Overview attacks on DNS¶

Attack tree (DNS)¶

This attack tree outlines the methodologies for compromising DNS integrity, from classic cache poisoning and sophisticated DDoS amplification to AI-augmented phishing automation and the looming threat of cryptographic harvesting in the post-quantum era.

1. Exploit Protocol Weaknesses [OR]

    1.1 Cache Poisoning [AND]
    
        1.1.1 Exploit weak TXID entropy in DoH/DoT/DoQ resolvers [OR]
            1.1.1.1 Birthday attack on 16-bit TXID space
            1.1.1.2 Timing attacks on resolver response handling
            1.1.1.3 Fragment-based poisoning attacks
            
        1.1.2 Side-channel attacks on encrypted DNS [OR]
            1.1.2.1 TLS padding oracle attacks on DoT
            1.1.2.2 QUIC protocol timing analysis on DoQ
            1.1.2.3 HTTP/2 stream correlation attacks on DoH
            
        1.1.3 DNSSEC Exploitation [OR]
            1.1.3.1 NSEC/NSEC3 walking for zone enumeration
            1.1.3.2 RRSIG timing attacks for key recovery
            1.1.3.3 Algorithm downgrade attacks (ECDSA to RSA)
            
        Prerequisite: AND (Attacker can intercept traffic AND resolver lacks full DNSSEC validation)

    1.2 DDoS Amplification [OR]
    
        1.2.1 Abuse misconfigured encrypted DNS resolvers [OR]
            1.2.1.1 DoQ reflection with large TXT records
            1.2.1.2 DoH POST request amplification
            1.2.1.3 DoT session resumption attacks
            
        1.2.2 DNSSEC-based amplification [OR]
            1.2.2.1 NSEC3 response amplification
            1.2.2.2 Large RRSIG reflection attacks
            1.2.2.3 DNAME chain exploitation
            
        Prerequisite: AND (Open resolver available AND vulnerable payload size > 1000 bytes)

    1.3 Protocol-Specific Vulnerabilities [OR]
    
        1.3.1 QUIC Protocol Exploitation (DoQ) [OR]
            1.3.1.1 Connection migration hijacking
            1.3.1.2 Stream priority manipulation
            1.3.1.3 QUIC spin bit side-channel
            
        1.3.2 HTTP/2 Exploitation (DoH) [OR]
            1.3.2.1 HPACK header compression attacks
            1.3.2.2 Server push cache poisoning
            1.3.2.3 Stream dependency manipulation
            
        1.3.3 TLS Session Attacks (DoT) [OR]
            1.3.3.1 Session ticket stealing
            1.3.3.2 Pre-shared key exhaustion
            1.3.3.3 Certificate transparency log poisoning

2. Attack Encrypted DNS [OR]

    2.1 Privacy Leaks [OR]
    
        2.1.1 Metadata Correlation [AND]
            2.1.1.1 IP + timestamp correlation across multiple resolvers
            2.1.1.2 Query size and timing analysis
            2.1.1.3 Server name indication (SNI) monitoring
            
        2.1.2 ML-based fingerprinting [OR]
            2.1.2.1 Neural network traffic analysis
            2.1.2.2 Query pattern recognition
            2.1.2.3 Encrypted traffic classification
            
        2.1.3 Protocol Identification [OR]
            2.1.3.1 DoH/DoT/DoQ protocol fingerprinting
            2.1.3.2 Application-level protocol detection
            2.1.3.3 Middlebox cooperation for traffic analysis

    2.2 Downgrade Attacks [AND]
    
        2.2.1 Force fallback to plaintext DNS [OR]
            2.2.1.1 TCP RST injection on port 853 (DoT)
            2.2.1.2 HTTP/2 GOAWAY frame injection (DoH)
            2.2.1.3 QUIC connection close spoofing (DoQ)
            
        2.2.2 Encryption Bypass [OR]
            2.2.2.1 Disable ECH (Encrypted Client Hello) in DoH
            2.2.2.2 TLS version downgrade attacks
            2.2.2.3 QUIC version negotiation manipulation
            
        2.2.3 Middlebox Interference [OR]
            2.2.3.1 ISP-level protocol blocking
            2.2.3.2 Enterprise firewall policy enforcement
            2.2.3.3 Government-mandated protocol filtering

