DNS Security Guide

Protect your domain from common threats with the latest DNS security standards and best practices

DNS Security Overview

The Domain Name System (DNS) serves as the internet's phone book, translating human-readable domain names into machine-readable IP addresses. However, as a critical internet infrastructure component, DNS is frequently targeted by attackers aiming to redirect traffic, intercept sensitive information, or disrupt service availability.

Why DNS Security Matters

DNS vulnerabilities can lead to:

  • Traffic hijacking and redirection to malicious sites
  • Man-in-the-middle attacks intercepting sensitive data
  • DNS amplification DDoS attacks
  • Domain hijacking through unauthorized transfers
  • Email spoofing and phishing using your domain

This guide covers the essential DNS security standards, common threats, and best practices to protect your domain name infrastructure. Whether you're managing a personal website, a small business, or enterprise domains, implementing these security measures is critical for maintaining domain integrity and user trust.

Common DNS Threats

Critical Threat

DNS Cache Poisoning

DNS cache poisoning (also known as DNS spoofing) occurs when a malicious actor injects corrupt DNS data into a resolver's cache. This causes the resolver to return incorrect IP addresses, redirecting users to malicious websites.

How It Works

  1. An attacker sends a DNS resolver a query for a specific domain
  2. The attacker floods the resolver with fake responses before the legitimate one arrives
  3. If successful, the resolver caches the fake DNS entries
  4. Subsequent visitors requesting that domain are directed to the attacker's server

Primary Defenses

  • DNSSEC: Validates DNS responses cryptographically to ensure authenticity
  • DNS Query ID and Port Randomization: Makes it harder for attackers to guess transaction parameters
  • Response Rate Limiting: Restricts how quickly name servers respond to the same request

Common Threat

DNS Amplification Attacks

DNS amplification is a type of Distributed Denial of Service (DDoS) attack where attackers exploit open DNS resolvers to flood a target with a massive volume of DNS response traffic.

How It Works

  1. Attackers send small DNS queries with spoofed source IP addresses (the victim's IP)
  2. They specially craft these queries to generate large responses (amplification factor)
  3. Open DNS resolvers send these large responses to the victim's IP address
  4. The victim's network gets overwhelmed with traffic

Amplification Factor

DNS queries are typically small (60-70 bytes), but responses can be much larger (up to 4,000 bytes) when EDNS is in use or an ANY query asks for every record type. This yields an amplification factor of up to 70x, so a small volume of attack traffic produces a massive volume of response traffic at the victim.

Primary Defenses

  • Recursive DNS Server Configuration: Configure DNS servers to only respond to queries from authorized networks
  • Rate Limiting: Implement response rate limiting on DNS servers
  • DNSSEC with Caution: While DNSSEC is important, it increases response sizes, potentially increasing amplification
  • DNS Traffic Filtering: Use DDoS protection services that can filter abnormal DNS traffic patterns

Emerging Threat

DNS Tunneling

DNS tunneling exploits the DNS protocol to tunnel malware communications or exfiltrate data through DNS queries and responses, bypassing traditional security controls.

How It Works

  1. Attackers encode data within DNS queries to domains they control
  2. DNS requests pass through firewalls that typically allow DNS traffic
  3. The attacker's authoritative DNS server captures and decodes the data
  4. Responses can also contain encoded commands or data

Primary Defenses

  • DNS Traffic Analysis: Monitor for unusual DNS traffic patterns, including high volumes of requests, long request strings, and unusual subdomains
  • DNS Query Logging: Implement detailed DNS query logging and analysis
  • DNS Filtering: Use DNS security services that can detect and block tunneling attempts
  • Endpoint Security: Deploy endpoint security solutions to detect and prevent malware that uses DNS tunneling
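
The traffic-analysis defense above, as an added example (not code from the page): a small scorer that flags long, high-entropy query names repeated against one registered domain. The log lines are constructed for the demo, and the thresholds and the two-label "registered domain" shortcut are assumptions to tune for a real deployment.

```python
import math
from collections import defaultdict

# Constructed sample query log (not from the page): "client qname qtype".
# The tunnel.example.net queries mimic encoded payload chunks carried in subdomain labels.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 a3f9c2e1b7d4.4e8a1c0f9b2d7e6a.x1.tunnel.example.net TXT
10.0.0.7 9d1e4b7a2c8f.0b3e6d9a1f4c7e2b.x2.tunnel.example.net TXT
10.0.0.7 c7a2e9f4b1d8.6f2a9c4e7b1d3a8e.x3.tunnel.example.net TXT
10.0.0.7 e1b8d4f7a2c9.3a7c1e9f4b8d2a6e.x4.tunnel.example.net TXT
10.0.0.9 cdn.example.org A
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded or encrypted payloads score far higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    # Simplification: last two labels. Production code should use the public suffix list.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_query(qname: str) -> dict:
    """Length, label count and entropy of the part below the registered domain."""
    labels = qname.rstrip(".").split(".")
    sub = "".join(labels[:-2])
    return {"qname": qname, "length": len(qname), "labels": len(labels),
            "entropy": round(shannon_entropy(sub), 2)}

def find_tunnel_candidates(log: str, min_len: int = 40, min_entropy: float = 3.5,
                           min_queries: int = 3) -> dict:
    """Registered domains receiving repeated long, high-entropy queries: tunnel candidates."""
    per_domain = defaultdict(list)
    for line in log.splitlines():
        client, qname, qtype = line.split()
        s = score_query(qname)
        if s["length"] >= min_len and s["entropy"] >= min_entropy:
            per_domain[registered_domain(qname)].append((client, qtype))
    return {d: v for d, v in per_domain.items() if len(v) >= min_queries}
```

Run against real resolver logs, the hits are the starting point for a DNS firewall block or an endpoint investigation, not a verdict on their own.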

DNSSEC: DNS Security Extensions

DNSSEC (Domain Name System Security Extensions) adds a layer of trust to DNS by cryptographically signing DNS records. This ensures that DNS responses are authentic and haven't been tampered with in transit.

How DNSSEC Works

DNSSEC works by creating a chain of trust from the DNS root to your domain through digital signatures:

  1. Zone Signing: Each DNS record in a zone is cryptographically signed with a Zone Signing Key (ZSK)
  2. Key Chain: The ZSK is signed by a Key Signing Key (KSK)
  3. Trust Anchor: The KSK's hash is published in the parent zone as a DS (Delegation Signer) record
  4. Chain of Trust: DNS resolvers can validate the entire chain from the root zone down to individual records

DNSSEC Record Types

  Record Type   Purpose
  DNSKEY        Contains the public keys used to verify the digital signatures
  RRSIG         Contains the cryptographic signatures for DNS record sets
  DS            Contains the hash of a DNSKEY record, used to establish the chain of trust
  NSEC/NSEC3    Proves the non-existence of DNS records (authenticated denial of existence)

DNSSEC Implementation Process

  1. Key Generation: Generate KSK and ZSK key pairs for your domain
  2. Zone Signing: Sign your DNS zone file with these keys
  3. DS Record Publication: Publish the DS record in the parent zone (typically via your domain registrar)
  4. Validation Testing: Verify that DNSSEC is working correctly using validation tools
  5. Key Management: Implement a regular key rotation schedule

  # Example of a DNSKEY record
  # (flags 256 = zone signing key, protocol 3, algorithm 8 = RSASHA256, public key)
  example.com. 3600 IN DNSKEY 256 3 8 AwEAAcQ7RLaJNn4UjYt/...

  # Example of an RRSIG record
  # (type covered, algorithm, labels, original TTL, expiration, inception,
  #  key tag, signer name, signature)
  example.com. 3600 IN RRSIG A 8 2 3600 20250601000000 20250501000000 12345 example.com. GA82wN+i...

  # Example of a DS record, published in the parent zone
  # (key tag, algorithm, digest type 2 = SHA-256, digest of the DNSKEY)
  example.com. 3600 IN DS 12345 8 2 A41524F4F5...

DNSSEC Benefits

  • Prevents cache poisoning attacks
  • Ensures DNS data integrity
  • Protects against man-in-the-middle attacks
  • Required for DANE (DNS-Based Authentication of Named Entities) implementation
  • Increasingly required by government and enterprise security policies

DNSSEC Considerations

  • Increases DNS response sizes (can affect amplification attacks)
  • Requires proper key management and rotation
  • Implementation errors can cause domain resolution failures
  • Most DNS providers now offer one-click DNSSEC activation

DNS Encryption: DoH and DoT

Traditional DNS queries and responses are sent in plaintext, making them vulnerable to eavesdropping and tampering. DNS encryption protocols address this by encrypting DNS traffic between clients and resolvers.

DNS over HTTPS (DoH)

DNS over HTTPS encapsulates DNS queries in HTTPS, making them indistinguishable from regular web traffic and providing privacy, security, and potential circumvention of DNS-based blocking.

How DoH Works

  1. DNS queries are sent as HTTPS requests to a DoH-compatible resolver
  2. These requests are encrypted using TLS 1.2 or later
  3. The resolver processes the query and returns the response via HTTPS
  4. All traffic looks like standard web browsing to observers

DoH Implementation

For website visitors using DoH, no configuration is needed on your domain. However, for your own infrastructure:

  • Client Configuration: Modern browsers (Firefox, Chrome, Edge) support DoH and can be configured to use it
  • Resolver Support: Use public DoH resolvers (Google, Cloudflare, Quad9) or set up your own
  • Server Implementation: Run your own DoH server using tools like dns-over-https or dnsdist

  # Example DoH server setup using dnsdist
  # Configuration in dnsdist.conf
  addDOHLocal("0.0.0.0:443", "/etc/ssl/certs/cert.pem", "/etc/ssl/private/key.pem", "/dns-query", { reusePort=true })

  # Client curl test: dnsdist serves the RFC 8484 wire format (application/dns-message),
  # not the JSON API, so let curl build the DoH query itself and resolve the target through it
  curl -v --doh-url https://example.com/dns-query https://example.org/
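
What a DoH client actually sends, as an added example (not code from the page or from dnsdist): a wire-format DNS query and the RFC 8484 GET URL and POST body built from it, using the page's https://example.com/dns-query endpoint as the resolver URL.

```python
import base64
import struct

def encode_name(name: str) -> bytes:
    """Wire-format QNAME: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal DNS query: 12-byte header (RD set, one question) plus the question section.
    RFC 8484 recommends txid 0 so that identical queries yield identical HTTP requests
    and can be served from HTTP caches."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(resolver_url: str, name: str, qtype: int = 1) -> str:
    """GET form of RFC 8484: the wire query, base64url-encoded without '=' padding,
    carried in the 'dns' query parameter."""
    wire = build_query(name, qtype)
    encoded = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"

def doh_post_request(resolver_url: str, name: str, qtype: int = 1) -> tuple:
    """POST form: the raw wire query is the body, typed as application/dns-message."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return resolver_url, headers, build_query(name, qtype)

def decode_doh_param(dns_param: str) -> bytes:
    """Reverse the GET encoding (restore padding) to inspect what a client sent."""
    padded = dns_param + "=" * (-len(dns_param) % 4)
    return base64.urlsafe_b64decode(padded)
```

The body of either form is the same bytes a plaintext UDP resolver would receive on port 53; only the transport changes, which is why a DoH endpoint looks like any other HTTPS URL to a network observer.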

DNS over TLS (DoT)

DNS over TLS encapsulates DNS queries within a TLS (Transport Layer Security) connection, providing authentication and encryption similar to DoH but on a dedicated port (853).

How DoT Works

  1. A TLS connection is established between the client and the DoT resolver on port 853
  2. DNS queries and responses are exchanged over this encrypted connection
  3. The TLS certificate authenticates the resolver to the client
  4. Traffic patterns are still identifiable as DNS (unlike DoH), but the content is encrypted

DoT Implementation

  • Client Configuration: Android 9+ supports DoT natively; other systems can use tools like stubby
  • Resolver Support: Major public resolvers (Cloudflare, Google, Quad9) support DoT
  • Server Implementation: Set up your own DoT server using Unbound, BIND, or dnsdist

  # Example DoT server setup using Unbound
  # In unbound.conf
  server:
      # TLS service on port 853
      interface: 0.0.0.0@853
      tls-service-key: "/etc/ssl/private/key.pem"
      tls-service-pem: "/etc/ssl/certs/cert.pem"
      tls-port: 853

  # Testing with kdig
  kdig @192.0.2.1 -p 853 +tls example.org A

DoH vs. DoT Comparison

  Feature              DNS over HTTPS (DoH)                  DNS over TLS (DoT)
  Port                 443 (HTTPS port)                      853 (dedicated port)
  Protocol             HTTP/2 over TLS                       DNS over TLS
  Traffic Visibility   Blends with HTTPS traffic             Identifiable as DNS traffic
  Firewall Traversal   Excellent (uses standard web port)    May be blocked by restrictive firewalls
  Client Support       Most major browsers                   Android 9+, specialized apps
  Enterprise Control   Harder to monitor/filter              Easier to identify and manage

DNS Security Best Practices

DNS Infrastructure Protections

  • Use Multiple DNS Providers: Set up secondary DNS with a different provider for redundancy
  • Implement DNSSEC: Sign your DNS zones to protect against cache poisoning and tampering
  • Hidden Primary: Keep your primary name server hidden behind secondary name servers
  • Regular Audits: Conduct regular audits of DNS configurations and records
  • Monitor DNS Health: Use monitoring tools to detect DNS issues and attacks
  • Rate Limiting: Implement response rate limiting on authoritative nameservers
  • DNS Firewall: Filter DNS traffic to block malicious domains and prevent data exfiltration

Domain Registration Security

  • Registrar Lock: Enable domain locking to prevent unauthorized transfers
  • Registry Lock: For critical domains, implement registry-level locks where available
  • WHOIS Privacy: Use WHOIS privacy protection to hide personal information
  • Multi-Factor Authentication: Enable MFA for your domain registrar account
  • Use a Secure Email: Use a dedicated, secure email for domain administration
  • Monitor Expiration: Set up alerts for domain expiration dates
  • Extended Registration: Register important domains for multiple years

Email Security DNS Records

  • SPF Records: Specify which servers are authorized to send email for your domain
  • DKIM: Implement email message signing to verify message authenticity
  • DMARC: Set a policy for handling emails that fail SPF or DKIM checks
  • MTA-STS: Configure Mail Transfer Agent Strict Transport Security for email encryption
  • TLSRPT: Receive reports on TLS encryption usage for emails sent to your domain

  # Example SPF record
  example.com IN TXT "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ~all"

  # Example DKIM record (public key for the selector named "selector")
  selector._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."

  # Example DMARC record
  _dmarc.example.com IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com; pct=100"

  # Example MTA-STS record (the policy file itself is served over HTTPS
  # at https://mta-sts.example.com/.well-known/mta-sts.txt)
  _mta-sts.example.com IN TXT "v=STSv1; id=20230501T000000Z;"
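
A lint for the SPF and DMARC records described above, as an added example (not code from the page): it parses both record types and reports the weak settings a defender should fix, comparing the page's own records with a constructed weak pair. The finding texts and thresholds are this example's choices.

```python
def parse_spf(txt: str) -> dict:
    """Split an SPF TXT record into mechanisms, the 'all' qualifier and the lookup count."""
    parts = txt.strip('"').split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechs, all_qualifier, lookups = parts[1:], None, 0
    for m in mechs:
        qualifier, body = (m[0], m[1:]) if m[0] in "+-~?" else ("+", m)
        name = body.split(":")[0].split("=")[0].split("/")[0].lower()
        if name == "all":
            all_qualifier = qualifier
        # RFC 7208 section 4.6.4: these terms each cost a DNS lookup, at most 10 per check
        if name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            lookups += 1
    return {"all": all_qualifier, "lookups": lookups, "mechanisms": mechs}

def parse_dmarc(txt: str) -> dict:
    """Tag=value pairs of a DMARC record, e.g. {'v': 'DMARC1', 'p': 'reject', ...}."""
    pairs = (kv.strip() for kv in txt.strip('"').split(";") if kv.strip())
    return dict(kv.split("=", 1) for kv in pairs)

def lint_email_dns(spf_txt: str, dmarc_txt: str) -> list:
    """Findings a defender would act on; an empty list means the records look sound."""
    findings = []
    spf = parse_spf(spf_txt)
    if spf["all"] in (None, "+", "?"):
        findings.append("SPF: end with -all or ~all; +all, ?all or no all mechanism lets any sender pass")
    if spf["lookups"] > 10:
        findings.append("SPF: more than 10 lookup terms, receivers return permerror")
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc.get("v") != "DMARC1":
        findings.append("DMARC: record must start with v=DMARC1")
    if dmarc.get("p", "none") == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine or reject")
    if int(dmarc.get("pct", "100")) < 100:
        findings.append("DMARC: pct below 100 leaves some failing mail unenforced")
    if "rua" not in dmarc:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings

# The page's own records (sound) and a constructed weak pair for comparison.
GOOD_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ~all"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com; pct=100"
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
```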

DNS Security Checklist

Essential DNS Security Checklist

  Security Measure                                    Priority                      Implementation Difficulty
  Enable registrar lock                               Critical                      Easy
  Use strong registrar account credentials with MFA   Critical                      Easy
  Implement SPF records                               High                          Easy
  Implement DMARC with monitoring                     High                          Moderate
  Enable DNSSEC                                       High                          Moderate
  Use multiple DNS providers                          Medium                        Moderate
  Add CAA records                                     Medium                        Easy
  Implement DKIM for email                            Medium                        Moderate
  Set up DNS monitoring                               Medium                        Moderate
  Implement registry lock (if available)              High (for critical domains)   Moderate
  Configure proper TTL values                         Medium                        Easy

DNS Security Verification Tools

Tools to Verify Your DNS Security Configuration

  Tool              Purpose                               URL
  DNSSEC Analyzer   Verify DNSSEC implementation          Verisign DNSSEC Analyzer
  MX Toolbox        Comprehensive DNS and email tests     MX Toolbox
  Qualys SSL Labs   SSL/TLS configuration testing         Qualys SSL Labs
  DNS Dumpster      DNS reconnaissance tool               DNS Dumpster
  DMARC Analyzer    Test and monitor DMARC                Postmark DMARC Tool
  Security Trails   Historical DNS data and monitoring    Security Trails
  CAA Test          Verify CAA record configuration       CAA Test
  DNSViz            Visual analysis of DNS delegation     DNSViz

QuickDNSCheck also offers a comprehensive DNS Security Analyzer that tests your domain's security configuration and provides actionable recommendations.