DNS Security and DNSSEC
DNS was designed in an era of trust, with no built-in authentication or encryption. This makes it vulnerable to a range of attacks that can redirect users to malicious sites, intercept email, or disrupt services. This guide covers the major DNS threats and the technologies developed to counter them.
1. DNS Cache Poisoning
DNS cache poisoning (also called DNS spoofing) occurs when an attacker injects forged DNS responses into a resolver's cache. Subsequent queries for the affected domain return the attacker's IP address, redirecting victims to malicious servers.
How it works:
- The attacker sends a query for a domain (e.g., bank.example.com) to a recursive resolver, which in turn queries the authoritative server.
- Before the legitimate response arrives, the attacker floods the resolver with forged responses containing a malicious IP address.
- If a forged response matches the outstanding query (transaction ID, destination port, and question) and arrives first, the resolver caches it.
- All subsequent queries for bank.example.com return the attacker's IP until the cache entry expires.
Impact: Victims can be sent to phishing sites that mimic legitimate services in order to harvest credentials or deliver malware, and if MX lookups are poisoned, email is routed to attacker-controlled servers.
Mitigations:
- Use DNSSEC to validate response authenticity; a validating resolver discards a forged answer that carries no valid signature.
- Use randomized source ports and transaction IDs (standard in modern resolvers); together they raise the attacker's guessing space from 2^16 to roughly 2^32 per query.
- Use encrypted DNS (DoH or DoT) between client and resolver to prevent on-path tampering on that hop. Note that this does not protect the resolver's own queries to authoritative servers, which is where classic cache poisoning takes place.
- Run a local validating resolver instead of relying on third-party resolvers.
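The race described in the steps above, and the effect of the port-randomization mitigation, as a toy simulation. This is an added example, not code from the original guide: the resolver, the attacker's strategy (sweep transaction IDs in order, guess the port at random) and the addresses are constructed for illustration, and no packets are sent.

```python
"""Toy model of a blind cache-poisoning race. This is an added example, not
code from the original guide: the resolver, the attacker and the addresses
below are constructed for illustration and no packets are sent."""
import random

TXID_SPACE = 1 << 16                  # 16-bit transaction ID field
EPHEMERAL_PORTS = range(1024, 65536)  # source ports a randomizing resolver picks from
LEGIT_IP = "203.0.113.10"             # constructed (documentation range)
FORGED_IP = "198.51.100.66"           # constructed (documentation range)


class ToyResolver:
    """Caches the first reply whose question, transaction ID and destination
    port all match an outstanding query; there is no DNSSEC here."""

    def __init__(self, randomize_ports: bool, rng: random.Random):
        self.randomize_ports = randomize_ports
        self.rng = rng
        self.pending = {}   # qname -> (txid, source port used for the query)
        self.cache = {}     # qname -> ip

    def send_query(self, qname: str) -> None:
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_ports else 53
        self.pending[qname] = (txid, port)

    def receive(self, qname: str, txid: int, port: int, ip: str) -> bool:
        """Accept and cache the reply only if every field matches."""
        if self.pending.get(qname) != (txid, port):
            return False                     # mismatch: silently dropped
        self.cache[qname] = ip
        del self.pending[qname]
        return True


def poison_attempt(resolver: ToyResolver, qname: str, budget: int,
                   rng: random.Random) -> bool:
    """One race: trigger a lookup, fire `budget` forged replies before the real
    answer lands (transaction IDs swept in order, port guessed at random),
    then let the legitimate reply arrive. Returns True if the forgery won."""
    resolver.send_query(qname)
    for guess_txid in range(min(budget, TXID_SPACE)):
        guess_port = rng.choice(EPHEMERAL_PORTS) if resolver.randomize_ports else 53
        if resolver.receive(qname, guess_txid, guess_port, FORGED_IP):
            return True
    txid, port = resolver.pending[qname]
    resolver.receive(qname, txid, port, LEGIT_IP)   # legitimate answer wins
    return False


def poison_rate(trials: int, budget: int, randomize_ports: bool, seed: int = 1) -> float:
    """Fraction of simulated races the attacker wins."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        wins += poison_attempt(ToyResolver(randomize_ports, rng),
                               "bank.example.com", budget, rng)
    return wins / trials


def success_probability(budget: int, randomize_ports: bool) -> float:
    """Closed form for the same race: the ID sweep hits with probability
    budget/2^16, and with port randomization that single hit still has to
    guess one port out of 64512."""
    p_txid = min(budget, TXID_SPACE) / TXID_SPACE
    return p_txid / (len(EPHEMERAL_PORTS) if randomize_ports else 1)


if __name__ == "__main__":
    for ports in (False, True):
        print(f"randomized ports={ports}: closed form "
              f"{success_probability(65536, ports):.2e}, "
              f"simulated {poison_rate(3, 65536, ports):.2f}")
```

With a fixed port, an attacker who can send 65536 forged replies before the real one arrives always wins; with randomized ports the same budget wins about once in 64512 races. Real attackers get around the "one shot per query" limit by forcing many fresh lookups (random subdomains), which is why the guessing space, and ultimately DNSSEC, matters rather than the single-race odds.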
2. DNS Hijacking
DNS hijacking is any attack that modifies DNS settings to redirect queries. Unlike cache poisoning, hijacking typically involves persistent changes at the resolver, router, or registrar level.
Types of DNS hijacking:
- Router hijacking: Attackers exploit default credentials on home routers to change DNS settings for all connected devices.
- Man-in-the-middle (MitM): Attackers on the same network intercept and modify DNS queries in transit (ARP spoofing, rogue DHCP).
- Registrar hijacking: Attackers gain access to domain registrar accounts and change NS records to point to malicious servers.
- ISP-level hijacking: Some ISPs redirect NXDOMAIN responses to their own ad-serving or tracking pages.
Real-world example: In 2019, attackers hijacked DNS records for a cryptocurrency platform by compromising the registrar, redirecting users to a phishing site that captured login credentials and stole funds.
Mitigations:
- Enable two-factor authentication on registrar accounts.
- Use registrar lock (the EPP status codes clientTransferProhibited, clientUpdateProhibited and clientDeleteProhibited) and, for high-value domains, a registry lock (the serverTransferProhibited, serverUpdateProhibited and serverDeleteProhibited statuses, which cannot be cleared through the registrar account alone) to prevent unauthorized changes.
- Use DNSSEC to detect unauthorized record modifications. This only helps while the attacker cannot also replace the DS record at the registrar; an attacker with full registrar access can remove DNSSEC altogether, which is itself a change worth alerting on.
- Monitor DNS records for unexpected changes.
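Two checks that put the last two mitigations into practice: confirming which locks a domain's RDAP record carries, and diffing observed DNS records against a known-good baseline. This is an added example, not code from the original guide; the RDAP document and the record snapshots are constructed sample data, and a real job would fetch them from the registrar's RDAP endpoint and from several independent resolvers.

```python
"""Two monitoring checks against registrar hijacking. This is an added example,
not code from the original guide; the RDAP document and the record snapshots
are constructed sample data."""
import json

# EPP status codes in the spelling RDAP uses (RFC 8056 mapping).
REGISTRAR_LOCKS = {"client transfer prohibited", "client update prohibited",
                   "client delete prohibited"}
# The "server" variants are set by the registry (registry lock) and cannot be
# cleared through the registrar account alone.
REGISTRY_LOCKS = {"server transfer prohibited", "server update prohibited",
                  "server delete prohibited"}

CRITICAL_TYPES = {"NS", "DS", "MX"}   # a change here is a hijack signal, not noise


def missing_locks(rdap_json: str) -> dict:
    """Which locks the RDAP 'status' array does not carry, per lock level."""
    status = {s.lower() for s in json.loads(rdap_json).get("status", [])}
    return {"registrar": sorted(REGISTRAR_LOCKS - status),
            "registry": sorted(REGISTRY_LOCKS - status)}


def diff_records(baseline: dict, observed: dict) -> list:
    """Compare record sets keyed by (owner, type); order within a set is
    irrelevant. A vanished DS set is reported like any other change, because
    stripping DNSSEC is usually the first step of a hijack."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        expected, seen = set(baseline.get(key, ())), set(observed.get(key, ()))
        if expected != seen:
            findings.append({
                "record": key,
                "added": sorted(seen - expected),
                "removed": sorted(expected - seen),
                "severity": "critical" if key[1] in CRITICAL_TYPES else "warning",
            })
    return findings


# Constructed RDAP response: transfer lock present, update/delete locks absent.
SAMPLE_RDAP = json.dumps({"ldhName": "example.com",
                          "status": ["active", "client transfer prohibited"]})

# Constructed snapshots: the attacker swapped the name servers and dropped DS
# (the DS digest is omitted from the sample).
BASELINE = {("example.com", "NS"): ["ns1.example.net", "ns2.example.net"],
            ("example.com", "DS"): ["12345 13 2 <digest>"],
            ("example.com", "A"): ["203.0.113.10"]}
OBSERVED = {("example.com", "NS"): ["ns1.attacker.example", "ns2.attacker.example"],
            ("example.com", "A"): ["203.0.113.10"]}

if __name__ == "__main__":
    print(missing_locks(SAMPLE_RDAP))
    for finding in diff_records(BASELINE, OBSERVED):
        print(finding)
```

Run the diff from outside your own network as well as inside it: a hijack at the registrar shows up at every resolver, while a poisoned or hijacked local resolver shows up only from the affected vantage point.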
3. DNS Rebinding
DNS rebinding is an attack that turns a victim's browser into a proxy for internal (private) IP addresses. The same-origin policy keys an origin on scheme, host name and port, not on the IP address the name resolves to, so an attacker who controls the DNS for a host name can point it first at a public server and then at a private address while the browser treats both as the same origin.
How it works:
- A user visits evil.example.com, which resolves to the attacker's server (public IP) with a very short TTL.
- The page loads JavaScript that keeps making requests to evil.example.com.
- Once the TTL has expired, the attacker's DNS server answers subsequent queries with 192.168.1.1 (the victim's router).
- The browser, still treating the host as the same origin, sends the script's requests to the internal device and lets the script read the responses.
Impact: Attackers can access internal services (routers, IoT devices, admin panels) that are not exposed to the internet.
Mitigations:
- Use DNS rebinding protection in resolvers (drop answers that map public names to private, loopback or link-local ranges, e.g. Unbound's private-address directive or dnsmasq's stop-dns-rebind option).
- Require Host header validation on internal services: reject requests whose Host header is not one of the service's own names or addresses, since a rebinding request arrives carrying the attacker's host name.
- Use authentication on all internal admin interfaces.
- Deploy network segmentation to limit lateral movement.
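The first two mitigations as code: a resolver-side answer filter that refuses to map a public name to internal address space (with an exception for zones you legitimately serve private addresses for), and the Host header check an internal service should perform. This is an added example, not code from the original guide or from any resolver; the names, addresses and the simulated answer sequence are constructed.

```python
"""Resolver-side rebinding filter and a Host-header check. This is an added
example, not code from the original guide; the names, addresses and the
simulated answer sequence are constructed."""
import ipaddress

# Ranges a public host name should never resolve to. Listed explicitly rather
# than via ipaddress.is_private so that the documentation ranges used as
# "public" sample addresses below count as public.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "::/128", "fc00::/7", "fe80::/10",
)]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # ::ffff:192.168.1.1 is still 192.168.1.1
    return any(ip in net for net in INTERNAL_NETS)


def filter_answers(qname: str, answers, internal_zones=()) -> list:
    """Drop A/AAAA answers that point into internal space, unless qname lies
    under a zone we legitimately serve internal addresses for (split horizon)."""
    name = qname.lower().rstrip(".")
    if any(name == z or name.endswith("." + z) for z in internal_zones):
        return list(answers)
    return [a for a in answers if not is_internal(a)]


def host_allowed(host_header: str, allowed_hosts) -> bool:
    """Accept only the names (or literal addresses) the service is known by.
    A rebinding request carries the attacker's host name, e.g. evil.example.com."""
    host = host_header.strip().lower()
    if host.startswith("["):                      # [v6]:port
        host = host[1:host.index("]")]
    elif host.count(":") == 1:                    # name:port or v4:port
        host = host.split(":")[0]
    return host in {h.lower() for h in allowed_hosts}


def simulate_rebinding(answer_sequence, protected: bool) -> list:
    """Constructed attack: the attacker's DNS first returns a public address,
    then a private one. Returns the address each request would reach
    (None where the filtered resolver returned no usable answer)."""
    reached = []
    for answers in answer_sequence:
        kept = filter_answers("evil.example.com", answers) if protected else list(answers)
        reached.append(kept[0] if kept else None)
    return reached


# Constructed attack sequence: public address first, then the victim's router.
ATTACK = [["203.0.113.5"], ["192.168.1.1"]]

if __name__ == "__main__":
    print("unprotected:", simulate_rebinding(ATTACK, protected=False))
    print("protected:  ", simulate_rebinding(ATTACK, protected=True))
    print("Host evil.example.com on router:", host_allowed("evil.example.com", {"router.local"}))
```

The IPv4-mapped check matters because a resolver that only inspects A records can be bypassed with an AAAA answer of ::ffff:192.168.1.1; the Host check matters because the resolver filter is useless on networks the client does not control (public Wi-Fi, the attacker's own DoH resolver).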
4. DNSSEC Explained
DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records, allowing resolvers to verify that responses are authentic and have not been tampered with.
How it works:
- Each DNS zone has a ZSK (Zone Signing Key) whose private half signs the zone's record sets; the signatures are published as RRSIG records.
- A KSK (Key Signing Key) signs the DNSKEY record set that holds both public keys. Splitting the roles lets an operator roll the ZSK frequently without touching the parent zone, because only the KSK is referenced from the parent.
- Resolvers validate signatures by following a chain of trust from the root zone down to the target zone.
- The root zone's KSK is managed by ICANN (through IANA) and is the trust anchor for the entire system; validating resolvers ship with it preconfigured.
Chain of trust example:
Root (.) → .com (DS record) → example.com (DS record) → sub.example.com
Each parent zone publishes a DS (Delegation Signer) record containing a hash of the child zone's KSK. A validating resolver checks each link in the chain.
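The DS link described above, computed the way a validator computes it: the key tag from RFC 4034 Appendix B, the DS digest of RFC 4034 section 5.1.4 (a hash over the canonical owner name followed by the DNSKEY RDATA), and a walk down a constructed root → com → example.com chain starting from the root key in DS form, which is how IANA distributes the trust anchor. This is an added example, not code from the original guide: the public-key bytes are filler rather than real keys, so RRSIG signatures are not verified here; only the parent-to-child binding is shown.

```python
"""Key tag (RFC 4034 Appendix B), DS digest (RFC 4034 section 5.1.4) and a
chain-of-trust walk over constructed keys. Added example, not code from the
original guide; key bytes are filler, and RRSIG verification is out of scope."""
import hashlib
import hmac
import struct

DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest type
KSK_FLAGS, ZSK_FLAGS = 257, 256          # zone-key bit (256) plus SEP bit (1) for a KSK


def wire_name(name: str) -> bytes:
    """Canonical wire form: lowercase labels, each length-prefixed, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) protocol(1, always 3) algorithm(1) public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = H(canonical owner name || DNSKEY RDATA)."""
    return DS_DIGESTS[digest_type](wire_name(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS RDATA the parent publishes for this child key:
    (key tag, algorithm, digest type, digest)."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches_dnskey(ds: tuple, owner: str, rdata: bytes) -> bool:
    """Validator check for one link: the child key must be a KSK and every DS
    field must be reproducible from it."""
    tag, alg, dtype, digest = ds
    flags = struct.unpack("!H", rdata[:2])[0]
    return ((flags & KSK_FLAGS) == KSK_FLAGS
            and rdata[3] == alg
            and key_tag(rdata) == tag
            and hmac.compare_digest(ds_digest(owner, rdata, dtype), digest))


def validate_chain(trust_anchor_ds: tuple, chain: list):
    """chain: [(zone, ksk_rdata, ds_published_for_child_or_None), ...] from the
    root down. Returns the first zone whose link breaks, or None if all hold.
    A missing DS mid-chain is treated as a break here (a real validator would
    classify the delegation as insecure rather than bogus)."""
    expected_ds = trust_anchor_ds
    for zone, ksk, ds_for_child in chain:
        if expected_ds is None or not ds_matches_dnskey(expected_ds, zone, ksk):
            return zone
        expected_ds = ds_for_child
    return None


# Constructed keys: filler bytes stand in for ECDSA P-256 (algorithm 13) public keys.
ROOT_KSK = dnskey_rdata(KSK_FLAGS, 13, bytes(range(0, 64)))
COM_KSK = dnskey_rdata(KSK_FLAGS, 13, bytes(range(1, 65)))
EXAMPLE_KSK = dnskey_rdata(KSK_FLAGS, 13, bytes(range(2, 66)))
TRUST_ANCHOR = make_ds(".", ROOT_KSK)
CHAIN = [(".", ROOT_KSK, make_ds("com", COM_KSK)),
         ("com", COM_KSK, make_ds("example.com", EXAMPLE_KSK)),
         ("example.com", EXAMPLE_KSK, None)]

if __name__ == "__main__":
    print("intact chain broken at:", validate_chain(TRUST_ANCHOR, CHAIN))
    tampered = CHAIN[:2] + [("example.com", dnskey_rdata(KSK_FLAGS, 13, bytes(64)), None)]
    print("tampered chain broken at:", validate_chain(TRUST_ANCHOR, tampered))
```

The owner name goes into the digest in canonical (lowercase) form, which is why a DS computed for example.com also matches a DNSKEY queried as EXAMPLE.COM. Because the DS is a hash of the whole DNSKEY RDATA, changing the flags (for instance presenting a ZSK) or a single key byte breaks the link, and a fresh DS must be published in the parent whenever the KSK is rolled.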
Key properties:
- Data origin authentication: Proves records came from the authoritative zone.
- Data integrity: Proves records have not been modified in transit.
- Authenticated denial of existence: NSEC/NSEC3 records prove that a name or record type really does not exist, so a forged NXDOMAIN is detectable.
- Does NOT provide confidentiality: DNSSEC does not encrypt queries or responses.
Limitations: DNSSEC increases DNS response size, adds operational complexity (key management, key rollovers), and does not protect against all attacks (e.g., DDoS, domain seizure at the registrar). It also only helps where validation actually happens: a resolver that does not validate, or a stub that blindly trusts a non-validating resolver, gains nothing from signed zones.
5. DNS over HTTPS (DoH)
DNS over HTTPS encrypts DNS queries by sending them over HTTPS (typically port 443) to a DoH-compliant resolver. This prevents eavesdropping and manipulation by network intermediaries.
How it works:
```http
GET /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/1.1
Host: cloudflare-dns.com
Accept: application/dns-message
```
The dns parameter is the raw wire-format DNS query (here an A query for www.example.com) encoded as base64url with the padding removed, as RFC 8484 specifies; the transaction ID is set to 0 so that identical queries produce identical URLs and can be served from HTTP caches. Clients may instead POST the binary message with Content-Type application/dns-message. Either way the response body is a binary DNS message. Over HTTP/2, which DoH servers commonly use, the same fields travel as :method, :path, :authority and accept header fields.
Advantages:
- Queries are encrypted, preventing ISP and network-level surveillance.
- Uses port 443, blending with normal HTTPS traffic (harder to block).
- Supported by major browsers (Firefox, Chrome, Edge) and operating systems.
Disadvantages:
- Centralizes DNS queries to a few large providers (privacy concern).
- Can bypass enterprise DNS policies and security filtering: a browser or application with its own DoH resolver configured sidesteps the network's resolver entirely.
- Slightly higher latency due to HTTPS overhead.
6. DNS over TLS (DoT)
DNS over TLS encrypts DNS queries using TLS on a dedicated port (853). Like DoH, it prevents eavesdropping and tampering, but uses a simpler protocol.
Comparison with DoH:
- DoT uses port 853; DoH uses port 443.
- DoT is easier for firewalls to identify and block.
- DoH is more censorship-resistant because it blends with web traffic.
- DoT has slightly less overhead (no HTTP layer).
When to use: DoT is preferred in enterprise environments where you want to ensure DNS traffic is encrypted but still distinguishable from web traffic for policy enforcement. DoH is preferred for personal privacy and censorship resistance.
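The wire-level difference between the two transports, for the DoH request shown in the previous section and for DoT. This is an added example, not code from the original guide or from any resolver: it builds the query behind the dns= parameter and encodes it as RFC 8484 requires, frames the same message for DoT (RFC 7858 reuses the 2-octet length prefix of DNS over TCP from RFC 1035), and parses a message back. Nothing is sent on the network; the resolver host name is the one from the guide's example.

```python
"""DoH 'dns=' encoding and DoT framing for the same query. Added example, not
code from the original guide; offline, no resolver is contacted."""
import base64
import struct

QTYPES = {"A": 1, "NS": 2, "MX": 15, "TXT": 16, "AAAA": 28}


def encode_name(name: str) -> bytes:
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: str = "A", txid: int = 0) -> bytes:
    """Standard query with RD set: header, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPES[qtype], 1)


def doh_dns_param(qname: str, qtype: str = "A") -> str:
    """Value of the 'dns' query parameter: base64url, padding stripped, ID 0."""
    return base64.urlsafe_b64encode(build_query(qname, qtype)).rstrip(b"=").decode("ascii")


def doh_get_request(qname: str, qtype: str = "A", host: str = "cloudflare-dns.com",
                    path: str = "/dns-query") -> str:
    """HTTP/1.1 text form of the DoH GET."""
    return (f"GET {path}?dns={doh_dns_param(qname, qtype)} HTTP/1.1\r\n"
            f"Host: {host}\r\nAccept: application/dns-message\r\n\r\n")


def dot_frame(message: bytes) -> bytes:
    """DoT/TCP framing: 2-octet big-endian length, then the message."""
    return struct.pack("!H", len(message)) + message


def dot_unframe(stream: bytes) -> list:
    """Split received stream bytes back into DNS messages (pipelined queries
    may share one connection); an incomplete trailing message is left out."""
    messages, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + length > len(stream):
            break
        messages.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return messages


def parse_question(message: bytes) -> tuple:
    """(txid, qname, qtype) from a message's first question."""
    txid, _flags, qdcount = struct.unpack("!HHH", message[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        n = message[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(message[pos:pos + n].decode("ascii"))
        pos += n
    qtype, _qclass = struct.unpack("!HH", message[pos:pos + 4])
    return txid, ".".join(labels), qtype


if __name__ == "__main__":
    print(doh_get_request("www.example.com"))
    msg = build_query("www.example.com")
    print(dot_frame(msg).hex(), parse_question(msg))
```

The 33-byte query becomes a 44-character parameter; the same bytes on a DoT connection cost two octets of framing and nothing else, which is the "less overhead" point above. Note that a real DoH client sets the transaction ID to 0 only for GET, where caching is the goal; over DoT, where the TLS session already separates clients, the ID can be random as usual.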
7. DNS Filtering
DNS filtering blocks access to malicious or unwanted domains by returning modified DNS responses. It is widely used for security, parental controls, and corporate compliance.
How it works:
- A client queries a domain (e.g., malware.example.com).
- The DNS resolver checks the domain against a blocklist.
- If blocked, the resolver returns 0.0.0.0, ::, or a sinkhole IP address.
- If allowed, the resolver returns the legitimate IP address.
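The decision logic of those steps, including the details the list leaves implicit: a block rule also covers every subdomain, a more specific allow rule can carve out an exception, and the sinkhole answer depends on the record type. This is an added example, not code from the original guide or from any of the services listed below; the block and allow lists, the "upstream" answers and the query names are constructed, and a real deployment would load threat feeds and forward allowed queries to a real resolver.

```python
"""Decision logic of a filtering resolver. Added example, not code from the
original guide; lists, upstream answers and names are constructed."""

BLOCKLIST = {"malware.example.com", "ads.example.net"}      # constructed feed
ALLOWLIST = {"cdn.ads.example.net"}                        # exception under a blocked parent
UPSTREAM = {("www.example.org", "A"): ["203.0.113.20"],    # stands in for real recursion
            ("cdn.ads.example.net", "A"): ["203.0.113.30"]}
SINKHOLE = {"A": "0.0.0.0", "AAAA": "::"}                  # default block answers


def matching_rule(qname: str, rules):
    """Most specific rule equal to qname or to one of its parent domains."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in rules:
            return candidate
    return None


def resolve(qname: str, qtype: str, sinkhole: dict = None) -> tuple:
    """Return (answers, verdict). A block rule applies unless a more specific
    allow rule covers the name. Blocked A/AAAA queries get the sinkhole
    address; other blocked types get an empty answer (the client sees NODATA).
    `sinkhole` may override the default answers per type, e.g. {"A": "10.0.0.5"}
    to send blocked hosts to an internal warning page."""
    block = matching_rule(qname, BLOCKLIST)
    allow = matching_rule(qname, ALLOWLIST)
    overridden = allow is not None and (block is None or allow.count(".") > block.count("."))
    if block is not None and not overridden:
        answers = {**SINKHOLE, **(sinkhole or {})}
        return ([answers[qtype]] if qtype in answers else []), "blocked"
    name = qname.lower().rstrip(".")
    return list(UPSTREAM.get((name, qtype), [])), "allowed"


if __name__ == "__main__":
    for q in (("malware.example.com", "A"), ("evil.malware.example.com", "AAAA"),
              ("cdn.ads.example.net", "A"), ("www.example.org", "A")):
        print(q, "->", resolve(*q))
```

Returning 0.0.0.0 rather than NXDOMAIN is a trade-off: applications fail fast on an unroutable address, but a client that validates DNSSEC will see the synthesized answer as bogus, so filtering is normally done at the resolver the clients already trust, not in the path between a validating client and its resolver.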
Popular DNS filtering services:
| Service | Primary IP | Focus |
|---|---|---|
| Cloudflare (1.1.1.1 for Families) | 1.1.1.2 | Malware blocking |
| Quad9 | 9.9.9.9 | Threat intelligence |
| OpenDNS | 208.67.222.222 | Content filtering |
| NextDNS | Custom | Customizable filtering |
8. Security Technology Comparison
| Technology | Encrypts Traffic | Authenticates Data | Prevents Poisoning | Port | Standard |
|---|---|---|---|---|---|
| Plain DNS | No | No | No | 53 | RFC 1035 |
| DNSSEC | No | Yes (origin and integrity) | Yes, at validating resolvers | 53 | RFC 4033-4035 |
| DoT | Yes | No (TLS authenticates the resolver, not the records) | Only on the client-to-resolver hop | 853 | RFC 7858 |
| DoH | Yes | No (TLS authenticates the resolver, not the records) | Only on the client-to-resolver hop | 443 | RFC 8484 |
| DNSCrypt | Yes | No (authenticates the resolver via its certificate) | Only on the client-to-resolver hop | 443 by convention | Community specification, no RFC |
Encrypted transports stop an on-path attacker between you and the resolver from reading or rewriting answers, but they say nothing about what the resolver itself was fed by authoritative servers; only DNSSEC validation covers that.
Best practice: Combine DNSSEC validation (data authenticity), DoH or DoT (transport encryption to the resolver) and DNS filtering (threat blocking). Each covers a different hop or threat, and none of them substitutes for the others.