DNS Poisoning Defense
DNSSEC and best practices.
Overview
DNS poisoning attacks hijack traffic by getting forged records into a resolver's cache, where they are served to every client of that resolver until the TTL expires. Defence is layered: cryptographic signing on the authoritative side, an encrypted query path on the client side, and resolver-level mitigations that make blind cache-poisoning guesses expensive.
- DNSSEC for authoritative zones. Signatures over the zone's record sets, chained to the parent through DS records. Validating resolvers reject forged or modified records for signed zones; unsigned zones get no protection at all.
- DNS over HTTPS or TLS. Encrypted query path between client and resolver. Eavesdroppers and on-path injectors on that hop lose the channel; the resolver's own lookups to authoritative servers are not covered, so DoH or DoT does not replace the resolver-side mitigations below.
- Source port randomisation. Modern resolvers pick a random UDP source port per query, so an off-path attacker must guess the port as well as the 16-bit transaction ID (roughly 30 bits combined instead of 16). Check that a NAT in front of the resolver is not rewriting those ports into a predictable sequence.
- 0x20 encoding. Randomising the case of each letter in the query name adds one bit of entropy per letter, because authoritative servers echo the question back as sent. Cheap additional protection; resolvers fall back to case-insensitive matching for the few servers that do not preserve case.
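The three resolver-side entropy sources above, as an added example in Python rather than code from the page: a query record that carries a random transaction ID, a random source port and a 0x20-encoded name, the matching check a resolver applies to each candidate response (with the weak case-insensitive variant for contrast), the entropy an off-path attacker faces under each configuration, and a simulated blind attacker. The port range and the attacker model are assumptions for illustration.

```python
"""Resolver-side entropy against blind (off-path) cache poisoning:
random transaction ID, random UDP source port and 0x20 case
randomisation, plus the matching check applied to each candidate
response. Added example, not code from the page; the port range and
the simulated attacker are assumptions for illustration."""
import math
import secrets
from dataclasses import dataclass

# Assumed ephemeral port range for outgoing queries (Linux default).
PORT_MIN, PORT_MAX = 32768, 60999
PORT_SPACE = PORT_MAX - PORT_MIN + 1


@dataclass(frozen=True)
class OutstandingQuery:
    txid: int    # 16-bit DNS transaction ID
    sport: int   # UDP source port chosen for this query
    qname: str   # question name as sent, with 0x20 case pattern applied


def encode_0x20(qname: str, rng=secrets.randbits) -> str:
    """Randomise the case of each letter (bit 0x20 of ASCII letters).
    Authoritative servers copy the question back verbatim, so the case
    pattern is extra entropy an attacker must guess: one bit per letter."""
    return "".join(
        (ch.upper() if rng(1) else ch.lower()) if ch.isalpha() else ch
        for ch in qname
    )


def new_query(qname: str) -> OutstandingQuery:
    """What a hardened resolver sends for one lookup."""
    return OutstandingQuery(
        txid=secrets.randbelow(1 << 16),
        sport=PORT_MIN + secrets.randbelow(PORT_SPACE),
        qname=encode_0x20(qname),
    )


def response_matches(q, txid, dport, echoed_qname, case_sensitive=True):
    """Accept a response only if TXID, destination port and the echoed
    question all match. With case_sensitive=False the resolver compares
    names case-insensitively and throws the 0x20 entropy away."""
    if txid != q.txid or dport != q.sport:
        return False
    if case_sensitive:
        return echoed_qname == q.qname
    return echoed_qname.lower() == q.qname.lower()


def entropy_bits(qname: str, randomise_port: bool, use_0x20: bool) -> float:
    """Bits an off-path attacker must guess per forged response."""
    bits = 16.0                                          # TXID is always there
    if randomise_port:
        bits += math.log2(PORT_SPACE)                    # ~14.8 bits for this range
    if use_0x20:
        bits += sum(1 for ch in qname if ch.isalpha())   # one bit per letter
    return bits


def simulate_blind_attack(q: OutstandingQuery, attempts: int) -> int:
    """Off-path attacker who knows the question (in any case) but not the
    TXID, port or case pattern sprays random forgeries; returns how many
    the hardened check accepted. A Kaminsky-style attacker gets many such
    races by triggering queries for random names, but each race still
    costs the full entropy."""
    base = q.qname.lower()
    hits = 0
    for _ in range(attempts):
        forged = (secrets.randbelow(1 << 16),
                  PORT_MIN + secrets.randbelow(PORT_SPACE),
                  encode_0x20(base))
        if response_matches(q, *forged):
            hits += 1
    return hits


if __name__ == "__main__":
    name = "www.example.com"
    for label, port, case in (("TXID only", False, False),
                              ("+ random port", True, False),
                              ("+ random port + 0x20", True, True)):
        print(f"{label:24s} {entropy_bits(name, port, case):5.1f} bits")
    q = new_query(name)
    print("forged hits out of 2000:", simulate_blind_attack(q, 2000))
```

The point of the `case_sensitive` flag is that 0x20 only helps if the resolver compares the echoed question byte for byte; a resolver that lower-cases before comparing is back to TXID plus port. For a 15-letter name such as `www.example.com` the hardened configuration is around 44 bits per race instead of 16.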
The approach
Three habits keep DNS poisoning defence operationally sound: sign authoritative zones with DNSSEC, push clients to DoH, and monitor for response anomalies as a standing signal.
- DNSSEC on authoritative zones. Sign every zone the team controls and publish the DS record at the parent; without the DS, validating resolvers treat the zone as unsigned. Once the chain is in place, validating resolvers reject tampered responses.
- DoH for clients. Encrypted query path through Cloudflare 1.1.1.1, Quad9, or a self-hosted DoH endpoint. Pick a resolver that validates DNSSEC, otherwise the encrypted path just carries unverified answers from a cache that can still be poisoned.
- Monitor anomalies. Per-resolver response monitoring. NXDOMAIN spikes (an attacker forcing races by triggering queries for random subdomains of one zone), TTL anomalies (an injected record the attacker wants to persist carries an unusually long TTL), and SERVFAILs from DNSSEC validation failures all surface here.
- Per-zone validation plus documented policy. Each zone's DNSSEC posture (algorithm, key rollover schedule, DS published or not) documented; the policy lives in the security review.
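A worked detection pass for the monitoring habit above, added here as an example and not taken from the page: three detectors run over a constructed, simplified resolver log. The log format, the thresholds, the resolver names and the rule that the last two labels are the zone are all assumptions for illustration.

```python
"""Per-resolver response monitoring for poisoning signals: NXDOMAIN
bursts, TTL outliers and DNSSEC validation failures, run over a
constructed log sample. Added example, not code from the page; the
log format and thresholds are assumptions."""
import re
from collections import defaultdict

# Constructed sample: one line per response, minute 10:01 carries a burst of
# NXDOMAINs for random-looking names under example.com, a 30-day TTL for a
# name that normally has TTL 300, and repeated validation failures.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z rslv1 query=www.example.com. type=A rcode=NOERROR ttl=300
2024-05-01T10:00:02Z rslv1 query=mail.example.com. type=MX rcode=NOERROR ttl=3600
2024-05-01T10:00:03Z rslv1 query=api.example.com. type=A rcode=NOERROR ttl=60
2024-05-01T10:00:05Z rslv1 query=www.example.com. type=A rcode=NOERROR ttl=300
2024-05-01T10:00:08Z rslv1 query=cdn.example.net. type=A rcode=NOERROR ttl=120
2024-05-01T10:00:10Z rslv1 query=nope.example.com. type=A rcode=NXDOMAIN
2024-05-01T10:01:01Z rslv1 query=www.example.com. type=A rcode=NOERROR ttl=2592000
2024-05-01T10:01:02Z rslv1 query=a1f9.example.com. type=A rcode=NXDOMAIN
2024-05-01T10:01:02Z rslv1 query=b7c2.example.com. type=A rcode=NXDOMAIN
2024-05-01T10:01:03Z rslv1 query=c3d4.example.com. type=A rcode=NXDOMAIN
2024-05-01T10:01:03Z rslv1 query=d9e8.example.com. type=A rcode=NXDOMAIN
2024-05-01T10:01:04Z rslv1 query=e5f6.example.com. type=A rcode=NXDOMAIN
2024-05-01T10:01:04Z rslv1 query=f1a2.example.com. type=A rcode=NXDOMAIN
2024-05-01T10:01:05Z rslv1 query=api.example.com. type=A rcode=NOERROR ttl=60
2024-05-01T10:01:06Z rslv2 query=www.example.org. type=A rcode=SERVFAIL reason=validation-failure
2024-05-01T10:01:07Z rslv2 query=www.example.org. type=AAAA rcode=SERVFAIL reason=validation-failure
2024-05-01T10:01:09Z rslv2 query=www.example.org. type=A rcode=SERVFAIL reason=validation-failure
2024-05-01T10:01:10Z rslv2 query=www.example.net. type=A rcode=NOERROR ttl=300
"""

# Timestamp is captured to minute granularity so events bucket per minute.
LOG_RE = re.compile(
    r"^(?P<minute>\d{4}-\d\d-\d\dT\d\d:\d\d):\d\dZ (?P<resolver>\S+) "
    r"query=(?P<qname>\S+) type=(?P<qtype>\S+) rcode=(?P<rcode>\S+)"
    r"(?: ttl=(?P<ttl>\d+))?(?: reason=(?P<reason>\S+))?$"
)


def parse_log(text):
    """Parse lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ttl"] = int(e["ttl"]) if e["ttl"] is not None else None
        events.append(e)
    return events


def nxdomain_spikes(events, min_nxdomain=5, min_ratio=0.5):
    """(resolver, minute, nxdomain, total) for minutes where NXDOMAIN count
    and share both exceed thresholds: the shape of forced-race traffic."""
    totals, nx = defaultdict(int), defaultdict(int)
    for e in events:
        key = (e["resolver"], e["minute"])
        totals[key] += 1
        if e["rcode"] == "NXDOMAIN":
            nx[key] += 1
    return sorted(
        (res, minute, nx[(res, minute)], total)
        for (res, minute), total in totals.items()
        if nx[(res, minute)] >= min_nxdomain and nx[(res, minute)] / total >= min_ratio
    )


def ttl_outliers(events, max_ttl=604800, factor=10):
    """(qname, ttl) for answers whose TTL exceeds an absolute cap (7 days)
    or jumps by `factor` over what the same name returned before."""
    seen, hits = defaultdict(list), []
    for e in events:
        if e["ttl"] is None:
            continue
        hist = seen[e["qname"]]
        if e["ttl"] > max_ttl or (hist and e["ttl"] >= factor * max(hist)):
            hits.append((e["qname"], e["ttl"]))
        hist.append(e["ttl"])
    return hits


def validation_failures(events, min_count=3):
    """Zones with at least `min_count` SERVFAILs attributed to DNSSEC
    validation. Simplification: the last two labels are taken as the zone."""
    per_zone = defaultdict(int)
    for e in events:
        if e["rcode"] == "SERVFAIL" and e["reason"] == "validation-failure":
            labels = e["qname"].rstrip(".").split(".")
            per_zone[".".join(labels[-2:]) + "."] += 1
    return {zone: n for zone, n in per_zone.items() if n >= min_count}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("NXDOMAIN spikes:", nxdomain_spikes(ev))
    print("TTL outliers:", ttl_outliers(ev))
    print("validation failures:", validation_failures(ev))
```

A validation-failure burst cuts both ways: it is what a validating resolver emits while rejecting forged data, and it is also what a botched key rollover or expired signature on your own zone looks like, so the alert should name the zone and be routed to whoever operates it. NXDOMAIN spikes also come from typo storms and malware probing, which is why the detector requires both a count and a share rather than a count alone.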
Why this compounds
Each signed zone reduces hijack risk for the lifetime of the zone. The signatures travel with the zone data, so any validating resolver on the path gets the protection without client-side changes; stub resolvers that do not validate themselves trust the resolver's AD bit, which is only meaningful over a trusted path such as DoT or DoH to a validating resolver.
- DNS integrity. For signed zones, a validating resolver rejects forged or modified records outright. DNSSEC does nothing for unsigned zones, and it does not stop a registrar-account compromise that changes the delegation and DS legitimately, so registrar hardening stays on the list.
- Client privacy. DoH encrypts queries on the client-to-resolver hop. ISP-level DNS surveillance loses the visibility; the chosen resolver operator gains it.
- Faster incident response. Anomaly monitoring surfaces an active attack within the monitoring interval rather than when a user reports a hijack, provided the alerts reach someone who owns the zone.
- Year-one investment, year-two habit. The first DNSSEC rollout is the heavy lift: signer setup, DS publication, rollover procedure, and monitoring for expired signatures (an expired RRSIG turns the zone into SERVFAIL for every validating resolver). Subsequent zones reuse the tooling and the signing policy; each zone gets its own keys unless a shared-key policy is a deliberate, documented choice.