AI QA Monkey

DNS Security Best Practices: DNSSEC, CAA Records & Zone Hardening

DNS is the foundation of the internet — every website visit, email delivery, and API call starts with a DNS lookup. Yet DNS is one of the most overlooked attack surfaces. A compromised DNS record can redirect all your traffic to an attacker's server without touching your actual infrastructure.

In our analysis of domains scanned with AI QA Monkey, 78% lacked DNSSEC, 65% had no CAA records, and 12% had misconfigured nameserver delegations.

Why DNS Security Matters

  • DNS hijacking — attackers change your DNS records to redirect traffic to malicious servers
  • DNS cache poisoning — forged DNS responses are injected into resolver caches
  • Subdomain takeover — dangling CNAME records pointing to unclaimed cloud services
  • Certificate fraud — unauthorized CAs issuing certificates for your domain
  • Zone enumeration — attackers map your entire infrastructure via unrestricted zone transfers

Common DNS Threats

DNS Cache Poisoning

An attacker sends forged DNS responses to a resolver, causing it to cache incorrect records. All users of that resolver are then directed to the attacker's server. DNSSEC is the primary defense.

DNS Hijacking

Attackers gain access to your domain registrar account (via phishing or credential stuffing) and modify your nameserver records. Defenses include registrar lock, 2FA, and monitoring.

Subdomain Takeover

When a CNAME record points to a cloud service (e.g., app.yourdomain.com → yourapp.herokuapp.com) and the cloud resource is deleted, an attacker can claim that resource and serve content on your subdomain.

DNSSEC: Authenticate DNS Responses (CRITICAL)

DNSSEC adds digital signatures to DNS records. Resolvers verify these signatures to ensure responses haven't been tampered with.

How DNSSEC Works

  1. Your DNS provider signs your zone records with a private key
  2. The public key (DNSKEY) is published in DNS
  3. A DS (Delegation Signer) record is added at the parent zone (registrar)
  4. Resolvers verify the chain of trust from root → TLD → your domain
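Steps 2 and 3 are concrete enough to compute: the DS record you hand to the registrar is a hash of the child zone's DNSKEY, and a DS that no longer matches the live KSK (for example after a key rollover) makes validating resolvers fail the whole zone. The following Python is an added example, not code from AI QA Monkey or from any DNS provider, that builds a DNSKEY's RDATA, derives its key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (RFC 4034 section 5.1.4 with RFC 4509), and checks whether a DS record as published at the parent was derived from a given DNSKEY. The key material is a constructed 4-byte placeholder rather than a real key, and the function names are this example's own.

```python
import hashlib

# Constructed inputs for the walkthrough, not a real key: a KSK for example.com with
# flags=257 (SEP bit set), protocol=3, algorithm=13 (ECDSAP256SHA256) and a 4-byte
# placeholder public key so the key tag arithmetic can be checked by hand.
EXAMPLE_OWNER = "example.com."
EXAMPLE_FLAGS = 257
EXAMPLE_ALGORITHM = 13
EXAMPLE_PUBKEY = bytes([0x00, 0x01, 0x02, 0x03])

# DS digest types: 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA wire form (RFC 4034 s2.1): flags(2) | protocol(1) | algorithm(1) | key.
    pubkey is the raw key, i.e. the base64 field of the DNSKEY record after decoding."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5):
    a 16-bit checksum over the RDATA that lets a resolver pick the right DNSKEY."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lower-cased, length-prefixed labels, root label last."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest (RFC 4034 s5.1.4): H(canonical owner name | DNSKEY RDATA), upper-case hex."""
    if digest_type not in DIGESTS:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    return DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, flags: int, algorithm: int, pubkey: bytes, digest_type: int = 2) -> str:
    """Presentation form of the DS record to hand to the registrar for this DNSKEY."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def ds_matches_dnskey(ds_text: str, owner: str, flags: int, algorithm: int, pubkey: bytes) -> bool:
    """Check that a DS record as published at the parent was derived from this DNSKEY.
    A mismatch breaks the chain of trust: validating resolvers return SERVFAIL for the zone."""
    fields = ds_text.split()
    tag, alg, digest_type, digest = int(fields[3]), int(fields[4]), int(fields[5]), fields[6]
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    return (tag == key_tag(rdata)
            and alg == algorithm
            and digest.upper() == ds_digest(owner, rdata, digest_type))


if __name__ == "__main__":
    record = ds_record(EXAMPLE_OWNER, EXAMPLE_FLAGS, EXAMPLE_ALGORITHM, EXAMPLE_PUBKEY)
    print(record)
    print("DS matches DNSKEY:",
          ds_matches_dnskey(record, EXAMPLE_OWNER, EXAMPLE_FLAGS, EXAMPLE_ALGORITHM, EXAMPLE_PUBKEY))
```

To run this against a real zone, replace EXAMPLE_PUBKEY with the base64-decoded key field from the zone's DNSKEY record (flags 257 marks the KSK) and compare the result with the DS record the parent zone serves; the key tag alone is not enough, since different keys can share a tag, which is why the digest is checked as well.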

Enable DNSSEC

# Check if DNSSEC is enabled
dig +dnssec yourdomain.com

# Look for RRSIG records in the answer section
# If present, the zone is signed; an "ad" flag in the header additionally means
# the resolver you asked validated the answer (dig itself does not validate)

# Verify the chain of trust with delv (the +sigchase and +trusted-key options
# were removed from current dig releases; delv uses the built-in root trust anchor)
delv yourdomain.com A
# Expect "; fully validated" at the top of the output

# Most registrars have a one-click DNSSEC enable:
# - Cloudflare: Dashboard > DNS > DNSSEC > Enable
# - GoDaddy: Domain Settings > DNSSEC > Add DS Record
# - Namecheap: Domain List > Advanced DNS > DNSSEC

DNSSEC with Cloudflare

If you use Cloudflare as your DNS provider, enabling DNSSEC is one click. Cloudflare automatically manages key rotation and signing. Go to DNS → DNSSEC → Enable DNSSEC, then add the DS record at your registrar.

CAA Records: Control Certificate Issuance (HIGH)

CAA (Certificate Authority Authorization) records specify which CAs may issue certificates for your domain. Without CAA, any of the 100+ public CAs can issue a certificate. CAA is enforced by the CA at issuance time (checking it has been mandatory for publicly trusted CAs since 2017), not by browsers, so it prevents mis-issuance by a compliant CA rather than detecting a certificate that already exists; pair it with Certificate Transparency monitoring.

# Allow only Let's Encrypt to issue certificates
yourdomain.com.  IN  CAA  0 issue "letsencrypt.org"

# Allow Let's Encrypt and DigiCert
yourdomain.com.  IN  CAA  0 issue "letsencrypt.org"
yourdomain.com.  IN  CAA  0 issue "digicert.com"

# Allow wildcard certificates only from specific CA
yourdomain.com.  IN  CAA  0 issuewild "letsencrypt.org"

# Send violation reports to your email
yourdomain.com.  IN  CAA  0 iodef "mailto:security@yourdomain.com"

# Verify CAA records
dig CAA yourdomain.com
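To see what a CA does with these records at issuance time, here is an added Python example (not part of this guide and not any CA's code) that implements the RFC 8659 relevant-RRset lookup (walk from the requested name toward the root until a non-empty CAA RRset is found) and the issue / issuewild / critical-flag decision over constructed records. It also parses the presentation format used in the snippet above, so the records can be pasted in as they appear in a zone file. The sample records, the `parse_caa_zone` and `may_issue` names and the example CA names are this example's own assumptions.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed records for the walkthrough, not a real zone. Comment lines use the
# same '#' style as the snippet above; real zone files use ';'.
SAMPLE_CAA_ZONE = """
# Only Let's Encrypt may issue ordinary certificates; only DigiCert may issue wildcards
example.com.         IN  CAA  0 issue "letsencrypt.org"
example.com.         IN  CAA  0 issuewild "digicert.com"
example.com.         IN  CAA  0 iodef "mailto:security@example.com"
# A name where no CA at all may issue
locked.example.com.  IN  CAA  0 issue ";"
"""

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # flag bit 7: a CA that does not understand the tag must not issue

_CAA_LINE = re.compile(r'^(\S+)\s+(?:\d+\s+)?IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"\s*$')


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


def parse_caa_zone(text: str) -> dict[str, list[CAA]]:
    """Parse presentation-format CAA lines into a map of owner name -> CAA RRset."""
    zone: dict[str, list[CAA]] = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = _CAA_LINE.match(line)
        if not match:
            raise ValueError(f"not a CAA record: {line!r}")
        owner, flags, tag, value = match.groups()
        zone[owner.lower()].append(CAA(int(flags), tag.lower(), value))
    return dict(zone)


def parent(name: str) -> str | None:
    """Strip the leftmost label; None once the top-level label has been passed."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else None


def relevant_caa_set(zone: dict, fqdn: str):
    """RFC 8659 s3: the RRset at the name itself, else the closest ancestor's non-empty RRset."""
    name = fqdn.lower()
    if not name.endswith("."):
        name += "."
    while name is not None:
        if zone.get(name):
            return name, zone[name]
        name = parent(name)
    return None, []


def issuer_domain(value: str) -> str:
    """The issuer-domain-name part of an issue/issuewild value; parameters after ';' are dropped."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone: dict, requested_name: str, ca: str) -> tuple[bool, str]:
    """Decide whether `ca` may issue a certificate for `requested_name` (wildcards as '*.name')."""
    wildcard = requested_name.startswith("*.")
    fqdn = requested_name[2:] if wildcard else requested_name
    owner, rrset = relevant_caa_set(zone, fqdn)
    if not rrset:
        return True, "no CAA records found up to the root: any CA may issue"
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False, f"{owner} carries a critical property this issuer does not understand"
    # issuewild governs wildcard names when present; otherwise issue applies to both
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    allowed = [issuer_domain(r.value) for r in rrset if r.tag == tag]
    if not allowed:
        return True, f"{owner} has no {tag} property: issuance is not restricted"
    if ca.lower() in allowed:
        return True, f"{owner} {tag} permits {ca}"
    names = [a for a in allowed if a] or ["nobody"]
    return False, f"{owner} {tag} permits only {', '.join(names)}"


if __name__ == "__main__":
    zone = parse_caa_zone(SAMPLE_CAA_ZONE)
    for name, ca in [("www.example.com", "letsencrypt.org"), ("www.example.com", "digicert.com"),
                     ("*.example.com", "digicert.com"), ("api.locked.example.com", "letsencrypt.org")]:
        ok, why = may_issue(zone, name, ca)
        print(f"{name:26} {ca:16} {'ALLOW' if ok else 'DENY':5} {why}")
```

Two consequences worth noticing in the output: a subdomain with no CAA of its own inherits the closest ancestor's set, and a record set that contains only iodef restricts nothing, so the issue property is what actually narrows issuance.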

Zone Transfer Protection (HIGH)

Zone transfers (AXFR) replicate all DNS records from primary to secondary nameservers. If unrestricted, attackers can download your entire zone.

# Test if zone transfers are open (should fail)
dig axfr yourdomain.com @ns1.yourdomain.com

# BIND: Restrict zone transfers to specific IPs
# In named.conf:
zone "yourdomain.com" {
    type master;
    file "/etc/bind/zones/yourdomain.com.zone";
    allow-transfer { 198.51.100.10; 198.51.100.11; };  # Secondary NS only
    also-notify { 198.51.100.10; 198.51.100.11; };
};

# Global restriction (deny all by default)
options {
    allow-transfer { none; };
};
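The allow-transfer ACL is only as good as the configuration the server actually loaded, so it is worth checking the server's own logs against the intended secondary list. The following is an added Python example, not from this guide or from ISC, that reads constructed sample lines in the style of BIND's xfer-out and security logging categories and flags two things: a transfer started to an address outside the authorized secondaries (the ACL does not match the policy above) and a source that repeatedly hits the ACL. The log format, the sample addresses and the `audit_zone_transfers` name are assumptions of this example; adjust the regex to what your BIND version emits.

```python
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines in the style of BIND's xfer-out and security logging
# categories (assumption: field order matches what your BIND version emits).
SAMPLE_LOG = """\
17-Mar-2025 10:02:11.301 xfer-out: info: client @0x7f3a1c0 198.51.100.10#41852 (yourdomain.com): transfer of 'yourdomain.com/IN': AXFR started (serial 2025031701)
17-Mar-2025 10:02:11.420 xfer-out: info: client @0x7f3a1c0 198.51.100.10#41852 (yourdomain.com): transfer of 'yourdomain.com/IN': AXFR ended
17-Mar-2025 10:09:45.003 security: error: client @0x7f3a2d0 203.0.113.77#53412 (yourdomain.com): zone transfer 'yourdomain.com/IN' denied
17-Mar-2025 10:09:46.118 security: error: client @0x7f3a2d0 203.0.113.77#53413 (yourdomain.com): zone transfer 'yourdomain.com/IN' denied
17-Mar-2025 10:15:02.777 xfer-out: info: client @0x7f3a4e0 192.0.2.250#50001 (yourdomain.com): transfer of 'yourdomain.com/IN': AXFR started (serial 2025031701)
"""

# The secondaries listed in allow-transfer in the named.conf snippet above
AUTHORIZED_SECONDARIES = ["198.51.100.10", "198.51.100.11"]

_XFER_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<category>xfer-out|security): \w+: "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): (?P<msg>.*)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str       # "transfer-from-unauthorized-ip" or "repeated-denied-transfers"
    source_ip: str
    zone: str
    detail: str


def audit_zone_transfers(log_text: str, authorized: list[str], denied_threshold: int = 2) -> list[Finding]:
    """Flag transfers started to IPs outside the allow-list (the loaded ACL is not what
    you think it is) and sources that keep hitting the ACL (a reconnaissance signal)."""
    nets = [ipaddress.ip_network(a, strict=False) for a in authorized]
    findings: list[Finding] = []
    denied: Counter = Counter()
    denied_zone: dict[str, str] = {}
    for line in log_text.splitlines():
        m = _XFER_LINE.match(line)
        if not m:
            continue  # not a transfer-related line
        ip, msg, zone = m["ip"], m["msg"], m["qname"]
        if m["category"] == "xfer-out" and "started" in msg:
            # AXFR or IXFR actually began: the ACL let this client through
            if not any(ipaddress.ip_address(ip) in net for net in nets):
                findings.append(Finding("transfer-from-unauthorized-ip", ip, zone, f"{m['ts']}: {msg}"))
        elif m["category"] == "security" and "denied" in msg:
            denied[ip] += 1
            denied_zone[ip] = zone
    for ip, count in denied.items():
        if count >= denied_threshold:
            findings.append(Finding("repeated-denied-transfers", ip, denied_zone[ip], f"{count} attempts"))
    return findings


if __name__ == "__main__":
    for f in audit_zone_transfers(SAMPLE_LOG, AUTHORIZED_SECONDARIES):
        print(f"{f.kind:32} {f.source_ip:16} {f.zone:20} {f.detail}")
```

The first finding kind is the one that matters most: a denied attempt shows the ACL working, while a started transfer from an address you do not recognise means the zone has already left the server, and the fix is the allow-transfer change above (plus TSIG-signed transfers if the secondaries support them).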

Nameserver Hardening

  • Use at least 2 nameservers on different networks for redundancy
  • Enable registrar lock — prevents unauthorized domain transfers
  • Enable 2FA on registrar account — the #1 defense against DNS hijacking
  • Hide BIND version: set version "not disclosed"; in the options block of named.conf
  • Disable recursion on authoritative servers: set recursion no; in the same block
  • Rate limit DNS responses — prevents DNS amplification attacks

# BIND hardening in named.conf options
options {
    version "not disclosed";
    recursion no;              # Authoritative only
    allow-transfer { none; };  # No zone transfers
    rate-limit {
        responses-per-second 10;
        window 5;
    };
};

DNS Monitoring

  • Certificate Transparency logs — monitor crt.sh for unauthorized certificates issued for your domain
  • DNS record change alerts — use monitoring tools to detect unexpected record changes
  • Subdomain enumeration — regularly audit subdomains for dangling CNAMEs
  • DMARC reports — monitor for unauthorized email senders (see our Email Spoofing Prevention guide)
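The Subdomain Takeover section above and the audit bullet here come down to the same check: find CNAMEs in your own zone whose target no longer exists. The following added Python example (not code from this guide) parses a constructed zone excerpt, follows each CNAME chain through the zone's own records and then through a constructed stand-in for external lookups (STUB_ANSWERS), and classifies each alias as ok, dangling (the target is NXDOMAIN), loop, or chain-too-long. ORIGIN, the sample records and the function names are this example's own; in production the stub is replaced by real resolver queries, and provider-specific "unclaimed resource" responses are a separate check that this example does not make.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

ORIGIN = "yourdomain.com."

# Constructed zone excerpt for the walkthrough, not a real zone
SAMPLE_ZONE = """
; app is fine, blog and old point at resources that no longer exist,
; cdn and alias point at each other
app      IN CNAME  yourapp.example.net.
blog     IN CNAME  yourblog.pages.example.net.
old      IN CNAME  legacy.example.org.
cdn      IN CNAME  alias.yourdomain.com.
alias    IN CNAME  cdn.yourdomain.com.
www      IN A      203.0.113.10
"""

# Constructed stand-in for live lookups of names outside the zone: each value is the
# answer an external resolver would give ("TYPE rdata" strings); a name that is absent
# or mapped to None is NXDOMAIN. Replace with real queries in production.
STUB_ANSWERS = {
    "yourapp.example.net.": ["A 203.0.113.50"],
    "yourblog.pages.example.net.": None,   # tenant deleted at the provider
    "legacy.example.org.": None,           # provider name no longer resolves
}

_RR_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(A|AAAA|CNAME)\s+(\S+)\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class Record:
    owner: str
    rtype: str
    rdata: str


def qualify(name: str, origin: str) -> str:
    """Turn a relative owner or target into a fully qualified, lower-cased name."""
    if name == "@":
        return origin.lower()
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()


def parse_zone(text: str, origin: str) -> list[Record]:
    """Collect A/AAAA/CNAME records from zone-file lines; other types are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a zone-file comment
        m = _RR_LINE.match(line) if line else None
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        rtype = rtype.upper()
        target = qualify(rdata, origin) if rtype == "CNAME" else rdata
        records.append(Record(qualify(owner, origin), rtype, target))
    return records


def make_resolver(records: list[Record], external: dict):
    """Answer from the zone's own data first, then from the external stub."""
    by_name: dict[str, list[Record]] = {}
    for r in records:
        by_name.setdefault(r.owner, []).append(r)

    def resolve(name: str):
        if name in by_name:
            return by_name[name]
        answer = external.get(name)
        if answer is None:
            return None   # NXDOMAIN
        return [Record(name, *a.split(" ", 1)) for a in answer]

    return resolve


def audit_cnames(records: list[Record], resolve, max_depth: int = 8) -> dict[str, str]:
    """Follow every CNAME chain; report ok / dangling (target NXDOMAIN) / loop / chain-too-long."""
    results: dict[str, str] = {}
    for r in records:
        if r.rtype != "CNAME":
            continue
        seen, target = {r.owner}, r.rdata
        for _ in range(max_depth):
            if target in seen:
                status = "loop"
                break
            seen.add(target)
            answer = resolve(target)
            if answer is None:
                status = "dangling"
                break
            next_hop = [a.rdata for a in answer if a.rtype == "CNAME"]
            if not next_hop:
                status = "ok"
                break
            target = next_hop[0]
        else:
            status = "chain-too-long"
        results[r.owner] = status
    return results


def dangling_names(results: dict[str, str]) -> list[str]:
    """The aliases to remove or re-point before someone else can claim their targets."""
    return sorted(n for n, s in results.items() if s == "dangling")


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE, ORIGIN)
    for name, status in audit_cnames(recs, make_resolver(recs, STUB_ANSWERS)).items():
        print(f"{name:28} {status}")
```

Run this from a scheduled job over an export of your zone: a "dangling" result is a record to delete or re-point, and a "loop" is a misconfiguration that makes the name unusable, which is why both are reported rather than only the takeover-relevant case.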

Security Checklist

  • ☐ Enable DNSSEC at your DNS provider and registrar
  • ☐ Add CAA records limiting certificate issuance
  • ☐ Restrict zone transfers to authorized secondaries only
  • ☐ Enable registrar lock and 2FA
  • ☐ Configure SPF, DKIM, and DMARC records
  • ☐ Audit subdomains for dangling CNAMEs
  • ☐ Monitor Certificate Transparency logs
  • ☐ Disable recursion on authoritative nameservers
  • ☐ Hide DNS server version information
  • ☐ Run regular DNS security scans with AI QA Monkey


Frequently Asked Questions

What is DNSSEC and why do I need it?

DNSSEC adds cryptographic signatures to DNS records, allowing resolvers to verify responses haven't been tampered with. Without it, attackers can perform cache poisoning to redirect your visitors.

What are CAA records?

CAA records specify which certificate authorities can issue SSL/TLS certificates for your domain, preventing unauthorized certificate issuance.

How do I prevent DNS zone transfers?

Restrict zone transfers to authorized secondary nameservers only using allow-transfer directives in your DNS server configuration.

How do I check my DNS security?

Use AI QA Monkey's free DNS/SPF/DMARC Checker to analyze your DNS records and detect misconfigurations.
