackholing Traffic
A malicious or misconfigured route sends traffic into a place where it gets dropped. This makes a service or region unreachable.

ICMP Redirect Attacks
Routers use ICMP to suggest better paths. Attackers send fake ICMP redirects to trick devices into sending traffic to them instead of the real router.

Route Manipulation Inside Local Networks
Incorrect static routes or compromised routers inside a company network can redirect internal traffic to rogue devices.
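
The defensive counterpart to the BGP hijack described above is route origin validation: an operator checks each announcement against signed records saying which AS may originate which prefix and down to what length. The added example below (not code from the original post) models that check over constructed ROA-style records and announcements, distinguishing a wrong-origin hijack from a more-specific announcement that exceeds the allowed length. ASNs are from the private range and prefixes are documentation ranges, all fabricated for illustration.

```python
# Added example (not the post's own code): route origin validation of
# constructed BGP announcements against constructed ROA-style records
# (prefix, max length, authorised origin AS), the RPKI check operators use
# against the hijack and more-specific cases described above. The ASNs are
# from the private range and the prefixes are documentation ranges.
import ipaddress
from typing import List, NamedTuple, Tuple

class Roa(NamedTuple):
    prefix: str
    max_len: int        # longest prefix the origin may announce under this ROA
    origin_as: int

class Announcement(NamedTuple):
    prefix: str
    as_path: List[int]  # rightmost ASN is the origin

# Constructed ROAs: AS64500 holds 203.0.113.0/24 exactly; AS64501 may split
# 198.51.100.0/22 down to /24s.
ROAS = [Roa("203.0.113.0/24", 24, 64500), Roa("198.51.100.0/22", 24, 64501)]

def validate(ann: Announcement, roas: List[Roa]) -> Tuple[str, str]:
    """RFC 6811-style result ('valid', 'invalid', 'not-found') with a reason."""
    net = ipaddress.ip_network(ann.prefix)
    origin = ann.as_path[-1]
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "not-found", "no ROA covers this prefix"   # unsigned space: cannot judge
    if any(r.origin_as == origin and net.prefixlen <= r.max_len for r in covering):
        return "valid", ""
    if any(r.origin_as == origin for r in covering):
        return "invalid", "more specific than the ROA's max length allows"
    return "invalid", f"AS{origin} is not an authorised origin for {ann.prefix}"

def invalid_routes(anns: List[Announcement], roas: List[Roa]) -> List[Tuple[str, int, str]]:
    """Announcements a ROV-enforcing router would reject, with origin and reason."""
    out = []
    for a in anns:
        state, reason = validate(a, roas)
        if state == "invalid":
            out.append((a.prefix, a.as_path[-1], reason))
    return out
```

The max-length check matters because of section 8's rule: a /25 announced under a /24 wins longest-prefix match on every router that accepts it, so without ROV the more specific hijack silently takes the traffic.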


11. Putting It Together: How Data Travels Across the Internet

Here is the full journey in simple terms.

Your browser wants to reach a domain.
It asks DNS to translate the name into an IP address.
DNS resolvers contact root, TLD and authoritative servers to get the correct IP.
Your device caches the answer and begins sending packets toward that IP.

Your packet goes to your router.
Your router checks its routing table and sends the packet to the next hop.
Each router along the way does the same: look at the IP, choose a path, forward it.

Inside your local network, switching happens at Layer 2.
Once the packet leaves your network, Layer 3 routing takes over.
Across the internet, BGP decides which networks your packet must pass through.

Eventually the packet reaches the destination server’s network.
Local routers deliver it to the correct server.
The server processes the request and sends a response back through the same chain.

Every step in this journey is an attack surface.

  • DNS can be poisoned.
  • Routers can be misconfigured or hijacked.
  • BGP can redirect traffic.
  • Local networks can be spoofed.
  • Firewalls can block or allow incorrectly.

12. Summary and What Comes Next (Part 3 Preview)

In this part, you learned how the internet actually works beneath the surface: how DNS resolves names into IP addresses, how **routing** directs packets across networks, how **BGP** keeps the global internet connected, and how attackers can abuse these systems through poisoning, hijacking, and manipulation. Understanding DNS and routing is essential for every cybersecurity professional because attacks often begin by targeting these foundational layers.

In Part 3, we move from “how traffic travels” to how traffic is secured, filtered, and controlled. We’ll explore firewalls, VPNs, proxies, tunneling, split tunneling, and modern Zero Trust Network Access. These topics form the defensive perimeter of nearly every organization and are crucial for understanding secure access and network hardening.

Next: Networking for Cybersecurity (Part 3): Firewalls, VPNs & Proxies
