DNSSEC Explained: How to Protect Your Domain from DNS Spoofing

2026-04-17 · 6 min read · Tags: DNSSEC, DNS

What is DNSSEC?

DNS Security Extensions (DNSSEC) adds cryptographic signatures to DNS records. When a resolver looks up your domain, DNSSEC lets it verify that the records were signed by the holder of your zone's private key and were not altered in transit. It authenticates the data, not the server that delivered it, and it does not encrypt anything: queries and answers stay visible to anyone on the path.

Standard DNS has no authentication. An attacker who can intercept DNS traffic, or inject a forged reply that a resolver accepts before the real one arrives, can return fake IP addresses and redirect your users to malicious servers. This is called DNS cache poisoning or DNS spoofing.

How DNS spoofing works

  • A user asks their DNS resolver for the IP address of yoursite.com
  • An attacker intercepts the query or poisons the resolver's cache
  • The resolver returns the attacker's IP address instead of yours
  • The user's browser connects to the attacker's server
  • The attacker serves a phishing page or intercepts credentials

This attack is invisible to the user: the URL bar shows the correct domain name. HTTPS raises the bar, but an attacker who controls what a certificate authority's resolver sees for the domain may be able to pass domain validation and obtain a certificate for it.

How DNSSEC prevents it

DNSSEC works like a chain of trust:

  • Validating resolvers ship with the root zone's public key as their trust anchor
  • The root zone publishes a DS record for .com and signs it with the root key
  • The .com zone publishes a DS record for your domain and signs it with the .com key
  • Your zone signs each record set (RRset) with its own key, which it publishes as a DNSKEY record

Each level uses public-key cryptography, so a resolver can verify the entire chain from the root down to the record it asked for. If a signature is invalid, or missing where the parent's DS record says the zone is signed, the resolver treats the answer as bogus and returns SERVFAIL instead of the forged data. A zone with no DS record at its parent is simply unsigned: resolvers accept its answers without any checks, which is why publishing the DS record is the step that turns protection on.

DNSSEC record types

  • RRSIG contains the signature over a record set (RRset), together with the signer name, key tag and validity period
  • DNSKEY holds the public keys used to verify signatures, usually a key-signing key (KSK) and a zone-signing key (ZSK)
  • DS (Delegation Signer) lives in the parent zone and holds a hash of the child zone's KSK, which links the two zones
  • NSEC/NSEC3 prove that a name or record type does not exist (authenticated denial of existence); NSEC lists the next existing name and so allows a zone to be walked, NSEC3 hashes the names to make enumeration harder

How to enable DNSSEC

Step 1: Enable at your DNS provider

Most managed DNS providers (Cloudflare, Route 53, Google Cloud DNS) support DNSSEC. Enable it in your DNS dashboard. The provider generates the signing keys, signs the zone and handles re-signing automatically.

Step 2: Add the DS record at your registrar

Your DNS provider gives you a DS record (key tag, algorithm, digest type and digest). Add this record at your domain registrar, which passes it to the .com registry for publication in the parent zone. Until the DS record is published your zone is signed but nobody validates it; once it is published, any mismatch between the DS record and your DNSKEY makes the domain unresolvable for validating resolvers, so copy the values exactly. The same applies in reverse: remove the DS record at the registrar, and wait for it to expire from caches, before moving to a different DNS provider.

Step 3: Verify

Use a DNSSEC checker to confirm the chain of trust is complete and all signatures are valid. A quick manual check is to query a validating resolver with dig +dnssec and look for the ad (authenticated data) flag in the response. SERVFAIL from a validating resolver, with a normal answer when the same query is sent with +cd (checking disabled), means validation failed rather than the nameservers being down.
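The manual check from Step 3, as an added example in Python (not code from the original post): it classifies what a validating resolver says about a domain from the header lines dig prints, and uses the +cd comparison to tell a DNSSEC failure from an outage. It assumes BIND's dig is on the PATH for the live check; the dig output embedded in it is constructed sample text.

```python
"""Interpret a validating resolver's answer for a domain.

Added example, not from the original post. It assumes BIND's dig is installed
for the live check; the parser is exercised on constructed dig output below."""
import re
import subprocess

# Constructed dig output: only the comment lines that "+noall +comments" print
SAMPLE_VALIDATED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1"""
SAMPLE_INSECURE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"""
SAMPLE_BOGUS = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"""


def parse_header(dig_output: str) -> tuple[str, set[str]]:
    """Return (status, flags) from dig's ';; ->>HEADER<<-' and ';; flags:' lines."""
    status = re.search(r"status: ([A-Z]+)", dig_output)
    if status is None:
        raise ValueError("no dig header in output")
    flags = re.search(r"^;; flags: ([a-z ]*);", dig_output, re.MULTILINE)
    return status.group(1), set(flags.group(1).split()) if flags else set()


def classify(dig_output: str) -> str:
    """validated: NOERROR with the AD flag, the resolver verified the chain
    bogus:     SERVFAIL, which a validating resolver returns for a broken chain
    insecure:  NOERROR without AD, no DS at the parent or a non-validating resolver"""
    status, flags = parse_header(dig_output)
    if status == "SERVFAIL":
        return "bogus"
    if status == "NOERROR":
        return "validated" if "ad" in flags else "insecure"
    return "other:" + status


def diagnose(normal_output: str, cd_output: str) -> str:
    """Tell a DNSSEC failure apart from an outage: +cd (checking disabled) asks
    the resolver to hand back the data without validating it, so a SERVFAIL that
    turns into NOERROR with +cd is a validation failure, not a dead nameserver."""
    verdict = classify(normal_output)
    if verdict != "bogus":
        return verdict
    cd_status, _ = parse_header(cd_output)
    if cd_status == "NOERROR":
        return "bogus: DNSSEC validation failed"
    return "servfail: resolver or authoritative outage"


def run_dig(domain: str, resolver: str = "1.1.1.1", checking_disabled: bool = False) -> str:
    """Live query (needs network and dig). +dnssec sets the DO bit so RRSIGs are
    returned and the AD flag is meaningful; +noall +comments keeps only the header."""
    args = ["dig", "@" + resolver, domain, "A", "+dnssec", "+noall", "+comments"]
    if checking_disabled:
        args.append("+cd")
    return subprocess.run(args, capture_output=True, text=True, check=True).stdout


def check_domain(domain: str, resolver: str = "1.1.1.1") -> str:
    """Full live check: normal query, then a +cd query if the first one SERVFAILs."""
    normal = run_dig(domain, resolver)
    if classify(normal) != "bogus":
        return classify(normal)
    return diagnose(normal, run_dig(domain, resolver, checking_disabled=True))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", check_domain(sys.argv[1]))
    else:
        for name, sample in [("validated", SAMPLE_VALIDATED),
                             ("insecure", SAMPLE_INSECURE), ("bogus", SAMPLE_BOGUS)]:
            print(name, "->", classify(sample))
        print("bogus vs +cd ->", diagnose(SAMPLE_BOGUS, SAMPLE_INSECURE))
```

Run it with a domain name as the only argument to check a live zone against 1.1.1.1; with no argument it walks the constructed samples. "insecure" is the state of a zone whose DS record is not yet at the registrar, and the state every zone shows when queried through a resolver that does not validate, so check the resolver with a domain you know is signed before trusting that verdict.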

Common issues

Issue | Cause | Fix
SERVFAIL responses | Broken signature chain | Compare the DS record published at the parent (key tag, algorithm, digest) with the DNSKEY the zone serves and fix whichever is wrong
Missing DS record | Registrar not updated | Add the DS record at the registrar; the zone is signed but nobody validates it until then
Expired signatures | Re-signing stopped, or a secondary nameserver serves a stale copy of the zone | Re-sign the zone, or check the provider settings and zone transfers
Resolver ignores DNSSEC | Resolver does not validate | Use a validating resolver (1.1.1.1, 8.8.8.8)

Validation happens in the resolver. A client that trusts the resolver's answer still depends on the path to that resolver being safe, so either run a local validating resolver or reach the remote one over DNS over TLS or DNS over HTTPS.
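The first fix in the table, checking that the DS record matches the DNSKEY, can be done offline. The following is an added example, not code from the original post: it derives a DS record from a DNSKEY the same way a validating resolver does (RFC 4034 key tag and digest) and compares the two, so a registrar typo or a rolled key shows up before resolvers start returning SERVFAIL. The DNSKEY in it is constructed: its 64 key bytes are a placeholder rather than a real ECDSA P-256 key, and example.com is used only as an owner name.

```python
"""Compute the DS record for a DNSKEY and check the two agree (RFC 4034:
key tag in Appendix B, DS digest in section 5.1.4). Standard library only.

Added example, not from the original post. The DNSKEY below is constructed:
its public key bytes are a placeholder, not a real ECDSA P-256 point."""
import base64
import hashlib
import struct

DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed DNSKEY: flags 257 (KSK), protocol 3, algorithm 13 (ECDSAP256SHA256),
# 64 placeholder key bytes (a real P-256 key is also 64 bytes, x || y)
OWNER = "example.com."
FLAGS, PROTOCOL, ALGORITHM = 257, 3, 13
PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels,
    terminated by the root label (RFC 4034 section 6.2)."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit checksum-style sum over the RDATA
    (the separate rule for algorithm 1, RSA/MD5, is not handled here)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), upper-case hex."""
    if digest_type not in DIGEST_ALGOS:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    return DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """The (key tag, algorithm, digest type, digest) tuple to publish at the registrar."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type)


def ds_matches(ds, owner, flags, protocol, algorithm, pubkey_b64) -> bool:
    """True if a DS record seen at the parent matches this DNSKEY. Any mismatch in
    key tag, algorithm or digest is what produces SERVFAIL at validating resolvers."""
    tag, alg, digest_type, digest = ds
    if alg != algorithm or digest_type not in DIGEST_ALGOS:
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return tag == key_tag(rdata) and digest.upper() == ds_digest(owner, rdata, digest_type)


def tampered_pubkey(pubkey_b64: str) -> str:
    """Flip the last key byte, as a stand-in for a rolled key or a copy error."""
    raw = bytearray(base64.b64decode(pubkey_b64))
    raw[-1] ^= 0xFF
    return base64.b64encode(bytes(raw)).decode()


def format_ds(owner, ds) -> str:
    """Presentation form, as a registrar shows it: owner IN DS tag alg dtype digest."""
    return f"{owner} IN DS {ds[0]} {ds[1]} {ds[2]} {ds[3]}"


if __name__ == "__main__":
    ds = make_ds(OWNER, FLAGS, PROTOCOL, ALGORITHM, PUBKEY_B64)
    print(format_ds(OWNER, ds))
    print("matches own DNSKEY:",
          ds_matches(ds, OWNER, FLAGS, PROTOCOL, ALGORITHM, PUBKEY_B64))
    print("matches after key change:",
          ds_matches(ds, OWNER, FLAGS, PROTOCOL, ALGORITHM, tampered_pubkey(PUBKEY_B64)))
```

To use it on a real zone, paste the flags, protocol, algorithm and base64 key from the DNSKEY record your provider serves (the one with flags 257) into make_ds and compare the output with what the registrar shows; the owner name is part of the digest, so the same key under a different name produces a different DS record.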

Should you enable DNSSEC?

Yes. Most major DNS providers and registrars support DNSSEC, and the setup takes minutes with managed DNS. The main reason to delay is a registrar that does not support DS record management, which is increasingly rare. Know what you take on, though: a wrong or stale DS record makes the domain unreachable for every validating resolver, so key rollovers and DNS provider migrations become changes that must keep the DS record in sync.

Key takeaways

  • Standard DNS has no authentication and is vulnerable to spoofing
  • DNSSEC adds cryptographic signatures that validating resolvers check on every signed record set
  • Setup requires enabling signing at your DNS provider and adding a DS record at your registrar
  • Verify your chain of trust after setup, and again after every key rollover or provider change, to catch configuration errors
  • Check your DNSSEC status now

Ready to check your domain?

Run all 18 security checks in 2 minutes. Free, no signup required.

Check your DNSSEC