    2.3 Certificate Attacks [OR]
    
        2.3.1 CA Compromise [OR]
            2.3.1.1 Rogue certificate issuance
            2.3.1.2 Intermediate CA exploitation
            2.3.1.3 Certificate transparency log poisoning
            
        2.3.2 Client Validation Bypass [OR]
            2.3.2.1 Self-signed certificate acceptance
            2.3.2.2 Certificate pinning bypass
            2.3.2.3 Trust store manipulation

3. Cloud/SaaS Exploits [OR]

    3.1 Kubernetes DNS Compromise [AND]
    
        3.1.1 CoreDNS/Etdncache Poisoning [OR]
            3.1.1.1 API server compromise
            3.1.1.2 ConfigMap manipulation
            3.1.1.3 Plugin vulnerability exploitation
            
        3.1.2 NetworkPolicy Bypass [OR]
            3.1.2.1 Privileged pod escape
            3.1.2.2 Node-level network access
            3.1.2.3 Cross-namespace traffic interception
            
        3.1.3 Service Mesh Exploitation [OR]
            3.1.3.1 Istio/Linkerd DNS redirection
            3.1.3.2 mTLS certificate theft
            3.1.3.3 Sidecar proxy manipulation

    3.2 Serverless Abuse [OR]
    
        3.2.1 DNS Tunneling [OR]
            3.2.1.1 Lambda TXT record exfiltration
            3.2.1.2 Cloud Functions DNS over HTTPS
            3.2.1.3 Azure Functions private resolver abuse
            
        3.2.2 Resource Exhaustion [OR]
            3.2.2.1 DNS query burst attacks
            3.2.2.2 Recursion depth exploitation
            3.2.2.3 Cache saturation attacks
            
        3.2.3 Cloud Integration Attacks [OR]
            3.2.3.1 AWS Route 53 resolver hijacking
            3.2.3.2 Google Cloud DNS API abuse
            3.2.3.3 Azure Private DNS zone poisoning

    3.3 Container Registry Attacks [OR]
    
        3.3.1 Image Pull Manipulation [OR]
            3.3.1.1 DNS spoofing for registry redirection
            3.3.1.2 MITM attacks on image downloads
            3.3.1.3 Cache poisoning for malicious images
            
        3.3.2 Supply Chain Compromise [OR]
            3.3.2.1 Malicious library injection via DNS
            3.3.2.2 Dependency confusion attacks
            3.3.2.3 Package manager DNS hijacking

4. Supply Chain Attacks [OR]

    4.1 Registrar Hijacking [AND]
    
        4.1.1 API Key Compromise [OR]
            4.1.1.1 Cloudflare token theft
            4.1.1.2 AWS Route 53 key leakage
            4.1.1.3 Google Domains API abuse
            
        4.1.2 Social Engineering [OR]
            4.1.2.1 Registrar support impersonation
            4.1.2.2 Post-GDPR WHOIS information gaps
            4.1.2.3 Phone number porting attacks
            
        4.1.3 Registry System Attacks [OR]
            4.1.3.1 EPP protocol exploitation
            4.1.3.2 Registry lock bypass
            4.1.3.3 Transfer process manipulation

    4.2 Subdomain Takeover [AND]
    
        4.2.1 Dangling Resource Identification [OR]
            4.2.1.1 CNAME mapping to unused cloud resources
            4.2.1.2 NS record pointing to decommissioned servers
            4.2.1.3 MX record targeting disabled services
            
        4.2.2 Malicious Content Deployment [OR]
            4.2.2.1 GitHub Pages site cloning
            4.2.2.2 S3 bucket takeover
            4.2.2.3 Azure Blob Storage hijacking
            
        4.2.3 Persistence Mechanisms [OR]
            4.2.3.1 SSL certificate procurement
            4.2.3.2 DNS record obfuscation
            4.2.3.3 Monitoring evasion techniques

    4.3 CDN Compromise [OR]
    
        4.3.1 DNS-Based CDN Manipulation [OR]
            4.3.1.1 Edge server cache poisoning
            4.3.1.2 Origin DNS spoofing
            4.3.1.3 GeoDNS manipulation
            
        4.3.2 Certificate Manipulation [OR]
            4.3.2.1 SAN certificate abuse
            4.3.2.2 CDN SSL termination bypass
            4.3.2.3 Multi-CDN configuration conflicts

