DNS Security Best Practices for Your Domain

A comprehensive DNS security checklist covering DNSSEC, registrar locks, CAA records, email authentication, monitoring, and more to protect your domain.

Last updated: 2026-02-17

Your domain's DNS is the foundation of your online presence. If an attacker compromises your DNS, they control where your traffic goes, who receives your email, and whether your services are reachable at all. DNS security is not a single technology but a layered strategy that covers everything from your registrar account to your record configuration. This guide provides a comprehensive checklist for securing your DNS infrastructure.

The DNS Threat Landscape

Before diving into defenses, it helps to understand what you are defending against:

DNS hijacking

Attackers gain access to your registrar or DNS provider account and modify records to redirect traffic to malicious servers.

Cache poisoning

Forged DNS responses are injected into resolver caches, causing users to be directed to attacker-controlled servers without modifying your actual records.

DDoS attacks on DNS

Volumetric attacks overwhelm your authoritative name servers, making your domain unresolvable.

Domain shadowing

Attackers compromise a registrar account and create subdomains under your domain for phishing or malware distribution without modifying existing records.

BGP hijacking of DNS

Attackers manipulate internet routing to intercept DNS traffic destined for your name servers.

Registrar Security

Your domain registrar is the single most critical access point for your DNS security. If an attacker compromises your registrar account, they can redirect your entire domain.

Enable Two-Factor Authentication (2FA)

Every registrar account should have 2FA enabled. Prefer hardware security keys (FIDO2/WebAuthn) over SMS-based 2FA, which is vulnerable to SIM swapping attacks. At minimum, use TOTP (authenticator app) based 2FA.

Enable Registrar Lock

Most registrars offer a domain lock feature (also called transfer lock or clientTransferProhibited). This prevents unauthorized domain transfers. Some registrars offer enhanced locking:

Lock Type        | Protection Level | How It Works
Transfer lock    | Basic            | Prevents domain transfer to another registrar
Registrar lock   | Standard         | Prevents unauthorized changes to DNS delegation
Registry lock    | Premium          | Requires manual verification by registry staff for any changes

Registry lock for critical domains

For your most important domains, consider registry lock (sometimes called premium DNS protection). This adds a manual verification step at the registry level, meaning even a compromised registrar account cannot modify your domain without additional out-of-band verification. Major registrars like Cloudflare, MarkMonitor, and CSC offer this service.

Keep Contact Information Current

Your registrar contact information is used for important notifications: expiration warnings, transfer approvals, and security alerts. Outdated contact information means you might miss critical warnings. Use a team email address rather than a personal one so that alerts reach the right people even when individuals leave the organization.

Use a Reputable Registrar

Not all registrars are equal in security posture. Choose a registrar that offers:

  • Mandatory 2FA support
  • Registry lock options
  • Audit logs for account activity
  • API access with separate API keys (not your main account credentials)
  • Responsive security incident handling

DNSSEC (DNS Security Extensions)

DNSSEC adds cryptographic signatures to DNS records, allowing resolvers to verify that responses are authentic and have not been tampered with in transit.

How DNSSEC Protects You

Without DNSSEC, a resolver has no way to verify that a DNS response actually came from the authoritative server. DNSSEC creates a chain of trust from the root zone down to your individual records, using digital signatures that resolvers can validate.

Implementing DNSSEC

1. Check provider support

   Verify that your DNS hosting provider supports DNSSEC. Most major providers (Cloudflare, Route 53, Google Cloud DNS, NS1) do.

2. Enable DNSSEC at your DNS provider

   Generate or enable DNSSEC signing for your zone. Your provider will create the necessary DNSKEY, RRSIG, and DS records.

3. Add the DS record at your registrar

   Copy the DS (Delegation Signer) record from your DNS provider and add it at your registrar. This links your zone's DNSSEC chain to the parent zone.

4. Validate the configuration

   Use tools like DNSViz or Verisign's DNSSEC analyzer to verify the full chain of trust is working correctly.

5. Monitor DNSSEC health

   DNSSEC adds operational complexity. Signature expiration, key rollovers, and DS record mismatches can cause SERVFAIL errors. Continuous monitoring is essential.

DNSSEC operational risk

A misconfigured DNSSEC deployment is worse than no DNSSEC at all. If signatures expire or the chain of trust breaks, validating resolvers will return SERVFAIL for your entire domain. Monitor your DNSSEC status continuously and have a plan for emergency disablement if needed.
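Steps 3 and 4 above come down to one question: does the DS record the registrar publishes actually match the KSK your provider is signing with? The following is an added example (not code from the original article or from any provider) that derives the expected DS from a DNSKEY exactly as RFC 4034 specifies (owner name in wire format plus DNSKEY RDATA, SHA-256 digest, key tag) and compares it with the DS text held at the registrar. The key bytes in SAMPLE_KEY are a constructed placeholder, not a real key.

```python
import base64
import hashlib

def owner_wire(name):
    """Encode an owner name in DNS wire format (lower-cased, as RFC 4034 requires for DS)."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for every algorithm except the obsolete RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(name, flags, protocol, algorithm, pubkey_b64):
    """Compute the SHA-256 (digest type 2) DS record the registrar should hold for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(owner_wire(name) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest

def ds_matches(registrar_ds, name, flags, protocol, algorithm, pubkey_b64):
    """True if the DS text at the registrar ('tag alg dtype digest') matches the DNSKEY.
    The digest may be split by whitespace, as dig prints it."""
    fields = registrar_ds.split()
    published = int(fields[0]), int(fields[1]), int(fields[2]), "".join(fields[3:]).upper()
    return published == ds_from_dnskey(name, flags, protocol, algorithm, pubkey_b64)

# Constructed KSK (flags 257 = KSK, protocol 3, algorithm 8 = RSA/SHA-256). The key bytes
# are a placeholder, not a real key; the check exercises encoding, key tag and digest only.
SAMPLE_KEY = ("example.com.", 257, 3, 8, "AAECAw==")

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey(*SAMPLE_KEY)
    good = f"{tag} {alg} {dtype} {digest}"
    stale = f"{tag + 1} {alg} {dtype} {digest}"   # e.g. a DS left over from a previous KSK
    print("expected DS:", good)
    print("registrar DS matches:", ds_matches(good, *SAMPLE_KEY))    # True
    print("stale DS matches:", ds_matches(stale, *SAMPLE_KEY))       # False
```

In practice you feed it the DNSKEY from `dig DNSKEY example.com` at the provider and the DS from `dig DS example.com` at the parent; a mismatch after a key rollover is exactly the SERVFAIL scenario the note above warns about.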

CAA Records

Certificate Authority Authorization (CAA) records specify which Certificate Authorities are permitted to issue TLS certificates for your domain. Without CAA records, any publicly trusted CA may issue a certificate for your domain once the requester passes that CA's domain validation.

Recommended CAA Configuration

example.com.  IN  CAA  0 issue "letsencrypt.org"
example.com.  IN  CAA  0 issuewild "letsencrypt.org"
example.com.  IN  CAA  0 iodef "mailto:security@example.com"

Restrict the issue and issuewild tags to only the CAs you actually use. Add an iodef tag to receive reports when a CA denies a certificate request based on your CAA policy.

Email Authentication Records

Email is one of the most abused attack vectors, and DNS plays a central role in email security. Three DNS-based standards work together to protect your domain from email spoofing.

SPF (Sender Policy Framework)

SPF specifies which servers are authorized to send email on behalf of your domain. Published as a TXT record:

example.com.  IN  TXT  "v=spf1 include:_spf.google.com -all"

Use -all (hard fail) rather than ~all (soft fail) to explicitly reject unauthorized senders. Keep your SPF record concise to stay within the limit of 10 DNS lookups per evaluation; include, a, mx, ptr, exists, and redirect terms each consume one lookup, and exceeding the limit yields a permerror.

DKIM (DomainKeys Identified Mail)

DKIM uses cryptographic signatures to verify that email content has not been altered in transit. The public key is published in DNS:

selector._domainkey.example.com.  IN  TXT  "v=DKIM1; k=rsa; p=MIGfMA0..."

Ensure your email provider generates and rotates DKIM keys regularly. Use 2048-bit keys at minimum.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC ties SPF and DKIM together with a policy that tells receiving servers what to do with messages that fail authentication:

_dmarc.example.com.  IN  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

Start with p=none to monitor, then progress to p=quarantine and ultimately p=reject as you verify your legitimate email sources are properly authenticated.
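The SPF lookup limit, the -all versus ~all choice, and the DMARC policy progression are all things you can lint before publishing. The following is an added example (not code from the original article) that checks an SPF record for lookup count and its all qualifier, and a DMARC record for the p=, rua= and pct= tags; the sample records are the page's own plus constructed variants.

```python
import re

# SPF terms that each trigger a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_findings(record):
    """Lint one SPF TXT record; returns [(severity, message), ...], empty when clean."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("error", "not an SPF record")]
    lookups, all_qualifier = 0, None
    for term in terms[1:]:
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        elif name == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
    findings = []
    if lookups > 10:
        findings.append(("error", f"{lookups} DNS lookups exceed the limit of 10 (permerror)"))
    if all_qualifier is None:
        findings.append(("warn", "no 'all' mechanism: unlisted senders are neither passed nor failed"))
    elif all_qualifier != "-":
        findings.append(("warn", f"'{all_qualifier}all' is not a hard fail; use -all"))
    return findings

def dmarc_findings(record):
    """Lint one DMARC TXT record (the value published at _dmarc.<domain>)."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return [("error", "not a DMARC record")]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append(("error", "missing required p= tag"))
    elif policy != "reject":
        findings.append(("warn", f"p={policy}: move to p=reject once all senders pass SPF/DKIM"))
    if "rua" not in tags:
        findings.append(("warn", "no rua= address: you will receive no aggregate reports"))
    if tags.get("pct", "100") != "100":
        findings.append(("warn", f"pct={tags['pct']} applies the policy to only part of the mail"))
    return findings

if __name__ == "__main__":
    # Constructed records: the article's examples plus a soft-fail and a monitor-only variant.
    for rec in ("v=spf1 include:_spf.google.com -all", "v=spf1 include:_spf.google.com ~all",
                "v=DMARC1; p=reject; rua=mailto:dmarc@example.com", "v=DMARC1; p=none"):
        lint = dmarc_findings if rec.startswith("v=DMARC1") else spf_findings
        print(rec, "->", lint(rec) or "OK")
```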

Zone Transfer Restrictions

DNS zone transfers (AXFR) replicate the entire contents of a zone between servers. If zone transfers are unrestricted, anyone can download a complete list of all your DNS records, revealing your infrastructure.

Best Practices

  • Restrict AXFR to only your secondary name servers using IP-based access controls
  • Use TSIG (Transaction Signature) authentication for zone transfers
  • Monitor for unauthorized zone transfer attempts in server logs
  • Consider using DNS providers that handle replication internally without exposing AXFR
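For a self-hosted authoritative server, the first three points above map onto a few lines of BIND 9 named.conf. The following is an added example (not configuration from the original article) showing the open setting beside the restricted one; the zone name, key name, secondary address and log path are placeholders, and the TSIG secret must be generated (for instance with tsig-keygen) rather than copied.

```conf
# Weak: any client on the internet can pull the whole zone with AXFR.
zone "example.com" {
    type primary;
    file "example.com.zone";
    allow-transfer { any; };
};

# Hardened: transfers only to peers that sign the request with the shared TSIG key.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET";   # placeholder; generate a real one with tsig-keygen
};

zone "example.com" {
    type primary;
    file "example.com.zone";
    allow-transfer { key "xfer-key"; };   # the key, not an IP list, is the access control
    also-notify { 198.51.100.2; };        # the secondary (documentation address, placeholder)
};

# Log outbound transfers and denied requests so unauthorized AXFR attempts are visible.
logging {
    channel xfer_log { file "/var/log/named/xfer.log"; severity info; print-time yes; };
    category xfer-out { xfer_log; };
    category security { xfer_log; };
};
```

The secondary needs a matching `key` statement and a `server 192.0.2.1 { keys { xfer-key; }; };` stanza (primary address a placeholder) so that its transfer requests are signed.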

Monitoring for Unauthorized Changes

No security measure is complete without monitoring. DNS changes can happen through compromised accounts, provider issues, or misconfigurations. You need to know immediately when any record changes unexpectedly.

What to Monitor

Record values

Watch for changes to A, AAAA, CNAME, MX, NS, and TXT records that could redirect traffic or email.

NS delegation

Monitor your nameserver records at the registrar level. An NS change redirects your entire zone.

DNSSEC status

Watch for DS record changes, signature expirations, and chain-of-trust breaks.

New subdomains

Detect unauthorized subdomain creation that could indicate domain shadowing attacks.

CAA records

Ensure your CAA configuration is not weakened or removed.

SPF/DKIM/DMARC

Monitor email authentication records for unauthorized modifications.
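The list above is easiest to act on as a diff between an approved snapshot and what your monitor polls now, with severity assigned by record type and any name absent from the baseline flagged as possible domain shadowing. The following is an added example (not code from the original article or from the DNS Monitor product); both snapshots are constructed data in the {(name, type): set(values)} shape a poller would produce.

```python
# Severity by record type: NS and DS changes re-delegate or break the whole zone, MX/TXT/CAA
# changes redirect mail or weaken email and certificate policy, address records redirect traffic.
SEVERITY = {"NS": "critical", "DS": "critical", "MX": "high", "TXT": "high", "CAA": "high",
            "A": "medium", "AAAA": "medium", "CNAME": "medium"}

def detect_changes(baseline, current):
    """Diff two zone snapshots of the form {(name, rtype): set(values)}.

    Returns (severity, name, rtype, kind, detail) tuples; kind is 'added', 'removed',
    'modified', or 'new-name' for a name absent from the baseline (the domain-shadowing case)."""
    known_names = {name for name, _ in baseline}
    alerts = []
    for key in sorted(set(baseline) | set(current)):
        name, rtype = key
        before, after = baseline.get(key, set()), current.get(key, set())
        if before == after:
            continue
        severity = SEVERITY.get(rtype, "low")
        if name not in known_names:
            alerts.append(("high", name, rtype, "new-name", sorted(after)))
        elif not after:
            alerts.append((severity, name, rtype, "removed", sorted(before)))
        elif not before:
            alerts.append((severity, name, rtype, "added", sorted(after)))
        else:
            delta = {"removed": sorted(before - after), "added": sorted(after - before)}
            alerts.append((severity, name, rtype, "modified", delta))
    return alerts

# Constructed snapshots (not real data): the baseline you approved, and what was just polled.
BASELINE = {
    ("example.com.", "NS"): {"ns1.dns-provider.example.", "ns2.dns-provider.example."},
    ("example.com.", "MX"): {"10 mail.example.com."},
    ("example.com.", "CAA"): {'0 issue "letsencrypt.org"', '0 iodef "mailto:security@example.com"'},
    ("www.example.com.", "A"): {"192.0.2.10"},
}
CURRENT = {
    ("example.com.", "NS"): {"ns1.dns-provider.example.", "ns2.dns-provider.example."},
    ("example.com.", "MX"): {"10 mail.unexpected.example."},   # mail silently rerouted
    ("www.example.com.", "A"): {"192.0.2.10"},                  # CAA records are gone entirely
    ("login.example.com.", "A"): {"198.51.100.7"},              # a name nobody created on purpose
}

if __name__ == "__main__":
    for severity, name, rtype, kind, detail in detect_changes(BASELINE, CURRENT):
        print(f"[{severity}] {name} {rtype} {kind}: {detail}")
```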

DNS Provider Security

Your DNS hosting provider's security directly affects yours. Evaluate providers on:

  • Access controls: Does the provider support role-based access, 2FA, and API key management?
  • Audit logging: Can you see who made what changes and when?
  • DDoS protection: Does the provider have the infrastructure to withstand volumetric attacks?
  • Anycast network: A globally distributed network is more resilient to localized outages and attacks.
  • Change notifications: Does the provider notify you when records are modified?

Security Checklist

Use this checklist to assess your current DNS security posture:

Security Measure                     | Priority | Status
2FA on registrar account             | Critical | Check your registrar settings
Domain transfer lock enabled         | Critical | Check your registrar settings
DNSSEC enabled and healthy           | High     | Verify with DNSViz
CAA records configured               | High     | Check with dig or DNS lookup
SPF record with -all                 | High     | Check TXT records
DKIM configured for all senders      | High     | Verify with email testing tools
DMARC at p=reject                    | Medium   | Check _dmarc TXT record
Zone transfers restricted            | Medium   | Test with dig AXFR
Registry lock for critical domains   | Medium   | Contact your registrar
DNS change monitoring active         | High     | Set up automated monitoring
Contact information current          | Medium   | Review registrar WHOIS data

Building a Security Culture

DNS security is not a one-time project. It requires ongoing attention:

  • Regular audits: Review your DNS records quarterly. Remove stale records, verify delegations, and check security configurations.
  • Access reviews: Periodically review who has access to your registrar and DNS provider accounts. Remove access for people who have left the team.
  • Incident response planning: Document what you will do if you detect unauthorized DNS changes. Who do you call? What is the escalation path? How do you communicate with users during an incident?
  • Stay informed: Follow DNS security advisories and update your server software. New vulnerabilities are discovered regularly.

DNS security is a continuous process, not a destination. The combination of strong account security, DNSSEC, proper record configuration, and active monitoring creates a defense-in-depth posture that significantly reduces your risk.

Secure your DNS with continuous monitoring

DNS Monitor watches your records, DNSSEC status, and nameserver configuration around the clock, alerting you to any unauthorized changes.