DNS is often overlooked, yet it is critical for security. Unprotected DNS lets attackers redirect traffic, steal credentials, and surveil users, because clients trust whatever answer the resolver returns.
DNS Threats
- DNS Spoofing: Return forged responses to a client before the legitimate answer arrives
- DNS Cache Poisoning: Inject forged records into a resolver's cache so every client it serves is misdirected
- DNS Tunneling: Exfiltrate data or carry command-and-control traffic encoded in DNS queries and responses
- DNS Hijacking: Redirect domains maliciously by changing resolver settings or registrar/zone records
DNSSEC
DNSSEC adds cryptographic signatures (RRSIG records) to DNS records so a validating resolver can detect forged or tampered responses. It provides authentication and integrity, not confidentiality: queries and answers are still sent in the clear.
# Check DNSSEC validation
dig +dnssec example.com
# Look for RRSIG records in the answer and the AD (Authenticated Data) flag;
# AD is only set when the resolver you are asking performs validation itself
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2
DNS over HTTPS (DoH)
Encrypts DNS queries inside HTTPS (port 443), so they are indistinguishable from other web traffic on the wire.
# Query via DoH (Cloudflare)
curl -H "accept: application/dns-json" \
"https://cloudflare-dns.com/dns-query?name=example.com&type=A"
# Firefox DoH configuration (about:config)
network.trr.mode = 2 # 2 = DoH first, fall back to system DNS; 3 = DoH only, no fallback
network.trr.uri = https://cloudflare-dns.com/dns-query
DNS over TLS (DoT)
Encrypts DNS queries using TLS on port 853. Unlike DoH, the dedicated port makes DoT easy to identify and filter on a network.
# systemd-resolved DoT config (/etc/systemd/resolved.conf)
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com
DNSOverTLS=yes # strict: fail rather than fall back to plaintext; use "opportunistic" to allow fallback
Recommendations
- Enable DNSSEC validation on resolvers
- Use DoH/DoT for client privacy (note that this moves trust to the DoH/DoT provider)
- Monitor DNS queries for tunneling (unusually long or high-entropy names, high volumes of TXT/NULL queries to one domain)
- Consider DNS filtering against threat feeds to block known malicious domains
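To make the tunneling-monitoring recommendation concrete, here is an added example (not from the original page) that scores resolver query logs with simple heuristics: long labels, high-entropy subdomains, and TXT/NULL record types grouped per client and apex domain. The log format and the sample lines are constructed for illustration; the thresholds are assumptions to tune against your own baseline.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: "<time> <client> <qtype> <qname>" (not real data).
SAMPLE_LOG = """\
2024-12-01T10:00:01 10.0.0.5 A www.example.com.
2024-12-01T10:00:02 10.0.0.5 AAAA mail.example.com.
2024-12-01T10:00:03 10.0.0.5 A static-assets-eu-west-1.cdn.example.org.
2024-12-01T10:00:04 10.0.0.7 TXT 6a7b8c9d0e1f2a3b4c5d6e7f8091a2b3c4d5e6f7.t.example.net.
2024-12-01T10:00:05 10.0.0.7 TXT a3f5c9e1b7d2f4a6c8e0b2d4f6a8c0e2b4d6f8a0.t.example.net.
2024-12-01T10:00:06 10.0.0.7 TXT 9f8e7d6c5b4a3928170605f4e3d2c1b0a9f8e7d6.t.example.net.
2024-12-01T10:00:07 10.0.0.7 A www.example.com.
"""

def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for empty input)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def apex(qname: str) -> str:
    """Registrable domain, assuming a one-label TLD (e.g. example.net)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def query_indicators(qname: str) -> list:
    """Heuristic reasons a single query name resembles tunneling traffic."""
    labels = qname.rstrip(".").split(".")
    sub = "".join(labels[:-2])  # the data carrier: everything left of the apex
    reasons = []
    if max(len(label) for label in labels) > 30:  # payload bytes packed into a label
        reasons.append("long-label")
    if len(sub) >= 20 and shannon_entropy(sub) > 3.5:  # encoded payload looks random
        reasons.append("high-entropy")
    return reasons

def find_tunneling(log_text: str, min_hits: int = 3) -> dict:
    """Return {(client, apex): stats} for pairs with at least min_hits suspicious queries."""
    stats = defaultdict(lambda: {"queries": 0, "suspicious": 0, "txt_null": 0, "reasons": set()})
    for line in log_text.splitlines():
        _, client, qtype, qname = line.split()
        s = stats[(client, apex(qname))]
        s["queries"] += 1
        if qtype in ("TXT", "NULL"):  # record types that carry arbitrary data back to the client
            s["txt_null"] += 1
        reasons = query_indicators(qname)
        if reasons:
            s["suspicious"] += 1
            s["reasons"].update(reasons)
    return {k: v for k, v in stats.items() if v["suspicious"] >= min_hits}

if __name__ == "__main__":
    for (client, domain), s in find_tunneling(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {s['suspicious']}/{s['queries']} suspicious, "
              f"{s['txt_null']} TXT/NULL, reasons={sorted(s['reasons'])}")
```

On the sample log only the 10.0.0.7 to example.net pair is reported; the long but benign CDN name stays below both thresholds.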
December 2024