DNSSEC Complete Guide: How to Secure Your DNS Against Spoofing & Cache Poisoning
Security | 15 min read | December 10, 2024

Priya Sharma
DNS Security Specialist

What is DNSSEC?

DNSSEC (DNS Security Extensions) is a suite of extensions to DNS that add cryptographic signatures to DNS records.

When a DNS resolver receives a response, it can verify that the data actually came from the authoritative name server and wasn't tampered with in transit.

DNSSEC does not encrypt data; it authenticates it.

Key Point:

DNSSEC provides data origin authentication and data integrity, NOT confidentiality. Your DNS queries are still visible, but you can trust they haven't been altered.

What DNSSEC Protects Against:

  • DNS cache poisoning (Kaminsky attack)
  • Man-in-the-middle attacks on DNS responses
  • Spoofed DNS responses
  • Zone enumeration (when using NSEC3)

DNS Attack Vectors: The Problems DNSSEC Solves

1. DNS Cache Poisoning (Kaminsky Attack)

In 2008, security researcher Dan Kaminsky discovered a flaw allowing attackers to poison DNS caches with fake records. This attack could redirect all traffic from a legitimate website to a malicious one.

2. Man-in-the-Middle Attacks

Without DNSSEC, an attacker on your network (like public WiFi) can intercept DNS responses and send fake IP addresses.

3. Phishing Attacks

Attackers can spoof your bank's DNS records and redirect you to a fake login page that looks identical to the real one.

Real-World Impact:

In 2018, attackers hijacked AWS Route 53 DNS records and redirected over $17 million worth of cryptocurrency traffic to phishing sites. DNSSEC would have prevented this.

How DNSSEC Works: Cryptographic Signatures

DNSSEC adds digital signatures to DNS records using public-key cryptography. Here's the process:

  1. Zone Signing: The domain owner generates a key pair (ZSK - Zone Signing Key)
  2. Signing Records: Each DNS record set is signed with the private key, creating RRSIG records
  3. Publishing Keys: The public key is published as a DNSKEY record
  4. Verification: Resolvers use the public key to verify signatures

# Without DNSSEC (Vulnerable)
Query: What is the IP of example.com?
Response: 93.184.216.34 (No way to verify it's correct)

# With DNSSEC (Secure)
Query: What is the IP of example.com?
Response: 93.184.216.34 + RRSIG signature
Resolver: Is this signature valid? ✓ Yes, data is authentic

DNSSEC Record Types: RRSIG, DNSKEY, DS, NSEC, NSEC3

RRSIG (Resource Record Signature)

Contains the cryptographic signature of a DNS record set. Each signed record set has a corresponding RRSIG record.

example.com.    RRSIG   A 5 2 3600 20250101000000 20241201000000 12345 example.com. [signature]

Fields, in order: type covered (A), algorithm (5), number of labels in the owner name (2 for example.com), original TTL (3600), signature expiration, signature inception, key tag (12345), signer name, and the signature itself.

DNSKEY (DNS Public Key)

Contains the public key used to verify RRSIG records. There are two types: ZSK (Zone Signing Key) and KSK (Key Signing Key).

example.com.    DNSKEY  256 3 5 [public key for ZSK]
example.com.    DNSKEY  257 3 5 [public key for KSK]

DS (Delegation Signer)

Published in the parent zone (e.g., .com for example.com). It contains a hash of the child zone's KSK, creating the chain of trust.

NSEC/NSEC3 (Next Secure)

Proves that a domain name does NOT exist. NSEC3 uses hashed names to prevent zone enumeration.

Chain of Trust: From Root Zone to Your Domain

The DNSSEC chain of trust starts at the DNS root zone (.), which is cryptographically signed. The root's public key is pre-configured in all DNSSEC-validating resolvers.

Chain of Trust Flow:

Root Zone (.) → .com → example.com → www.example.com

Step-by-step validation:

  1. Resolver has root's public key (trust anchor)
  2. Root provides .com's DS record (signed by root)
  3. Resolver validates .com's DS using root key
  4. Resolver gets .com DNSKEY and validates using DS
  5. .com provides example.com's DS record
  6. Resolver validates example.com DS
  7. Resolver gets example.com DNSKEY and validates
  8. Resolver validates final DNS records (A, MX, etc.)

This creates an unbroken chain of cryptographic trust from the root to your domain.
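The DS link in steps 2 through 7 above, and the DNSKEY/DS records described earlier, as an added example that is not code from this article: it computes a DNSKEY's key tag (RFC 4034 Appendix B) and its SHA-256 DS record, then performs the check a validator makes at a delegation, namely whether the DS served by the parent matches one of the child's keys. The DNSKEY records and key bytes are constructed placeholders, not real keys, and only the Python standard library is used.

```python
import base64
import hashlib
import struct

def parse_dnskey(record):
    # Presentation format: owner [ttl] [IN] DNSKEY flags protocol algorithm base64-key
    f = record.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    return f[0], flags, proto, alg, base64.b64decode("".join(f[i + 4:]))

def owner_wire(name):
    # Canonical wire form of the owner name: lowercased, length-prefixed labels.
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def key_tag(flags, proto, alg, key):
    # RFC 4034 Appendix B key tag (every algorithm except 1, RSAMD5).
    rdata = struct.pack(">HBB", flags, proto, alg) + key
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(record):
    # DS rdata the parent publishes: "<key tag> <alg> 2 <SHA-256 of owner||rdata>".
    owner, flags, proto, alg, key = parse_dnskey(record)
    rdata = struct.pack(">HBB", flags, proto, alg) + key
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(flags, proto, alg, key)} {alg} 2 {digest}"

def ds_matches(dnskey_rrset, parent_ds):
    # The delegation check a validator performs: some DNSKEY in the child's
    # RRset (normally the KSK, flags 257) must hash to the DS the parent serves.
    # Only digest type 2 (SHA-256) is handled here; case and spacing in the
    # digest are ignored, as validators ignore them.
    tag, alg, dtype, digest = parent_ds.split(None, 3)
    want = f"{int(tag)} {int(alg)} {int(dtype)} {''.join(digest.split()).upper()}"
    return any(make_ds(rec) == want for rec in dnskey_rrset)

# Constructed sample DNSKEY RRset; the key bytes are placeholders, not real keys.
CHILD_DNSKEYS = [
    "example.com. 3600 IN DNSKEY 256 3 13 BQYHCA==",  # ZSK
    "example.com. 3600 IN DNSKEY 257 3 13 AQIDBA==",  # KSK
]

if __name__ == "__main__":
    ds = make_ds(CHILD_DNSKEYS[1])
    print("DS record to hand to the registrar:", ds)
    print("parent DS matches child KSK:", ds_matches(CHILD_DNSKEYS, ds))
```

Paste the DNSKEY lines from `dig +dnssec example.com DNSKEY` into CHILD_DNSKEYS and the DS line from the parent query to turn this into the "DS Record Mismatch" check described later.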

Cloudflare (Easiest - One Click)

  1. Go to your domain in Cloudflare dashboard
  2. Navigate to DNS β†’ Settings
  3. Enable DNSSEC
  4. Copy the DS record details
  5. Go to your domain registrar and add the DS record

AWS Route 53

# Create a key signing key; Route 53 requires an asymmetric KMS key (ECC_NIST_P256,
# SIGN_VERIFY) in us-east-1. Replace the ARN placeholder with your own key.
aws route53 create-key-signing-key --hosted-zone-id Z123456 --caller-reference unique-id \
  --key-management-service-arn arn:aws:kms:us-east-1:ACCOUNT_ID:key/KEY_ID \
  --name my-ksk --status ACTIVE

# Enable DNSSEC signing
aws route53 enable-hosted-zone-dnssec --hosted-zone-id Z123456

# Retrieve the DS record (under KeySigningKeys -> DSRecord) to publish at the registrar
aws route53 get-dnssec --hosted-zone-id Z123456

Google Cloud DNS

gcloud dns managed-zones update example-com --dnssec-state on

Domain Registrar (GoDaddy, Namecheap, Google Domains)

  1. Find the DNSSEC settings in your domain management
  2. Add the DS record provided by your DNS host
  3. Wait 24-48 hours for parent zone propagation

DNSSEC Key Rollover: ZSK and KSK

DNSSEC keys must be rotated periodically for security. There are two types of keys with different rotation schedules.

ZSK (Zone Signing Key)

  • Purpose: Signs all records in the zone
  • Rotation frequency: Every 30-90 days
  • Can be automated: Yes, using tools like OpenDNSSEC
  • Impact of change: Only requires re-signing the zone

KSK (Key Signing Key)

  • Purpose: Signs the DNSKEY record for ZSK
  • Rotation frequency: Every 1-5 years
  • Requires registrar update: Yes, DS record must be updated
  • Impact of change: Must update parent zone (more complex)

# Roll the ZSK with ldns (no -k here: -k would create a KSK, which also needs a new DS at the registrar)
ldns-keygen -a ECDSAP256SHA256 example.com
# Pre-publish: sign with the KSK, the old ZSK and the new ZSK, naming each key by its ldns-keygen
# base name (Kexample.com.+013+<keytag>, no extension); retire the old ZSK once its signatures expire
ldns-signzone -e 20260101000000 -o example.com example.com.zone Kexample.com.+013+<ksktag> Kexample.com.+013+<oldtag> Kexample.com.+013+<newtag>

Testing DNSSEC Validation from Command Line

Using dig (Linux/Mac)

# Ask your resolver with DNSSEC records included; the 'ad' flag in the header
# is set only when the resolver validated the answer itself
dig +dnssec example.com

# Fetch the zone's DNSKEY records (and the RRSIG covering them)
dig +dnssec example.com DNSKEY

# Show the A record and its RRSIG in readable, multi-line form
dig +dnssec example.com A +multiline

# Check the DS record published in the parent (.com) zone
dig +dnssec example.com DS @a.gtld-servers.net

Using delv (BIND's validation tool)

# delv performs the validation itself and prints "; fully validated" or the reason it failed
delv @8.8.8.8 example.com A

Online Testing Tools

  • DNSViz: https://dnsviz.net/ (visual chain of trust)
  • Verisign DNSSEC Debugger: https://dnssec-debugger.verisignlabs.com/
  • ICANN DNSSEC Tools: https://dnssec.icann.org/

Expected Output:

Look for the "ad" (authentic data) flag in the response. If it's present, DNSSEC validation succeeded.

Common DNSSEC Issues and Troubleshooting

❌ Bogus Status

Error: Validation fails because signature doesn't match

Fix: Check DNSSEC keys and DS record at registrar

⚠️ Serial Number Not Incremented

Error: Changes aren't propagating

Fix: Increment SOA serial after every change

❌ DS Record Mismatch

Error: Validation fails at delegation

Fix: Ensure the DS record at the registrar matches the one your DNS provider generated exactly (key tag, algorithm, digest type and digest)

⚠️ Expired Signatures

Error: RRSIG expired

Fix: Re-sign zone before expiration

Quick Diagnostic Commands:

# Check if domain is DNSSEC-enabled
dig +dnssec example.com DNSKEY
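As an added example that is not part of the article, a standard-library Python check for the "Expired Signatures" and "Bogus" cases above, applied to RRSIG records in the presentation format shown earlier: it parses the timing fields, flags signatures that are expired, not yet valid, or within a configurable number of days of expiring, and applies two naming sanity checks validators also make (the signer must be the zone containing the owner name, and the labels field must not exceed the owner name's label count). The RRSIG records are constructed samples, not from a live zone.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample RRSIG records in dig's presentation format (not from a live zone).
RRSIGS = [
    "example.com. 3600 IN RRSIG A 13 2 3600 20250101000000 20241201000000 2068 example.com. c2lnMQ==",
    "example.com. 3600 IN RRSIG MX 13 2 3600 20241215000000 20241115000000 2068 example.com. c2lnMg==",
]

def parse_timestamp(s):
    # RRSIG expiration/inception are YYYYMMDDHHMMSS in UTC.
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(record):
    # Fields after RRSIG: type covered, algorithm, labels, original TTL,
    # expiration, inception, key tag, signer name, base64 signature.
    f = record.split()
    i = f.index("RRSIG")
    return {
        "owner": f[0].lower(), "type_covered": f[i + 1], "algorithm": int(f[i + 2]),
        "labels": int(f[i + 3]), "original_ttl": int(f[i + 4]),
        "expiration": parse_timestamp(f[i + 5]), "inception": parse_timestamp(f[i + 6]),
        "key_tag": int(f[i + 7]), "signer": f[i + 8].lower(), "signature": "".join(f[i + 9:]),
    }

def check_rrsig(record, now, warn_days=7):
    # Returns why a validator rejects (or will soon reject) the signature;
    # an empty list means the timing and naming sanity checks all pass.
    sig = parse_rrsig(record)
    problems = []
    if now < sig["inception"]:
        problems.append("not yet valid: inception is in the future (check clock skew)")
    if now > sig["expiration"]:
        problems.append("expired: re-sign the zone")
    elif sig["expiration"] - now < timedelta(days=warn_days):
        problems.append(f"expires in {(sig['expiration'] - now).days} days: re-sign the zone soon")
    owner, signer = sig["owner"], sig["signer"]
    if not (owner == signer or owner.endswith("." + signer)):
        problems.append("signer is not the zone containing the owner name")
    if sig["labels"] > len([l for l in owner.split(".") if l and l != "*"]):
        problems.append("labels field exceeds the owner name's label count")
    return problems

def audit(records, now):
    # Map "owner TYPE" -> problems, for RRSIG lines pasted from a dig +dnssec answer.
    return {f"{parse_rrsig(r)['owner']} {parse_rrsig(r)['type_covered']}": check_rrsig(r, now)
            for r in records}

if __name__ == "__main__":
    for name, problems in audit(RRSIGS, datetime.now(timezone.utc)).items():
        print(name, "OK" if not problems else "; ".join(problems))
```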

DNSSEC vs DoH vs DoT: Understanding the Differences

Feature          | DNSSEC                     | DoH                  | DoT
Primary Purpose  | Authentication & Integrity | Privacy & Encryption | Privacy & Encryption
Encryption       | No (signs only)            | Yes (HTTPS)          | Yes (TLS)
Port             | 53 (UDP/TCP)               | 443 (HTTPS)          | 853 (TLS)
MITM Protection  | Yes                        | Yes                  | Yes

Best Practice:

Use DNSSEC + DoH or DoT together for complete security: authentication from DNSSEC plus privacy from encryption.

DNS Security Specialist

Priya specializes in DNS security and DNSSEC implementation with over 8 years of experience in enterprise security.
