DNS Security 2026

DNSSEC, DoH.

Overview

DNS security in 2026 is a layered problem: DNSSEC for response authenticity, DoH/DoT for query confidentiality, CAA records for certificate-issuance constraints, registrar lock for account-level protection, and monitoring across CT logs and DNS queries to catch anything the controls miss. No single control is sufficient; together they make domain takeover materially harder.

• DNSSEC. Cryptographically signed records. Resolvers can verify responses came from the authoritative server.
• DoH and DoT. Encrypted DNS queries. Eavesdroppers cannot see what is being resolved.
• CAA records. Restrict which certificate authorities can issue for the domain. Cuts unauthorised issuance attacks.
• Registrar lock plus monitoring. Prevents unauthorised registrar changes; CT log and DNS query monitoring catches the things controls miss.

The approach

Five layers form the modern DNS-security baseline. Configure them once and tighten over the year as evidence accumulates.

• DNSSEC on authoritative zones. Sign the zone. Modern resolvers will validate; the cost of running unsigned in 2026 is mounting.
• DoH on internal resolvers. Internal DNS encrypted. Reduces lateral-movement reconnaissance.
• CAA records pinning authorised CAs. Only the CAs the team actually uses. Cuts the unauthorised-issuance threat.
• Registrar lock plus CT log monitoring. Lock against unauthorised registrar changes; CT monitoring catches certificates issued without intent.

Why this compounds

Each year of operation tightens the posture. The team’s domain hygiene improves; new domains inherit the conventions; the discipline matures into a baseline that auditors and enterprise customers expect to see.

• Takeover risk drops. Registrar lock plus CAA shrinks the hijack opportunity surface materially.
• Detection improves. CT monitoring plus DNS monitoring catches anomalies before they become incidents.
• Compliance posture improves. DNSSEC and DoH satisfy modern enterprise security requirements.
• Year-one investment, year-two habit. First year sets up the layers. Subsequent years tighten them; the discipline matures.