DNSSEC (DNS Security Extensions) adds digital signatures to DNS records to verify their authenticity. When a DNS resolver receives a response, it verifies the cryptographic signature using the zone's public key — if the signature doesn't validate, the response is rejected. This prevents DNS cache poisoning attacks where an attacker injects false DNS records. DNSSEC creates a chain of trust from the DNS root down through TLDs to individual domain zones.

What is the difference between DNS over HTTPS and DNS over TLS?

Both DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt DNS queries to prevent eavesdropping and tampering. DoH sends encrypted DNS queries inside standard HTTPS traffic on port 443 — this makes DNS traffic indistinguishable from regular web traffic, preventing interception but also making it harder for network administrators to monitor or filter DNS. DoT uses TLS on a dedicated port 853 — DNS traffic is encrypted but identifiable as DNS, allowing network administrators to monitor and apply policies while still protecting against eavesdropping.

What is DNS cache poisoning?

DNS cache poisoning (also called DNS spoofing) is an attack where an attacker injects malicious DNS records into a resolver's cache. When a victim queries the resolver for a domain, the resolver returns the attacker's fake IP address instead of the legitimate one, redirecting the victim to a malicious server — often a phishing site. Historically exploited using the Kaminsky attack (race condition in resolvers). DNSSEC cryptographic signatures and source port randomisation are the primary defences.

DNS Security — DNSSEC, DoH, DoT & Cache Poisoning

⚡ Quick Answer

DNSSEC = digital signatures on DNS records — verifies responses are authentic and haven't been tampered with (prevents cache poisoning). DoH (DNS over HTTPS) = encrypts DNS queries inside HTTPS on port 443 — hides DNS from ISPs/snoopers but harder for admins to filter. DoT (DNS over TLS) = encrypts DNS using TLS on port 853 — encrypted but identifiable as DNS traffic. Cache poisoning = attacker injects fake DNS records into a resolver. DNS hijacking = attacker changes where DNS queries are sent (via malware, rogue DHCP, or router compromise). DNSSEC prevents cache poisoning; DoH/DoT prevent eavesdropping and on-path manipulation.

Why DNS Security Matters

DNS is the internet's phone book — it translates human-readable domain names into IP addresses. Nearly every internet connection starts with a DNS query. Because traditional DNS operates in plaintext over UDP port 53, it is vulnerable to eavesdropping (anyone on the network can see which domains you're visiting), tampering (responses can be modified in transit), and poisoning (fake records can be injected into caches).

A successful DNS attack is particularly dangerous because it operates invisibly to the user. The user types a legitimate URL, the browser shows no obvious warning, and they are seamlessly delivered to an attacker-controlled server. Credentials, sensitive data, and malware delivery can all follow.

DNS Attack Types

DNS Cache Poisoning

Spoofing / Injection

Attacker sends forged DNS responses to a resolver before the legitimate response arrives, injecting a fake IP address into the resolver's cache. All subsequent clients querying that resolver get the malicious IP. Kaminsky attack (2008) demonstrated this at scale using transaction ID prediction. Defence: DNSSEC, randomise source ports and transaction IDs.

DNS Hijacking

Redirection

Attackers redirect DNS queries to a malicious DNS server that returns attacker-controlled IP addresses. Methods include: local hijacking (malware modifies /etc/hosts or DNS settings on the victim's device), router hijacking (attacker compromises home/office router to change its DNS settings), or rogue DHCP (attacker issues DHCP offers with a malicious DNS server IP).

DNS Amplification (DDoS)

DDoS / Reflection

Attacker sends small DNS queries with a spoofed source IP (victim's IP) to many open DNS resolvers. The resolvers send large DNS responses to the victim, amplifying traffic. A query of 60 bytes can generate a 3,000-byte response — 50x amplification. Defence: Response Rate Limiting (RRL) on DNS servers, BCP38 (ISP-level source address filtering).

DNS Tunnelling

Data Exfiltration

Attacker encodes data inside DNS queries and responses to exfiltrate data or establish a covert command-and-control channel — bypassing firewalls that allow DNS traffic. Encoded payloads appear in subdomains: exfiltrated-data.attacker.com. Detection: unusually long DNS query names, high query frequency, non-existent TLD patterns. Defence: DNS monitoring and anomaly detection.

DNSSEC — DNS Security Extensions

DNSSEC adds cryptographic digital signatures to DNS records so that resolvers can verify that responses are authentic and have not been tampered with in transit. It does not encrypt DNS queries — it only validates their authenticity. DNSSEC creates a chain of trust starting from the DNS root zone.

