
DNS Security Best Practices: DNSSEC, CAA Records, and More

WebSentry Team
7 min read

Why DNS Security Matters

Every time someone visits your website, the journey starts with a DNS lookup. If an attacker can tamper with that lookup, they can redirect your visitors to a phishing site, intercept sensitive data, or impersonate your domain entirely — and your users would never know the difference.

DNS was designed in the 1980s without security in mind: a resolver has no built-in way to tell a genuine answer from a forged one. DNSSEC was created to close that gap by signing DNS data, and CAA records use DNS to control which certificate authorities may issue for your names. Here's how to use both.

DNSSEC: Authenticating DNS Responses

DNSSEC (Domain Name System Security Extensions) adds digital signatures (RRSIG records) to DNS data. A validating resolver checks each signature against the zone's published DNSKEY, and checks that key against the DS record in the parent zone, all the way up to the root zone's trust anchor. That confirms the answer came from the zone owner and was not modified on the way. DNSSEC does not encrypt queries or hide what you look up; that is the job of DNS over TLS or DNS over HTTPS.

What DNSSEC Protects Against

  • Cache poisoning — Attackers inject fake DNS records into a resolver's cache
  • Man-in-the-middle attacks — Intercepting and modifying DNS responses in transit
  • DNS spoofing — Forging DNS responses to redirect traffic

In each case the forged data carries no valid signature, so a validating resolver discards it and returns SERVFAIL instead of handing the attacker's answer to the client. The protection applies only where validation actually happens: most operating systems and browsers use a stub resolver that simply trusts its upstream recursive resolver, so that upstream resolver must validate, and the last hop between the two is unprotected unless it runs over DNS over TLS or HTTPS.

How to Enable DNSSEC

Most DNS providers support DNSSEC with a single toggle:

  • Cloudflare: Dashboard → DNS → DNSSEC → Enable. Then add the DS record at your domain registrar.
  • AWS Route 53: Enable DNSSEC signing in the hosted zone settings, then add the DS record at your registrar.
  • Google Cloud DNS: Enable DNSSEC in the zone settings and add the DS record to your registrar.

The key step people miss: you must add the DS record at your domain registrar after enabling DNSSEC at your DNS provider. The DS record is a hash of your zone's key-signing key, published in the parent zone (for example .com), and it is what links your zone into the chain of trust; without it resolvers have nothing to validate against and treat the zone as unsigned. Two cautions. First, a DS record that does not match the key actually in use makes your domain unresolvable for every validating resolver (they return SERVFAIL), so copy the DS exactly as the provider shows it and confirm afterwards with dig +dnssec example.com from a validating resolver (look for the ad flag in the response) or with delv example.com (look for "fully validated"). Second, when you move to a different DNS provider, remove the DS record at the registrar and wait for its TTL to expire before changing nameservers; otherwise the new zone, signed with different keys or not signed at all, fails validation.
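To make the chain of trust concrete, here is an added example (not code from the article or from any DNS provider) that derives a DS record from a key-signing-key DNSKEY exactly as RFC 4034 specifies, and checks a DS string copied from the registrar against it. The DNSKEY used is a constructed dummy, not a real key; the record and function names are this example's own.

```python
# Added example, not from the original article: derive a DS record from a
# zone's key-signing key (KSK) DNSKEY and check a DS published at the registrar
# against it. Standard library only. The DNSKEY used below is a dummy
# constructed for illustration, not a real key.
import base64
import hashlib
import struct

# DS digest types (RFC 4034, RFC 4509, RFC 6605). Type 1 (SHA-1) is deprecated.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_name_wire(name: str) -> bytes:
    """DNS wire format of an owner name: length-prefixed labels ending with the
    root label. RFC 4034 s5.1.4 requires the canonical (lowercase) form."""
    labels = [lbl for lbl in name.strip().lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def parse_dnskey(line: str):
    """Parse a DNSKEY in presentation form, e.g. one line of 'dig example.com DNSKEY':
    'example.com. 3600 IN DNSKEY 257 3 13 <base64...>'. The base64 may be split
    across several whitespace-separated tokens."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    return fields[0], flags, protocol, algorithm, "".join(fields[i + 4:])


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm,
    then the raw public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit sum over the RDATA with the
    even-indexed byte of each pair shifted left, carry folded back in once."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(dnskey_line: str, digest_type: int = 2) -> str:
    """Return DS RDATA 'keytag algorithm digesttype digest' for the given DNSKEY.
    digest = H(owner name in wire format || DNSKEY RDATA)."""
    owner, flags, protocol, algorithm, pubkey_b64 = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGS[digest_type](owner_name_wire(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(published_ds: str, dnskey_line: str) -> bool:
    """Check a DS record copied from the registrar against the zone's KSK.
    Any mismatch breaks the chain of trust: validating resolvers will SERVFAIL
    every name in the zone, so run this before (and after) publishing the DS."""
    parts = published_ds.split()
    if len(parts) != 4:
        return False
    try:
        tag, alg, dtype = (int(x) for x in parts[:3])
    except ValueError:
        return False
    if dtype not in DIGEST_ALGS:
        return False
    exp = ds_from_dnskey(dnskey_line, dtype).split()
    return [tag, alg, dtype, parts[3].lower()] == [int(exp[0]), int(exp[1]), int(exp[2]), exp[3]]


if __name__ == "__main__":
    # Constructed KSK: flags 257 = zone key + secure entry point, algorithm 13
    # (ECDSAP256SHA256). The key material is dummy bytes, not a real key.
    ksk = "example.com. 3600 IN DNSKEY 257 3 13 AAECAw=="
    ds = ds_from_dnskey(ksk)
    print("publish at registrar:", ds)
    print("matches KSK:", ds_matches(ds, ksk))
    # A DS typed with one digit wrong in the key tag must be caught.
    print("typo caught:", not ds_matches("1555" + ds[4:], ksk))
```

In practice you would paste the DNSKEY line your provider shows (or the output of dig example.com DNSKEY) and the DS line from the registrar's control panel; a False from ds_matches means the chain is broken and the zone will fail validation.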

CAA Records: Controlling Certificate Issuance

CAA (Certificate Authority Authorization) records specify which certificate authorities are allowed to issue TLS certificates for your domain. Without CAA records, any publicly trusted CA may issue a certificate for your domain as soon as a requester passes that CA's domain-validation check. CAs have been required to check CAA before issuing since 2017 (CA/Browser Forum Baseline Requirements), so a certificate issued against your CAA policy is a misissuance. Note what CAA does and does not do: it is enforced by the CA at issuance time, not by browsers, so it shrinks the set of CAs an attacker can abuse but does not let clients detect a bad certificate after the fact; watch Certificate Transparency logs for that.

example.com.  CAA  0 issue "letsencrypt.org"
example.com.  CAA  0 issuewild "letsencrypt.org"
example.com.  CAA  0 iodef "mailto:security@example.com"

  • 0 — The flags field; 0 means the property is not critical, 128 marks a property a CA must understand or else refuse to issue
  • issue — Which CAs can issue certificates for this name (and for wildcards too, when no issuewild record exists)
  • issuewild — Which CAs can issue wildcard certificates
  • iodef — A mailto: or https: URL to which a CA may report requests that violate the policy

If you use Let's Encrypt for your certificates, your CAA records should only allow letsencrypt.org: any other CA that receives a request for your domain is required to look up the CAA records and refuse. CAA is inherited down the tree, so a record at example.com covers www.example.com and every other name below it that has no CAA record of its own; a subdomain can publish its own, stricter policy, and an issue value of ";" (no issuer) forbids issuance for that name entirely. Let's Encrypt also honours the accounturi parameter from RFC 8657, which pins issuance to a single ACME account, so that an attacker who gains control of a host or DNS record under your domain cannot obtain certificates through an account of their own.
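Here is an added example (not code from the article or from any CA) that evaluates a CAA policy the way an issuing CA must under RFC 8659, including the tree walk, the issue/issuewild distinction, the ";" deny-all value, the critical flag and the RFC 8657 accounturi parameter. The zone snapshot and all names in it are constructed for the demonstration; letting you test a policy before publishing it is the point.

```python
# Added example, not from the original article: evaluate CAA records the way
# an issuing CA must under RFC 8659 (with the accounturi parameter of RFC 8657)
# against a constructed snapshot of a zone. Use it to see what a CAA policy
# actually permits before publishing it. Standard library only.
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]            # (flags, tag, value)
Zone = Dict[str, List[CaaRecord]]           # owner name -> CAA RRset

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80                             # issuer-critical flag bit

# Constructed snapshot (not real DNS data). Names absent from the dict have no
# CAA RRset of their own and inherit the nearest ancestor's policy.
ZONE: Zone = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", "letsencrypt.org"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    # ';' authorises no CA at all: nothing may be issued for this subtree.
    "internal.example.com.": [(0, "issue", ";")],
}


def parent(name: str) -> Optional[str]:
    """'a.b.example.' -> 'b.example.'; None once the TLD label is exhausted."""
    labels = name.rstrip(".").split(".")
    return (".".join(labels[1:]) + ".") if len(labels) > 1 else None


def relevant_caa(zone: Zone, name: str) -> Optional[Tuple[str, List[CaaRecord]]]:
    """RFC 8659 s3: walk from the requested name toward the root and return the
    first CAA RRset found as (owner, records). A wildcard '*.foo' starts at 'foo'."""
    n = name.lower()
    if n.startswith("*."):
        n = n[2:]
    if not n.endswith("."):
        n += "."
    while n is not None:
        if n in zone:
            return n, zone[n]
        n = parent(n)
    return None


def parse_issuer(value: str) -> Tuple[str, Dict[str, str]]:
    """'ca.example; accounturi=URI' -> ('ca.example', {'accounturi': 'URI'}).
    An empty issuer domain (value ';' or '') authorises nobody."""
    parts = [p.strip() for p in value.split(";")]
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return parts[0].lower(), params


def may_issue(zone: Zone, requested_name: str, ca_domain: str,
              account_uri: Optional[str] = None) -> Tuple[bool, str]:
    """Decide, as the CA would, whether ca_domain may issue for requested_name.
    Returns (allowed, reason)."""
    found = relevant_caa(zone, requested_name)
    if found is None:
        return True, "no CAA records in the chain; any CA may issue"
    owner, records = found

    # A critical property the CA does not understand forbids issuance outright.
    for flags, tag, _ in records:
        if flags & CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False, f"{owner}: unknown critical CAA property '{tag}'"

    tags = {tag.lower() for _, tag, _ in records}
    wildcard = requested_name.startswith("*.")
    if wildcard and "issuewild" in tags:
        use = "issuewild"              # issue records are ignored for this request
    elif "issue" in tags:
        use = "issue"                  # also governs wildcards when no issuewild exists
    else:
        return True, f"{owner}: no issue/issuewild property; any CA may issue"

    for _, tag, value in records:
        if tag.lower() != use:
            continue
        domain, params = parse_issuer(value)
        if domain != ca_domain.lower():
            continue
        pinned = params.get("accounturi")
        if pinned and pinned != account_uri:
            return False, f"{owner} {use}: {ca_domain} may issue only for account {pinned}"
        return True, f"{owner} {use} permits {ca_domain}"
    return False, f"{owner} {use} does not authorise {ca_domain}"


if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("*.example.com", "letsencrypt.org"),
                     ("db.internal.example.com", "letsencrypt.org")]:
        ok, why = may_issue(ZONE, name, ca)
        print(f"{ca:16} -> {name:26} {'ALLOW' if ok else 'DENY':5} ({why})")
```

Swap ZONE for your own records (the output of dig example.com CAA, plus any subdomain CAA sets) to check each name you request certificates for. Two results usually surprise people: a zone with only issuewild records still lets any CA issue non-wildcard certificates, and a subdomain with its own CAA RRset completely replaces, rather than adds to, the parent's policy.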

Other DNS Security Measures

Disable Zone Transfers

Zone transfers (AXFR) allow a secondary server to replicate every record in a zone from the primary. If your nameserver answers AXFR requests from anyone, attackers can enumerate every subdomain and record in your zone in a single query, including internal hostnames you never meant to expose. Restrict AXFR to the IP addresses of your authorized secondary nameservers (in BIND, an allow-transfer ACL, ideally combined with TSIG keys), or disable it entirely if your provider replicates zones internally. You can check from outside your network with dig @ns1.example.com example.com AXFR: a correctly configured server answers with "Transfer failed." rather than the full zone.

Use Multiple Nameservers

Publish at least two nameservers on different networks, ideally with different providers or autonomous systems, so your domain stays resolvable when one network is unreachable or under a DDoS attack. A single provider's anycast network helps against volumetric attacks, but only a second, independent provider protects you from that provider's own outage. Most managed DNS providers handle the multi-network part automatically; the multi-provider part is a deliberate choice.

Monitor for Unauthorized Changes

Set up alerts for DNS record changes, both from your DNS provider's audit log and from an external monitor that queries your zone from outside and compares the answers with a known-good baseline. Unauthorized changes to A, AAAA, MX, NS, or TXT records, and especially to the nameservers or DS record held at your registrar, can indicate a domain hijacking attempt. Since most hijacks start with the registrar or DNS provider account, protect those accounts with MFA and enable any registrar lock the registrar offers.

Check Your DNS Security

Run a WebSentry scan to check your DNS configuration. The audit covers DNSSEC status, CAA records, nameserver configuration, and other DNS security issues that could put your domain at risk.
