
DNS Security Basics: From DNSSEC to DoH

Feb 7, 2026 · 10 min read · dnslab.dev

Why DNS Security Matters

DNS was designed in 1983 for a trusted academic network. It has no built-in authentication, encryption, or integrity verification. When your browser asks “where is example.com?”, it has no way to verify that the answer actually came from an authoritative source. This fundamental gap enables entire categories of attacks.

Cache poisoning lets an attacker inject false records into a resolver’s cache, redirecting all users of that resolver to a malicious server. On-path attacks intercept DNS queries in transit and return forged responses. DNS hijacking at the ISP level can redirect entire populations to surveillance or censorship infrastructure.

The good news: the DNS security ecosystem has matured significantly. DNSSEC, DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and operational best practices can address most of these threats.

DNSSEC: Authentication, Not Encryption

DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records. It solves one specific problem: proving that a DNS response is authentic and hasn’t been modified in transit.

The mechanism works through a chain of trust:

  1. The root zone is signed with a well-known key (trust anchor) embedded in every validating resolver.
  2. Each TLD zone (like .com, .org) has a DS (Delegation Signer) record in the root, linking the root’s signature to the TLD’s own keys.
  3. Each domain has a DS record in its TLD zone, linking upward to the TLD’s signature.

When a resolver receives a signed response, it validates the RRSIG (signature) against the DNSKEY, then walks up the chain through DS records until it reaches the root. If any link fails, the response is rejected.
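The DS link in that chain is concrete enough to reproduce. The following is an added example (not code from the original post or from dnslab.dev) that builds a DNSKEY record for a hypothetical zone, derives its key tag (RFC 4034 Appendix B) and SHA-256 DS digest (RFC 4509), and then performs the check a validating resolver makes at each delegation: does the child's DNSKEY hash to the DS published in the parent? The zone name and key bytes are constructed placeholders, not a real key.

```python
import hashlib
import struct

# Constructed DNSKEY for a hypothetical zone; the public key bytes are a
# placeholder, not a real RSA key (the digest and tag math are the same).
ZONE = "example.com."
DNSKEY_FLAGS = 257        # zone key (bit 7) + SEP (bit 15): a KSK
DNSKEY_PROTOCOL = 3
DNSKEY_ALGORITHM = 8      # RSASHA256
DNSKEY_PUBKEY = bytes([0x01, 0x02, 0x03, 0x04])  # constructed placeholder

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire-format DNSKEY RDATA (RFC 4034 s2.1): flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit sum over the RDATA with carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Canonical wire form of the owner name: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(name, rdata):
    """DS digest type 2 (SHA-256) over owner name || DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(owner_wire(name) + rdata).hexdigest().upper()

def make_ds(name, flags, protocol, algorithm, pubkey):
    """What the parent zone publishes for this child key."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": 2, "digest": ds_digest(name, rdata)}

def dnskey_matches_ds(name, flags, protocol, algorithm, pubkey, ds):
    """Resolver-side check at a delegation: tag, algorithm and digest must all agree."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return (ds["key_tag"] == key_tag(rdata) and ds["algorithm"] == algorithm
            and ds["digest_type"] == 2 and ds["digest"] == ds_digest(name, rdata))

if __name__ == "__main__":
    ds = make_ds(ZONE, DNSKEY_FLAGS, DNSKEY_PROTOCOL, DNSKEY_ALGORITHM, DNSKEY_PUBKEY)
    print(f"{ZONE} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
    # One flipped key byte: the parent's DS no longer vouches for this DNSKEY.
    tampered = bytes([0x01, 0x02, 0x03, 0x05])
    print("genuine key accepted:", dnskey_matches_ds(ZONE, 257, 3, 8, DNSKEY_PUBKEY, ds))
    print("tampered key accepted:", dnskey_matches_ds(ZONE, 257, 3, 8, tampered, ds))
```

The same mismatch logic is what rejects a substituted key at any level of the chain; a real deployment additionally verifies the RRSIG over the DNSKEY RRset and the DS RRset's own signature in the parent.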

You can check any domain’s DNSSEC status using the DNSSEC Validator, which traces the real chain of trust from root to domain using Google’s DNS-over-HTTPS API.

What DNSSEC Doesn’t Do

DNSSEC authenticates but does not encrypt. An observer can still see what domains you’re querying — they just can’t forge the responses. This is why DNSSEC and encrypted DNS (DoH/DoT) are complementary, not competing, technologies.

DNS-over-HTTPS and DNS-over-TLS

While DNSSEC protects the content of DNS responses, DoH and DoT protect the query itself from observation. Traditional DNS sends queries in plaintext over UDP port 53 — visible to anyone on the network path.

DNS-over-TLS (DoT) wraps DNS queries in a TLS connection on port 853. It is simple and effective, but because it uses a dedicated port it is easy to identify and block.

DNS-over-HTTPS (DoH) sends DNS queries inside standard HTTPS connections on port 443. From a network perspective, DoH traffic is indistinguishable from regular web browsing, making it nearly impossible to selectively block.

The trade-off: encrypted DNS improves user privacy but reduces visibility for network operators who rely on DNS logging for security monitoring. The industry is converging on solutions like DDR (Discovery of Designated Resolvers) that let clients discover local encrypted resolvers, balancing privacy with operational needs.

Practical Steps for Domain Owners

1. Enable DNSSEC

Most managed DNS providers (Cloudflare, Route 53, Google Cloud DNS) make DNSSEC a one-click configuration. The provider generates and manages the keys; you add the DS record to your registrar. Use the DNS Health Check to verify your DNSSEC status alongside other security checks.

2. Set Up Email Authentication

DNS-based email authentication prevents others from sending email as your domain:

  • SPF declares which servers can send email for your domain
  • DKIM adds cryptographic signatures to outgoing messages
  • DMARC tells receiving servers what to do with messages that fail SPF or DKIM

The Health Check tool analyzes all three for any domain.

3. Add CAA Records

CAA (Certificate Authority Authorization) records specify which CAs can issue TLS certificates for your domain. Without CAA, any CA can issue — a risk if a CA is compromised or tricked. Adding a CAA record takes under a minute and provides meaningful defense-in-depth.

4. Monitor Your DNS

Regular monitoring catches misconfigurations, unauthorized changes, and expiring DNSSEC signatures before they cause outages. The Health Check provides a comprehensive snapshot; for ongoing monitoring, consider tools that alert on configuration drift.

The Threat Landscape

Threat                      Mitigation
Cache poisoning             DNSSEC
Query eavesdropping         DoH / DoT
On-path attacks             DNSSEC + encrypted DNS
Unauthorized certificates   CAA records
Email spoofing              SPF + DKIM + DMARC
DNS hijacking               DNSSEC + registry lock

No single technology addresses all DNS threats. Defense in depth — combining DNSSEC, encrypted transport, email authentication, and monitoring — is the practical approach.

Further Reading