Zone Signing

The DNS zone owner generates a key pair. The private key signs each DNS resource record set (RRSET) creating a RRSIG (Resource Record Signature) record. The public key is published in the zone as a DNSKEY record.

Delegation Signer (DS) Record

A hash of the zone's DNSKEY (called a DS record) is published in the parent zone. For example, the .com zone holds a DS record for itstudyhub.com's DNSKEY. This links child zone trust to the parent zone's signature, building the chain of trust upward.

Root Zone Anchor

The chain terminates at the DNS root zone, which is signed by ICANN. Resolvers have the root zone's public key pre-configured as a trust anchor. This allows validation of the entire chain from root → TLD → domain → record.

Validation

A validating resolver retrieves the RRSIG and DNSKEY for each response and verifies the signature cryptographically. If validation fails, the resolver returns SERVFAIL — the client receives no answer. Poisoned or tampered records fail validation because the attacker cannot forge signatures without the zone's private key.

📌 Key DNSSEC Record Types

DNSKEY — the zone's public key, published in DNS so resolvers can verify signatures.

RRSIG — the digital signature for a resource record set. Included alongside every signed record in a DNSSEC response.

DS (Delegation Signer) — a hash of a child zone's DNSKEY, published in the parent zone. Creates the chain of trust between zones.

NSEC / NSEC3 — proves that a DNS name does NOT exist (authenticated denial of existence). Prevents attackers from fabricating negative responses.

DNS over HTTPS (DoH) and DNS over TLS (DoT)

While DNSSEC validates the authenticity of DNS responses, it does not encrypt them. Traditional DNS over UDP/53 is visible to anyone on the network — ISPs, network administrators, and on-path attackers can see every domain you query. DoH and DoT solve this by encrypting the DNS query and response.

🔒

DNS over HTTPS (DoH)

DNS queries are sent as HTTPS POST or GET requests inside standard TLS on port 443. DNS traffic is completely indistinguishable from regular HTTPS web traffic — ISPs, firewalls, and even corporate content filters cannot see or block DNS queries without blocking all HTTPS. Security benefit: strong encryption and confidentiality. Enterprise concern: bypasses DNS-based security controls and monitoring — some organisations block DoH to maintain visibility.

Port 443HTTPSHidden from ISP

🛡️

DNS over TLS (DoT)

DNS queries are sent over a dedicated TLS connection on port 853. Queries are encrypted but the traffic is identifiable as DNS — firewalls can allow or block port 853 specifically. Preferred in enterprise environments where encrypted DNS is desired but DNS visibility and policy enforcement must be maintained. RFC 7858. Commonly used by mobile operating systems and privacy-conscious resolvers (Cloudflare 1.1.1.1, Google 8.8.8.8).

Port 853TLS encryptedIdentifiable as DNS

🎯 Exam Tip — DoH vs DoT Port Numbers

DoH = port 443 (HTTPS port — blends with web traffic). DoT = port 853 (unique DNS-over-TLS port — visible and blockable).

The exam may present a scenario where a company wants encrypted DNS but needs to maintain the ability to monitor and filter DNS traffic. The answer is DoT (port 853) — not DoH, because DoH blends into HTTPS and cannot be separately filtered.

Split-Horizon DNS

Split-horizon DNS (also called split-brain DNS or split-view DNS) uses different DNS answers for the same domain depending on who is asking. Internal users querying from inside the corporate network receive internal IP addresses (or hostnames of internal servers). External users querying from the internet receive public IP addresses.

📌 Split-Horizon DNS Use Case

A company has an application server accessible internally at 192.168.1.100 and externally via a public IP 203.0.113.45. Without split-horizon, internal users would connect through the external firewall to reach their own server — inefficient and potentially insecure.

With split-horizon: internal DNS server returns 192.168.1.100 for app.company.com → internal traffic stays internal. External DNS server (hosted publicly) returns 203.0.113.45 → internet users connect through the normal public path.

Security note: split-horizon prevents internal server names and addresses from being exposed to external queries — attackers cannot enumerate internal infrastructure via DNS.

