Stage 3 · Build
DNS: The Phone Book of the Internet
DNSSEC & DNS over HTTPS
Protect DNS from cache poisoning and eavesdropping.
DNS Vulnerabilities
Traditional DNS has two fundamental security problems. First, DNS responses can be spoofed — an attacker can forge answers faster than the real server responds, causing cache poisoning. Second, DNS queries are sent in plaintext, allowing eavesdropping and manipulation by network intermediaries.
Attacker Recursive Resolver
| |
| Spoofed response: |
| "example.com = 192.168.1.100" |
| (attacker's IP) |
| <-- faster than real server |
| |
| Resolver caches poisoned record |
| All users get attacker's IP |The Kaminsky attack (2008) made cache poisoning practical by flooding resolvers with fake responses for random subdomains. DNSSEC prevents this by signing records cryptographically.
DNSSEC
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records. Each zone signs its records with a private key. Resolvers verify the signature with the public key, which is chained up to the root zone's trust anchor.
# Check if a domain has DNSSEC
dig example.com +dnssec +short
# Check the DNSSEC chain
dig example.com DNSKEY +short
# Validate DNSSEC
delv example.com
# Check DS records at parent zone
dig example.com DS +shortDNSSEC uses a chain of trust. The root zone is signed. .com zone has a DS record pointing to the root's key. example.com has a DS record pointing to .com's key. If any link breaks, validation fails.
DNSSEC only provides authentication and integrity — it proves the response came from the legitimate server and was not modified. It does not encrypt the query or response. That requires DoH or DoT.
DNS over HTTPS (DoH)
DNS over HTTPS sends DNS queries as regular HTTPS requests to port 443. This makes DNS traffic indistinguishable from normal web traffic, preventing interception and manipulation. Major browsers now support DoH natively.
# Query Cloudflare's DoH endpoint
curl -s -H "accept: application/dns-json" \
"https://cloudflare-dns.com/dns-query?name=example.com&type=A" | jq
# Query Google's DoH endpoint
curl -s "https://dns.google/resolve?name=example.com" | jq
# Test DoH with resolve.conf
# Many resolvers now support DoH via their standard endpointsDoH encrypts DNS queries using TLS (HTTPS). Even if someone intercepts your traffic, they cannot see which domains you are looking up. The response is also encrypted.
DNS over TLS (DoT)
DNS over TLS uses port 853 instead of port 53. It is simpler than DoH but easier to block because it uses a dedicated port. DoT is more common in enterprise environments where firewalls can be configured to allow port 853.
# Query Cloudflare's DoT server
kdig -d example.com @1.1.1.1 +tls
# Use systemd-resolved with DoT
resolvectl dns eth0 1.1.1.1#cloudflare-dns
# Check if DoT is active
resolvectl statusDoT wraps the entire DNS connection in TLS. The connection is established once and then DNS queries are multiplexed over it. DoH embeds each query in a separate HTTPS request.
DoH is harder to block (it looks like HTTPS) but adds HTTP overhead. DoT is simpler and faster but easier to detect and block. For mobile users, DoH is generally preferred. For enterprise networks, DoT gives administrators more control.
Practical DNS Security
# Use reputable resolvers
# Cloudflare: 1.1.1.1 (supports DoH, DoT)
# Google: 8.8.8.8 (supports DoH, DoT)
# Quad9: 9.9.9.9 (blocks malicious domains)
# Enable DoH in Firefox
# Settings -> Privacy & Security -> DNS over HTTPS
# Check your current DNS security
# Visit https://dnssec-trigger.org/ to test
# Monitor DNS for anomalies
sudo tcpdump -i eth0 port 53 -nn -l | \
awk '{print $NF}' | sort | uniq -c | sort -rn | head -20The most important practical step is using a trusted resolver with DoH or DoT. Your ISP's default resolver may log your queries and inject advertisements. Switching to 1.1.1.1 or 9.9.9.9 with encryption protects your privacy.
If you enable DNSSEC validation on your resolver, domains with misconfigured DNSSEC will return SERVFAIL instead of resolving. Test carefully before enabling strict validation in production. Some registrars and hosting providers still do not support DNSSEC properly.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.