The Domain Name Service (DNS) resolves alphanumeric domain names into numeric IP addresses. This service is provided by a loose collection of servers scattered around the Internet as well as within local Intranets. If, however, the information supplied through this service comes not from an authorized source but from an attacker's system supplying incorrect answers, or from an authorized source that has been compromised, network traffic could be impeded in a denial of service (DoS) attack or misrouted in a spoofing or man-in-the-middle attack. This could result in sensitive traffic being delivered to untrusted systems or not being delivered at all.
One way that these services could be subverted would be for an attacker to set up an “evil twin” WiFi hotspot that impersonates a trusted wireless access point and establishes itself as a man-in-the-middle (MITM) that reroutes network traffic. The MITM can examine and modify all traffic coming into and going out of the rogue network. Another way would be for the attacker to set up a rogue server that hijacks network services by broadcasting to all nodes in the network that it is online and available to process DNS requests. Yet another way would be for an attacker to compromise a trusted DNS server and cause it to produce erroneous results. In many cases, the last server to broadcast will be considered authoritative by other nodes in the network.
One solution for detecting such untrusted or compromised sources of network information is a DNS watcher that performs a “health check” by polling a preconfigured list of trusted DNS servers to verify that they are operational and returning proper results. This method has several drawbacks, however. Polling generates additional, superfluous network traffic and may be discovered during an attacker's reconnaissance of the target network. A polling approach also only verifies whether the known DNS servers are performing properly. Because polling actively queries specific, known DNS servers, it cannot verify the correctness of DNS resolutions returned by any host other than the ones being polled. Since rogue DNS providers would not be known in advance, they would go unchecked by a polling solution.
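The polling-style health check described above, written out as an added example (this is not code from the original text or from any product it describes). The watcher builds a standard DNS A query, sends it to each server on a preconfigured trusted list, parses the reply and compares the returned addresses against an expected answer set. The server addresses, the probe name and the expected address are constructed values from the RFC 5737 documentation ranges, and the `send` callback is a hypothetical hook so the same logic can run against real UDP resolvers or against constructed replies offline. Note what the example does not do: it only ever speaks to the servers on its list, which is exactly the blind spot the paragraph points out.

```python
import secrets
import socket
import struct

# Constructed configuration: trusted resolvers to poll and the answer we expect.
TRUSTED_SERVERS = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
PROBE_NAME = "example.test."
EXPECTED_IPS = {"192.0.2.10"}


def encode_name(name):
    """Encode a dotted name as DNS labels (RFC 1035 section 3.1)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, txid):
    """Build a recursion-desired A/IN query with the given transaction id."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)


def decode_name(data, offset, max_jumps=10):
    """Decode a possibly compressed name; returns (name, offset after the name)."""
    labels, jumps, end = [], 0, None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            jumps += 1
            if jumps > max_jumps:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_response(data):
    """Return txid, rcode and the A-record addresses in the answer section."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, offset = decode_name(data, offset)
        offset += 4
    addrs = []
    for _ in range(an):
        _, offset = decode_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return {"txid": txid, "rcode": flags & 0x000F, "a": addrs}


def udp_send(server, query, timeout=2.0):
    """Real transport: one UDP exchange with a resolver on port 53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recv(512)


def check_server(server, name, expected_ips, send=udp_send):
    """Poll one server and classify the result: ok, mismatch, rcode, bad_txid, malformed or unreachable."""
    txid = secrets.randbelow(65536)
    try:
        resp = parse_response(send(server, build_query(name, txid)))
    except OSError as exc:
        return {"server": server, "status": "unreachable", "detail": str(exc)}
    except (ValueError, struct.error, IndexError, UnicodeDecodeError) as exc:
        return {"server": server, "status": "malformed", "detail": str(exc)}
    if resp["txid"] != txid:
        return {"server": server, "status": "bad_txid", "detail": resp["txid"]}
    if resp["rcode"] != 0:
        return {"server": server, "status": "rcode", "detail": resp["rcode"]}
    if set(resp["a"]) != set(expected_ips):
        return {"server": server, "status": "mismatch", "detail": resp["a"]}
    return {"server": server, "status": "ok", "detail": resp["a"]}


def health_check(servers=TRUSTED_SERVERS, name=PROBE_NAME, expected_ips=EXPECTED_IPS, send=udp_send):
    """Poll every server on the trusted list; only listed servers are ever examined."""
    return {s: check_server(s, name, expected_ips, send) for s in servers}


def build_response(query, ips, rcode=0):
    """Constructed reply for offline use: echoes the question, answers with the given A records."""
    txid = struct.unpack(">H", query[:2])[0]
    end = 12
    while query[end] != 0:  # walk the question name to find its end
        end += query[end] + 1
    question = query[12:end + 5]
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)
    answers = b"".join(b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip) for ip in ips)
    return header + question + answers


if __name__ == "__main__":
    for server, result in health_check().items():
        print(server, result["status"], result["detail"])
```

Running the module as a script performs the live UDP poll; for an offline run, pass a `send` callable that returns replies built with `build_response`, which is how a "healthy", a "poisoned" and an unreachable resolver can be simulated without touching the network.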