The DNS Threat Landscape: Understanding the Risks
DNS is a critical infrastructure component and an attractive target for attackers. Understanding the threats is the first step to protecting your domain.
⚠️ Common DNS Attacks
- DNS Hijacking: Attacker changes DNS records
- DNS Spoofing / Cache Poisoning: Inject fake records
- DNS DDoS: Overwhelm DNS servers
- DNS Tunneling: Exfiltrate data via DNS queries
- NXDOMAIN Attacks: Flood with non-existent queries
Real-World Impact
- DNS attacks increased by 42% in 2023
- Average cost: $1.1 million per incident
- 83% of organizations experienced a DNS attack
- 74% of companies lack DNS monitoring
DNS Hijacking: Prevention & Detection
DNS hijacking occurs when an attacker gains unauthorized access to your DNS configuration and changes records.
How DNS Hijacking Happens:
- Compromised registrar/DNS provider account credentials
- Social engineering of support staff
- Email interception (weak MX records)
- Insecure API keys exposed in code
Prevention Measures:
- Multi-Factor Authentication (MFA) at EVERY provider
- Registry Lock - Requires manual verification for changes
- Separate Accounts - Different passwords for registrar vs DNS
- Monitor DNS Changes - Real-time alerts for modifications
Detection Script:
```bash
#!/bin/bash
# Expected A record for the apex; keep this baseline under version control.
EXPECTED_IP="93.184.216.34"
# Ask a public resolver rather than the local cache, so a stale or poisoned
# local cache cannot mask a change made at the authoritative servers.
CURRENT_IP=$(dig +short example.com A @8.8.8.8)
if [ "$CURRENT_IP" != "$EXPECTED_IP" ]; then
  echo "ALERT: DNS hijacking detected! expected $EXPECTED_IP, got: $CURRENT_IP"
  exit 1
fi
```
DNSSEC: Mandatory Cryptographic Signing
DNSSEC cryptographically signs DNS records to prevent spoofing and cache poisoning.
Implementation Priority:
- Critical (Immediate): Banking, E-commerce, Healthcare, Government
- High Priority: Corporate domains, Email servers, SaaS platforms
- Recommended: All domains, regardless of use case
DNSSEC Best Practices:
- Use algorithm 13 (ECDSAP256SHA256) for better performance
- Rotate ZSK every 30-90 days (automate with OpenDNSSEC)
- Rotate KSK every 1-2 years (requires registrar DS update)
- Set signature validity to 30 days with auto-resigning
```bash
# Generate DNSSEC keys (algorithm 13 recommended). ldns-keygen writes
# Kexample.com.+013+<keytag>.key/.private (and .ds for a KSK) and prints the
# key's base name, which is what ldns-signzone expects (no .key suffix).
KSK=$(ldns-keygen -a ECDSAP256SHA256 -k example.com)   # KSK: -k sets the SEP flag
ZSK=$(ldns-keygen -a ECDSAP256SHA256 example.com)      # ZSK: default when -k is absent
# Sign your zone. -e sets the signature expiration; 30 days from now (GNU date)
# matches the validity recommended above. Output: example.com.zone.signed
ldns-signzone -o example.com -e "$(date -u -d '+30 days' +%Y%m%d)" example.com.zone "$ZSK" "$KSK"
# Publish the DS record from Kexample.com.+013+<keytag>.ds at your registrar.
```
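Signature validity only helps if someone notices before it runs out, so here is an added example (not from the original page) that reads the RRSIGs on a zone's SOA, converts their expiration timestamps with plain awk (no GNU date or gawk needed) and alerts when the earliest one is inside a 30-day window; the check is reusable for the "signatures not expiring within 30 days" audit item. `dig` is assumed to be installed; RESOLVER and WARN_DAYS are configurable assumptions.

```shell
#!/bin/bash
# Added example: warn when a zone's RRSIGs are close to expiring. An unattended
# signer that stops re-signing shows up to validating resolvers as SERVFAIL.
RESOLVER="${RESOLVER:-8.8.8.8}"
WARN_DAYS="${WARN_DAYS:-30}"

# Convert a DNSSEC timestamp (YYYYMMDDHHMMSS, always UTC) to Unix epoch seconds
# using only awk arithmetic (days-from-civil algorithm), so it works without
# GNU date or gawk's mktime.
dnssec_time_to_epoch() {
  echo "$1" | awk '{
    y = substr($1,1,4)+0; m = substr($1,5,2)+0; d = substr($1,7,2)+0
    H = substr($1,9,2)+0; M = substr($1,11,2)+0; S = substr($1,13,2)+0
    if (m <= 2) y--                       # computational year starts in March
    era = int(y/400); yoe = y - era*400
    doy = int((153*(m + (m > 2 ? -3 : 9)) + 2)/5) + d - 1
    doe = yoe*365 + int(yoe/4) - int(yoe/100) + doy
    days = era*146097 + doe - 719468      # days since 1970-01-01
    print days*86400 + H*3600 + M*60 + S }'
}

# Read `dig +dnssec +noall +answer` output on stdin and print the earliest RRSIG
# expiration it contains (field 9 of an RRSIG line), or nothing if unsigned.
earliest_rrsig_expiry() {
  awk '$4 == "RRSIG" && (min == "" || $9 < min) { min = $9 } END { if (min != "") print min }'
}

# Days until the earliest RRSIG on stdin expires, relative to NOW (epoch seconds);
# prints "unsigned" when the answer carries no RRSIG at all.
rrsig_days_left() {
  local now=$1 exp
  exp=$(earliest_rrsig_expiry)
  [ -n "$exp" ] || { echo unsigned; return 0; }
  echo $(( ($(dnssec_time_to_epoch "$exp") - now) / 86400 ))
}

# Live check for NAME: nonzero exit when unsigned or expiring within WARN_DAYS.
check_rrsig_expiry() {
  local name=$1 days
  days=$(dig +dnssec +noall +answer "$name" SOA "@$RESOLVER" | rrsig_days_left "$(date -u +%s)")
  if [ "$days" = unsigned ]; then
    echo "WARN: $name: no RRSIG in answer (unsigned zone or non-DNSSEC resolver)"; return 1
  elif [ "$days" -lt "$WARN_DAYS" ]; then
    echo "ALERT: $name: earliest RRSIG expires in $days day(s)"; return 1
  fi
  echo "OK: $name: earliest RRSIG expires in $days day(s)"
}
```

Run `check_rrsig_expiry example.com` from cron; a negative day count means the signatures have already expired.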
CAA Records: Controlling SSL Certificate Issuance
CAA records specify which CAs can issue SSL/TLS certificates for your domain.
Mandatory CAA Configuration:
```
# Basic security - allow only your CAs
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issue "digicert.com"
# Block wildcard certificates (higher security)
example.com. CAA 0 issuewild ";"
# Enable reporting on violations
example.com. CAA 0 iodef "mailto:security@example.com"
```
Testing CAA Records:
```bash
# Check your CAA records
dig example.com CAA +short
```
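A `dig` at the apex only shows the apex. CAs apply the CAA set found at the requested name or, failing that, at its closest ancestor (RFC 8659 tree climbing), so a forgotten record on a subdomain can widen or narrow what the apex allows. The following added example (not from the original page) resolves the effective CAA set for a name and evaluates whether a given CA may issue a normal or wildcard certificate; `dig` is assumed to be installed and RESOLVER is a configurable assumption.

```shell
#!/bin/bash
# Added example: find the CAA RRset a CA would actually apply to a name, and
# decide whether a given CA is permitted to issue for it.
RESOLVER="${RESOLVER:-8.8.8.8}"

# Print the CAA RRset for NAME itself or, if empty, for the closest ancestor
# that has one. Returns 1 when no ancestor has CAA (any CA may then issue).
effective_caa() {
  local name=${1%.} rrs
  while [ -n "$name" ]; do
    rrs=$(dig +short "$name" CAA "@$RESOLVER")
    if [ -n "$rrs" ]; then
      printf '%s\n' "$rrs"; return 0
    fi
    case $name in *.*) name=${name#*.} ;; *) name= ;; esac
  done
  return 1
}

# Exit 0 if CA may issue for NAME. WILD=1 means a wildcard request, for which
# issuewild records take precedence over issue records when present.
caa_permits() {
  local name=$1 ca=$2 wild=${3:-0} rrset tag=issue
  rrset=$(effective_caa "$name") || { echo "no CAA found for $name: any CA may issue"; return 0; }
  if [ "$wild" = 1 ] && printf '%s\n' "$rrset" | grep -q ' issuewild '; then tag=issuewild; fi
  # dig +short prints: <flags> <tag> "<value>"; strip quotes and ";parameters".
  printf '%s\n' "$rrset" | awk -v tag="$tag" -v ca="$ca" '
    $2 == tag { v = $0; sub(/^[^ ]+ +[^ ]+ +/, "", v); gsub(/[" ]/, "", v); sub(/;.*/, "", v)
                if (v == ca) ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# Usage: caa_permits www.example.com letsencrypt.org      # regular certificate
#        caa_permits www.example.com letsencrypt.org 1    # wildcard certificate
```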
Registry Lock: Domain Change Protection
Registry Lock provides the highest level of domain protection. Any changes require manual verification.
What Registry Lock Protects Against:
- Unauthorized domain transfers
- Unauthorized NS record changes
- Unauthorized registrant contact changes
- Domain deletion attempts
💡 Pro Tip
⚠️ Important:
Registry Lock adds 48-72 hours for any change. This is intentional: it's your emergency brake against hijacking.
DNS Filtering: Blocking Malicious Domains
DNS filtering blocks resolution to malicious domains, phishing sites, and command & control servers.
| Service | Free Tier | Blocklist Quality | Reporting |
|---|---|---|---|
| Cloudflare Gateway | No | Excellent | Detailed |
| Cisco Umbrella | No | Excellent | Enterprise |
| Quad9 (9.9.9.9) | Yes | Good | Limited |
| Cloudflare Family (1.1.1.3) | Yes | Malware + Adult | No |
DNS Rate Limiting: DDoS Protection
DNS rate limiting prevents DDoS attacks from overwhelming your authoritative nameservers.
Implementation Options:
- Cloudflare: Automatic rate limiting per IP
- AWS Route 53: Request rate limits, throttling
- Azure DNS: Built-in throttling
BIND Configuration:
```
options {
    rate-limit {
        responses-per-second 10;
        log-only no;
        slip 2;
        window 5;
    };
};
```
Anycast DNS: High Availability & DDoS Resilience
Anycast DNS announces your DNS server IP addresses from multiple global locations.
Benefits of Anycast DNS:
- Global Performance: Queries go to nearest server
- Built-in DDoS Mitigation: Attack traffic distributes across nodes
- High Availability: When a node fails, its traffic is automatically routed to the remaining nodes
Anycast DNS Providers:
- Cloudflare DNS: Free, 300+ cities globally
- AWS Route 53: Anycast on all hosted zones
- Google Cloud DNS: Global anycast network
DNS Monitoring & Alerting
What to Monitor:
- DNS record changes (A, MX, NS, TXT)
- SOA serial number increments
- DNSSEC signature expiration
- Zone transfer failures
- Unusual query patterns
- NXDOMAIN rates
Monitoring Script:
```bash
#!/bin/bash
# State file holding the hash of the last observed A RRset. Prefer a directory
# only the monitoring user can write to; /tmp is world-writable.
HASH_FILE="/tmp/dns-records-hash"
# Hash the sorted RRset so round-robin ordering changes do not trigger alerts.
CURRENT_HASH=$(dig +short example.com A | sort | md5sum | cut -d' ' -f1)
if [ -f "$HASH_FILE" ]; then
  OLD_HASH=$(cat "$HASH_FILE")
  if [ "$CURRENT_HASH" != "$OLD_HASH" ]; then
    echo "DNS records changed!"
  fi
fi
echo "$CURRENT_HASH" > "$HASH_FILE"
```
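The hijacking detection script above compares a single IP and the monitoring script only tells you that something changed. This added example (not from the original page) serves both: it compares the live RRset for any record type against a baseline as a whole set, so round-robin A records and multi-record MX or NS sets are handled, and it reports exactly which records were added or removed. `dig` is assumed to be installed; RESOLVER and the baseline file name are assumptions.

```shell
#!/bin/bash
# Added example: detect DNS record changes by comparing whole RRsets against
# a committed baseline, reporting the exact records added or removed.
RESOLVER="${RESOLVER:-8.8.8.8}"

# Lower-case, trim, drop blank lines and sort, so comparisons ignore case and
# answer order (round-robin resolvers rotate the order of A records).
normalise() { tr 'A-Z' 'a-z' | sed -e 's/[[:space:]]*$//' -e '/^$/d' | sort -u; }

# Print the normalised RRset for NAME/TYPE, one record per line.
rrset() { dig +short "$1" "$2" "@$RESOLVER" | normalise; }

# Compare the live RRset for NAME/TYPE with EXPECTED (newline-separated records).
# Returns 0 if identical; otherwise reports removed/added records on stderr
# and returns 1, which makes the function usable as a cron or CI check.
check_rrset() {
  local name=$1 type=$2 expected observed rr
  expected=$(printf '%s\n' "$3" | normalise)
  observed=$(rrset "$name" "$type")
  [ "$observed" = "$expected" ] && return 0
  echo "ALERT: $type RRset for $name differs from baseline" >&2
  # Records occurring exactly once in the concatenation are the symmetric difference.
  printf '%s\n%s\n' "$expected" "$observed" | sort | uniq -u | while IFS= read -r rr; do
    [ -n "$rr" ] || continue
    if printf '%s\n' "$expected" | grep -qFx -- "$rr"; then
      echo "  removed: $rr" >&2
    else
      echo "  added:   $rr" >&2
    fi
  done
  return 1
}

# Usage, with a baseline captured earlier via `rrset example.com MX > baseline.mx`:
#   check_rrset example.com MX "$(cat baseline.mx)"
```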
Registrar Security: Multi-Factor Authentication
Mandatory Security Measures:
- Multi-Factor Authentication (MFA) - Use authenticator app or hardware key
- Separate, Strong Passwords - Unique to registrar, 20+ characters
- Transfer Lock - Prevent domain transfers without unlock
- Limited Authorized Users - Absolute minimum people with access
Check Domain Status:
```bash
whois example.com | grep -E "Registrar|Status|Name Server"
# Look for:
#   clientTransferProhibited - GOOD (prevents transfer)
#   ok                       - BAD (domain is unlocked)
```
DNS Encryption: DoH, DoT, DNSCrypt
| Protocol | Port | Key Feature | Best For |
|---|---|---|---|
| DoT (DNS over TLS) | 853 | Standardized, easy firewalling | Corporate networks |
| DoH (DNS over HTTPS) | 443 | Looks like web traffic | Public WiFi, censorship bypass |
| DNSCrypt | 443 | Encryption + authentication | Privacy-focused users |
Enable DoH/DoT on Clients:
```
# Windows 11/10 (DoH)
# Settings → Network & Internet → DNS → Edit
# Preferred DNS encryption: Encrypted only (DoH)
```
```ini
# Linux (systemd-resolved): this enables DoT, which is what
# systemd-resolved supports; the resolver name after # is used for TLS SNI
# /etc/systemd/resolved.conf
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com
DNSOverTLS=yes
```
DNS Security Audit Checklist
- ✅ DNSSEC enabled and validating
- ✅ DNSSEC signatures not expiring within 30 days
- ✅ CAA records configured and correct
- ✅ Registrar MFA enabled
- ✅ Registry/Registrar lock enabled
- ✅ SPF, DKIM, DMARC records set
- ✅ DMARC policy is reject/quarantine
- ✅ WHOIS info is accurate and private
- ✅ DNS monitoring alerts working
- ✅ NS records have redundancy (≥2 servers)
- ✅ TTLs optimized
- ✅ DNS query encryption for clients
Automated Security Audit Script:
```bash
#!/bin/bash
DOMAIN="example.com"
echo "=== DNS Security Audit for $DOMAIN ==="
# Check DNSSEC. `dig +short` prints only the DNSKEY RDATA (flags, protocol,
# algorithm, key), never the literal "DNSKEY", so test for a non-empty answer,
# and confirm the chain of trust by checking that a DS record exists at the parent.
DNSKEYS=$(dig +short "$DOMAIN" DNSKEY)
DS=$(dig +short "$DOMAIN" DS)
if [ -n "$DNSKEYS" ] && [ -n "$DS" ]; then
  echo "✅ DNSSEC enabled (DNSKEY published and DS at parent)"
elif [ -n "$DNSKEYS" ]; then
  echo "⚠️ DNSKEY published but no DS at parent: zone is signed but not validated"
else
  echo "❌ DNSSEC NOT enabled"
fi
# Check DMARC. Match "; p=" so the subdomain policy "sp=reject" does not pass as p=reject.
DMARC=$(dig +short "_dmarc.$DOMAIN" TXT)
if echo "$DMARC" | grep -qE ';[[:space:]]*p=reject'; then
  echo "✅ DMARC reject policy"
elif echo "$DMARC" | grep -qE ';[[:space:]]*p=quarantine'; then
  echo "⚠️ DMARC quarantine policy (reject preferred)"
else
  echo "⚠️ DMARC not set to reject"
fi
echo "=== Audit Complete ==="
```