DNS Security Comparison Table

Technology	What It Protects Against	What It Doesn't Do	Port
DNSSEC	Cache poisoning, tampered DNS responses, forged records	Does not encrypt queries — queries are still visible in plaintext	53 (UDP/TCP)
DNS over TLS (DoT)	Eavesdropping on DNS queries, on-path manipulation	Does not validate record authenticity (use with DNSSEC for full protection)	853 (TCP)
DNS over HTTPS (DoH)	Eavesdropping, ISP monitoring, network-level censorship	Harder for enterprises to filter/monitor; doesn't authenticate records	443 (TCP)
DNSSEC + DoT/DoH	Both authentication AND encryption — full DNS security	Not protection against DNS hijacking at the endpoint (malware)	853 or 443
Split-Horizon DNS	Internal infrastructure enumeration by external attackers	Does not prevent attacks against the DNS server itself	53 (UDP/TCP)

Exam Scenarios

Scenario 1: Users are being redirected to a fake banking site even though they type the correct URL. Investigation reveals the local DNS resolver has incorrect records for the bank's domain. What attack occurred and what is the primary defence? Answer: DNS cache poisoning. The attacker injected false records into the resolver's cache. The primary defence is DNSSEC — cryptographic signatures on DNS records allow the resolver to detect and reject tampered responses.

Scenario 2: A company wants to encrypt DNS queries from employee devices to prevent ISPs from logging which sites employees visit, while still allowing the IT team to monitor and filter DNS traffic at the network level. Which encrypted DNS protocol should they use? Answer: DNS over TLS (DoT) on port 853. DoT encrypts DNS queries but uses a dedicated port that is identifiable and manageable — IT can monitor port 853 traffic and apply filtering policy. DoH on port 443 would blend with HTTPS and be much harder to inspect.

Scenario 3: An organisation needs internal users to resolve app.company.com to an internal private IP address while external users resolve the same name to a public IP. What DNS technique achieves this? Answer: Split-horizon (split-brain) DNS. An internal DNS server returns the private IP to internal clients; an external-facing DNS server returns the public IP to internet clients. This also prevents internal IP ranges from being exposed in public DNS.

Scenario 4: A security analyst notices unusually long subdomains in DNS queries leaving the network — strings like "dGhpcyBpcyBzZWNyZXQgZGF0YQ.attacker.com". What type of attack is this? Answer: DNS tunnelling. The attacker is encoding data (likely Base64) inside DNS query subdomains to exfiltrate data or maintain a covert C2 channel. Detection relies on DNS anomaly monitoring — abnormal subdomain length, query frequency, and entropy analysis.

Scenario 5: A company's home office employees have their DNS settings changed by malware on their router, redirecting all DNS queries to an attacker-controlled server. What type of attack is this? Answer: DNS hijacking via router compromise. The attacker changed the router's DNS configuration so all DHCP clients receive a malicious DNS server address. DNSSEC alone does not prevent this — even with DNSSEC, if the client's resolver is an attacker-controlled server that ignores validation. Defence: secure router credentials, firmware updates, and monitoring for DNS setting changes.

Scenario 6: What record type in DNSSEC proves that a DNS name does NOT exist, preventing attackers from fabricating negative responses? Answer: NSEC (Next Secure) or NSEC3 records. They provide authenticated denial of existence — the resolver can cryptographically verify that a queried name truly doesn't exist in the zone, preventing an attacker from claiming a domain doesn't exist when it does.

DNS Record Types and Security Relevance

Understanding DNS record types is both a Network+ exam requirement and essential context for understanding why DNS security controls like DNSSEC, SPF, DKIM, and DMARC work the way they do — since all of them rely on specific DNS record types.

A record: maps a hostname to an IPv4 address. The most common DNS record type. When you look up google.com, the A record returns its IPv4 address. AAAA record: maps a hostname to an IPv6 address. Both A and AAAA records are targeted by DNS spoofing attacks — an attacker who can forge a response can redirect traffic for any hostname.

MX record: specifies which mail servers accept email for a domain. The value is a hostname (which must itself have an A/AAAA record) and a priority number — lower number = higher priority. When another mail server wants to deliver email to user@company.com, it queries the MX record for company.com. MX records are directly relevant to email security — misconfigured MX records can cause email to be delivered to the wrong server.

TXT record: stores arbitrary text data. This is the mechanism used by SPF (specifies authorized mail server IPs), DKIM (publishes public keys for signature verification), DMARC (specifies enforcement policy), and various domain ownership verification methods. TXT records are critical for email security but are also used for other purposes — Google Search Console verification, Microsoft 365 tenant verification, and general domain attribute declarations. An attacker with DNS zone control can modify TXT records to redirect email traffic or invalidate security controls.

PTR record: reverse DNS — maps an IP address back to a hostname. Used for logging (recording the hostname associated with an IP in log files), email server validation (receiving mail servers check if the sending IP's PTR record matches the claimed domain), and network troubleshooting. Absence of a PTR record for a mail server IP is a spam signal — legitimate mail servers have matching forward and reverse DNS.

NS record: specifies the authoritative name servers for a domain. Compromising or hijacking NS records is a powerful attack — redirect the NS records to your own servers and you control all DNS for the domain. SOA record: Start of Authority — contains administrative information about the DNS zone including the primary name server, zone administrator email, and timing parameters. One SOA per zone.

