What Are Domain Name Security Extensions?

DNS security provides protection from attacks aimed at name server systems by employing a chain of trust to validate responses from DNS servers.

DNSSEC helps maintain this chain of trust through its collection of DS (delegation signer) records that each contain hashed fingerprints of DNSKEY records within their parent zone.

Benefits of DNS security

DNS servers were built at an earlier stage in Internet history when security wasn’t considered an important priority, leaving them susceptible to attacks such as spoofing and cache poisoning. Solutions designed to strengthen DNS security address this flaw by verifying authentic responses without compromises being made available on them.

DNS-layer security can protect users against many forms of malware and ransomware by making sure requests reach legitimate sites and services. These solutions use data collected from billions of requests, WHOIS records, and Border Gateway Protocol (BGP) routing information to pinpoint suspicious domains with high precision.

DNSSEC, or Domain Name System Security Extensions, is a set of Internet Engineering Task Force (IETF) specifications designed to provide DNS clients with authentication of DNS data origin and denial of existence while not guaranteeing confidentiality or availability. Cryptographic security for DNS data can be achieved using digital signatures based on public key cryptography.

How does DNS security works?

DNS servers are essential components of any online-connected business, yet are one of the most vulnerable points when it comes to cyberattacks. Therefore, it is critical that businesses incorporate DNS security measures as part of their cybersecurity strategies.

DNS security utilizes cryptographic signatures to authenticate DNS data, protecting against attacks such as DNS spoofing and cache poisoning by validating that it is authentic and allows both recursive DNS servers and authoritative domain servers to verify if their response is valid.

Domain Name System Security Extensions (DNSSEC) is an IETF specification which adds extra layers of security to DNS protocol, including origin authentication and authenticated denial-of-existence but not availability or confidentiality. These extensions ensure that DNS responses are authentic, have not been altered during transmission, and provide effective protection from cache poisoning; additionally it prevents forgeries by verifying digital signatures starting with root servers then TLDs and finally with the requested domain’s recursive DNS server.

Random subdomain attack

Random subdomain attacks are a type of DNS attack which uses hardware and resources to attempt to resolve nonexistent domains, leading the resolver to fill its negative cache with NXDOMAIN errors that prevent legitimate queries and degrade performance for all on the network.

An adversary attempting to carry out this attack sends requests for nonexistent subdomains to recursive DNS servers, forcing these recursive servers to search authoritative nameservers for them and generate NXDOMAIN responses which flood recursive caches, leading to inefficient or even crashy performance of DNS services.

Use of DNSSEC and blocking IP addresses that generate too many SERVFAIL replies can protect DNS recursive servers against random subdomain attacks. Ask your DNS resolver vendor to incorporate this capability in their product to reduce these types of attacks.

What is DNSSEC?

DNSSEC is an Internet Engineering Task Force (IETF) standard that adds security to the Domain Name System by providing authentication and authenticated denial-of-existence protection against attacks such as DNS spoofing, cache poisoning and hijacking.

System works by adding digital signatures to DNS records, enabling resolvers to verify the validity of DNS data stored within a DNS server by verifying if its digital signature matches up with records stored inside its storage capacity.

To implement DNSSEC, network admins need to generate a public-private key pair called a zone-signing key (ZSK). The ZSK will be used to sign each record within its zone with its private key before publishing as RRSIG records.

Starting at the root of DNS, authenticated chains can be verified using a validating resolver. If any query is submitted to an unauthenticated server, a validating resolver can reject its response as invalid.

Ways of protecting against DNS-based attacks

No matter if you rely on your own DNS servers, a cloud-based solution, or local ISP for DNS hosting needs, there are various strategies to protect yourself against DNS-based attacks. From keeping software up-to-date to multifactor authentication and using DDoS mitigation services – each offers protection from DNS attacks.

DNS protection can provide your business with much-needed defense against attackers attempting to disrupt operations, extort payments or steal information. By employing DNSSEC, you can help ensure that DNS responses sent back from servers are authenticated and will not be altered on their journey to end users.

