
DNS Security Best Practices

Protect your domain with DNSSEC, CAA records, and email authentication. Learn to prevent DNS hijacking and spoofing attacks.

Why DNS Security Matters

DNS is a foundational protocol of the internet, but it was designed in an era when security wasn't a primary concern. Without proper security measures, your domain is vulnerable to attacks that can:

  • Redirect your visitors to malicious websites
  • Intercept sensitive communications
  • Send phishing emails that appear to come from your domain
  • Issue fraudulent SSL certificates for your domain
  • Damage your brand reputation

The good news is that modern DNS security tools are readily available and straightforward to implement.

Common DNS Threats

DNS Cache Poisoning

Attackers inject fraudulent DNS records into resolver caches, redirecting users to malicious servers.

Impact: Users visiting your domain may be sent to phishing sites.

DNS Hijacking

Unauthorized changes to DNS records, often through compromised registrar accounts or insecure zone transfers.

Impact: Complete control over where your domain points.

DNS Tunneling

Attackers encode data in DNS queries to bypass firewalls and exfiltrate data.

Impact: Data theft and command-and-control communications.

DNS Amplification DDoS

Attackers send small DNS queries with a spoofed source address (the victim's) to open resolvers or authoritative servers, which return much larger responses to the victim, overwhelming it with traffic.

Impact: Service disruption and potential infrastructure costs.

DNSSEC: Authenticating DNS Responses

DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records, allowing resolvers to verify that responses haven't been tampered with.

How DNSSEC Works

  1. The domain owner generates two key pairs: a Zone Signing Key (ZSK) and a Key Signing Key (KSK)
  2. Each record set in the zone is signed with the private ZSK, producing RRSIG records; the DNSKEY record set itself is signed with the KSK
  3. The public keys are published in the zone as DNSKEY records
  4. A hash of the public KSK is published in the parent zone as a DS record
  5. Resolvers verify each signature by following the chain of trust down from the root zone's trust anchor

DNSSEC Record Types

  • DNSKEY: Contains the public key used to verify signatures
  • RRSIG: Contains the signature for a record set
  • DS: Delegation Signer record linking child to parent zone
  • NSEC/NSEC3: Provides authenticated denial of existence

Implementing DNSSEC

Most DNS providers now support DNSSEC with one-click activation:

  1. Enable DNSSEC in your DNS provider's control panel
  2. Copy the DS record details provided
  3. Add the DS record at your domain registrar
  4. Wait for propagation (can take up to 48 hours)
  5. Verify DNSSEC is working using a validation tool
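Step 4 above (and step 3 of the implementation checklist) hinges on the DS record being a hash of the zone's KSK. The following added example, which is not part of the original article, derives the DS RDATA from a DNSKEY the way a signer or validator does, and checks a published DS against it. The owner name, key and algorithm values are constructed placeholders.

```python
import base64
import hashlib

# Constructed sample KSK for this example: flags=257 (KSK), protocol=3,
# algorithm=13 (ECDSAP256SHA256). The 4-byte "public key" is a placeholder,
# not real key material; a real P-256 key is 64 bytes.
SAMPLE_OWNER = "example.com."
SAMPLE_DNSKEY = (257, 3, 13, base64.b64encode(b"\x01\x02\x03\x04").decode())


def owner_to_wire(name: str) -> bytes:
    """Encode an owner name in canonical wire format (RFC 4034 section 6.2: lowercase labels)."""
    wire = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.lower().rstrip(".").split("."))
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, key_b64: str):
    """Derive the DS RDATA (key tag, algorithm, digest type, digest) for a DNSKEY.
    Digest type 2 = SHA-256 over owner-name wire format || DNSKEY RDATA (RFC 4509)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = hashlib.sha256(owner_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest


def ds_matches_dnskey(owner: str, dnskey: tuple, ds: tuple) -> bool:
    """Check that a DS published at the parent was derived from this DNSKEY."""
    return ds_record(owner, *dnskey) == ds


if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record(SAMPLE_OWNER, *SAMPLE_DNSKEY)
    print(f"{SAMPLE_OWNER} IN DS {tag} {alg} {dtype} {digest}")
```

Comparing the DS your registrar shows with the one derived from the DNSKEY your provider publishes is the quickest way to catch a copy-and-paste mistake before the chain of trust goes live.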

CAA Records: Certificate Authority Control

CAA (Certificate Authority Authorization) records specify which Certificate Authorities are allowed to issue SSL/TLS certificates for your domain.

Why CAA Matters

Without CAA records, any CA can issue a certificate for your domain. This means:

  • Attackers could obtain certificates through social engineering or CA compromise
  • Fraudulent certificates could enable man-in-the-middle attacks
  • You have no visibility into certificate issuance attempts

Since 2017, all CAs are required to check CAA records before issuing certificates.

Configuring CAA Records

Add CAA records to specify your authorized CAs:

example.com.    CAA    0 issue "letsencrypt.org"
example.com.    CAA    0 issue "digicert.com"
example.com.    CAA    0 issuewild "letsencrypt.org"
example.com.    CAA    0 iodef "mailto:security@example.com"

  • issue: Allows the named CA to issue non-wildcard certificates
  • issuewild: Allows the named CA to issue wildcard certificates
  • iodef: Email address (as a mailto: URL) to which CAs report violation attempts
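To see how a CA evaluates records like the ones above, including the climb toward the parent name and the difference between issue and issuewild, here is an added example (not code from the original article) of the RFC 8659 decision logic over a constructed in-memory zone. Names, CA identifiers and the "locked" subdomain are constructed for the example.

```python
from typing import Dict, List, Tuple

CaaRR = Tuple[int, str, str]  # (flags, tag, value)

# Constructed zone data for this example: owner name -> CAA RRset.
CAA_ZONE: Dict[str, List[CaaRR]] = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "digicert.com"),
        (0, "issuewild", "letsencrypt.org"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    # 'issue ";"' is the documented way to forbid every CA for a name.
    "locked.example.com.": [(0, "issue", ";")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa(name: str, zone: Dict[str, List[CaaRR]]) -> List[CaaRR]:
    """RFC 8659 section 3: climb from the name toward the root; the name itself
    or its closest ancestor that has a CAA RRset is the relevant one."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zone:
            return zone[candidate]
    return []  # no CAA anywhere up the tree: no restriction


def ca_may_issue(name: str, ca_domain: str, wildcard: bool, zone=CAA_ZONE) -> bool:
    """Decide, as a CA must, whether ca_domain may issue a certificate for name."""
    rrset = relevant_caa(name, zone)
    # A record with an unknown tag and the critical bit (128) set must block issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # Wildcard requests are governed by issuewild when present, otherwise by issue.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True  # no issue/issuewild property present: no restriction of this kind
    # The CA identifier is the part before any ";param=value" extension; ";" alone denies all.
    return any(v.split(";")[0].strip().lower() == ca_domain.lower() for v in governing)
```

Note that a name with no CAA records anywhere above it is unrestricted, which is why the checklist item is to add CAA records rather than to rely on their absence.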

Email Authentication: SPF, DKIM, and DMARC

Email spoofing is one of the most common attack vectors. Without proper authentication, anyone can send emails that appear to come from your domain. Implementing SPF, DKIM, and DMARC protects your domain and your recipients.

SPF (Sender Policy Framework)

SPF defines which mail servers are authorized to send email on behalf of your domain. Receiving servers check the sender's IP against your SPF record.

example.com.    TXT    "v=spf1 include:_spf.google.com include:sendgrid.net -all"

Components explained:

  • v=spf1: SPF version identifier (must be the first term)
  • include:<domain>: Evaluate another domain's SPF record and match if it passes
  • ip4:<range> / ip6:<range>: Allow specific IP addresses or CIDR ranges
  • -all: Fail all other senders (strict)
  • ~all: Soft fail other senders (less strict)
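The following added example (not part of the original article) shows how a receiving server evaluates a record like the one above against the connecting IP: the qualifier on each mechanism, include: recursion, and the RFC 7208 limit of 10 lookup-causing terms. The domains, records and addresses are constructed and kept in a dictionary instead of being fetched from DNS.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed TXT data for this example: domain -> its SPF record (normally fetched via DNS).
SPF_RECORDS: Dict[str, str] = {
    "example.com": "v=spf1 include:_spf.mailer.example include:relay.example -all",
    "_spf.mailer.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all",
    "relay.example": "v=spf1 ip4:198.51.100.7 -all",
}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 lookup-causing terms is a permerror
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, client_ip: str, records=SPF_RECORDS,
              lookups: Optional[List[int]] = None) -> str:
    """Evaluate the SPF record of domain for a connecting client IP.
    Models ip4, ip6, include and all; other mechanisms (a, mx, exists, redirect=)
    are reported as permerror rather than silently ignored."""
    lookups = [0] if lookups is None else lookups  # one counter shared across includes
    record = records.get(domain.lower())
    if record is None or record.split()[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name in ("ip4", "ip6"):
            if ip.version == int(name[2]) and ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = check_spf(arg, client_ip, records, lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # a broken include breaks the whole evaluation
        elif name == "all":
            return QUALIFIERS[qualifier]
        else:
            return "permerror"
    return "neutral"  # record exhausted without a match (RFC 7208 section 4.7)
```

Each include: counts against the lookup budget even when the included record does not match, so long chains of third-party includes are a common cause of SPF silently turning into permerror.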

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to outgoing emails. Receiving servers verify the signature using a public key published in DNS.

selector._domainkey.example.com.    TXT    "v=DKIM1; k=rsa; p=MIGfMA0GCS..."

DKIM provides:

  • Message integrity verification
  • Authentication of the sending domain
  • Protection against message modification in transit

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC ties SPF and DKIM together: a message passes when at least one of them passes and the domain it authenticated aligns with the domain in the visible From: header. The DMARC record specifies what receivers should do when that check fails and where to send aggregate and failure reports.

_dmarc.example.com.    TXT    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"

DMARC policies:

  • p=none: Monitor only, don't take action
  • p=quarantine: Treat failing emails as suspicious (typically delivered to the spam/junk folder)
  • p=reject: Reject failing emails entirely

Tip: Start with p=none to monitor, then gradually move to quarantine and finally reject as you confirm legitimate emails pass.
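The alignment rule is what makes DMARC stricter than SPF and DKIM on their own: an SPF pass for a third-party bounce domain does not help a spoofed From: header. The following added example (not code from the original article) parses a record like the one above and applies the RFC 7489 logic, including strict vs relaxed alignment, the sp= subdomain policy and pct= sampling. The organizational-domain helper is a deliberate simplification; real validators consult the Public Suffix List.

```python
from typing import Dict, Optional


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record into tags, filling in RFC 7489 defaults."""
    tags: Dict[str, str] = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(name: str) -> str:
    # Simplification for this example: the last two labels. Real validators use the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_disposition(record: str, policy_domain: str, from_domain: str,
                      spf_result: str, spf_domain: str,
                      dkim_result: str, dkim_domain: Optional[str],
                      sampled: bool = True) -> str:
    """Return 'pass' or the policy ('none'/'quarantine'/'reject') the receiver should apply.
    policy_domain is where the _dmarc record was found (the From: domain or its org domain);
    spf_domain is the MAIL FROM domain, dkim_domain the d= tag of a verified signature."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, tags["adkim"]))
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags["p"]
    # sp= overrides p= for subdomains of the policy domain.
    if from_domain.lower() != policy_domain.lower() and "sp" in tags:
        policy = tags["sp"]
    # pct= samples enforcement; messages outside the sample get the next-weaker policy.
    if not sampled and int(tags["pct"]) < 100:
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy
```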

Registry Lock

Registry lock (also called domain lock or registrar lock) is a security feature that prevents unauthorized changes to critical domain settings at the registry level.

With registry lock enabled:

  • Changes require manual verification (phone call, in-person, etc.)
  • Protects against social engineering attacks on your registrar
  • Prevents unauthorized domain transfers
  • Guards against DNS hijacking through registrar compromise

Recommendation: Enable registry lock for all critical domains, especially those handling sensitive data or high traffic.

DNS Provider Security

Choose a Secure DNS Provider

Your DNS provider should offer:

  • Two-factor authentication (2FA) for account access
  • Role-based access control
  • Audit logs for all changes
  • DDoS protection
  • DNSSEC support
  • API access with proper authentication

Secure Your DNS Account

Basic account security practices:

  • Use a strong, unique password
  • Enable two-factor authentication
  • Use a dedicated email for domain management
  • Regularly review authorized users and API keys
  • Monitor account activity and DNS changes

DNS Security Checklist

  • Enable DNSSEC on all domains
  • Configure CAA records to restrict certificate issuance
  • Implement SPF to authorize mail senders
  • Set up DKIM for email signing
  • Configure DMARC with monitoring, then enforcement
  • Enable registry lock on critical domains
  • Use 2FA on all registrar and DNS accounts
  • Monitor DNS records for unauthorized changes
  • Keep nameserver software updated
  • Use a reputable DNS provider with DDoS protection
