DNS Security

DNS security protects the Domain Name System against manipulation, poisoning and abuse. Because DNS is the foundation of all internet communication, protecting DNS infrastructure is essential for preventing phishing, malware distribution and data theft.

    What is DNS security?

    The Domain Name System (DNS) translates domain names such as "dotlegal.com" into IP addresses. It is the internet’s telephone directory. Nearly all communication on the internet begins with a DNS lookup, making DNS an attractive target for attackers.

    DNS security encompasses the technologies and processes that protect DNS infrastructure against attacks and abuse. It is about ensuring that DNS responses are genuine (integrity), that DNS queries are confidential (privacy), and that DNS servers are available (availability).

    DNS security is closely connected to network segmentation, firewalls and web filtering. Together they form the perimeter security that protects the organisation’s network traffic.

    DNS threats

    DNS is exposed to several types of attack:

    • DNS cache poisoning: The attacker inserts false DNS records into a resolver’s cache. Users are sent to a malicious server that can harvest login credentials or distribute malware.
    • DNS spoofing: The attacker forges DNS responses to redirect traffic. Often used for phishing attacks where victims believe they are visiting a legitimate site.
    • DNS tunnelling: Attackers use the DNS protocol to exfiltrate data or establish command-and-control channels. Because DNS traffic is rarely blocked, it is an effective method for circumventing DLP and firewalls.
    • DDoS against DNS: Overload attacks against DNS servers that render the organisation’s services unavailable.
    • Domain hijacking: The attacker takes control of the domain registration and modifies DNS records.

    Use threat intelligence to keep track of new DNS-based threats and update defences continuously.

    Protection methods

    Multiple layers of DNS protection exist:

    • DNSSEC: Adds cryptographic signatures to DNS responses so the client can verify that the response is genuine and has not been tampered with in transit.
    • DNS over HTTPS (DoH) / DNS over TLS (DoT): Encrypts DNS queries so third parties cannot see which domains you are looking up. Protects user privacy.
    • DNS filtering: Blocks queries to known malicious domains. DNS-based security services continuously update blocklists with phishing sites, malware domains and botnets.
    • DNS logging and monitoring: Log all DNS queries and analyse them with SIEM systems to detect abnormal patterns such as DNS tunnelling.
    • Redundant DNS servers: Use multiple DNS servers spread geographically to ensure availability during DDoS attacks.

    Combine DNS security with endpoint security and zero trust principles for a strong defence in depth.
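As an added illustration of the logging-and-monitoring layer above (example code written for this entry, not a product or tool from the page), the Python below scans a constructed resolver log for the pattern that DNS tunnelling typically leaves: many unique, long, high-entropy subdomains from one client under one zone. The log format, the thresholds and the two-label zone cut are assumptions chosen for the example.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from any real system), one query per line:
# "<timestamp> <client-ip> <query-name> <qtype>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 www.example.com A
2024-05-01T10:00:02Z 10.0.0.5 mail.example.com MX
2024-05-01T10:00:03Z 10.0.0.9 3a7f9c2e1b4d8e0f6a5c7b9d1e3f5a7c.tunnel.example.org TXT
2024-05-01T10:00:04Z 10.0.0.9 9e1d4c7a2b5f8e3d6c0a1b4e7f2d5c8a.tunnel.example.org TXT
2024-05-01T10:00:05Z 10.0.0.9 5b8e2d1c4a7f0e3b6d9c2a5e8f1b4d7c.tunnel.example.org TXT
2024-05-01T10:00:06Z 10.0.0.9 2c5f8b1e4d7a0c3f6b9e2d5a8c1f4b7e.tunnel.example.org TXT
2024-05-01T10:00:07Z 10.0.0.5 cdn.example.com A
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payload labels score close to 4."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Crude zone cut: last two labels (assumption: no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_tunnelling_suspects(log_text, max_label=30, min_entropy=3.5, min_unique=3):
    """Return {(client, zone): count} for pairs with >= min_unique suspicious subdomains."""
    per_zone = defaultdict(set)  # (client, zone) -> distinct suspicious subdomain parts
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crashing the monitor
        _ts, client, qname, _qtype = parts
        name = qname.rstrip(".")
        zone = registered_domain(name)
        sub = name[: -len(zone) - 1] if name != zone else ""
        first = sub.split(".")[0] if sub else ""  # leftmost label carries the payload
        if len(first) > max_label and shannon_entropy(first) >= min_entropy:
            per_zone[(client, zone)].add(sub)
    return {k: len(v) for k, v in per_zone.items() if len(v) >= min_unique}

if __name__ == "__main__":
    print(find_tunnelling_suspects(SAMPLE_LOG))  # -> {('10.0.0.9', 'example.org'): 4}
```

In a SIEM the same three signals (label length, entropy, unique-subdomain count per client and zone) are normally computed over a time window rather than a whole file, and legitimate CDN or anti-virus lookups should be allow-listed before alerting.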

    Regulations and standards

    NIS2 imposes requirements on network security for essential and important entities, and DNS infrastructure is specifically mentioned. DNS providers are covered by NIS2 as important entities.

    ISO 27001 and Annex A include controls for network security (A.8.20–A.8.22), covering DNS protection. An ISMS should address DNS as a critical infrastructure component.

    CIS 18 recommends DNS filtering in Control 9 (protection of email and web browsers). DORA requires financial institutions’ ICT systems to be resilient, which includes DNS infrastructure.

    Under GDPR, compromised DNS can cause personal data to be sent to the wrong servers, constituting a breach of technical measures.

    Frequently Asked Questions about DNS Security

    What is DNS cache poisoning?

    DNS cache poisoning is an attack in which an attacker inserts false DNS records into a DNS server’s cache. Users querying the poisoned domain are sent to a fake server. DNSSEC protects against this by cryptographically signing DNS responses.

    What is the difference between DNSSEC and DNS over HTTPS?

    DNSSEC ensures the integrity of DNS responses by adding cryptographic signatures, so you know the response is genuine. DNS over HTTPS (DoH) encrypts the DNS query itself, so third parties cannot see which domains you visit. They solve different problems and can be used together.

    How can DNS be used for security filtering?

    DNS filtering blocks queries to known malicious domains, phishing sites and malware servers. It is an effective first line of defence because almost all internet communication begins with a DNS lookup.