One common method of DNS attacks is cache poisoning. Hackers employ this strategy by sending false replies with falsified source IP addresses in response to information requests; once cached, this false data can then be used to direct devices towards fraudulent websites – making the attack extremely hard to stop! Cache poisoning attacks are difficult to combat and may target ISPs, corporate resolvers and personal or business routers alike.

The Importance of Using Domain Name System Security Extensions

DNSSEC is an Internet Engineering Task Force (IETF) specification used to protect information provided by the domain name system. It provides authentication of DNS data as well as authenticated denial of existence but does not ensure confidentiality or availability.

The IETF revised RFC 2535 specification to permit easier key management at delegate points between parent and child zones, making DS records much simpler to create and transfer between zones.

What is DNS security?

DNS (Domain Name System), is the backbone of Internet activity. When cybercriminals attack it, they can exploit users to fraudulent websites, steal sensitive data or overwhelm servers with requests, ultimately leading them to shut down. DNS security provides an effective defense against such attacks and helps safeguard your company’s online presence.

DNSSEC was designed with security in mind, unlike its predecessor which was developed without this capability. DNSSEC uses digital signatures and public key cryptography to verify DNS lookup tables, creating an authentication chain from root zone down through delegated zones that is verified through DNSKEY records containing public keys for each zone; then resolvers check these signatures to validate them as authentic.

DNSSEC is an essential element of IT security strategies, but it cannot fully safeguard against all forms of threats. That’s why businesses must employ an all-inclusive solution that combines DNSSEC with other security protocols – such as next-generation firewalls (NGFWs) which help prevent attacks by encrypting DNS queries and inspecting results to detect signs of suspicious behavior.

Why is DNS security important?

The DNS is a crucial component of the Internet, used by various network devices to resolve domain names into IP addresses. Because attackers know this service can be exploited to disrupt online activity or steal personal information, security for this critical infrastructure must remain resilient and secure; to accomplish this goal, robust DNS security strategies include multiple layers of defense like redundant servers being deployed simultaneously using security protocols like DNSSEC and rigorous logging requirements for better protection.

DNSSEC offers strong cryptographic authentication of DNS data using digital signatures based on public key cryptography. It ensures that any DNS responses come directly from an authoritative DNS server serving the domain in question and have not been altered during transit.

DNSSEC ensures the root zone remains genuine and free of tampering by means of an interdependent chain of trust starting with signed DS records in child zones all the way up to an annual Root Zone Signing Ceremony, in which selected individuals from around the globe meet to sign the root DNSKEY RRset in a secure manner.

What are some common DNS attacks?

Recent attacks against DNS servers that took down well-known websites like Twitter, Reddit, and Etsy illustrate just how crucial it is to protect your network against DNS attacks. Such cyberattacks, which take advantage of vulnerabilities within DNS Internet protocol protocols to gain entry, are relatively common – potentially costing companies dearly in terms of business disruption costs and reputational loss.

Cache poisoning is one of the most frequently employed DNS attacks. An attacker inserts malicious information into a DNS resolver’s cache, redirecting users to an unscrupulous host network.

Distributed denial of service (DDoS) attacks are another popular type of DNS attacks, in which an attacker utilizes a botnet full of malware-infected computers to send large volumes of traffic directly at an intended server causing it to slow down or shut down completely.

DNS spoofing

DNS spoofing occurs when hackers attempt to deceive visitors of a website into visiting an inauthentic page instead. This poses serious problems for both website owners and their visitors as visitors could unwittingly disclose sensitive data without realizing it or even download malware onto their computers.

Attackers can exploit DNS resolver caches by injecting fake data. When someone requests an IP address of a website, this server could reply with fake responses that appear as though it came directly from its authoritative DNS server that was queried.

Hackers use this technique to redirect web traffic to malicious servers that will attempt to gain entry to visitor computers, steal passwords or credit card information or install malware without their knowledge or detection by end users. Many attacks take place over public Wi-Fi connections so as to be difficult for a regular end user to detect these attacks.

