Which technology helps mitigate DNS spoofing and poisoning attacks?

DNS spoofing and poisoning attacks occur when attackers manipulate the Domain Name System (DNS) responses to redirect users to malicious sites, compromising the integrity of web traffic. The technology that specifically mitigates these attacks is DNSSEC (Domain Name System Security Extensions).

DNSSEC provides a layer of security that authenticates the origin of DNS data and ensures that the data has not been altered in transit. It works by adding digital signatures to DNS records, which clients can verify to confirm that the data they receive is legitimate and has not been tampered with. This ensures the integrity and authenticity of the DNS responses, effectively countering spoofing and poisoning attempts.

Other options may provide security, but they do not specifically address the vulnerabilities associated with DNS communication. For example, a VPN encrypts internet traffic and protects against eavesdropping but does not validate DNS information. A Next-Generation Firewall (NGFW) filters network traffic based on more sophisticated parameters than traditional firewalls but does not inherently verify the authenticity of DNS records. Network Access Control (NAC) secures network access and can help enforce policies, but it does not provide mechanisms for verifying DNS data integrity. Thus, DNSSEC is the specialized technology designed to mitigate DNS-related threats.