5. AI/ML-Augmented Attacks [OR]

    5.1 Evasion Techniques [AND]
    
        5.1.1 Reputation System Poisoning [OR]
            5.1.1.1 DNS query pattern manipulation
            5.1.1.2 Behavioral model contamination
            5.1.1.3 Feedback loop exploitation
            
        5.1.2 Query Obfuscation [OR]
            5.1.2.1 GAN-generated benign-looking queries
            5.1.2.2 CDN traffic mimicry
            5.1.2.3 Legitimate domain spoofing
            
        5.1.3 Adaptive Attacks [OR]
            5.1.3.1 Reinforcement learning for evasion
            5.1.3.2 Genetic algorithm optimization
            5.1.3.3 Transfer learning across networks

    5.2 Phishing Automation [AND]
    
        5.2.1 Domain Generation [OR]
            5.2.1.1 LLM-generated homograph domains
            5.2.1.2 Context-aware typosquatting
            5.2.1.3 Cultural adaptation algorithms
            
        5.2.2 Infrastructure Management [OR]
            5.2.2.1 Dynamic DNS fast-flux networks
            5.2.2.2 Automated certificate procurement
            5.2.2.3 Multi-CDN abuse for resilience
            
        5.2.3 Target Identification [OR]
            5.2.3.1 NLP-based brand monitoring
            5.2.3.2 Social media sentiment analysis
            5.2.3.3 Employee behavior prediction

6. Post-Quantum Threats [OR]

    6.1 Cryptographic Harvesting [AND]
    
        6.1.1 DNSSEC Record Collection [OR]
            6.1.1.1 ECDSA-P256 signature harvesting
            6.1.1.2 RSA-2048 key storage
            6.1.1.3 NSEC3 chain enumeration
            
        6.1.2 Quantum Decryption Preparation [OR]
            6.1.2.1 Long-term encrypted data storage
            6.1.2.2 Future decryption capability planning
            6.1.2.3 Harvest-then-decrypt campaigns
            
        6.1.3 Transition Period Exploitation [OR]
            6.1.3.1 Algorithm confusion attacks
            6.1.3.2 Hybrid scheme weaknesses
            6.1.3.3 Backward compatibility exploitation

    6.2 Quantum Key Distribution Attacks [OR]
    
        6.2.1 QKD Protocol Exploitation [OR]
            6.2.1.1 Photon-splitting attacks
            6.2.1.2 Fake state attacks
            6.2.1.3 Trojans in QKD hardware
            
        6.2.2 Implementation Vulnerabilities [OR]
            6.2.2.1 Side-channel attacks on QKD systems
            6.2.2.2 Laser intensity manipulation
            6.2.2.3 Detector blinding attacks
            
        6.2.3 Integration Attacks [OR]
            6.2.3.1 Classical-quantum interface exploitation
            6.2.3.2 Key management system compromise
            6.2.3.3 Quantum network routing attacks

7. Data Exfiltration Techniques [OR]

    7.1 DNS Tunneling [AND]
    
        7.1.1 Protocol Selection [OR]
            7.1.1.1 Traditional DNS (TXT, NULL records)
            7.1.1.2 DoH/DoT/DoQ encrypted tunneling
            7.1.1.3 ICMP-based DNS manipulation
            
        7.1.2 Evasion Methods [OR]
            7.1.2.1 Query rate limiting bypass
            7.1.2.2 Legitimate traffic blending
            7.1.2.3 Multiple resolver rotation
            
        7.1.3 Data Encoding [OR]
            7.1.3.1 Base32/64 encoding variations
            7.1.3.2 Compression with error correction
            7.1.3.3 Fragmentation and reassembly

    7.2 Covert Channels [OR]
    
        7.2.1 Timing-Based Exfiltration [OR]
            7.2.1.1 Query response timing modulation
            7.2.1.2 DNS refresh interval exploitation
            7.2.1.3 TTL value manipulation
            
        7.2.2 Storage Channels [OR]
            7.2.2.1 DNS cache poisoning with data
            7.2.2.2 NSEC3 gap exploitation
            7.2.2.3 DNSSEC signature embedding
            
        7.2.3 Behavioral Patterns [OR]
            7.2.3.1 Query sequence encoding
            7.2.3.2 Resolver selection patterns
            7.2.3.3 Domain name generation algorithms

    7.3 Exfiltration Infrastructure [OR]
    
        7.3.1 Command and Control [OR]
            7.3.1.1 Dynamic domain generation
            7.3.1.2 DNS-based payload delivery
            7.3.1.3 Dead drop resolvers
            