Network administrators can ward off this type of attack with cryptographic security services such as DNSSEC to ensure that responses from DNS servers are authentic and free from spoofing, while end-users can protect themselves by clearing their DNS cache regularly and not clicking links in emails, texts or social media posts from unfamiliar sources.

DNS tunneling

DNS tunneling is a technique for sending data in and out of an internal network without bypassing firewalls, used both for data exfiltration as well as providing command and control channels for malware.

As there are various methods to detect DNS tunneling, one way of doing so may be examining traffic from specific domains in large amounts; another method might involve checking for asymmetrical traffic patterns; lastly it is important to examine entropy of DNS names – authentic names tend to contain less numbers while encoded ones typically do.

The security community is actively working to strengthen its defenses against DNS tunneling. One method recommended by the IETF’s Zero Trust Guidance is DNSSEC activation on all agency endpoints; this adds cryptographic signatures to DNS queries and responses, helping verify its authenticity and ensure no tampering with data has taken place. In addition, behavioral analytics and employee training programs can detect suspicious DNS request patterns; staff can learn social engineering attacks as well as phishing techniques used by adversaries.

DNS hijacking

When entering a website’s address into your browser, you expect it to take you directly to it. But sometimes this doesn’t work out that way: instead you might end up on an advertisements-filled page or being directed towards malicious websites instead – both issues caused by DNS hijacking.

Hackers rely on security loopholes in the system to redirect users to websites they control, be it by taking over routers, hacking DNS communication or planting malware on users’ devices. Once they spoof or hijack DNS they can use attacks like pharming (directing users to fake versions of popular websites for profit) and phishing (directing users to websites with stolen login pages) – as well as more elaborate tactics.

DNSSEC helps guard against some attacks by verifying data authenticity with digital signatures and by preventing cache poisoning by verifying that DNS responses are valid and have not been altered en route. Unfortunately, however, the chain-like structure of the DNS request process leaves plenty of opportunity for attackers to manipulate information sent back to you and cached malicious responses can have far reaching ramifications on devices and users worldwide.


Department of Health and Human Services Health Sector Cybersecurity Coordination Center (HC3) reports that hackers have been employing DNS NXDOMAIN flood denial-of-service attacks against healthcare organizations. These denial-of-service attacks force recursive DNS servers to spend all their time handling invalid requests rather than responding to legitimate queries, rendering healthcare websites and online services inaccessible for authorized users.

An NXDOMAIN attack occurs when an attacker sends multiple requests for nonexistent domains through different recursive resolvers, forcing the DNS server to perform recursive functions and respond with NXDOMAIN responses that overload its capacity and prevent processing legitimate requests.

DNS servers find it challenging to detect this form of attack due to its ability to come from multiple sources at once and sophisticated attacks designed to pass as legitimate requests, making detection all the harder. Preventing NXDOMAIN attacks relies on having enough capacity available to deal with sudden spikes in traffic as well as being vigilant about detecting and blocking requests from potential threat sources.

Phantom domain attack

This attack resembles NXDOMAIN attacks, except instead of targeting nonexistent domain names it asks the DNS server for random subdomains instead. This causes DNS servers to waste all their resources responding to such queries which is ultimately detrimental to performance or can even result in failure altogether.

NXDOMAIN and random subdomain attacks are two examples of DNS-based denial-of-service (DoS) attacks used by cybercriminals to disrupt Internet traffic and steal user data. Other such DoS attacks include DNS flooding, spoofing, tunneling and hijacking attacks.

These attacks use DNS requests that generate fake queries in order to exfiltrate encoded data out of a targeted network and into an attacker’s hands. Once in their possession, attackers can sell or use it for fraud and other crimes. DNSSEC protects against these attacks by cryptographically verifying data sent from authoritative servers; our DNS Guardian solution also offers protection by guaranteeing secure traffic flows while simultaneously detecting tunneling attempts and malicious domains.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.