HxHippy

DNS Security

Secure DNS with DNSSEC, DNS over HTTPS, and protection against common attacks.

Last updated: 2025-01-15

Protecting DNS infrastructure from attacks and ensuring query integrity.

Common DNS Attacks

DNS Cache Poisoning

  • Attacker races the legitimate answer with forged responses so the resolver caches false records
  • Redirects users to attacker-controlled hosts; a poisoned NS or MX record hijacks a whole zone
  • Prevention: DNSSEC validation, randomized source ports and transaction IDs, 0x20 case randomization, never pin query-source to a fixed port

DNS Amplification DDoS

  • Attacker spoofs the victim's IP as the source of queries to open resolvers or authoritative servers
  • Small query, large response: an ANY or DNSKEY answer can be tens of times the size of the ~60-byte query, and every answer lands on the victim
  • Prevention: BCP38 ingress filtering (stops spoofing at the source network), Response Rate Limiting, no open recursion, minimal responses

DNS Hijacking

  • Attacker takes over the registrar or DNS-hosting account, or compromises the authoritative servers themselves
  • Changes NS, A or MX records so the domain resolves to attacker infrastructure, often long enough to obtain valid TLS certificates for it
  • Prevention: registrar and registry locks, MFA on registrar accounts, monitoring of NS/DS/WHOIS changes

DNS Tunneling

  • Encodes data in query names (and in TXT/NULL answers) to a domain whose authoritative server the attacker controls
  • Bypasses egress firewalls because DNS is almost always allowed out; doubles as a C2 channel
  • Prevention: query analysis (label length, entropy, query volume per domain), monitoring, forcing clients through internal resolvers

DNSSEC (DNS Security Extensions)

DNSSEC adds cryptographic signatures to DNS records so a validating resolver can detect forged or tampered answers. It provides authenticity and integrity, not confidentiality: queries and answers still travel in the clear.

How DNSSEC Works

1. Zone owner generates key pairs (in practice a key-signing key, KSK, and a zone-signing key, ZSK)
2. Signs each RRset in the zone with the ZSK's private key, producing RRSIG records
3. Public keys are published as DNSKEY records; the DNSKEY RRset itself is signed with the KSK
4. A hash of the KSK is handed to the parent zone, which publishes (and signs) it as a DS record
5. Resolvers verify the signatures and follow DS/DNSKEY links up to the root trust anchor; an RRset whose signature does not check out is bogus and the client gets SERVFAIL

DNSSEC Record Types

DNSKEY  - Public keys (KSK and ZSK) of the zone
RRSIG   - Signature over one RRset, with validity window and the tag of the signing key
DS      - Delegation signer: hash of the child's KSK, published in the parent zone
NSEC    - Authenticated denial of existence (points to the next name, so the zone can be walked)
NSEC3   - NSEC with hashed owner names, which makes enumeration harder
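
To make the chain of trust concrete, here is an added example (written for this page, not HxHippy's or BIND's code) that derives the DS record a parent publishes from a child zone's DNSKEY, and checks whether a DNSKEY matches a given DS, which is what a validator does at every delegation. The DNSKEY bytes are a constructed placeholder, not a key from any real zone; the key-tag and digest computations are the ones in RFC 4034.

```python
"""DNSSEC delegation check: derive a DS record from a child zone's DNSKEY.

Added example for this page (not HxHippy's or BIND's code). It implements
the key-tag algorithm of RFC 4034 Appendix B and the SHA-256 DS digest of
RFC 4034 Section 5.1.4 (digest type 2). KSK_RDATA below is a constructed
stand-in for a real key, not a key from any live zone.
"""
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each prefixed
    with its length, terminated by the empty root label (RFC 4034 Section 6.2)."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label: {label!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, key material."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5).
    It is a 16-bit checksum, not a unique id: two keys in a zone may share a tag."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """SHA-256 over owner-name wire form || DNSKEY RDATA (digest type 2)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def ds_record(owner: str, rdata: bytes) -> tuple:
    """Return (key tag, algorithm, digest type, digest) as the parent would publish it."""
    algorithm = rdata[3]
    return key_tag(rdata), algorithm, 2, ds_digest(owner, rdata)


def ds_matches_dnskey(owner: str, ds: tuple, rdata: bytes) -> bool:
    """What a validator does at a delegation: the parent's DS must name the child
    key by tag and algorithm, and its digest must match the child's DNSKEY.
    The digest is public data, so a plain comparison is fine here."""
    tag, alg, dtype, digest = ds
    if dtype != 2 or alg != rdata[3] or tag != key_tag(rdata):
        return False
    return digest.lower() == ds_digest(owner, rdata)


# Constructed example: a KSK (flags 257 = ZONE|SEP), algorithm 8 (RSASHA256),
# with four placeholder key bytes. A real RSA public key is hundreds of bytes.
KSK_RDATA = dnskey_rdata(257, 3, 8, bytes([0x01, 0x02, 0x03, 0x04]))

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record("example.com", KSK_RDATA)
    print(f"example.com. IN DS {tag} {alg} {dtype} {digest}")
    # Flip one key byte: the DS the parent published no longer matches, so a
    # validator would treat the delegation as bogus and answer SERVFAIL.
    forged = KSK_RDATA[:-1] + b"\xff"
    print("forged key accepted:", ds_matches_dnskey("example.com", (tag, alg, dtype, digest), forged))
```

Compare the printed DS with what `dig DS example.com +dnssec` returns from the parent for a real zone: the tag, algorithm and digest type come from the child's DNSKEY, and the digest changes if either the key or the owner name changes, which is why a DS for the wrong zone never validates.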

Enable DNSSEC Validation (BIND)

options {
    // Validate answers against the built-in root trust anchor, which BIND keeps
    // current on its own (RFC 5011 rollover); this is the recommended setting
    dnssec-validation auto;

    // Or validate only against trust anchors you configure yourself:
    // dnssec-validation yes;   // needs a trust-anchors statement (managed-keys before BIND 9.16)
    // managed-keys-directory "/var/named/dynamic";   // where rolled-over keys are stored
};

Check DNSSEC

# Query with DNSSEC records included; on a validating resolver the answer carries the "ad" flag
dig +dnssec +multi example.com

# Re-run with checking disabled: a SERVFAIL that turns into an answer with +cd points at a validation failure
dig +cd example.com

# Validate the chain of trust locally with delv (dig +sigchase was removed from current BIND)
delv @8.8.8.8 +vtrace example.com

# Negative test: a deliberately broken zone must fail on a validating resolver (expect SERVFAIL)
dig dnssec-failed.org

DNS over HTTPS (DoH)

Encrypts DNS queries inside HTTPS on port 443, so on-path observers can neither read nor tamper with them. It hides client queries from the network, not from the DoH provider, which still sees every query.

Configure Encrypted DNS Client (systemd-resolved, DoT)

# /etc/systemd/resolved.conf
# systemd-resolved speaks DoT, not DoH; for DoH run a local forwarder such as dnscrypt-proxy or cloudflared
[Resolve]
# The #name after the address is the hostname checked against the server certificate
DNS=1.1.1.1#cloudflare-dns.com
# "yes" is strict (fail rather than fall back to plaintext port 53); "opportunistic" allows fallback
DNSOverTLS=yes

# Apply and verify
sudo systemctl restart systemd-resolved
resolvectl status

DoH Servers

Cloudflare:  https://cloudflare-dns.com/dns-query
Google:      https://dns.google/dns-query
Quad9:       https://dns.quad9.net/dns-query

DNS over TLS (DoT)

Carries the same wire-format messages as DoH, but directly over TLS on dedicated port 853. That makes DoT easy to identify and block on a network, whereas DoH blends in with ordinary HTTPS on 443.

# Test DoT with kdig (Knot DNS); +tls-ca verifies the server certificate, which +tls alone does not
kdig -d @1.1.1.1 +tls-ca +tls-hostname=cloudflare-dns.com example.com
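
Both DoH and DoT sections above describe transports for the same message, so one added example (written for this page, not HxHippy's or any resolver's code) covers both: it builds a DNS query in wire format, produces the RFC 8484 DoH GET URL and POST request for it, frames it for DoT, and decodes the header flags you would inspect on the reply. The endpoint is the Cloudflare URL listed above; the query name www.example.com is the one RFC 8484 uses in its own example, so its encoding is known in advance.

```python
"""DoH and DoT carry the same RFC 1035 wire-format message; only the transport differs.

Added example for this page (not HxHippy's or any resolver's code). It builds a
DNS query, encodes it as an RFC 8484 DoH GET URL and POST request, and frames
it for DoT (RFC 7858: the TCP-style 2-byte length prefix inside TLS on 853).
DOH_URL is Cloudflare's endpoint from this page; www.example.com is the qname
used in RFC 8484's own example.
"""
import base64
import struct

DOH_URL = "https://cloudflare-dns.com/dns-query"
QTYPE = {"A": 1, "AAAA": 28, "TXT": 16, "DNSKEY": 48}


def encode_name(name: str) -> bytes:
    """Length-prefixed ASCII labels ending with the empty root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: str = "A", txid: int = 0) -> bytes:
    """12-byte header (ID, flags with RD set, QDCOUNT=1) plus one question.
    RFC 8484 suggests ID 0 for DoH so identical queries give identical,
    HTTP-cacheable URLs; over plain UDP the ID must be random instead."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)


def doh_get_url(msg: bytes, base: str = DOH_URL) -> str:
    """RFC 8484 Section 4.1: base64url, padding stripped, in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{base}?dns={b64}"


def doh_post_request(msg: bytes, base: str = DOH_URL) -> dict:
    """RFC 8484 POST: the raw message is the body, typed application/dns-message."""
    return {
        "method": "POST",
        "url": base,
        "headers": {"content-type": "application/dns-message",
                    "accept": "application/dns-message"},
        "body": msg,
    }


def dot_frame(msg: bytes) -> bytes:
    """DoT writes the message into the TLS stream exactly as DNS over TCP does."""
    return struct.pack("!H", len(msg)) + msg


def parse_header(msg: bytes) -> dict:
    """Decode the header flags of a query or response. On an answer from a
    validating resolver, 'ad' is the bit that says DNSSEC validation succeeded."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080), "ad": bool(flags & 0x0020),
        "cd": bool(flags & 0x0010), "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("DoH GET:", doh_get_url(q))
    print("DoH POST:", doh_post_request(q)["headers"])
    print("DoT frame:", dot_frame(q).hex())
    print("query header:", parse_header(q))
```

Feed the printed URL to `curl -s -H 'accept: application/dns-message' "$URL" | xxd` to see the raw answer come back; the bytes that `dot_frame` produces are what `kdig +tls` writes to port 853, and `parse_header` on the reply tells you whether the resolver set the `ad` bit.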

BIND Security Hardening

options {
    // Hide the BIND version from version.bind CHAOS queries
    version "not disclosed";

    // Authoritative-only server: never recurse for anyone (an open resolver is an
    // amplification source). On a resolver use allow-recursion { trusted; } instead.
    recursion no;

    // Response Rate Limiting: cap identical responses per client block (/24 v4, /56 v6)
    rate-limit {
        responses-per-second 10;
        window 5;
    };

    // Zone transfers only to explicitly listed secondaries (here: none)
    allow-transfer { none; };

    // Send NOTIFY only to the listed secondaries
    notify explicit;
    also-notify { 192.168.1.3; };

    // Source port randomization (default since BIND 9.5; never set query-source
    // to a fixed port, that reintroduces the cache-poisoning risk)
    use-v6-udp-ports { range 1024 65535; };
    use-v4-udp-ports { range 1024 65535; };
};

Response Policy Zones (RPZ)

Block or rewrite answers for known-malicious domains on the resolver, a DNS firewall that can be fed from threat-intelligence feeds.

// named.conf
zone "rpz.local" {
    type master;
    file "/etc/bind/zones/rpz.local";
};

options {
    response-policy { zone "rpz.local"; };
};

RPZ Zone File

$TTL 60
@   SOA localhost. root.localhost. 1 3600 600 604800 60
@   NS  localhost.

; Block domains: CNAME to "." answers NXDOMAIN (CNAME to "*." would answer NODATA)
malware.example.com     CNAME   .
*.malware.example.com   CNAME   .

; Redirect to an internal sinkhole that logs the connection attempts
phishing.example.net    A       192.168.1.100

Monitoring DNS

# Turn query logging on at runtime (needs a "queries" logging category and channel in named.conf)
sudo rndc querylog on

# Watch queries
tail -f /var/log/named/query.log

# Detect tunneling: record types clients rarely ask for, and very long query names
grep -E "IN (TXT|NULL) " /var/log/named/query.log
grep -E "query: [^ ]{60,} IN" /var/log/named/query.log

# Check for amplification: large UDP responses leaving port 53 (ANY/DNSKEY answers)
tcpdump -nn -i eth0 'udp and src port 53 and greater 1000'
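
A grep only finds record types; what a practitioner wants is per-domain statistics. Here is an added example (written for this page, not HxHippy's or BIND's code) that parses BIND query-log lines and scores each zone on the tunneling indicators from the attacks section: many unique subdomains, long high-entropy labels, and a TXT/NULL-heavy mix. The log lines are constructed to match BIND's `query:` format, the thresholds are assumptions to tune against local traffic, and grouping by the last two labels stands in for a public-suffix-list lookup.

```python
"""Spot DNS-tunneling patterns in BIND query-log lines.

Added example for this page (not HxHippy's or BIND's code). SAMPLE_LOG is
constructed to mimic BIND's 'query:' log format; the thresholds are starting
points to tune against your own traffic, and grouping by the last two labels
stands in for a public-suffix-list lookup.
"""
import math
import re
from collections import defaultdict

QUERY_RE = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")

# Constructed sample: ordinary lookups under example.com, then a burst of long
# hex-looking labels under c2.example.net asking for TXT, the classic tunnel shape.
SAMPLE_LOG = """\
15-Jan-2025 10:00:01.101 client @0x7f1a 192.0.2.10#51234 (www.example.com): query: www.example.com IN A +E(0)K (198.51.100.53)
15-Jan-2025 10:00:01.204 client @0x7f1a 192.0.2.10#51235 (www.example.com): query: www.example.com IN AAAA +E(0)K (198.51.100.53)
15-Jan-2025 10:00:02.310 client @0x7f1a 192.0.2.11#40211 (mail.example.com): query: mail.example.com IN MX +E(0)K (198.51.100.53)
15-Jan-2025 10:00:03.002 client @0x7f1a 192.0.2.12#40212 (cdn.example.com): query: cdn.example.com IN A +E(0)K (198.51.100.53)
15-Jan-2025 10:00:05.001 client @0x7f1a 192.0.2.77#53001 (7a3f9c0e4b21d85f6e9a0c3b7d4f18e2.c2.example.net): query: 7a3f9c0e4b21d85f6e9a0c3b7d4f18e2.c2.example.net IN TXT +E(0)K (198.51.100.53)
15-Jan-2025 10:00:05.087 client @0x7f1a 192.0.2.77#53002 (1c8e5b3a9f0d7264e3b1a5c9d80f7e26.c2.example.net): query: 1c8e5b3a9f0d7264e3b1a5c9d80f7e26.c2.example.net IN TXT +E(0)K (198.51.100.53)
15-Jan-2025 10:00:05.171 client @0x7f1a 192.0.2.77#53003 (b4e29f7c3d1a860e5f7c2b9d4a3e1f08.c2.example.net): query: b4e29f7c3d1a860e5f7c2b9d4a3e1f08.c2.example.net IN TXT +E(0)K (198.51.100.53)
15-Jan-2025 10:00:05.260 client @0x7f1a 192.0.2.77#53004 (e6d1a3c58b0f9472d3e8a6c1f5b7209d.c2.example.net): query: e6d1a3c58b0f9472d3e8a6c1f5b7209d.c2.example.net IN TXT +E(0)K (198.51.100.53)
15-Jan-2025 10:00:05.344 client @0x7f1a 192.0.2.77#53005 (39f0c7a2e5d8b164f7a3c0e9b2d5a817.c2.example.net): query: 39f0c7a2e5d8b164f7a3c0e9b2d5a817.c2.example.net IN TXT +E(0)K (198.51.100.53)
15-Jan-2025 10:00:05.430 client @0x7f1a 192.0.2.77#53006 (c2a7e4f19b3d0685a1e6f3c8d92b470e.c2.example.net): query: c2a7e4f19b3d0685a1e6f3c8d92b470e.c2.example.net IN TXT +E(0)K (198.51.100.53)
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score well above hostnames."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def zone_of(qname: str) -> str:
    """Group by the last two labels (simplification of a public-suffix lookup)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_queries(log_text: str):
    """Yield (qname, qtype) from every line carrying a BIND 'query:' record."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("qname").rstrip(".").lower(), m.group("qtype").upper()


def analyze(log_text: str, min_subdomains=5, min_label_len=20,
            min_entropy=3.0, min_txt_share=0.5) -> dict:
    """Per zone, list which tunneling indicators fired.
    Returns {zone: {"queries": n, "indicators": [...]}}."""
    per_zone = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                    "label_lens": [], "entropies": [], "txt_null": 0})
    for qname, qtype in parse_queries(log_text):
        st = per_zone[zone_of(qname)]
        st["queries"] += 1
        st["subdomains"].add(qname)
        leftmost = qname.split(".")[0]          # where tunnels put the payload
        st["label_lens"].append(len(leftmost))
        st["entropies"].append(shannon_entropy(leftmost))
        if qtype in ("TXT", "NULL"):
            st["txt_null"] += 1
    report = {}
    for zone, st in per_zone.items():
        n = st["queries"]
        indicators = []
        if len(st["subdomains"]) >= min_subdomains:
            indicators.append("unique_subdomains")
        if sum(st["label_lens"]) / n >= min_label_len:
            indicators.append("label_length")
        if sum(st["entropies"]) / n >= min_entropy:
            indicators.append("entropy")
        if st["txt_null"] / n >= min_txt_share:
            indicators.append("txt_null")
        report[zone] = {"queries": n, "indicators": indicators}
    return report


def flagged_zones(log_text: str, min_indicators=2) -> list:
    """Zones where at least min_indicators fired; one indicator alone is noisy
    (CDNs have many subdomains, SPF lookups are TXT-heavy)."""
    return sorted(z for z, r in analyze(log_text).items()
                  if len(r["indicators"]) >= min_indicators)


if __name__ == "__main__":
    for zone, r in analyze(SAMPLE_LOG).items():
        print(f"{zone:15} queries={r['queries']:3} indicators={r['indicators']}")
    print("flagged:", flagged_zones(SAMPLE_LOG))
```

Run it against a real file with `analyze(open("/var/log/named/query.log").read())`, and expect to raise `min_subdomains` considerably on a busy resolver; the point of requiring two indicators is that legitimate CDN, anti-spam and telemetry domains each trip one of them on their own.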

Best Practices

  1. Enable DNSSEC - Sign your zones and validate on your resolvers
  2. Use DoH/DoT - Encrypt client queries and point clients at resolvers you control
  3. Rate limit - Response Rate Limiting on authoritative servers, no open recursion
  4. Monitor queries - Log queries and alert on tunneling and hijacking indicators
  5. Registry locks - Protect domain registrations with locks and MFA on registrar accounts