        7.3.2 Data Processing [OR]
            7.3.2.1 Distributed exfiltration aggregation
            7.3.2.2 On-the-fly decoding services
            7.3.2.3 Cloud function data processing
            
        7.3.3 Persistence Mechanisms [OR]
            7.3.3.1 Multiple exfiltration pathways
            7.3.3.2 Fallback communication channels
            7.3.3.3 Anti-forensic techniques

Attack tree risk assessment table¶

Attack Path ID	Attack Path Description	Technical Challenge	Resources Required	Overall Risk (T+R)
1. Exploit Protocol Weaknesses
1.1.1.1	Birthday attack on 16-bit TXID space	Low	Low (Scripts, network access)	Low
1.1.1.2	Timing attacks on resolver response handling	Medium	Medium (Precise tools, stable connection)	Medium
1.1.1.3	Fragment-based poisoning attacks	High	Medium (Specialized tools)	High
1.1.2.1	TLS padding oracle attacks on DoT	High	Medium (Cryptographic knowledge)	High
1.1.2.2	QUIC protocol timing analysis on DoQ	High	High (Specialized QUIC tools)	High
1.1.2.3	HTTP/2 stream correlation attacks on DoH	Medium	Medium (Traffic analysis tools)	Medium
1.1.3.1	NSEC/NSEC3 walking for zone enumeration	Low	Low (Scripts like `nsec3walker`)	Low
1.1.3.2	RRSIG timing attacks for key recovery	Very High	High (Cryptographic expertise)	Very High
1.1.3.3	Algorithm downgrade attacks	Medium	Low (Packet crafting tools)	Medium
1.2.1.1	DoQ reflection with large TXT records	Low	Medium (List of open resolvers)	Medium
1.2.1.2	DoH POST request amplification	Low	Medium (List of open DoH resolvers)	Medium
1.2.1.3	DoT session resumption attacks	Medium	Medium (Traffic generation capacity)	Medium
1.2.2.1	NSEC3 response amplification	Low	Low (Scripts, open resolvers)	Low
1.2.2.2	Large RRSIG reflection attacks	Low	Low (Scripts, open resolvers)	Low
1.2.2.3	DNAME chain exploitation	Medium	Low (Specific DNS knowledge)	Medium
1.3.1.1	QUIC connection migration hijacking	High	High (QUIC stack access)	High
1.3.1.2	QUIC stream priority manipulation	Medium	Medium (QUIC knowledge)	Medium
1.3.1.3	QUIC spin bit side-channel	High	High (Traffic analysis expertise)	High
1.3.2.1	HTTP/2 HPACK compression attacks	High	High (HTTP/2 implementation knowledge)	High
1.3.2.2	HTTP/2 server push cache poisoning	Medium	Medium (Man-in-the-middle position)	Medium
1.3.2.3	HTTP/2 stream dependency manipulation	High	High (HTTP/2 expertise)	High
1.3.3.1	TLS session ticket stealing	Medium	Medium (MitM position)	Medium
1.3.3.2	Pre-shared key exhaustion	Low	Low (Scripts to spam connections)	Low
1.3.3.3	CT log poisoning	Very High	Very High (CA compromise required)	Very High
2. Attack Encrypted DNS
2.1.1.1	IP + timestamp correlation	Low	Medium (Access to multiple data sources)	Medium
2.1.1.2	Query size and timing analysis	Medium	Medium (Traffic capture & analysis)	Medium
2.1.1.3	SNI monitoring	Low	Low (Network position)	Low
2.1.2.1	Neural network traffic analysis	Very High	Very High (ML expertise, data, compute)	Very High
2.1.2.2	Query pattern recognition	High	High (ML expertise, data)	High
2.1.2.3	Encrypted traffic classification	High	High (ML expertise, data)	High
2.1.3.1	DoH/DoT/DoQ protocol fingerprinting	Medium	Medium (Traffic analysis tools)	Medium
2.1.3.2	Application-level protocol detection	Medium	Medium (Traffic analysis tools)	Medium
2.1.3.3	Middlebox cooperation	Low	High (Requires privileged ISP/state actor access)	High
2.2.1.1	TCP RST injection on port 853	Low	Low (Network access)	Low
2.2.1.2	HTTP/2 GOAWAY frame injection	Medium	Medium (MitM position)	Medium
