June 24, 2025 · Updated May 1, 2026 | 8 min read | Anay Pandya | Hardening Guides

DNS Security Best Practices: Protect Your Domain from Hijacking & Spoofing

Complete guide to DNS security. Prevent domain hijacking, DNS spoofing, and email fraud with DNSSEC, SPF, DKIM, and DMARC configuration.

Anay Pandya, Founder of ZeriFlow · 10 years fullstack engineering

Key Takeaways

  • Includes copy-paste code examples and step-by-step instructions.
  • Free automated scan available to verify your implementation.

Why DNS Security Is Critical

DNS (Domain Name System) is the internet's phone book. It translates domain names like yoursite.com into IP addresses that computers use. If an attacker compromises your DNS, they can:

  • Redirect your visitors to a fake version of your site (DNS hijacking)
  • Intercept emails by modifying MX records
  • Send phishing emails that appear to come from your domain (email spoofing)
  • Take over your domain entirely (DNS registrar hijacking)

ZeriFlow data (12,400+ domains analyzed): 61% have no DMARC policy, and of those with one, 79% use p=none, which provides visibility but zero enforcement against email impersonation.

DNS attacks are especially dangerous because they are invisible to your visitors. They type your URL, see your brand, but they are on the attacker's server.

DNS Threat Landscape

DNS Hijacking

An attacker gains access to your DNS registrar account and changes your domain's records to point to their servers. This is often done through:

  • Phishing the domain owner
  • Exploiting weak registrar passwords
  • Social engineering the registrar's support team

DNS Spoofing / Cache Poisoning

An attacker injects fake DNS responses into a resolver's cache, redirecting traffic without touching your registrar account.

Email Spoofing

Without SPF, DKIM, and DMARC records, anyone can send emails that appear to come from your domain. This is used for phishing, business email compromise, and fraud.

DNS Security Checklist

1. Lock Your Domain

Enable registrar lock (also called "clientTransferProhibited") to prevent unauthorized domain transfers.

  • Log into your registrar (GoDaddy, Namecheap, Cloudflare, etc.)
  • Find the "Domain Lock" or "Transfer Lock" setting
  • Enable it

Also enable registrar 2FA on your account. If your registrar does not support 2FA, consider switching to one that does.

2. Enable DNSSEC

DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records. Resolvers can verify that the DNS response has not been tampered with.

How to enable DNSSEC:

1. Check if your registrar and DNS provider support DNSSEC
2. Generate the DNSSEC keys (usually done by your DNS provider)
3. Add the DS record at your registrar
4. Verify with dig +dnssec yourdomain.com

Providers with easy DNSSEC:

  • Cloudflare (one-click enable)
  • Google Domains
  • AWS Route 53
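The verification step above says to run dig +dnssec but not what to look for in the output. The following is an added example, not code from ZeriFlow or this article: it classifies a saved dig transcript by the "ad" (authenticated data) flag in the header and the presence of RRSIG records in the answer. The two transcripts embedded in it are constructed samples, not real query results, and the domain names in them are placeholders.

```python
import re

# Constructed sample (not real query output) of what `dig +dnssec example.com A`
# prints when asked through a validating resolver: the "ad" flag is set and an
# RRSIG record accompanies the A record.
SAMPLE_VALIDATED = """\
; <<>> DiG 9.18.24 <<>> +dnssec example.com A
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.   3600  IN  A      192.0.2.10
example.com.   3600  IN  RRSIG  A 13 2 3600 20250701000000 20250601000000 4711 example.com. c29tZXNpZ25hdHVyZQ==
"""

# Constructed sample for an unsigned zone: no RRSIG records and no "ad" flag.
SAMPLE_UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.org.   3600  IN  A      192.0.2.20
"""


def check_dnssec(dig_output: str) -> dict:
    """Classify a `dig +dnssec` transcript by status, AD flag and RRSIG presence."""
    status_m = re.search(r"status: (\w+)", dig_output)
    status = status_m.group(1) if status_m else "UNKNOWN"

    # Header line looks like ";; flags: qr rd ra ad; QUERY: 1, ..."
    flags_m = re.search(r"^;; flags: ([^;]*);", dig_output, re.MULTILINE)
    flags = flags_m.group(1).split() if flags_m else []
    authenticated = "ad" in flags

    # Count RRSIG records in the answer (owner TTL IN RRSIG ...).
    rrsig_count = sum(
        1 for line in dig_output.splitlines()
        if re.match(r"\S+\s+\d+\s+IN\s+RRSIG\s", line)
    )

    if status == "SERVFAIL":
        # A validating resolver answers SERVFAIL when signatures or the DS chain are bogus.
        verdict = "validation failed: the resolver refused the answer (broken DS/RRSIG chain or expired signatures)"
    elif authenticated and rrsig_count > 0:
        verdict = "validated: signed zone and the resolver verified the chain of trust"
    elif rrsig_count > 0:
        verdict = "signed but not validated: either the resolver does not validate or no DS record is published at the registrar"
    else:
        verdict = "unsigned: no RRSIG records returned, DNSSEC is not enabled for this zone"

    return {
        "status": status,
        "authenticated": authenticated,
        "rrsig_count": rrsig_count,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, sample in (("validated", SAMPLE_VALIDATED), ("unsigned", SAMPLE_UNSIGNED)):
        print(label, "->", check_dnssec(sample)["verdict"])
```

Ask a resolver that validates (many public resolvers do) or the "ad" flag will never appear even for a correctly signed zone; "signed but not validated" after you added the DS record usually means the resolver you queried does not validate, so retry against one that does before suspecting the registrar.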

3. Set Up SPF (Sender Policy Framework)

SPF tells the world which mail servers are authorized to send email for your domain.

```text
# Add this TXT record to your DNS
@  TXT  "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
```

Rules:

  • include: authorizes a third-party sender
  • ~all: soft fail (mark as spam) for unauthorized senders
  • -all: hard fail (reject) unauthorized senders (stricter)
  • Never use +all (it allows anyone to send as your domain)
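To catch the mistakes listed above before a record goes live, here is an added SPF linter; it is example code written for this guide, not ZeriFlow's scanner. It parses the record into terms, reports which qualifier sits on "all" (flagging +all and ?all), warns about terms placed after "all" that are never evaluated, and counts the mechanisms that cost a DNS lookup against the ten-lookup limit from RFC 7208, which is the most common reason an otherwise sensible record starts returning permerror. The record it is run on is the one from this section.

```python
import re

# RFC 7208 section 4.6.4: each of these terms triggers a DNS lookup during
# evaluation, and a record needing more than ten of them fails with permerror.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# qualifier, term name, optional argument after ':' '=' or '/'
TERM_RE = re.compile(r"([+\-~?]?)([A-Za-z][A-Za-z0-9]*)(?:[:=/](.*))?")


def parse_spf(record: str) -> list[dict]:
    """Split an SPF TXT value into terms of the form {qualifier, name, arg}."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    terms = []
    for part in parts[1:]:
        m = TERM_RE.fullmatch(part)
        if not m:
            raise ValueError(f"unparseable SPF term: {part!r}")
        qual, name, arg = m.groups()
        # A missing qualifier means '+' (pass).
        terms.append({"qualifier": qual or "+", "name": name.lower(), "arg": arg})
    return terms


def lint_spf(record: str) -> dict:
    """Return the lookup count, the qualifier on 'all', and a list of findings."""
    terms = parse_spf(record)
    findings = []
    lookups = sum(1 for t in terms if t["name"] in LOOKUP_TERMS)
    all_idx = next((i for i, t in enumerate(terms) if t["name"] == "all"), None)
    all_qualifier = None

    if all_idx is None:
        findings.append("no 'all' term: unauthorized senders get a neutral result instead of a fail")
    else:
        all_qualifier = terms[all_idx]["qualifier"]
        if all_qualifier == "+":
            findings.append("+all authorizes every host on the internet to send as this domain")
        elif all_qualifier == "?":
            findings.append("?all is neutral and gives no protection")
        elif all_qualifier == "~":
            findings.append("~all soft-fails unauthorized senders; move to -all once DMARC reports look clean")
        # Evaluation stops at the first matching term and 'all' always matches,
        # so anything after it (except the exp= modifier) is dead configuration.
        if any(t["name"] != "exp" for t in terms[all_idx + 1:]):
            findings.append("terms after 'all' are never evaluated")

    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} lookup terms exceed the limit of {MAX_LOOKUPS}; receivers return permerror")

    return {"lookups": lookups, "all_qualifier": all_qualifier, "findings": findings}


if __name__ == "__main__":
    # The record from this section of the guide.
    print(lint_spf("v=spf1 include:_spf.google.com include:sendgrid.net ~all"))
```

The lookup counter only counts terms in the record you pass in; every include: pulls in another record whose own lookups also count toward the same limit of ten, so a real audit has to resolve includes recursively.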

4. Configure DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to outgoing emails. The receiver can verify the signature using a public key published in your DNS.

```text
# Add this TXT record (provided by your email service)
google._domainkey  TXT  "v=DKIM1; k=rsa; p=MIIBIjANBg..."
```

Your email provider (Google Workspace, Microsoft 365, SendGrid) will give you the exact DKIM record to add.

5. Implement DMARC

DMARC tells email receivers what to do when emails fail SPF and DKIM checks.

Start with monitoring:

```text
_dmarc  TXT  "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com"
```

After reviewing reports, enforce:

```text
_dmarc  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100"
```

Full enforcement:

```text
_dmarc  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100"
```

DMARC policy levels:

| Policy | Action | Use when |
|--------|--------|----------|
| p=none | Monitor only | Starting out, reviewing reports |
| p=quarantine | Send to spam | Confident in SPF/DKIM setup |
| p=reject | Block entirely | Fully configured, no issues in reports |
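The three records above differ only in their tags, and what a receiver does with a message depends on those tags plus the SPF and DKIM results. The following added example (written for this guide, not ZeriFlow's code) parses a DMARC record, lints it for the gaps the table warns about, and models the receiver's decision: DMARC passes when either SPF or DKIM passes with an aligned domain, and only when both fail does p= apply, subject to pct= sampling as RFC 7489 describes it. The sample draw and the records it is run on are taken from this section; the rua address is the article's placeholder.

```python
def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT value ('v=DMARC1; p=...; ...') into a tag dictionary."""
    tags = {}
    for item in record.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed DMARC tag: {item!r}")
        key, value = item.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 missing")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= policy tag")
    return tags


def lint_dmarc(record: str) -> list[str]:
    """Flag settings that leave the domain monitored but unenforced."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags["p"].lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports")
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    return findings


def dmarc_disposition(record: str, spf_aligned_pass: bool,
                      dkim_aligned_pass: bool, sample: int = 0) -> str:
    """What a receiver does with one message under this record.

    DMARC passes when either SPF or DKIM passes and its identifier aligns with
    the From: domain; both must fail before p= is consulted. `sample` is the
    receiver's per-message draw in 0..99 for pct= sampling: messages not
    selected get the next less strict policy (RFC 7489 section 6.6.4).
    """
    tags = parse_dmarc(record)
    if spf_aligned_pass or dkim_aligned_pass:
        return "pass"
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))
    if sample >= pct:
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return {"none": "deliver", "quarantine": "spam-folder", "reject": "reject"}[policy]


if __name__ == "__main__":
    # Records from this section of the guide.
    monitor = "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com"
    enforce = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100"
    for rec in (monitor, enforce):
        print(rec)
        print("  findings:", lint_dmarc(rec))
        print("  spoofed mail (SPF fail, DKIM fail):", dmarc_disposition(rec, False, False))
```

Note that a mail forwarded through a mailing list typically fails SPF but keeps a valid DKIM signature, which is why the either/or rule matters: with DKIM set up, moving from p=none to p=reject does not break that traffic.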

6. Minimize Your DNS Exposure

  • Remove unused DNS records (old A records, stale CNAMEs)
  • Avoid wildcard DNS (*.yourdomain.com) unless necessary
  • Use separate subdomains for different services rather than exposing your root
  • Hide internal hostnames — do not create DNS records for internal services

7. Use a Reputable DNS Provider

Your DNS provider should offer:

  • Anycast network (faster resolution, DDoS resilience)
  • DNSSEC support
  • API access for automation
  • Audit logs for DNS changes
  • [Two-factor authentication](https://zeriflow.com/blog/two-factor-authentication-setup-guide)

Recommended: Cloudflare (free), AWS Route 53, Google Cloud DNS

8. Monitor DNS Changes

Set up alerts for any changes to your DNS records:

  • Use a DNS monitoring service
  • Check your registrar's notification settings
  • Review DNS records monthly
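Sections 6 and 8 together amount to one routine: export your zone, compare it with yesterday's export, and treat changes to the records that steer the whole domain (NS, MX, DS, the SPF and DMARC TXT records) as urgent. The following is an added example of that comparison, written for this guide and not ZeriFlow's monitoring; it assumes each snapshot is a mapping from (owner name, record type) to the set of record values, which is the shape you get from most providers' zone-export APIs. The two snapshots are constructed sample data: the second one contains a changed MX, a downgraded DMARC record, a removed stale CNAME and a newly added wildcard, so every alert level appears in the output.

```python
# A snapshot is {(owner_name, rrtype): frozenset(record_values)}, e.g. the
# result of exporting the zone from your provider's API once a day.
# Both snapshots are constructed sample data, not real zone contents.
BASELINE = {
    ("example.com.", "NS"): frozenset({"ns1.dns-provider.example.", "ns2.dns-provider.example."}),
    ("example.com.", "MX"): frozenset({"1 aspmx.l.google.com."}),
    ("example.com.", "TXT"): frozenset({'"v=spf1 include:_spf.google.com ~all"'}),
    ("_dmarc.example.com.", "TXT"): frozenset({'"v=DMARC1; p=reject; rua=mailto:dmarc@example.com"'}),
    ("www.example.com.", "A"): frozenset({"192.0.2.10"}),
    ("old-blog.example.com.", "CNAME"): frozenset({"ghs.googlehosted.com."}),
}

CURRENT = {
    ("example.com.", "NS"): frozenset({"ns1.dns-provider.example.", "ns2.dns-provider.example."}),
    ("example.com.", "MX"): frozenset({"10 mail.unexpected-host.example."}),   # mail rerouted
    ("example.com.", "TXT"): frozenset({'"v=spf1 include:_spf.google.com ~all"'}),
    ("_dmarc.example.com.", "TXT"): frozenset({'"v=DMARC1; p=none"'}),         # enforcement downgraded
    ("www.example.com.", "A"): frozenset({"192.0.2.10"}),
    ("*.example.com.", "A"): frozenset({"192.0.2.99"}),                        # new wildcard
}

# Record types whose change can redirect the whole domain, its mail, or its DNSSEC chain.
HIGH_IMPACT_TYPES = {"NS", "MX", "DS", "SOA"}


def severity_for(name: str, rtype: str, values: frozenset) -> str:
    """Rank a changed record set by how much damage a silent change could do."""
    if rtype in HIGH_IMPACT_TYPES or name.startswith("_dmarc."):
        return "high"
    if rtype == "TXT" and any("v=spf1" in v.lower() for v in values):
        return "high"
    if name.startswith("*."):
        return "medium"   # section 6: wildcards answer for every undefined subdomain
    return "low"


def diff_snapshots(baseline: dict, current: dict) -> list[dict]:
    """Return one alert per changed record set, most severe first."""
    alerts = []
    for key in set(baseline) | set(current):
        before = baseline.get(key, frozenset())
        after = current.get(key, frozenset())
        if before == after:
            continue
        name, rtype = key
        alerts.append({
            "name": name,
            "type": rtype,
            "severity": severity_for(name, rtype, before | after),
            "added": sorted(after - before),
            "removed": sorted(before - after),
        })
    order = {"high": 0, "medium": 1, "low": 2}
    alerts.sort(key=lambda a: (order[a["severity"]], a["name"], a["type"]))
    return alerts


def wildcard_records(snapshot: dict) -> list[tuple]:
    """Section 6 check: list wildcard owners present in a snapshot."""
    return sorted(key for key in snapshot if key[0].startswith("*."))


if __name__ == "__main__":
    for alert in diff_snapshots(BASELINE, CURRENT):
        print(f"[{alert['severity']:6}] {alert['name']} {alert['type']}"
              f" added={alert['added']} removed={alert['removed']}")
    print("wildcards:", wildcard_records(CURRENT))
```

Run the comparison from the provider's API rather than from live DNS queries where you can: a resolver view can lag behind the zone by a TTL, while the API shows the change the moment it is made, which is when you want the page.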

Verify Your DNS Security

Run a ZeriFlow scan to check your DNS and email security configuration. The scan evaluates your SPF, DKIM, DMARC records and DNS settings as part of a comprehensive 80+ point security assessment.

Conclusion

DNS security is the foundation that everything else builds on. If an attacker controls your DNS, then HTTPS, security headers, and firewalls become meaningless. Lock your domain, enable DNSSEC, configure SPF/DKIM/DMARC, and monitor for changes. These steps take an afternoon and protect you indefinitely.
