DNS Security
Protecting DNS infrastructure from attacks and ensuring query integrity.
Common DNS Attacks
DNS Cache Poisoning
- Inject forged records into a resolver's cache, typically by racing the legitimate answer with guessed transaction IDs and source ports
- Redirect users to attacker-controlled hosts for as long as the poisoned record's TTL lasts
- Prevention: DNSSEC validation, source port and transaction ID randomization, 0x20 case randomization of query names
DNS Amplification DDoS
- Spoof the victim's address as the query source so the responses go to the victim
- Small query (ANY, DNSKEY, large TXT) yields a much larger response, multiplying the attacker's bandwidth
- Prevention: Response rate limiting, no open recursion, BCP38 source address validation at the network edge
DNS Hijacking
- Compromise the registrar account or the authoritative servers
- Change NS, A or MX records to point at attacker infrastructure
- Prevention: Registry locks, MFA on registrar accounts, monitoring of delegation and zone contents
DNS Tunneling
- Encode data in query names and in TXT, NULL or CNAME answers
- Bypass firewalls by riding on DNS, which is almost always allowed outbound
- Prevention: Query analysis (label length, entropy, query volume per domain), monitoring
DNSSEC (DNS Security Extensions)
DNSSEC adds cryptographic signatures to DNS records.
How DNSSEC Works
1. Zone owner generates key pairs: a key-signing key (KSK) and a zone-signing key (ZSK)
2. The ZSK signs every RRset in the zone; the KSK signs the DNSKEY RRset
3. Public keys are published as DNSKEY records; a DS record (a hash of the KSK) is published in the parent zone
4. Validating resolvers verify each RRSIG against the zone's DNSKEY, and the DNSKEY against the parent's DS
5. The chain of trust runs from the root trust anchor through each DS/DNSKEY pair down to the zone
DNSSEC Record Types
DNSKEY - Public signing keys
RRSIG - Resource record signatures
DS - Delegation signer
NSEC - Authenticated denial of existence (links each name to the next, which also allows zone walking)
NSEC3 - NSEC with hashed owner names, making zone enumeration harder
Enable DNSSEC Validation (BIND)
options {
    // auto: validate using the built-in root trust anchor, kept current via RFC 5011
    dnssec-validation auto;
    // yes: validate only with trust anchors you configure yourself, which requires
    // a trust-anchors { ... } statement (managed-keys in BIND before 9.16)
    // dnssec-validation yes;
    // managed-keys-directory "/var/named/dynamic";
};
Check DNSSEC
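Before running the dig and delv checks, it helps to see what the chain of trust actually compares at each delegation. As an added example (not code from the original page), the Python script below performs that derivation: the parent's DS record is a hash of the child's DNSKEY, and the key tag identifies which DNSKEY it refers to. Run against a zone's real DNSKEY, it confirms that the DS the registrar published matches your KSK, the same check a validator performs. The KSK here is constructed from random bytes, not a real zone key.

```python
"""Derive the DS record for a DNSKEY, as the parent zone publishes it.

Added example, not from the original page. The KSK below is constructed from
random bytes, not a real zone key; the derivation follows RFC 4034 (Appendix B
key tag, section 5.1.4 DS digest) and RFC 4509 (SHA-256 digest type 2).
"""
import base64
import hashlib
import os
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root terminator."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (256 = ZSK, 257 = KSK), protocol (always 3), algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit sum over the RDATA taken as big-endian words.

    Valid for every algorithm except the obsolete RSA/MD5 (algorithm 1).
    """
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA); type 2 = SHA-256, type 4 = SHA-384."""
    algo = {2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Presentation form of the DS the parent publishes: owner. IN DS keytag algorithm digesttype digest."""
    algorithm = rdata[3]
    return (f"{owner.rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} "
            f"{digest_type} {ds_digest(owner, rdata, digest_type)}")


def ds_matches(owner: str, rdata: bytes, published_ds: str) -> bool:
    """Check a published DS (full record or just its RDATA) against the child's DNSKEY.

    This is the comparison a validator makes at each delegation; if it fails,
    the chain of trust is broken at this zone and signed answers are bogus.
    """
    tag, alg, dtype, digest = published_ds.split()[-4:]
    try:
        return (int(tag) == key_tag(rdata) and int(alg) == rdata[3]
                and ds_digest(owner, rdata, int(dtype)) == digest.upper())
    except KeyError:          # unsupported digest type
        return False


if __name__ == "__main__":
    # Constructed KSK: flags 257 (ZONE|SEP), protocol 3, algorithm 13 (ECDSAP256SHA256).
    # A real P-256 public key is 64 bytes; random bytes stand in for it here.
    ksk = dnskey_rdata(257, 3, 13, os.urandom(64))
    print("DNSKEY: 257 3 13", base64.b64encode(ksk[4:]).decode())
    ds = ds_record("example.com", ksk)
    print(ds)
    print("published DS matches KSK:", ds_matches("example.com", ksk, ds))
    # Flip one key bit: the parent's DS no longer authenticates this key.
    tampered = ksk[:-1] + bytes([ksk[-1] ^ 1])
    print("DS matches tampered key:", ds_matches("example.com", tampered, ds))
```

To use it on a live zone, paste the DNSKEY RDATA fields from `dig DNSKEY example.com` into dnskey_rdata() (base64-decode the key) and pass the DS from `dig DS example.com` to ds_matches(); the result should agree with BIND's own dnssec-dsfromkey tool.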
# Query with DNSSEC records (RRSIG etc.) and look for the "ad" flag in the flags line:
# a validating resolver sets it only when the answer verified
dig +dnssec example.com
# Compare with validation switched off at the resolver (+cd sets Checking Disabled);
# if the name only resolves with +cd, its DNSSEC chain is broken
dig +dnssec +cd example.com
# Verify the chain locally with delv (dig +sigchase has been removed from current BIND);
# delv fetches through the named resolver but validates against its own root trust anchor
delv @8.8.8.8 example.com
DNS over HTTPS (DoH)
Encrypts DNS queries over HTTPS.
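The DoH material on this page lists servers and endpoints; as an added example (not code from the original page), the following Python script shows what actually travels over the HTTPS connection: an ordinary DNS wire-format query, base64url-encoded into the dns= parameter of a GET, or sent as the body of a POST (RFC 8484). The response it decodes is hand-built so the script runs offline; send_doh_query() is the only function that touches the network and is not called by default. DOH_URL is Cloudflare's endpoint from the server list on this page, and the 192.0.2.1 answer is a constructed TEST-NET address.

```python
"""Build an RFC 8484 DoH request and decode the answer.

Added example, not from the original page. DoH carries an ordinary DNS wire-format
message: GET /dns-query?dns=<base64url(query)> or POST with
Content-Type application/dns-message. The response decoded in __main__ is
hand-built so the script runs offline; send_doh_query() is the only function
that touches the network and is not called by default.
"""
import base64
import struct
import urllib.request

DOH_URL = "https://cloudflare-dns.com/dns-query"   # Cloudflare's endpoint


def name_to_wire(name: str) -> bytes:
    """Length-prefixed labels plus the root terminator."""
    wire = b""
    for label in name.rstrip(".").split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """DNS header plus one question. ID 0 with RD set, as RFC 8484 suggests so GET URLs are cacheable."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + name_to_wire(name) + struct.pack("!HH", qtype, 1)   # class IN


def doh_get_url(base_url: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url of the wire query with padding stripped."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={encoded}"


def send_doh_query(base_url: str, query: bytes) -> bytes:
    """POST the wire query and return the wire response (requires network access)."""
    req = urllib.request.Request(
        base_url, data=query, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; returns (name, offset just past it at the original position)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                        # compression pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumped = True
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", end


def ad_flag(msg: bytes) -> bool:
    """AD bit: the resolver validated the answer with DNSSEC. Only meaningful over an authenticated channel such as DoH/DoT."""
    return bool(msg[3] & 0x20)


def parse_answers(msg: bytes):
    """Walk the question and answer sections; return (name, type, ttl, address) for A records."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    rcode = msg[3] & 0x0F
    if rcode != 0:
        raise ValueError(f"server returned RCODE {rcode}")
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(msg, offset)
        offset += 4                                      # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:
            answers.append((name, "A", ttl, ".".join(str(b) for b in rdata)))
    return answers


def constructed_response() -> bytes:
    """Hand-built answer to the A query for www.example.com, standing in for the server's reply.

    Flags 0x81A0 = QR, RD, RA, AD; the answer name is a compression pointer (0xC00C) to the question name.
    """
    header = struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 0)
    question = name_to_wire("www.example.com") + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])  # constructed TEST-NET address
    return header + question + answer


if __name__ == "__main__":
    query = build_query("www.example.com")
    print("GET", doh_get_url(DOH_URL, query))
    response = constructed_response()   # swap in send_doh_query(DOH_URL, query) to ask Cloudflare for real
    print("resolver validated (AD):", ad_flag(response))
    for rr in parse_answers(response):
        print(rr)
```

The GET URL the script prints for www.example.com is the one RFC 8484 uses as its own example, which is a quick way to confirm the encoding; with DoT the same wire message is sent with a two-byte length prefix over TLS on port 853 instead.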
DoH Servers
Cloudflare: https://cloudflare-dns.com/dns-query
Google: https://dns.google/dns-query
Quad9: https://dns.quad9.net/dns-query
DNS over TLS (DoT)
Similar to DoH but runs DNS inside a TLS session on dedicated port 853, so DoT is easy to identify and block at the network edge, while DoH on port 443 blends in with other HTTPS traffic.
Configure DoT Client (systemd-resolved)
systemd-resolved supports DoT but not DoH, so this is a DoT configuration. The name after # is used for SNI and to validate the server certificate; without it the certificate is checked against the IP address instead.
# /etc/systemd/resolved.conf
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com
# yes = strict (fail rather than fall back to plaintext); opportunistic = fall back silently
DNSOverTLS=yes
# Restart systemd-resolved to apply; "resolvectl status" shows the DNSOverTLS state per link
# Test DoT with kdig (knot-dnsutils): +tls-ca validates the server certificate,
# +tls-hostname pins the expected name, -d prints the TLS handshake details
kdig -d @1.1.1.1 +tls-ca +tls-hostname=cloudflare-dns.com example.com
BIND Security Hardening
options {
    // Hide the version from "version.bind" CHAOS queries
    version "not disclosed";
    // Authoritative-only server: do not recurse for anyone.
    // A resolver keeps recursion on and restricts it instead:
    // allow-recursion { localhost; localnets; };
    recursion no;
    // Response rate limiting (RRL): limits how useful this server is for amplification
    rate-limit {
        responses-per-second 10;
        window 5;
    };
    // No zone transfers by default; grant them per zone to secondaries only,
    // ideally keyed with TSIG (allow-transfer { key xfer-key; };)
    allow-transfer { none; };
    // Send NOTIFY only to the listed secondaries, not to every NS in the zone
    notify explicit;
    also-notify { 192.168.1.3; };
    // Source port randomization against cache poisoning (default since BIND 9.5;
    // keep the range wide, never pin queries to a single port)
    use-v6-udp-ports { range 1024 65535; };
    use-v4-udp-ports { range 1024 65535; };
};
Response Policy Zones (RPZ)
Block or rewrite answers for known-bad domains at the resolver, using a locally maintained policy zone. RPZ only affects recursive answers, so it belongs on the resolver, not on an authoritative-only server.
// named.conf
zone "rpz.local" {
    type master;
    file "/etc/bind/zones/rpz.local";
};
options {
    response-policy { zone "rpz.local"; };
};
RPZ Zone File
; Names are relative to the zone origin (malware.example.com here means
; malware.example.com.rpz.local), so they carry no trailing dot.
; Bump the serial and run "rndc reload rpz.local" after every change.
$TTL 60
@ SOA localhost. root.localhost. 1 3600 600 604800 60
@ NS localhost.
; NXDOMAIN action: the name and everything under it no longer exist
malware.example.com CNAME .
*.malware.example.com CNAME .
; Local Data action: answer with a sinkhole address instead (lets you see who was infected)
phishing.com A 192.168.1.100
; A more specific entry with "CNAME rpz-passthru." exempts a name from a wildcard block
Monitoring DNS
# Query logging (the "queries" logging category; point it at a file via a channel in named.conf)
sudo rndc querylog on
# Watch queries
tail -f /var/log/named/query.log
# Detect tunneling: record types that carry data back to the client
grep -E " IN (TXT|NULL|CNAME) " /var/log/named/query.log
# Long query names (60+ characters) are the other tunneling signal
grep -E "query: [^ ]{60,} IN" /var/log/named/query.log
# Check for amplification: UDP queries (look for ANY and for responses far larger than queries)
tcpdump -ni eth0 udp port 53
Best Practices
- Enable DNSSEC - Sign your zones and validate on your resolvers
- Use DoH/DoT - Encrypt client-to-resolver queries
- Rate limit - Prevent abuse and amplification
- Monitor queries - Detect anomalies such as tunneling
- Registry locks - Protect domain registrations from unauthorized changes
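Complementing the "Monitor queries" item above and the tunneling grep in the Monitoring DNS section, here is an added example (not code from the original page) that scores BIND query-log lines for tunneling indicators instead of matching record types alone. It groups queries per (client, zone) and scores each group on the signals the page names: carrier record types, long labels, high-entropy labels and a stream of never-repeated subdomains. The log lines are constructed with TEST-NET addresses, and the thresholds are illustrative, not a published rule set.

```python
"""Score BIND query-log lines for DNS tunneling indicators.

Added example, not from the original page. Input is the format `rndc querylog on`
produces (with or without the @0x... client pointer BIND 9.11+ prints). The log
lines below are constructed with TEST-NET addresses and the thresholds are
illustrative, not a published rule set.
"""
import math
import re
from collections import defaultdict

QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)
CARRIER_TYPES = {"TXT", "NULL", "CNAME", "MX"}   # types whose answers can carry attacker data back

# Constructed sample: ordinary traffic from 192.0.2.10, and a tunnel from 192.0.2.77
# that pushes 32 hex characters of payload per query under tun.example.net.
_HEX = "0123456789abcdef" * 2
SAMPLE_LOG = [
    "client @0x7f3c1c0a2b40 192.0.2.10#51234 (www.example.com): query: www.example.com IN A +E(0)K (192.0.2.53)",
    "client @0x7f3c1c0a2b40 192.0.2.10#51235 (www.example.com): query: www.example.com IN A +E(0)K (192.0.2.53)",
    "client @0x7f3c1c0a2b40 192.0.2.10#51236 (mail.example.com): query: mail.example.com IN MX +E(0)K (192.0.2.53)",
    "client @0x7f3c1c0a2b40 192.0.2.10#51237 (example.com): query: example.com IN A +E(0)K (192.0.2.53)",
    "client @0x7f3c1c0a2b40 192.0.2.10#51238 (www.example.com): query: www.example.com IN AAAA +E(0)K (192.0.2.53)",
    "received control channel command 'querylog on'",            # not a query line
] + [
    f"client @0x7f3c1c0a9e10 192.0.2.77#4000{i} ({_HEX[i:] + _HEX[:i]}.tun.example.net): "
    f"query: {_HEX[i:] + _HEX[:i]}.tun.example.net IN TXT +E(0)K (192.0.2.53)"
    for i in range(6)
]


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score high, human-chosen names score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def parse_query_line(line: str):
    """Return (client, qname, qtype) for a query line, None for anything else."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def zone_of(qname: str) -> str:
    """Registered domain, approximated as the last two labels (use the Public Suffix List in production)."""
    return ".".join(qname.split(".")[-2:])


def score_queries(lines):
    """Group queries per (client, zone) and score each group on tunneling signals."""
    groups = defaultdict(list)
    for line in lines:
        parsed = parse_query_line(line)
        if parsed:
            client, qname, qtype = parsed
            groups[(client, zone_of(qname))].append((qname, qtype))
    findings = []
    for (client, zone), queries in groups.items():
        subdomains = {q for q, _ in queries if q != zone}
        # leftmost label of each distinct subdomain: that is where tunnels put their payload
        first_labels = [q[: -len(zone) - 1].split(".")[0] for q in subdomains] or [""]
        avg_len = sum(map(len, first_labels)) / len(first_labels)
        avg_entropy = sum(map(shannon_entropy, first_labels)) / len(first_labels)
        carrier_share = sum(1 for _, t in queries if t in CARRIER_TYPES) / len(queries)
        unique_ratio = len(subdomains) / len(queries)
        score = sum([
            avg_len >= 30,                              # payload-sized labels
            avg_entropy >= 3.5,                         # encoded, not human-chosen
            carrier_share >= 0.5,                       # answers can carry data back
            unique_ratio >= 0.8 and len(queries) >= 5,  # every query a new name, so no cache hits
        ])
        findings.append({"client": client, "zone": zone, "queries": len(queries),
                         "unique_subdomains": len(subdomains), "avg_label_len": round(avg_len, 1),
                         "avg_entropy": round(avg_entropy, 2), "carrier_share": round(carrier_share, 2),
                         "score": score, "verdict": "likely tunnel" if score >= 3 else "normal"})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for finding in score_queries(SAMPLE_LOG):
        print(finding)
```

Feed it `tail -n 100000 /var/log/named/query.log` instead of SAMPLE_LOG to score real traffic; the zone grouping means a legitimate CDN that also uses long random labels will show up, so treat the score as a triage queue, not a verdict.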