2.2.1.3	QUIC connection close spoofing	Medium	Medium (MitM position)	Medium
2.2.2.1	Disable ECH in DoH	Low	Low (Client-side manipulation)	Low
2.2.2.2	TLS version downgrade	Medium	Medium (MitM position, tools)	Medium
2.2.2.3	QUIC version negotiation manipulation	High	Medium (MitM position, QUIC knowledge)	High
2.2.3.1	ISP-level protocol blocking	Low	Very High (Requires ISP-level control)	Very High
2.2.3.2	Enterprise firewall policy enforcement	Low	High (Requires enterprise network control)	High
2.2.3.3	Government-mandated filtering	Low	Extreme (Requires nation-state authority)	Extreme
2.3.1.1	Rogue certificate issuance	Very High	Extreme (Requires CA compromise)	Extreme
2.3.1.2	Intermediate CA exploitation	Very High	Extreme (Requires CA compromise)	Extreme
2.3.1.3	CT log poisoning	Very High	Very High (Extremely difficult)	Very High
2.3.2.1	Self-signed certificate acceptance	Low	Low (Social engineering or malware)	Low
2.3.2.2	Certificate pinning bypass	High	Medium (Reverse engineering skills)	High
2.3.2.3	Trust store manipulation	High	High (OS/admin-level access)	High
3. Cloud/SaaS Exploits
3.1.1.1	API server compromise	High	High (K8s exploit chain)	High
3.1.1.2	ConfigMap manipulation	Medium	High (K8s RBAC bypass)	High
3.1.1.3	Plugin vulnerability exploitation	Medium	Medium (Specific exploit)	Medium
3.1.2.1	Privileged pod escape	High	High (K8s/container expertise)	High
3.1.2.2	Node-level network access	High	High (Pod-to-node escape)	High
3.1.2.3	Cross-namespace traffic interception	Medium	Medium (NetworkPolicy misconfig)	Medium
3.1.3.1	Istio/Linkerd DNS redirection	High	High (Service mesh expertise)	High
3.1.3.2	mTLS certificate theft	High	High (Service mesh expertise)	High
3.1.3.3	Sidecar proxy manipulation	High	High (Service mesh expertise)	High
3.2.1.1	Lambda TXT record exfiltration	Low	Low (Scripting, DNS access)	Low
3.2.1.2	Cloud Functions over DoH	Medium	Low (Scripting, cloud account)	Medium
3.2.1.3	Azure private resolver abuse	Medium	Medium (Azure access, knowledge)	Medium
3.2.2.1	DNS query burst attacks	Low	Low (Scripts, cloud function)	Low
3.2.2.2	Recursion depth exploitation	Medium	Low (Specific payload)	Medium
3.2.2.3	Cache saturation attacks	Low	Medium (Resource budget for queries)	Medium
3.2.3.1	AWS Route 53 resolver hijacking	High	High (AWS account compromise)	High
3.2.3.2	Google Cloud DNS API abuse	High	High (GCP account compromise)	High
3.2.3.3	Azure Private DNS zone poisoning	High	High (Azure account compromise)	High
3.3.1.1	DNS spoofing for registry redirection	Medium	Medium (MitM on network)	Medium
3.3.1.2	MITM on image downloads	Medium	Medium (MitM position)	Medium
3.3.1.3	Cache poisoning for malicious images	High	High (Registry/DNS compromise)	High
3.3.2.1	Malicious library injection via DNS	Medium	Medium (Supply chain access)	Medium
3.3.2.2	Dependency confusion attacks	Low	Medium (Public repo, internal name)	Medium
3.3.2.3	Package manager DNS hijacking	High	High (MitM or DNS compromise)	High
4. Supply Chain Attacks
4.1.1.1	Cloudflare token theft	Medium	Medium (Phishing, malware)	Medium
4.1.1.2	AWS Route 53 key leakage	Medium	Medium (Misconfig, credential leak)	Medium
4.1.1.3	Google Domains API abuse	Medium	Medium (Credential theft)	Medium
4.1.2.1	Registrar support impersonation	Low	Low (Social engineering skills)	Low
4.1.2.2	WHOIS information gaps	Low	Low (OSINT research)	Low
4.1.2.3	Phone number porting attacks	Medium	Medium (SS7 flaws, social engineering)	Medium
