DEV Community

丁久

Posted on • Originally published at dingjiu1989-hue.github.io

DNS Security

This article was originally published on AI Study Room. For the full version with working code examples and related articles, visit the original post.


Introduction

The Domain Name System (DNS) is the foundational internet protocol that translates human-readable domain names into IP addresses. Despite that critical role, the original protocol provides neither authentication of responses nor confidentiality of queries, which makes it a prime target for cache poisoning, covert tunneling (smuggling data or command-and-control traffic inside queries and responses), and reflection/amplification DDoS attacks that exploit the small-request, large-response asymmetry of open resolvers.

DNSSEC

DNS Security Extensions (DNSSEC) adds cryptographic signatures to DNS records so that a validating resolver can check their authenticity and integrity. It defeats cache poisoning attacks, in which an attacker races a forged response into a resolver's cache, because a forged record set does not carry a valid signature. Two caveats matter in practice: DNSSEC does not encrypt anything (queries and answers remain readable on the wire), and it protects only resolvers that actually validate; a stub client that simply trusts its upstream resolver still depends on that resolver's validation and on the path between them.

DNSSEC uses a chain of trust that starts at the root zone, whose key-signing key (KSK) is configured in resolvers as a trust anchor. Each zone signs its record sets with a private key and publishes the corresponding public keys as DNSKEY records; the parent zone publishes a DS record containing a hash of the child's key, which links the two zones. A validating resolver follows that chain from the root down to the queried name, verifying each RRSIG with the matching DNSKEY and each DNSKEY against the parent's DS.

```bash
# Checking DNSSEC validation with dig: the DO bit is set, so the answer carries RRSIG
# records, and the "ad" flag in the header tells you whether the resolver you asked validated them.
dig +dnssec example.com

# Verify the DNSSEC chain yourself: delv (shipped with BIND) validates from the root trust anchor down.
delv example.com

# Check if a domain is DNSSEC-signed: a signed zone publishes its public keys; no DNSKEY records means no DNSSEC.
dig example.com DNSKEY
```

Key DNSSEC record types:

  • RRSIG: Resource Record Signature, a signature over one record set (RRset), carrying the validity period and the key tag of the signing key

  • DNSKEY: Public key used for signature verification (a zone-signing key signs the zone data, a key-signing key signs the DNSKEY set)

  • DS: Delegation Signer, a hash of the child zone's key-signing DNSKEY published in the parent zone; this is the link between zones

  • NSEC/NSEC3: Next Secure, authenticated denial of existence; NSEC3 hashes the names so the zone is harder to enumerate
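The DS-to-DNSKEY link is the part of the chain that is easiest to get wrong operationally (a DS left at the registrar after a key rollover breaks resolution for every validating resolver). The following added example, which is not code from the original article, implements the two computations a validating resolver performs at each delegation point: the DNSKEY key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (RFC 4509), and uses them to check that a DS line from the parent matches a DNSKEY line from the child. The `example.com` records, the 64 placeholder key bytes and the resulting DS value are constructed; they are not a real key.

```python
"""Verify a delegation point in the DNSSEC chain of trust offline.

Added example (not code from the original article). It implements the DNSKEY
key tag algorithm (RFC 4034 Appendix B) and the SHA-256 DS digest (RFC 4509),
then checks that a DS record published by the parent zone commits to a DNSKEY
served by the child zone. The sample records below are constructed; the key
bytes are not a real public key.
"""
import base64
import hashlib
import hmac
import struct

DS_DIGEST_SHA256 = 2  # DS digest type number for SHA-256


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    name = name.rstrip(".").lower()
    if not name:
        return b"\x00"  # the root zone
    out = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(line: str):
    """Parse 'owner [TTL] IN DNSKEY flags proto alg base64...' into (owner, wire RDATA)."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    pubkey = base64.b64decode("".join(f[i + 4:]))  # key may be split across several fields
    return f[0], struct.pack("!HBB", flags, proto, alg) + pubkey


def parse_ds(line: str):
    """Parse 'owner [TTL] IN DS tag alg digest_type hex...' into (tag, alg, digest_type, digest)."""
    f = line.split()
    i = f.index("DS")
    return int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), bytes.fromhex("".join(f[i + 4:]))


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit checksum of the DNSKEY RDATA that identifies a key in the RRset."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest = SHA-256(canonical owner name || DNSKEY RDATA)."""
    return hashlib.sha256(wire_name(owner) + rdata).digest()


def ds_record(owner: str, rdata: bytes) -> str:
    """Render the DS record the parent should publish for this DNSKEY."""
    algorithm = rdata[3]
    digest_hex = ds_digest(owner, rdata).hex().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {DS_DIGEST_SHA256} {digest_hex}"


def ds_matches_dnskey(ds_line: str, dnskey_line: str) -> bool:
    """True when the parent's DS commits to this child DNSKEY: tag, algorithm and digest must all agree."""
    tag, alg, dtype, digest = parse_ds(ds_line)
    owner, rdata = parse_dnskey(dnskey_line)
    if dtype != DS_DIGEST_SHA256:
        raise ValueError(f"unsupported DS digest type {dtype}")
    if tag != key_tag(rdata) or alg != rdata[3]:
        return False  # cheap checks first: different key or different algorithm
    return hmac.compare_digest(digest, ds_digest(owner, rdata))


# Constructed sample: flags 257 (ZONE + SEP, i.e. a KSK), protocol 3, algorithm 13 (ECDSA P-256),
# with 64 placeholder bytes where the public key would be. Not a real key.
_SAMPLE_PUBKEY = bytes(range(64))
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(_SAMPLE_PUBKEY).decode()
# The DS the parent (com.) would publish for that key.
SAMPLE_DS = ds_record("example.com.", parse_dnskey(SAMPLE_DNSKEY)[1])
# The same key with its last byte altered: a validating resolver must refuse to trust it.
TAMPERED_DNSKEY = ("example.com. 3600 IN DNSKEY 257 3 13 "
                   + base64.b64encode(_SAMPLE_PUBKEY[:-1] + b"\xff").decode())

if __name__ == "__main__":
    print(SAMPLE_DS)
    print("genuine key matches DS:", ds_matches_dnskey(SAMPLE_DS, SAMPLE_DNSKEY))
    print("tampered key matches DS:", ds_matches_dnskey(SAMPLE_DS, TAMPERED_DNSKEY))
```

In practice you would feed `ds_matches_dnskey` the output of `dig example.com DS` (answered by the parent's servers) and `dig example.com DNSKEY` (answered by the child's) for a zone you operate; a DS that matches none of the published keys is exactly the failure state `delv` reports after a botched rollover.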

BIND DNSSEC configuration example

```
zone "example.com" {
    type master;                      // "primary" is the equivalent keyword in current BIND releases
    file "/etc/bind/db.example.com";
    auto-dnssec maintain;             // legacy key management; BIND 9.16 and later prefer "dnssec-policy default;"
    inline-signing yes;               // keep the unsigned zone file, serve a signed copy
    key-directory "/etc/bind/keys";   // where the K*.key / K*.private files from dnssec-keygen live
};
```

Signing the zone is only half the job: the chain of trust is closed only once the DS record derived from the zone's KSK is published in the parent zone, usually through the registrar.

DNS over HTTPS and DNS over TLS

Classic DNS sends queries and responses in cleartext (UDP by default, TCP for large answers), so anyone on the path can read and modify them. DNS over TLS (DoT) and DNS over HTTPS (DoH) encrypt the traffic between a client and its recursive resolver. Be clear about what that does and does not buy: the resolver operator still sees every query, the resolver's own lookups toward authoritative servers are usually still plain DNS, and neither protocol checks that an answer is genuine, so they complement DNSSEC rather than replace it.

  • DoT (RFC 7858): DNS over a dedicated TLS connection on TCP port 853; easy to identify and to filter on a network

  • DoH (RFC 8484): DNS messages carried in HTTP requests (the RFC requires at least HTTP/2; HTTP/3 is also used) on port 443, so the traffic is indistinguishable from ordinary HTTPS and hard to block selectively
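To make the two framings concrete, here is an added example (not code from the original article) that builds a wire-format query with the DO bit set, wraps it the way RFC 8484 specifies for a DoH GET and POST and the way RFC 7858 frames it for DoT, and parses a constructed reply to read the AD flag, which is how a client learns whether its resolver validated DNSSEC. It does no network I/O; `example.com`, the resolver host `dns.example`, the path `/dns-query` and the answer address 192.0.2.1 are placeholders.

```python
"""Build a DNS query and frame it for DoH (RFC 8484) and DoT (RFC 7858), then parse a reply.

Added example, not code from the original article. No network I/O: the reply is a
constructed message of the kind a validating resolver returns, so encoding and
decoding can be checked offline. The name and address are placeholders.
"""
import base64
import struct

TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
FLAG_RD, FLAG_AD = 0x0100, 0x0020


def encode_name(name: str) -> bytes:
    """DNS wire form of a name: length-prefixed labels ending with the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0) -> bytes:
    """Wire-format query with RD set and an EDNS OPT record carrying the DO bit.

    txid=0 follows RFC 8484 section 4.1 so that DoH GET requests are cacheable.
    """
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # QD=1, AR=1 (the OPT record)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR: root owner, type 41, UDP payload 4096, ext-rcode 0, EDNS version 0, DO=0x8000, no options
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def doh_get_path(query: bytes, path: str = "/dns-query") -> str:
    """RFC 8484 GET: the wire message goes in the 'dns' parameter, base64url with '=' padding removed."""
    return f"{path}?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def doh_post_request(query: bytes, host: str, path: str = "/dns-query") -> bytes:
    """RFC 8484 POST, rendered as HTTP/1.1 text for readability (real clients use HTTP/2 or HTTP/3)."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/dns-message\r\nAccept: application/dns-message\r\n"
            f"Content-Length: {len(query)}\r\n\r\n")
    return head.encode("ascii") + query


def dot_frame(query: bytes) -> bytes:
    """RFC 7858 reuses DNS-over-TCP framing inside TLS (port 853): a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(query)) + query


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past it in the original position)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Decode header and answer section; 'ad' is True only if the resolver validated the answer."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((name, "A", ".".join(str(b) for b in rdata)))
        else:
            answers.append((name, rtype, rdata.hex()))
    return {"id": txid, "rcode": flags & 0xF, "ad": bool(flags & FLAG_AD), "answers": answers}


# Constructed reply: id 0, flags QR|RD|RA|AD with RCODE 0, one A answer whose owner is a
# compression pointer (0xC00C) back to the question name. The RRSIG and OPT records a real
# validating resolver would include are omitted to keep the sample short.
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_path(q))
    print(dot_frame(q).hex())
    print(parse_response(SAMPLE_REPLY))
```

The AD bit is the only DNSSEC signal a stub client gets from DoH or DoT; it is meaningful precisely because the TLS session authenticates the resolver that set it, whereas over plain UDP an on-path attacker could set AD in a forged reply.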

Nginx DoH proxy configuration

```nginx
# nginx terminates TLS (and HTTP/2) on port 443 and hands the DNS message to a local DoH
# backend listening on 127.0.0.1:8053. This location block belongs inside an https server block.
location /dns-query {
    proxy_pass http://127.0.0.1:8053;
    proxy_set_header Host $host;
}
```

Read the full article on AI Study Room for complete code examples, comparison tables, and related resources.
