Key Takeaways

  • DNS is critical infrastructure, often overlooked
  • DNSSEC adds authentication to DNS
  • DNS amplification enables massive DDoS
  • DNS over HTTPS adds privacy

1. DNS Security Fundamentals

DNS translates domain names to IP addresses. It's a critical piece of internet infrastructure that was designed without security in mind. Compromising DNS can redirect all traffic to attacker-controlled servers.

2. DNS Attack Types

3. DNS Hijacking

Hijacking Methods
# Router DNS hijacking
# Attacker changes router DNS settings

# Registrar compromise
# Attacker gains access to domain registrar account
# Changes nameservers to attacker-controlled

# Man-in-the-middle
# Intercept DNS queries, return false responses

# Malware
# Change local DNS settings (/etc/resolv.conf, Windows DNS)

4. DNS Amplification Attacks

# DNS Amplification DDoS:
# 1. Attacker sends DNS query with spoofed source IP (victim)
# 2. DNS server responds to victim
# 3. Response is much larger than query (amplification factor 28-54x)
# 4. Victim overwhelmed with traffic

# Amplification-prone record types:
# - ANY (deprecated)
# - TXT (large records)
# - DNSSEC responses (signatures add size)

# Prevention:
# - Disable recursion on authoritative servers
# - Rate limiting
# - Response Rate Limiting (RRL)
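The prevention list above names Response Rate Limiting without showing why it blunts amplification. The following is an added example, not code from the original page: a small Python model of RRL in the style of BIND's rate-limit block (responses-per-second, slip, per-/24 client grouping). It answers only a fixed number of identical responses per second to one client network, drops the rest, and turns every second dropped response into a tiny truncated reply that a real client can retry over TCP but a spoofed victim never asked for. The query stream is constructed, and the parameter names and defaults are this example's simplification, not BIND's exact semantics.

```python
# Added example (not from the original page): a minimal model of Response
# Rate Limiting (RRL). Identical responses to one client network are capped
# per second; excess responses are dropped, and every "slip"-th one is sent
# as a small TC=1 reply instead of the full (amplified) record set.
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class RRLConfig:
    responses_per_second: int = 5   # like BIND: rate-limit { responses-per-second N; }
    slip: int = 2                   # every Nth dropped response becomes a TC=1 reply
    ipv4_prefix_length: int = 24    # clients grouped per /24, BIND's default


@dataclass
class RRLState:
    credits: dict = field(default_factory=dict)                     # (key) -> (second, credits left)
    slip_counter: dict = field(default_factory=lambda: defaultdict(int))


def client_network(ip: str, prefix_len: int) -> str:
    """Mask an IPv4 dotted-quad down to its /prefix_len network."""
    o = [int(x) for x in ip.split(".")]
    as_int = (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    net = as_int & mask
    return f"{net >> 24}.{(net >> 16) & 255}.{(net >> 8) & 255}.{net & 255}/{prefix_len}"


def rrl_decide(state: RRLState, cfg: RRLConfig, second: int, client_ip: str, qname: str, qtype: str) -> str:
    """Return 'answer', 'drop' or 'slip' for one query.

    The token bucket is keyed by (client network, qname, qtype): the same
    response going to the same network. It refills every new second.
    """
    key = (client_network(client_ip, cfg.ipv4_prefix_length), qname.lower(), qtype)
    last_second, credits = state.credits.get(key, (second, cfg.responses_per_second))
    if second != last_second:
        credits = cfg.responses_per_second   # refill on a new second
    if credits > 0:
        state.credits[key] = (second, credits - 1)
        return "answer"
    state.credits[key] = (second, 0)
    state.slip_counter[key] += 1
    if cfg.slip and state.slip_counter[key] % cfg.slip == 0:
        return "slip"   # tiny TC=1 reply: a real client retries over TCP, a spoofed source cannot
    return "drop"


def simulate(queries, cfg: RRLConfig = RRLConfig()) -> dict:
    """Run a list of (second, client_ip, qname, qtype) through RRL and tally decisions."""
    state = RRLState()
    tally = defaultdict(int)
    for second, client_ip, qname, qtype in queries:
        tally[rrl_decide(state, cfg, second, client_ip, qname, qtype)] += 1
    return dict(tally)


# Constructed traffic: 20 spoofed ANY queries "from" the victim 203.0.113.7
# within one second, plus two legitimate A lookups from another network.
SAMPLE = [(0, "203.0.113.7", "example.com", "ANY") for _ in range(20)]
SAMPLE += [(0, "198.51.100.9", "www.example.com", "A"),
           (1, "198.51.100.9", "www.example.com", "A")]

if __name__ == "__main__":
    print(simulate(SAMPLE))   # the victim gets 5 full answers instead of 20
```

With the defaults, the victim network receives five full ANY responses in that second, seven small truncated replies and nothing at all for the remaining eight, while the legitimate client on another network is unaffected.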

5. DNSSEC Implementation

# DNSSEC adds cryptographic signatures to DNS
# Verifies response authenticity

# DNSSEC record types:
# RRSIG - Signature for record set
# DNSKEY - Public key
# DS - Delegation signer (trust chain)
# NSEC/NSEC3 - Authenticated denial of existence

# Verify DNSSEC
dig +dnssec example.com

# Check if domain is signed
dig DS example.com @8.8.8.8
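The two dig commands above return the pieces of the trust chain, but not how they fit together: the DS record in the parent zone holds the key tag and a digest of the child's DNSKEY. The following is an added example, not code from the original page, that recomputes both from a DNSKEY (key tag per RFC 4034 Appendix B, DS digest per RFC 4034 section 5.1.4 with SHA-256 as digest type 2), so the output of dig DNSKEY at the child can be checked against dig DS at the parent. The sample key (an all-zero 64-byte key with algorithm 13) is constructed and is not a real key.

```python
# Added example (not from the original page): reproduce the key tag and DS
# digest that link a parent's DS record to a child's DNSKEY, so the two dig
# outputs above can be checked against each other.
import base64
import hashlib


def wire_name(owner: str) -> bytes:
    """Owner name in canonical (lower-case) wire format: length-prefixed labels."""
    labels = owner.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as it appears on the wire: flags, protocol, algorithm, key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit checksum over the RDATA (not a secure hash)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Digest over owner name || DNSKEY RDATA; type 1 = SHA-1, type 2 = SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(wire_name(owner) + rdata).hexdigest().upper()


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """DS RDATA fields (key tag, algorithm, digest type, digest) for one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches_dnskey(ds_fields, owner, flags, protocol, algorithm, pubkey_b64) -> bool:
    """True if the parent's DS (tag, alg, digest type, digest) was derived from this DNSKEY."""
    tag, alg, dtype, digest = ds_fields
    return make_ds(owner, flags, protocol, algorithm, pubkey_b64, dtype) == (tag, alg, dtype, digest.upper())


# Constructed sample: a "KSK" (flags 257 = ZONE|SEP), protocol 3, algorithm 13
# (ECDSAP256SHA256) whose 64 key bytes are all zero. Real keys are random.
SAMPLE_OWNER = "example.com."
SAMPLE_KEY_B64 = base64.b64encode(bytes(64)).decode()

if __name__ == "__main__":
    tag, alg, dtype, digest = make_ds(SAMPLE_OWNER, 257, 3, 13, SAMPLE_KEY_B64)
    print(f"{SAMPLE_OWNER} IN DS {tag} {alg} {dtype} {digest}")
```

To use it on a live zone, paste the four fields of the dig DNSKEY line into make_ds and compare with the DS line from the parent: a mismatch after a key rollover is a common cause of a domain suddenly failing validation.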

6. DNS over HTTPS/TLS

# DoH (DNS over HTTPS) - Port 443
# DoT (DNS over TLS) - Port 853

# Benefits:
# - Encrypts DNS queries (privacy)
# - Prevents DNS interception
# - Bypasses some censorship

# Test with curl (DoH)
curl -H 'accept: application/dns-json' \
  'https://1.1.1.1/dns-query?name=example.com'

# Providers:
# Cloudflare: 1.1.1.1 / https://cloudflare-dns.com/dns-query
# Google: 8.8.8.8 / https://dns.google/dns-query
# Quad9: 9.9.9.9 / https://dns.quad9.net/dns-query
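The curl command above uses the JSON interface that Cloudflare and Google offer; RFC 8484 itself carries ordinary DNS wire-format messages over HTTPS, in a GET with a base64url-encoded dns= parameter (no padding) or a POST with content type application/dns-message. The following is an added example, not code from the original page: it builds the wire-format query, constructs the GET URL, and parses a minimal wire-format answer. The response bytes are constructed inline so the code runs offline; the server URL in the usage line is assumed.

```python
# Added example (not from the original page): DNS wire-format query and
# RFC 8484 GET encoding, plus a parser for a (constructed) wire-format reply.
import base64
import struct

QTYPE = {"A": 1, "AAAA": 28, "TXT": 16, "ANY": 255}


def encode_name(name: str) -> bytes:
    """Domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: str = "A", txid: int = 0) -> bytes:
    """12-byte header + one question. RFC 8484 recommends ID 0 so identical
    queries produce identical URLs that HTTP caches can serve."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)       # flags: RD set
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)   # class IN


def doh_get_url(base_url: str, query: bytes) -> str:
    """GET form: base64url without '=' padding (RFC 8484 section 6)."""
    return base_url + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()


def decode_dns_param(param: str) -> bytes:
    """Inverse of doh_get_url's encoding: restore padding, then decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def read_name(msg: bytes, off: int):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer to earlier name
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg: bytes):
    """Return (rcode, [(name, type, ttl, rdata_bytes), ...]) from a wire-format reply."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return flags & 0x000F, answers


# Constructed reply to "example.com A": QR+RD+RA flags, the question echoed,
# one answer whose name is a compression pointer to offset 12, A = 192.0.2.1.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + encode_name("example.com") + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://cloudflare-dns.com/dns-query", q))   # assumed endpoint
    print(parse_response(SAMPLE_RESPONSE))
```

Sending the printed URL with curl -H 'accept: application/dns-message' returns the same kind of binary message that parse_response reads, which is what a DoH-capable stub resolver does internally.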

7. DNS Server Hardening

DNS Hardening Checklist
  • ✅ Separate authoritative and recursive servers
  • ✅ Enable DNSSEC signing
  • ✅ Implement Response Rate Limiting (RRL)
  • ✅ Disable unnecessary recursion
  • ✅ Use DNS firewall / RPZ
  • ✅ Keep DNS software updated
  • ✅ Strong registrar account security (MFA)
  • ✅ Registry lock on critical domains
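Several checklist items correspond to concrete BIND 9 directives (recursion, allow-recursion, rate-limit, dnssec-validation, response-policy, and allow-transfer for the zone-transfer attempts the monitoring section mentions). The following is an added example, not code from the original page or from ISC: a regex-based audit of a named.conf options block against those items for either server role. It is a heuristic over the text, not a full parser, and the three configurations it checks are constructed.

```python
# Added example (not from the original page): audit a BIND named.conf
# "options" block against the hardening checklist. Regex heuristic, no parser.
import re


def options_block(conf: str) -> str:
    """Return the text inside the top-level options { ... } block ('' if absent)."""
    m = re.search(r"options\s*\{", conf)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(conf)):
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return conf[start:i]
    return conf[start:]


def audit_named_conf(conf: str, role: str):
    """role is 'authoritative' or 'recursive'. Returns [(check, passed, advice), ...]."""
    opts = re.sub(r"//[^\n]*|#[^\n]*", "", options_block(conf))   # strip comments

    def has(pattern: str) -> bool:
        return re.search(pattern, opts, re.S) is not None

    if role == "authoritative":
        return [
            ("recursion no", has(r"\brecursion\s+no\s*;"),
             "add 'recursion no;' so the server cannot be abused as an open resolver"),
            ("response rate limiting", has(r"\brate-limit\s*\{"),
             "add rate-limit { responses-per-second 10; slip 2; };"),
            ("zone transfers restricted",
             has(r"\ballow-transfer\s*\{") and not has(r"\ballow-transfer\s*\{\s*any\s*;"),
             "restrict allow-transfer to your secondaries, or { none; }"),
        ]
    if role == "recursive":
        return [
            ("recursion limited to clients",
             has(r"\ballow-recursion\s*\{") and not has(r"\ballow-recursion\s*\{\s*any\s*;"),
             "allow-recursion { <internal networks>; };"),
            ("DNSSEC validation", has(r"\bdnssec-validation\s+(auto|yes)\s*;"),
             "dnssec-validation auto;"),
            ("RPZ / DNS firewall", has(r"\bresponse-policy\s*\{"),
             "response-policy { zone \"rpz.local\"; };"),
        ]
    raise ValueError("role must be 'authoritative' or 'recursive'")


def failed_checks(conf: str, role: str):
    """Names of the checks that did not pass."""
    return [name for name, ok, _ in audit_named_conf(conf, role) if not ok]


# Constructed configurations: a weak authoritative server, its hardened
# counterpart, and a restricted validating resolver (addresses from 192.0.2.0/24).
WEAK_AUTH = """
options {
    directory "/var/cache/bind";
    recursion yes;              // open resolver on an authoritative server
    allow-transfer { any; };    // anyone can pull the whole zone
};
zone "example.com" { type primary; file "db.example.com"; };
"""

HARDENED_AUTH = """
options {
    directory "/var/cache/bind";
    recursion no;
    allow-transfer { 192.0.2.53; };                       // secondary only
    rate-limit { responses-per-second 10; slip 2; };
};
zone "example.com" { type primary; file "db.example.com"; };
"""

RECURSIVE = """
options {
    recursion yes;
    allow-recursion { 10.0.0.0/8; };
    dnssec-validation auto;
    response-policy { zone "rpz.local"; };
};
zone "rpz.local" { type primary; file "db.rpz"; };
"""

if __name__ == "__main__":
    for label, conf, role in [("weak", WEAK_AUTH, "authoritative"),
                              ("hardened", HARDENED_AUTH, "authoritative"),
                              ("resolver", RECURSIVE, "recursive")]:
        print(label, "failed:", failed_checks(conf, role))
```

The first item on the checklist, separating roles, is what makes the audit two-sided: an authoritative server should fail if it recurses at all, a resolver should fail if it recurses for anyone.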

8. DNS Monitoring

# Monitor for:
# - Zone transfer attempts
# - Unusual query volumes
# - DNS tunneling patterns (long subdomains)
# - NXDOMAIN spikes
# - Changes to critical records

# DNS logging
querylog yes;  # BIND (options block; can also be toggled at runtime with rndc querylog)
dnstap         # structured query/response capture supported by BIND, Unbound and Knot

# External monitoring
# - Passive DNS services
# - Certificate Transparency logs
# - Regular record verification
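Three of the indicators in the monitoring list can be checked directly from query logs. The following is an added example, not code from the original page: detection logic for zone transfer attempts, DNS tunneling patterns (long or high-entropy labels) and per-client NXDOMAIN spikes, run over constructed log lines. The line format (timestamp, client, qname, qtype, rcode) is a simplified one chosen for this example; BIND's query log does not record the response code, so in practice that field comes from dnstap or a response log.

```python
# Added example (not from the original page): run three detectors from the
# monitoring list over constructed log lines in a simplified format.
import math
import re
from collections import Counter, defaultdict

# Constructed format: "<timestamp> <client> <qname> <qtype> <rcode>"
LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<rcode>\S+)$")


def parse(line: str):
    m = LINE.match(line.strip())
    return m.groupdict() if m else None


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character; encoded payloads score high."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())


def looks_like_tunnel(qname: str, max_label: int = 40, max_len: int = 100, entropy: float = 3.5) -> bool:
    """Very long names, very long labels, or a long high-entropy first label
    suggest data being carried in the query name."""
    labels = qname.rstrip(".").split(".")
    first = labels[0]
    return (len(qname) > max_len
            or any(len(l) > max_label for l in labels)
            or (len(first) >= 20 and label_entropy(first) > entropy))


def analyse(lines, nxdomain_threshold: int = 5) -> dict:
    """Return findings keyed by detector name."""
    findings = defaultdict(list)
    nx_per_client = Counter()
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        if rec["qtype"] in ("AXFR", "IXFR"):
            findings["zone_transfer_attempt"].append((rec["client"], rec["qname"]))
        if looks_like_tunnel(rec["qname"]):
            findings["possible_tunnel"].append((rec["client"], rec["qname"]))
        if rec["rcode"] == "NXDOMAIN":
            nx_per_client[rec["client"]] += 1
    for client, n in nx_per_client.items():
        if n >= nxdomain_threshold:
            findings["nxdomain_spike"].append((client, n))
    return dict(findings)


# Constructed sample log (documentation address ranges; the long first label
# is an arbitrary base64-looking string, not real data).
SAMPLE_LOG = """
2024-01-01T10:00:00 198.51.100.10 www.example.com. A NOERROR
2024-01-01T10:00:01 203.0.113.5 example.com. AXFR REFUSED
2024-01-01T10:00:02 198.51.100.10 aGVsbG8gd29ybGQgdGhpcyBpcyBkYXRh.t.example.net. TXT NOERROR
2024-01-01T10:00:03 192.0.2.77 aaa1.example.com. A NXDOMAIN
2024-01-01T10:00:03 192.0.2.77 aaa2.example.com. A NXDOMAIN
2024-01-01T10:00:04 192.0.2.77 aaa3.example.com. A NXDOMAIN
2024-01-01T10:00:04 192.0.2.77 aaa4.example.com. A NXDOMAIN
2024-01-01T10:00:05 192.0.2.77 aaa5.example.com. A NXDOMAIN
2024-01-01T10:00:06 198.51.100.10 mail.example.com. MX NOERROR
""".strip().splitlines()

if __name__ == "__main__":
    for detector, hits in analyse(SAMPLE_LOG).items():
        print(detector, hits)
```

The thresholds are starting points to tune against a baseline of normal traffic: CDN and anti-spam domains legitimately use long hashed labels, and a single client generating a burst of NXDOMAIN answers may be misconfigured software rather than malware probing for a domain-generation algorithm.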

FAQ

Is DNSSEC widely deployed?
DNSSEC deployment is growing but still limited. Many domains aren't signed, and many resolvers don't validate. It's important for high-security domains but not universal yet.