4.1.3.1	EPP protocol exploitation	High	High (Registrar-specific knowledge)	High
4.1.3.2	Registry lock bypass	Very High	Extreme (Extremely difficult, often insiders)	Extreme
4.1.3.3	Transfer process manipulation	Medium	Medium (Social engineering, flaws)	Medium
4.2.1.1	CNAME to unused cloud resources	Low	Low (Scanners like `subjack`)	Low
4.2.1.2	NS to decommissioned servers	Low	Low (DNS auditing)	Low
4.2.1.3	MX to disabled services	Low	Low (DNS auditing)	Low
4.2.2.1	GitHub Pages takeover	Low	Low (GitHub account)	Low
4.2.2.2	S3 bucket takeover	Low	Low (AWS account)	Low
4.2.2.3	Azure Blob hijacking	Low	Low (Azure account)	Low
4.2.3.1	SSL certificate procurement	Low	Low (LetsEncrypt, etc.)	Low
4.2.3.2	DNS record obfuscation	Low	Low (Knowledge of DNS)	Low
4.2.3.3	Monitoring evasion	Medium	Low (Timing, low traffic)	Medium
4.3.1.1	Edge server cache poisoning	High	High (CDN-specific knowledge)	High
4.3.1.2	Origin DNS spoofing	Medium	High (Origin compromise/MitM)	High
4.3.1.3	GeoDNS manipulation	High	High (CDN config compromise)	High
4.3.2.1	SAN certificate abuse	Medium	Medium (CDN config access)	Medium
4.3.2.2	CDN SSL termination bypass	High	High (CDN-specific vulnerability)	High
4.3.2.3	Multi-CDN configuration conflicts	High	High (Complex setup knowledge)	High
5. AI/ML-Augmented Attacks
5.1.1.1	DNS query pattern manipulation	High	High (ML/Adversarial AI expertise)	High
5.1.1.2	Behavioral model contamination	Very High	Very High (ML expertise, platform access)	Very High
5.1.1.3	Feedback loop exploitation	High	High (ML expertise, system knowledge)	High
5.1.2.1	GAN-generated queries	Very High	Very High (GAN/ML expertise, compute)	Very High
5.1.2.2	CDN traffic mimicry	High	High (Traffic analysis, ML)	High
5.1.2.3	Legitimate domain spoofing	Medium	Low (Existing tools, slight modification)	Medium
5.1.3.1	RL for evasion	Very High	Extreme (RL/ML expertise, significant compute)	Extreme
5.1.3.2	Genetic algorithm optimization	Very High	Very High (ML expertise, compute)	Very High
5.1.3.3	Transfer learning	Very High	Very High (ML expertise, diverse datasets)	Very High
5.2.1.1	LLM-generated homograph domains	Low	Low (Access to LLM API)	Low
5.2.1.2	Context-aware typosquatting	Medium	Medium (NLP/OSINT skills)	Medium
5.2.1.3	Cultural adaptation algorithms	High	High (NLP, cultural datasets)	High
5.2.2.1	Dynamic DNS fast-flux	Medium	Medium (Botnet, scripts)	Medium
5.2.2.2	Automated certificate procurement	Low	Low (Scripts, ACME API)	Low
5.2.2.3	Multi-CDN abuse	High	High (Resources to use multiple CDNs)	High
5.2.3.1	NLP-based brand monitoring	Medium	Medium (NLP skills, scraping)	Medium
5.2.3.2	Social media sentiment analysis	Medium	Medium (NLP skills, API access)	Medium
5.2.3.3	Employee behavior prediction	Very High	Very High (Advanced ML, internal data)	Very High
6. Post-Quantum Threats
6.1.1.1	ECDSA-P256 signature harvesting	Low	Low (Passive DNS collection)	Low
6.1.1.2	RSA-2048 key storage	Low	Medium (Storage capacity for large keys)	Medium
6.1.1.3	NSEC3 chain enumeration	Low	Low (Scripts)	Low
6.1.2.1	Long-term encrypted data storage	Low	High (Massive storage infrastructure)	High
6.1.2.2	Future decryption capability planning	N/A	Extreme (Nation-state level investment)	Extreme
6.1.2.3	Harvest-then-decrypt campaigns	Low	Extreme (See above)	Extreme
6.1.3.1	Algorithm confusion attacks	High	High (PQ crypto expertise)	High
6.1.3.2	Hybrid scheme weaknesses	High	High (PQ crypto expertise)	High
6.1.3.3	Backward compatibility exploitation	Medium	Medium (Protocol downgrade attacks)	Medium
