DNS Layer Security — Before the Request Reaches Your Server
IntroductionDev EnvironmentClientTransportServerAppDataMore

DNS Layer Security — Before the Request Reaches Your Server

Layer 2 in the HTTP Request Journey

You type an address in the browser. You hit Enter. And before any of your code runs — before HTTPS establishes a connection, before the API Gateway sees the request — the network has to find where your server actually is. It does this through DNS.

The Domain Name System is the global, distributed phone book of the internet. It translates vibedefend.com into 104.21.45.123. Without it, the request doesn't know where to go. And that's exactly why DNS is such an attractive target for attackers — whoever controls the translation of a domain to an IP controls where user traffic ends up.

Honestly, DNS security is one of those topics that's easy to dismiss. "That's infrastructure, not my application." Wrong. If someone takes control of your DNS, they can redirect all traffic to a fake server — and no SSL certificate, no firewall, no application-side validation will help you. The user sees the familiar URL and types their password straight into the attacker's hands.

How DNS Works — The Minimum You Need to Know

When a browser wants to visit api.vibedefend.com, a chain of queries kicks off:

  1. Local cache — does the browser or OS already know this address?
  2. ISP or public resolver (e.g. Google's 8.8.8.8, Cloudflare's 1.1.1.1) — a query to the DNS server configured on the device
  3. Root nameserversTLD nameservers (for .com) → the authoritative nameserver for your domain

The result — an IP address — is then cached for a time determined by the TTL (Time To Live) value. And that cache is the source of one of the most dangerous DNS attacks.

DNS Cache Poisoning — A Fake Map

DNS cache poisoning involves injecting a fraudulent response into a DNS resolver's cache. If successful, all users relying on that resolver get directed to a fake server — instead of yours.

The classic scenario: an attacker sends thousands of forged responses to a resolver, betting they'll hit the correct Transaction ID before the real answer arrives from the authoritative server. It's a race condition — and for many years it was effective, because classic DNS has no mechanism for verifying the authenticity of a response.

The famous DNS vulnerability discovered by Dan Kaminsky in 2008 showed the scale of the problem and forced rapid patches across the entire industry.

DNS Hijacking — Taking Control

Hijacking is different from poisoning. Here the attacker doesn't manipulate the cache — they take control of the name resolution process itself. This can happen in several ways:

  • Taking over a registrar account — if your account at Namecheap, GoDaddy, or Cloudflare has a weak password or no 2FA, an attacker can change the domain's nameservers to their own
  • Attacking the home router — changing DNS in a user's router settings directs them to a fake resolver (more of an end-user problem, but worth understanding the vector)
  • Compromising the registrar itself — rare, but it has happened

The effect is the same: the user types the correct address but ends up somewhere they didn't intend to go.

Subdomain Takeover — An Abandoned Subdomain as an Attack Vector

This attack is surprisingly common and frequently overlooked. Here's how it works:

  1. Your company configures a subdomain staging.vibedefend.com pointing to an external service — say, a Heroku app, GitHub Pages, or an AWS S3 bucket
  2. Over time you stop using that service, delete the Heroku app, but... forget to remove the DNS entry
  3. DNS still points to Heroku, and that address is now "free"
  4. An attacker registers an app on Heroku under that same address and takes over the subdomain

Now staging.vibedefend.com is under the attacker's control. They can host phishing pages, serve malware, collect cookies under the .vibedefend.com domain (if you're not using HttpOnly).

Microsoft, Uber, Shopify, GitHub — practically every major company has had this problem. Research shows that subdomain takeover affects as many as 15% of organizations studied.

How to check if you have this problem:

# Check whether DNS points to an external service that isn't responding
dig staging.yourdomain.com
# If the CNAME points to e.g. *.herokudns.com and you get a 404 from Heroku
# — you have a potential problem

Regular DNS record audits aren't optional. Automate it — tools like subjack do it for you.

DNSSEC — Digital Signatures for DNS

DNSSEC (DNS Security Extensions) is a DNS protocol extension that adds cryptographic signatures to records. A resolver can verify that a response genuinely came from the authoritative server and wasn't modified along the way.

It solves the cache poisoning problem — a forged response won't pass signature verification. It doesn't protect against registrar account takeover or subdomain takeover, though.

Enabling DNSSEC depends on your domain registrar and DNS hosting provider. Most major players (Cloudflare, Route53, Google Domains) offer DNSSEC as an option — often a single toggle. If you're running an application with sensitive data, it's worth doing.

How to check if a domain has DNSSEC:

dig +dnssec vibedefend.com
# Look for the 'ad' (Authenticated Data) flag in the response

You can also use the DNSSEC Analyzer from Verisign.

CAA Records — Who Can Issue Certificates for Your Domain

Certification Authority Authorization (CAA) is a DNS record that specifies which certificate authorities (CAs) are authorized to issue SSL certificates for your domain. Without CAA — any CA in the world can technically issue a certificate for vibedefend.com.

This has happened. In 2017, Symantec issued certificates for Google domains without authorization. Had Google had a proper CAA record, no other CA could have done that.

The configuration is simple:

vibedefend.com.  CAA  0 issue "letsencrypt.org"
vibedefend.com.  CAA  0 issuewild "letsencrypt.org"
vibedefend.com.  CAA  0 iodef "mailto:security@vibedefend.com"

The first entry says: only Let's Encrypt can issue certificates for this domain. The third: notify me by email if anyone else tries.

Check your CAA records here: SSLMate CAA Record Generator.

DNS over HTTPS and DNS over TLS — Encrypting DNS Queries

Standard DNS queries travel in plaintext over UDP port 53. This means your ISP, the network admin at a coffee shop, or anyone with access to network traffic can see which domains you're querying — even if the actual communication with the service is encrypted by HTTPS.

DNS over HTTPS (DoH) and DNS over TLS (DoT) solve this by encrypting the DNS queries themselves. Cloudflare (1.1.1.1), Google (8.8.8.8), and many other public resolvers support both protocols. Modern browsers (Firefox, Chrome) have built-in DoH support.

From an application developer's perspective: you can recommend users use private DNS resolvers. If you're building tools for companies — DoH/DoT is an important conversation with the IT department.

What to Do — Practical Checklist

For every domain you operate:

Registrar account:

  • Enable 2FA on your domain registrar and DNS provider accounts
  • Use a unique, strong password
  • Review who has account access — limit to minimum

DNS records:

  • Enable DNSSEC if your registrar supports it
  • Add CAA records restricting which CAs can issue certificates
  • Audit subdomains — remove CNAMEs pointing to non-existent services
  • Set up subdomain monitoring (automated tools or a service like SecurityTrails)

TTL:

  • Before a planned DNS change, lower the TTL (e.g. to 300s) — this makes the change propagate faster
  • Monitor propagation time after changes

Monitoring:

  • Set up alerts for unexpected DNS record changes
  • Cloudflare and other DNS services offer change logs — use them

Summary

DNS security is mostly configuration — a one-time investment in the right settings that pays off indefinitely. The table below maps each technique to the specific attack it prevents.

Technique Protects against
DNSSEC DNS cache poisoning, spoofed responses
CAA records Unauthorized TLS certificate issuance
Subdomain audit + monitoring Subdomain takeover
Registrar 2FA DNS hijacking via account compromise
TTL management Slow propagation after incident response

DNS failures are silent and devastating — you won't get an error message, traffic will just go somewhere else while your other security layers remain completely bypassed. Configure DNSSEC and CAA records once; monitor for subdomain changes as a routine. The next layer after DNS — where traffic lands once it resolves — is covered in CDN and Security Headers.

Sources: