DNS Security: A Complete Guide
DNS is the address book of the internet. It translates domain names into IP addresses, routes email to the right servers, and stores critical security records. It is also one of the most overlooked attack surfaces for small business. This guide covers the record types you need to know, the attacks that target DNS, and the defences that stop them.
DNS record types explained
Every domain has a set of DNS records stored at its authoritative nameserver. Understanding what each record does helps you spot misconfigurations and know what to protect.
A record
Maps a domain to an IPv4 address (e.g. 93.184.216.34). This is the most fundamental record type and tells browsers where to find your website.
AAAA record
Maps a domain to an IPv6 address (e.g. 2606:2800:220:1:248:1893:25c8:1946). As IPv4 addresses run out, AAAA records ensure your site is reachable on modern networks.
MX record
Specifies which mail servers accept email for your domain, along with a priority value. Incorrect MX records cause email to bounce or be delivered to the wrong server.
NS record
Delegates your domain to specific nameservers. NS records determine which DNS provider is authoritative for your domain. If these are compromised, an attacker controls all your other records.
TXT record
Stores arbitrary text. Used for SPF (email authentication), DKIM public keys, domain ownership verification, and other security configurations.
CAA record
Restricts which certificate authorities can issue SSL certificates for your domain. Without a CAA record, any publicly trusted CA is permitted to issue a certificate for your domain.
SOA record
The Start of Authority record contains administrative information: the primary nameserver, the responsible party's email, a serial number, and timing values for zone transfers and caching.
You can inspect any domain's DNS records using our free DNS Lookup tool.
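The CAA record described above is evaluated by the certificate authority before it issues, following RFC 8659: it uses the CAA set on the name itself, otherwise the nearest ancestor that has one, and for wildcard names an issuewild tag takes precedence over issue. The following is an added example, not code from this page or its tool; the zone contents are constructed, and CNAME following (which RFC 8659 also requires) is left out for brevity.

```python
# Constructed zone fragment for this example: owner name -> list of (tag, value).
# example.com allows Let's Encrypt for ordinary names and forbids all wildcard
# issuance ('issuewild ";"'); dev.example.com overrides with its own policy.
CAA_ZONE = {
    "example.com.": [("issue", "letsencrypt.org"),
                     ("issuewild", ";"),
                     ("iodef", "mailto:security@example.com")],
    "dev.example.com.": [("issue", "digicert.com; account=12345")],
}

def relevant_caa_rrset(zone, fqdn):
    """RFC 8659 section 3: use the CAA RRset at the name itself, otherwise the
    nearest ancestor that has one (CNAME following is omitted here)."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        if zone.get(name):
            return zone[name]
    return []

def caa_allows(zone, fqdn, ca_domain, wildcard=False):
    """Decide, as a CA must, whether ca_domain may issue a certificate for fqdn."""
    rrset = relevant_caa_rrset(zone, fqdn)
    tag = "issue"
    # issuewild takes precedence for wildcard names when present; otherwise
    # the issue records govern wildcard issuance too
    if wildcard and any(t == "issuewild" for t, _ in rrset):
        tag = "issuewild"
    values = [v for t, v in rrset if t == tag]
    if not values:
        return True  # no CAA anywhere, or no restricting tag: issuance is unrestricted
    # The issuer domain is everything before the first ';'; parameters follow it.
    # A bare ';' names no issuer at all, so nobody may issue.
    allowed = {v.split(";", 1)[0].strip().lower() for v in values}
    allowed.discard("")
    return ca_domain.lower() in allowed

if __name__ == "__main__":
    print(caa_allows(CAA_ZONE, "www.example.com", "letsencrypt.org"))        # True
    print(caa_allows(CAA_ZONE, "*.example.com", "letsencrypt.org", True))    # False
```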
DNSSEC: signing DNS to prevent forgery
Standard DNS has no built-in way to verify that a response is authentic. When your browser asks "what is the IP for example.com?", it trusts whatever answer comes back first. DNSSEC (Domain Name System Security Extensions) fixes this by adding cryptographic signatures to DNS records.
How DNSSEC works:
1. Zone signing
The domain owner (or their DNS provider) generates a key pair. The private key signs every DNS record in the zone, producing RRSIG (Resource Record Signature) records.
2. Chain of trust
The parent zone (e.g. .com) stores a DS (Delegation Signer) record that contains a hash of the child zone's public key. This chain extends from the root zone down to your domain.
3. Validation
A DNSSEC-validating resolver checks the signature on every response using the zone's public key, and checks that key against the DS record published in the parent zone. If the signature does not match, the response is rejected as forged.
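To make the chain of trust concrete, the following added example (not code from this page or any DNS provider) builds the DS record a parent zone publishes for a child's key-signing DNSKEY, and performs the DS-to-DNSKEY comparison a validating resolver makes. The key bytes are a constructed placeholder, not a real key; the key tag follows RFC 4034 Appendix B and the digest RFC 4509.

```python
import hashlib
import struct

def name_to_wire(name):
    """Owner name in canonical DNS wire format: lowercased length-prefixed labels."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA layout: flags (2 bytes) | protocol (1) | algorithm (1) | key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B (for every algorithm except RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner, flags, protocol, algorithm, public_key):
    """What the parent publishes: key tag, algorithm, digest type 2 and
    SHA-256(canonical owner name | DNSKEY RDATA) as in RFC 4509."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": 2, "digest": digest}

def dnskey_matches_ds(owner, published_ds, flags, protocol, algorithm, public_key):
    """The link a validating resolver checks: recompute the DS from the child's
    DNSKEY and compare it with the DS the parent zone published."""
    return ds_record(owner, flags, protocol, algorithm, public_key) == published_ds

# Constructed key-signing key: flags 257 = zone key + secure entry point,
# protocol 3, algorithm 13 (ECDSA P-256/SHA-256). The key bytes are a
# placeholder; a real P-256 public key is 64 bytes.
KSK = dict(flags=257, protocol=3, algorithm=13, public_key=b"\x01\x02\x03\x04")

if __name__ == "__main__":
    ds = ds_record("example.com.", **KSK)
    print(ds)  # key_tag is 2068 for this placeholder key
    print(dnskey_matches_ds("example.com.", ds, **KSK))  # True
```

A real validation also verifies the RRSIG over the child's DNSKEY set and over the answer itself; this block shows only the DS link between parent and child.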
Should you enable DNSSEC?
Yes. Most major DNS providers (Cloudflare, AWS Route 53, Google Cloud DNS) support one-click DNSSEC activation. It protects against cache poisoning and DNS spoofing at no cost. The main caveat is that misconfigured DNSSEC can make your domain unreachable, so follow your provider's documentation carefully.
DNS over HTTPS (DoH) and DNS over TLS (DoT)
Traditional DNS queries are sent in plaintext. Anyone on the network path (your ISP, a coffee shop Wi-Fi operator, a compromised router) can see which domains you are looking up. Encrypted DNS fixes this with two protocols:
DNS over HTTPS (DoH)
Sends DNS queries inside regular HTTPS traffic on port 443. Because it looks identical to normal web browsing, it is difficult for network operators to block or filter. Supported by major browsers (Firefox, Chrome, Edge) and resolvers (Cloudflare 1.1.1.1, Google 8.8.8.8).
DNS over TLS (DoT)
Sends DNS queries over a TLS-encrypted connection on a dedicated port (853). Easier for network administrators to identify and manage compared to DoH, while still providing full encryption of DNS traffic.
Encrypted DNS protects the privacy of DNS queries but does not verify the authenticity of responses. For full protection, use encrypted DNS together with DNSSEC: DNSSEC ensures the answer is genuine, while DoH/DoT ensures nobody can eavesdrop on the question.
Common DNS attacks
DNS spoofing
An attacker intercepts DNS queries and returns forged responses, redirecting victims to malicious servers. This can happen on a local network (e.g. a compromised router) or through a man-in-the-middle position. Encrypted DNS (DoH/DoT) prevents spoofing on the wire.
DNS cache poisoning
The attacker sends forged responses to a DNS resolver, which caches the bad data and serves it to all users of that resolver. A single successful poisoning attack can redirect thousands of users. DNSSEC is the primary defence because it allows resolvers to reject unsigned or incorrectly signed responses.
DNS hijacking
An attacker gains control of your domain registrar or DNS provider account and changes your DNS records directly. They can redirect your website and email to servers they control. The most common cause is a weak password or missing two-factor authentication on the registrar account.
Subdomain takeover
A DNS record (usually a CNAME) points to an external service you no longer use, such as a deleted Heroku app or GitHub Pages site. An attacker claims that service and serves content under your subdomain. Regularly audit and remove stale DNS records to prevent this.
DNS tunnelling
Attackers encode data within DNS queries and responses to bypass firewalls and exfiltrate data. While this is more of a concern for enterprise networks than small businesses, monitoring for unusually large or frequent DNS queries can help detect it.
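The monitoring idea above can be turned into a first-pass detector. This added example (not code from the page or any product) goes a little beyond the text: besides query volume it scores the leftmost label's length and character entropy, since tunnelled data shows up as long random-looking labels and as many never-repeated names under one domain. The log lines are constructed, and the thresholds are assumptions to tune per environment.

```python
import math
from collections import defaultdict

# Constructed query log for this example (not from any real resolver):
# "time client qname qtype", one query per line.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com A
10:00:02 10.0.0.5 mail.example.com MX
10:00:03 10.0.0.9 4d2a9f1c7e3b8d6a0f5e2c9b1a7d3e8f.tunnel.example.net TXT
10:00:03 10.0.0.9 9b7e1f3a5c2d8e4f6a0b1c3d5e7f9a2b.tunnel.example.net TXT
10:00:04 10.0.0.9 c3d5e7f9a1b3c5d7e9f1a3b5c7d9e1f3.tunnel.example.net TXT
10:00:05 10.0.0.9 0f1e2d3c4b5a69788796a5b4c3d2e1f0.tunnel.example.net TXT
10:00:06 10.0.0.5 cdn.example.com AAAA
"""

# Thresholds are assumptions to tune per environment, not published baselines.
MAX_LABEL_LEN = 30          # ordinary hostnames rarely have a label this long
MIN_ENTROPY = 3.5           # bits per character; encoded payloads sit near 3.5-4
UNIQUE_SUBDOMAIN_LIMIT = 3  # distinct leftmost labels per client per base domain

def shannon_entropy(text):
    """Bits of entropy per character; high values suggest encoded data, not words."""
    length = len(text)
    return -sum((text.count(c) / length) * math.log2(text.count(c) / length)
                for c in set(text))

def base_domain(qname):
    """Last two labels. A production tool should use the Public Suffix List."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def flag_tunnelling(log_text):
    """Return sorted (client, base domain, reason) tuples worth an analyst's look."""
    findings = set()
    seen = defaultdict(set)
    for line in log_text.splitlines():
        _time, client, qname, _qtype = line.split()
        first_label = qname.rstrip(".").split(".")[0]
        key = (client, base_domain(qname))
        # Heuristic 1: a long, random-looking leftmost label carries encoded data
        if len(first_label) > MAX_LABEL_LEN and shannon_entropy(first_label) > MIN_ENTROPY:
            findings.add(key + ("long high-entropy label",))
        seen[key].add(first_label)
    # Heuristic 2: one client asking for many never-repeated names under one domain
    for key, labels in seen.items():
        if len(labels) > UNIQUE_SUBDOMAIN_LIMIT:
            findings.add(key + ("many unique subdomains",))
    return sorted(findings)
```

Legitimate CDNs and some anti-virus products also emit long or numerous labels, so treat the output as triage leads rather than verdicts.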
DNS security best practices
Enable two-factor authentication on your registrar and DNS provider
The single most effective step. Most DNS hijacking starts with a compromised account.
Enable DNSSEC
Prevents cache poisoning and spoofing by cryptographically signing your DNS records. Most providers offer one-click activation.
Add CAA records
Restricts which certificate authorities can issue SSL certificates for your domain, reducing the risk of fraudulent certificates.
Lock your domain
Registrar lock (clientTransferProhibited) prevents unauthorised domain transfers. Most registrars enable this by default.
Audit DNS records regularly
Remove stale CNAME and A records pointing to services you no longer use. These are the entry point for subdomain takeover attacks.
Use a reputable DNS provider
Providers like Cloudflare, AWS Route 53, and Google Cloud DNS offer built-in DDoS protection, DNSSEC support, and high availability.
Configure encrypted DNS for your organisation
Use DNS over HTTPS or DNS over TLS to prevent eavesdropping and on-path spoofing of DNS queries.
Set up monitoring and alerts
Services that monitor your DNS records for unexpected changes can alert you to potential hijacking before damage is done.
Frequently asked questions
What is DNSSEC and why does it matter?
DNSSEC adds cryptographic signatures to DNS records so resolvers can verify responses have not been tampered with. Without it, attackers can forge DNS responses (cache poisoning) and redirect your visitors to malicious servers. Most major DNS providers support one-click DNSSEC activation.
What is DNS cache poisoning?
An attack where a malicious actor injects forged DNS responses into a resolver's cache. Users of that resolver then receive the attacker's IP address instead of yours. DNSSEC is the primary defence because it allows resolvers to verify the authenticity of DNS responses.
What is the difference between DNS over HTTPS and DNS over TLS?
Both encrypt DNS queries to prevent eavesdropping. DoH sends queries over HTTPS on port 443, making DNS traffic indistinguishable from normal web browsing. DoT uses a dedicated port (853) and is easier for network administrators to manage. Both achieve the same privacy goal.
What is a CAA record?
A DNS record that restricts which certificate authorities can issue SSL certificates for your domain. Without one, any of hundreds of CAs can issue a cert. Adding a CAA record limits issuance to your chosen CAs only.
What is a dangling subdomain?
A DNS record pointing to a service you no longer use. An attacker can register that service and serve malicious content under your domain name. Regular DNS audits prevent this.
Check your DNS security now
CQwerty Shield checks DNS records, DNSSEC, CAA, dangling subdomains and more alongside SSL, DMARC, SPF and breach data. Free, no signup required.