6.2.1.1	Photon-splitting attacks	Extreme	Extreme (Quantum physics expertise)	Extreme
6.2.1.2	Fake state attacks	Extreme	Extreme (Quantum physics expertise)	Extreme
6.2.1.3	Trojans in QKD hardware	Extreme	Extreme (State-level hardware sabotage)	Extreme
6.2.2.1	Side-channels on QKD systems	Extreme	Extreme (Quantum engineering)	Extreme
6.2.2.2	Laser intensity manipulation	Very High	Extreme (Specialized lab equipment)	Extreme
6.2.2.3	Detector blinding attacks	Very High	Extreme (Specialized lab equipment)	Extreme
6.2.3.1	Classical-quantum interface exploitation	Extreme	Extreme (Unique expertise)	Extreme
6.2.3.2	Key management system compromise	High	High (Traditional infosec + QKD knowledge)	High
6.2.3.3	Quantum network routing attacks	Extreme	Extreme (Quantum networking expertise)	Extreme
7. Data Exfiltration Techniques
7.1.1.1	Traditional DNS tunneling	Low	Low (Off-the-shelf tools)	Low
7.1.1.2	DoH/DoT/DoQ encrypted tunneling	Medium	Low (Modified tools)	Medium
7.1.1.3	ICMP-based DNS manipulation	Medium	Medium (Custom tools, privileges)	Medium
7.1.2.1	Query rate limiting bypass	Medium	Low (Slow channel, patience)	Medium
7.1.2.2	Legitimate traffic blending	High	Medium (Traffic analysis, careful planning)	High
7.1.2.3	Multiple resolver rotation	Low	Low (List of resolvers)	Low
7.1.3.1	Base32/64 encoding	Low	Low (Standard encoding)	Low
7.1.3.2	Compression with error correction	Medium	Medium (Custom client/server)	Medium
7.1.3.3	Fragmentation and reassembly	Medium	Medium (Custom client/server)	Medium
7.2.1.1	Query response timing modulation	High	High (Stable channel, precise control)	High
7.2.1.2	DNS refresh interval exploitation	Medium	Medium (Knowledge of client behavior)	Medium
7.2.1.3	TTL value manipulation	Low	Low (Control of authoritative server)	Low
7.2.2.1	DNS cache poisoning with data	High	High (Cache poisoning expertise)	High
7.2.2.2	NSEC3 gap exploitation	Medium	Medium (DNSSEC knowledge)	Medium
7.2.2.3	DNSSEC signature embedding	Very High	High (Cryptographic expertise)	Very High
7.2.3.1	Query sequence encoding	Medium	Medium (Custom algorithm)	Medium
7.2.3.2	Resolver selection patterns	Low	Low (Client configuration control)	Low
7.2.3.3	Domain name generation algorithms	Low	Low (Standard DGA)	Low
7.3.1.1	Dynamic domain generation	Low	Low (DGA script)	Low
7.3.1.2	DNS-based payload delivery	Low	Low (Authoritative server control)	Low
7.3.1.3	Dead drop resolvers	Medium	Medium (Compromised resolver)	Medium
7.3.2.1	Distributed exfiltration aggregation	High	High (Multiple nodes, coordination)	High
7.3.2.2	On-the-fly decoding services	Medium	Medium (Cloud function/script)	Medium
7.3.2.3	Cloud function data processing	Medium	Medium (Cloud account)	Medium
7.3.3.1	Multiple exfiltration pathways	Medium	Medium (Redundant infrastructure)	Medium
7.3.3.2	Fallback communication channels	Medium	Medium (Additional C2 setup)	Medium
7.3.3.3	Anti-forensic techniques	High	High (Expertise in forensics)	High

Risk Assessment Legend¶

Technical Challenge: The level of expertise, knowledge, and skill required to execute the attack.
Resources Required: The tools, infrastructure, access, and time needed.
Overall Risk (T+R): A combined assessment of how feasible the attack is for a threat actor to carry out. This is not likelihood or impact, but a measure of the barrier to entry. A “Low” overall risk means it’s easy to execute; “Extreme” means it is currently only feasible for the most advanced actors (e.g., nation-states).