DFIRLab

Security research, threat intelligence, and detection engineering.

© 2026 DFIR Lab. All rights reserved.

DNS Security

Practices and technologies for protecting DNS infrastructure and leveraging DNS data for threat detection, including DNSSEC, DNS filtering, and DNS-based authentication protocols.

Definition

DNS security encompasses both the protection of DNS infrastructure itself and the use of DNS data as a threat detection layer. On the protective side, DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records so that a validating resolver can detect forged or altered answers, which defeats cache poisoning; it provides authenticity and integrity, not confidentiality, since signed records still travel in the clear. DNS filtering blocks resolution of known-malicious domains at the resolver, stopping the connection before the endpoint ever learns an address. On the authentication side, SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) are all published as DNS TXT records: SPF and DKIM let receivers authenticate the envelope sender and the signing domain respectively, and DMARC ties those results to the visible From domain and instructs receivers how to handle messages that fail.

Why It Matters

DNS is one of the most abused protocols in attacker toolkits. It carries C2 traffic via DNS tunneling, resolves the output of domain generation algorithms (DGAs) to rotating infrastructure, supports fast-flux hosting that outruns blocklists, and underpins lookalike-domain registration for phishing. At the same time, missing or misconfigured SPF, DKIM, and DMARC records are a leading enabler of business email compromise (BEC) and phishing: attackers spoof legitimate domains precisely because the victim domain publishes no enforcing policy, or publishes one that does not cover the visible From address. DNS-layer visibility gives defenders a high-fidelity detection plane once benign resolution has been baselined: a malicious DNS query is often the earliest observable signal in an attack chain, preceding any HTTP connection or payload download.
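As an added illustration of the detection-plane point above (example code written for this page, not a DFIR Lab tool), the following Python applies two of the simplest heuristics an analyst runs over resolver logs: per-domain counts of many unique, long subdomain prefixes queried as TXT or NULL (a tunneling pattern) and long, high-entropy, vowel-poor second-level labels (a DGA pattern). The log lines, the thresholds, and the naive "last two labels" registered-domain rule are all assumptions constructed for the example; production code would consult the Public Suffix List and tune thresholds against the organisation's own traffic.

```python
"""Heuristic triage of DNS resolver logs for tunneling and DGA-style names (example code)."""
import math
from collections import defaultdict

# Constructed sample log, one query per line: timestamp client qtype qname.
# Not real telemetry; the last line is deliberately truncated to show malformed-line handling.
SAMPLE_LOG = """\
2026-01-10T08:00:01Z 10.0.0.5 A www.example.com
2026-01-10T08:00:02Z 10.0.0.5 AAAA cdn.example.net
2026-01-10T08:00:03Z 10.0.0.9 TXT 4a6f686e20446f65.3c4b8f2e9a71.tun.example.org
2026-01-10T08:00:03Z 10.0.0.9 TXT 9f1e2d3c4b5a6978.1d2c3b4a5f6e.tun.example.org
2026-01-10T08:00:04Z 10.0.0.9 TXT 0a1b2c3d4e5f6071.8899aabbccdd.tun.example.org
2026-01-10T08:00:04Z 10.0.0.9 TXT 7766554433221100.ffeeddccbbaa.tun.example.org
2026-01-10T08:00:05Z 10.0.0.7 A xkqvmzrtpwlbn.com
2026-01-10T08:00:06Z 10.0.0.7 A qzplrwvtmnbxk.net
2026-01-10T08:00:07Z 10.0.0.5 A mail.example.com
2026-01-10T08:00:08Z 10.0.0.5 A
"""

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits per character; 13 distinct letters score log2(13) = 3.70, 'aaaa' scores 0."""
    if not text:
        return 0.0
    n = len(text)
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive registered domain = last two labels (assumption; real code uses the Public Suffix List)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def looks_like_dga(qname, min_len=10, min_entropy=3.3, max_vowel_ratio=0.2):
    """Flag a second-level label that is long, high-entropy and nearly vowel-free."""
    label = registered_domain(qname).split(".")[0]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def analyze_dns_log(log_text, min_unique_prefixes=3, min_mean_prefix_len=20):
    """Return {'tunneling': {registered_domain: stats}, 'dga': [qname, ...]}."""
    per_domain = defaultdict(lambda: {"prefixes": set(), "queries": 0, "txt_null": 0})
    dga = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines instead of crashing
        _ts, _client, qtype, qname = parts
        qname = qname.rstrip(".").lower()
        reg = registered_domain(qname)
        stats = per_domain[reg]
        stats["queries"] += 1
        if qtype.upper() in ("TXT", "NULL"):   # record types favoured by tunnels for payload size
            stats["txt_null"] += 1
        prefix = qname[: -len(reg) - 1] if qname != reg else ""
        if prefix:
            stats["prefixes"].add(prefix)     # each unique prefix is a potential data chunk
        if looks_like_dga(qname):
            dga.add(qname)
    tunneling = {}
    for reg, stats in per_domain.items():
        prefixes = stats["prefixes"]
        if len(prefixes) < min_unique_prefixes:
            continue
        mean_len = sum(map(len, prefixes)) / len(prefixes)
        if mean_len >= min_mean_prefix_len:
            tunneling[reg] = {
                "unique_prefixes": len(prefixes),
                "mean_prefix_len": round(mean_len, 1),
                "txt_null_fraction": round(stats["txt_null"] / stats["queries"], 2),
            }
    return {"tunneling": tunneling, "dga": sorted(dga)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_dns_log(SAMPLE_LOG), indent=2))
```

Run against the constructed log, the tunneling heuristic singles out example.org (four unique 33-character prefixes, all TXT) while example.com, with only www and mail as prefixes, stays clean, and the two consonant-only second-level labels are reported as DGA candidates. Both heuristics are deliberately coarse; the point is that the signal is available in resolver logs before any connection to the flagged hosts is attempted.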

How It Works

DNSSEC works by having the zone operator sign its records with a private key and publish the matching public key in a DNSKEY record; a hash of that key is placed in the parent zone as a DS record, so a validating resolver can follow a chain of trust from the root zone's trust anchor down to the answer. Only resolvers that validate benefit: a stub client that simply trusts its upstream resolver is protected only as far as that resolver, and the path to it, is. DNS filtering operates at the recursive resolver: queries for blocked domains return NXDOMAIN or a sinkhole IP instead of the real answer, so the connection never happens and the sinkhole's logs identify the requesting host. SPF publishes the IP addresses authorized to send mail for a domain in a TXT record; the receiving server checks the connecting client's IP against the record of the envelope sender (MAIL FROM) domain, not the visible From header. DKIM attaches a cryptographic signature covering selected headers and the body; the receiver fetches the signer's public key from a TXT record at <selector>._domainkey.<domain> to verify it. DMARC builds on both: the domain in the visible From header must align with the domain that passed SPF or DKIM, and the _dmarc.<domain> TXT record states the policy (none, quarantine, reject) for messages that fail and where to send aggregate (rua) and failure (ruf) reports. That alignment requirement is the important part. A message can pass SPF for an attacker-controlled envelope domain while spoofing the From header, and only DMARC catches it.
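To make the SPF evaluation and the DMARC alignment rule concrete, here is an added Python example (written for this page, not DFIR Lab code) that evaluates constructed SPF records for a connecting IP and then derives the DMARC disposition from the SPF result, a supplied DKIM result, and the published policy. The TXT records, domain names and IP addresses are constructed sample data standing in for live DNS; the a, mx, ptr and exists mechanisms and the redirect modifier are not implemented because they need real lookups, DKIM signature verification is out of scope (its result is an input), and relaxed alignment is approximated by a subdomain check rather than the organizational-domain comparison real receivers perform.

```python
"""Offline SPF evaluation and DMARC disposition (example code, constructed records)."""
import ipaddress

# Constructed TXT records standing in for live DNS lookups; none of these are real zones.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 -all",
    "bounces.example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "evil.example": "v=spf1 ip4:203.0.113.0/24 -all",      # attacker's own, correctly configured domain
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=r",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, lookup=FAKE_TXT, depth=0):
    """Evaluate domain's SPF record for the connecting client IP.

    Supports ip4/ip6/include/all with qualifiers. Mechanisms that need live DNS
    (a, mx, ptr, exists) return 'permerror' so nothing passes by accident.
    """
    if depth > 10:                         # RFC 7208 limit on DNS-querying terms
        return "permerror"
    record = lookup.get(domain.lower().rstrip("."))
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        if "=" in term:                    # modifiers (redirect=, exp=) are not handled here
            continue
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            return result
        if mech in ("ip4", "ip6"):
            try:                           # a v4 address never matches a v6 network, and vice versa
                if ip in ipaddress.ip_network(arg, strict=False):
                    return result
            except ValueError:
                return "permerror"         # malformed network in the published record
        elif mech == "include":
            inner = spf_check(arg, sender_ip, lookup, depth + 1)
            if inner == "pass":
                return result
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"
    return "neutral"                       # nothing matched and no 'all' term


def parse_dmarc(record):
    """Split a DMARC TXT record into tags; None unless it is a v=DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    tags.setdefault("adkim", "r")          # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    return tags


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') is approximated as one domain
    being the other or a subdomain of it (real receivers compare organizational domains)."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if a == f:
        return True
    if mode == "s" or not a or not f:
        return False
    return a.endswith("." + f) or f.endswith("." + a)


def dmarc_disposition(from_domain, mail_from_domain, sender_ip,
                      dkim_domain, dkim_result, lookup=FAKE_TXT):
    """Return (disposition, reason) for a message whose visible From domain is from_domain.

    SPF is evaluated for the envelope (MAIL FROM) domain; dkim_result is taken as input.
    The disposition is the policy to apply: 'none' (deliver), 'quarantine' or 'reject'.
    """
    spf_result = spf_check(mail_from_domain, sender_ip, lookup)
    record = lookup.get("_dmarc." + from_domain.lower().rstrip("."))
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return "none", f"no DMARC record (SPF={spf_result}, DKIM={dkim_result})"
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "none", "aligned " + ("SPF" if spf_ok else "DKIM") + " pass"
    return tags.get("p", "none"), f"no aligned pass (SPF={spf_result}, DKIM={dkim_result})"


if __name__ == "__main__":
    # Spoofed From header, envelope domain owned by the attacker: SPF passes, DMARC rejects.
    print(dmarc_disposition("example.com", "evil.example", "203.0.113.5", "", "none"))
    # Legitimate bounce subdomain, relaxed SPF alignment: delivered.
    print(dmarc_disposition("example.com", "bounces.example.com", "192.0.2.10", "", "none"))
```

The second scenario in the main block is the one worth internalising: evil.example publishes a valid SPF record, the connecting IP is authorized for it, and SPF returns pass, yet the message is rejected because the authenticated domain does not align with the example.com From header. With adkim=s in the constructed policy, a DKIM signature from mail.example.com is likewise not aligned; only a signature whose d= is exactly example.com rescues such a message.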

DFIR Platform

The DFIR Lab Domain Lookup tool at dfir-lab.ch/domain-lookup provides full DNS record analysis across record types (A, AAAA, MX, TXT, NS, CNAME, SOA) and dedicated email security checks covering SPF, DKIM, and DMARC configuration. The Phishing Email Checker validates DNS-based email authentication as part of phishing analysis.

Related Concepts

SPF (Sender Policy Framework)
DKIM (DomainKeys Identified Mail)
DMARC (Domain-based Message Authentication, Reporting and Conformance)
Certificate Transparency
Passive DNS