DNS Sinkholing

DNS sinkholing is a defensive technique where a DNS server is configured to return a false IP address for known malicious domains — redirecting the connection to a controlled server (the "sinkhole") instead of the attacker's infrastructure. When malware-infected machines attempt to contact their command-and-control (C2) server, the DNS sinkhole intercepts the lookup and returns the sinkhole's IP address. The connection goes to the sinkhole instead of the real C2 server, effectively isolating the malware from its controller.

From a security operations perspective, sinkholes provide two benefits: they neutralize active malware (infected machines cannot receive commands or exfiltrate data) and they identify infected hosts (the sinkhole server logs all connection attempts, revealing which internal IP addresses are querying malicious domains). This is valuable for incident response teams trying to identify compromised systems. DNS sinkholes are a core feature of enterprise DNS security platforms such as Cisco Umbrella, Infoblox, and Palo Alto DNS Security.

DNS Blocklists (DNSBL)

A DNS Blocklist (DNSBL), formerly called a DNS Blacklist, is a database of known malicious or spam-associated IP addresses and domains that is queryable via DNS. Mail servers have used DNSBLs for spam filtering for decades — when receiving an email, the mail server queries a DNSBL to check whether the sending server's IP is listed as a known spam source. If it is, the email is rejected or scored as spam.

Modern DNS security extends this concept from email to all DNS traffic. Threat intelligence feeds populate blocklists of known malware distribution domains, phishing sites, botnet C2 servers, and other malicious infrastructure. DNS resolvers configured with these feeds automatically block queries to listed domains, returning an NXDOMAIN response or sinkhole IP instead of resolving the request. This provides automatic protection at the DNS layer for all devices on the network, regardless of whether they have endpoint security software installed — including IoT devices that cannot run traditional antivirus.

DNS Tunneling

DNS tunneling is an attack technique (and occasionally a legitimate tool) that encodes arbitrary data into DNS queries and responses to create a covert communication channel that bypasses traditional network controls. DNS is typically allowed through firewalls because it is essential for internet access — attackers exploit this by encoding data in DNS query names and TXT records, creating a bidirectional communication channel hidden within what appears to be normal DNS traffic.

A malware infection might use DNS tunneling to exfiltrate data by encoding file contents into DNS lookup queries: aGVsbG8gd29ybGQ.attacker-controlled.com where the subdomain contains base64-encoded data. The attacker's authoritative DNS server receives these queries and decodes the data. Responses encode commands back to the malware using DNS TXT records. Because many organizations permit DNS traffic with minimal inspection, DNS tunneling can persist undetected for extended periods.

Detection methods for DNS tunneling include monitoring for abnormally long DNS query names (legitimate queries are rarely more than a few dozen characters), high volumes of queries to a single domain, unusual TXT record responses, and domains with high Shannon entropy in their subdomains (indicating encoded binary data). DNS security platforms and SIEM rules specifically watch for these patterns.

Recursive vs Authoritative DNS Servers

Understanding the distinction between recursive and authoritative DNS servers is a fundamental networking concept tested on Network+ and relevant to DNS security discussions.

Authoritative DNS servers hold the actual DNS records for a zone — they are the canonical source of truth for a domain's IP addresses, mail records, and other records. When you register a domain and publish DNS records through your registrar or DNS hosting provider (Route 53, Cloudflare DNS), you are configuring authoritative servers. They only answer queries about zones they are authoritative for.

Recursive (or resolver) DNS servers answer client queries by hunting through the DNS hierarchy on the client's behalf. When your laptop queries its configured DNS server (typically provided by DHCP from your ISP or IT department), that server is a resolver. If it doesn't have the answer cached, it queries root servers, then TLD servers, then the authoritative servers, then returns the answer to your client and caches it. Corporate DNS servers, ISP resolvers, and public resolvers like 8.8.8.8 (Google) and 1.1.1.1 (Cloudflare) are all recursive resolvers.

Security implications: DNS cache poisoning attacks target recursive resolvers — if an attacker can poison the cache of a widely-used resolver, many clients are affected. DNSSEC prevents cache poisoning by validating that records came from the authoritative server. Open resolvers (recursive resolvers that answer queries from any IP on the internet) are used in DNS amplification DDoS attacks — attackers spoof the victim's IP in DNS queries to open resolvers, which send large responses to the victim's IP, overwhelming it with traffic.

Prepare for Security+ and Network+

Free cheat sheets, study guides, and practice scenarios.

View Cheat Sheet →

DNS Security Explained