What is DNS security?

DNS security encompasses protecting DNS infrastructure from attacks and using DNS as a control point for threat detection. This guide covers integrity protections like DNSSEC, confidentiality protocols like DoH and DoT, availability defenses, and the role of DNS logging in security operations.


What DNS security is

DNS security refers to the set of practices, protocols, and controls that protect the Domain Name System from manipulation while also leveraging DNS as a detection and enforcement point within a security program. Because nearly every network connection begins with a DNS query, the system is both a high-value attack target and a uniquely powerful place to observe and block threats.

DNS security operates along three axes: integrity (ensuring responses haven't been tampered with), confidentiality (preventing eavesdroppers from seeing queries), and availability (keeping DNS resolution functioning under attack).

Integrity (DNSSEC and response validation)

DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS responses so resolvers can verify that the data came from the authoritative source and was not modified in transit. It establishes a chain of trust from the root zone down through TLDs to individual domains: each parent zone publishes a DS record that commits to the child zone's signing key. DNSSEC prevents cache poisoning and spoofing attacks but does not encrypt queries; an attacker on the network path can still see which domains are being resolved.
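To make the chain of trust concrete, the following added example (not code from the original page) derives the DS record a parent zone publishes for a child's DNSKEY and checks a DNSKEY against a given DS. It follows RFC 4034: the key tag is the 16-bit checksum over the DNSKEY RDATA, and the SHA-256 DS digest is taken over the canonical (lowercase, wire-format) owner name followed by the RDATA. The two-byte public key and the owner name are constructed placeholders, not a real key; the key-tag special case for the obsolete RSA/MD5 algorithm (1) is intentionally not implemented.

```python
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each length-prefixed, root terminator."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm number, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: ones'-complement-style 16-bit sum over the RDATA bytes."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over canonical owner name || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, public_key: bytes) -> str:
    """Render the DS RR the parent zone would publish for this child DNSKEY (digest type 2)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return f"{owner.rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} 2 {ds_digest_sha256(owner, rdata)}"


def verify_ds(owner: str, rdata: bytes, ds_tag: int, ds_alg: int, ds_digest_hex: str) -> bool:
    """A validating resolver's check: does this DNSKEY match the DS published by the parent?"""
    return (
        key_tag(rdata) == ds_tag
        and rdata[3] == ds_alg
        and ds_digest_sha256(owner, rdata).lower() == ds_digest_hex.lower()
    )


if __name__ == "__main__":
    # Constructed placeholder KSK: flags 257 (ZONE + SEP), protocol 3, algorithm 8 (RSA/SHA-256).
    rdata = dnskey_rdata(257, 3, 8, b"\x00\x01")
    print(ds_record("example.com", 257, 3, 8, b"\x00\x01"))
    print("matches parent DS:", verify_ds("example.com", rdata, key_tag(rdata), 8, ds_digest_sha256("example.com", rdata)))
```

A DS that does not match (wrong tag, wrong algorithm, or a digest computed over a different key or owner name) breaks the chain at that delegation, which is exactly the failure a validating resolver reports as bogus rather than serving the answer.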

Confidentiality (encrypted DNS)

Traditional DNS queries travel in plaintext over UDP, allowing anyone on the network path to observe or modify them. DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt queries between the client and the recursive resolver. DoH wraps DNS inside HTTPS traffic on port 443, making it indistinguishable from normal web traffic. DoT uses a dedicated port (853) and is easier to identify and manage on enterprise networks. Both prevent passive eavesdropping but shift trust to the recursive resolver operator, since that operator still sees the plaintext query.

Availability (DDoS protection)

DNS infrastructure is a frequent target for distributed denial-of-service (DDoS) attacks. The 2016 attack on Dyn demonstrated that taking down a major DNS provider can render large portions of the internet unreachable. Defenses include anycast routing (distributing authoritative servers across many locations), rate limiting, response rate limiting (RRL) to prevent DNS amplification, and maintaining multiple independent DNS providers for redundancy.

DNS as an attack surface

DNS is exploited through multiple attack vectors:

  • Cache poisoning. Injecting forged responses into a resolver's cache to redirect users silently
  • DNS hijacking. Modifying NS records or registrar settings to take control of a domain's resolution
  • DNS tunneling. Encoding data in DNS queries to bypass network controls for exfiltration or command-and-control (C2) communication
  • Zone transfer leaks. Misconfigured authoritative servers that allow anyone to download the full zone file, exposing internal hostnames and infrastructure
  • Subdomain takeover. Dangling DNS records that allow attackers to claim orphaned service endpoints

Each vector targets a different part of the DNS architecture, which is why DNS security requires a layered approach rather than a single solution.

DNS as a security control

The same ubiquity that makes DNS an attack surface also makes it a powerful defensive chokepoint:

DNS filtering and protective DNS (often implemented as filtered or policy-enforced recursive resolution) block resolution of known-malicious domains at the resolver level, preventing connections to phishing sites, malware infrastructure, and C2 servers before any payload is delivered.

DNS logging at the recursive resolver level captures every domain queried by internal clients. This telemetry feeds threat detection (matching queries against threat intelligence feeds), incident response (identifying which endpoints contacted a C2 domain), and compliance reporting. Without DNS visibility, security teams have a significant blind spot.

Anomaly detection on DNS query patterns identifies tunneling, domain generation algorithms (DGAs), and beaconing behavior that other network monitoring tools may miss.
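The two paragraphs above describe resolver logging and anomaly detection in the abstract. The following added example (not the page's own code) runs two simple heuristics over constructed resolver log lines in a "timestamp client qname qtype" format: a DGA check that flags registered domains whose second-level label is long and high-entropy, and a tunneling check that flags a client querying many distinct, unusually long names under one registered domain. The log format, thresholds, and the "last two labels" approximation of the registered domain are assumptions for the example; production detection would use a public suffix list and tune the thresholds against the organization's own baseline.

```python
import math
from collections import defaultdict

# Constructed resolver log lines for the example (not real telemetry).
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 www.example.com A
2024-01-01T10:00:02Z 10.0.0.5 mail.example.com MX
2024-01-01T10:00:03Z 10.0.0.7 xk3j9qz7vpl2m8wb.net A
2024-01-01T10:00:04Z 10.0.0.7 q8wz2n4lp0ykr7tv.com A
2024-01-01T10:00:05Z 10.0.0.9 4a6f686e.646f65.exfil.example.net TXT
2024-01-01T10:00:06Z 10.0.0.9 3132333435.363738.exfil.example.net TXT
2024-01-01T10:00:07Z 10.0.0.9 39617a78.63767362.exfil.example.net TXT
2024-01-01T10:00:08Z 10.0.0.9 6d6e6f70.71727374.exfil.example.net TXT
2024-01-01T10:00:09Z 10.0.0.5 cdn.example.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high, dictionary words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Assumption: registered domain = last two labels (a real deployment uses the public suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> list:
    """Parse 'timestamp client qname qtype' lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({"ts": ts, "client": client, "qname": qname.rstrip(".").lower(), "qtype": qtype})
    return records


def find_dga_candidates(records: list, min_len: int = 12, min_entropy: float = 3.5) -> list:
    """Registered domains whose second-level label is long and high-entropy, in first-seen order."""
    seen, out = set(), []
    for r in records:
        reg = registered_domain(r["qname"])
        sld = reg.split(".")[0]
        if reg not in seen and len(sld) >= min_len and shannon_entropy(sld) >= min_entropy:
            seen.add(reg)
            out.append(reg)
    return out


def find_tunneling_candidates(records: list, min_unique: int = 4, min_mean_len: float = 30.0) -> list:
    """(client, registered domain) pairs with many distinct, long query names: a tunneling signature."""
    groups = defaultdict(set)
    for r in records:
        groups[(r["client"], registered_domain(r["qname"]))].add(r["qname"])
    out = []
    for (client, reg), names in groups.items():
        mean_len = sum(len(n) for n in names) / len(names)
        if len(names) >= min_unique and mean_len >= min_mean_len:
            out.append((client, reg))
    return sorted(out)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("DGA-like domains:", find_dga_candidates(recs))
    print("Tunneling suspects:", find_tunneling_candidates(recs))
```

Both checks are deliberately cheap so they can run on every resolver log batch; the output is a triage list for a SOC analyst to correlate with threat intelligence, not a verdict on its own.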

DNS security best practices

A comprehensive DNS security program combines multiple controls:

  1. Deploy DNSSEC on all owned domains to protect response integrity
  2. Enable DNS logging at recursive resolvers and feed logs into security information and event management (SIEM) and security operations center (SOC) workflows
  3. Use DNS filtering or protective DNS to block known-malicious domains
  4. Encrypt DNS queries with DoH or DoT to prevent on-path observation
  5. Lock registrar accounts with multi-factor authentication (MFA), registrar lock, and registry lock to prevent hijacking
  6. Monitor DNS records for unauthorized changes to NS, A, MX, and TXT records
  7. Audit for dangling records to prevent subdomain takeover
  8. Maintain redundant DNS providers to ensure availability under DDoS conditions
