When someone types your web address into a browser, the internet looks up where your website actually lives through a system called DNS — the Domain Name System. It is one of the most fundamental parts of how the internet works. It is also one of the oldest, designed in a simpler time when security was not a primary concern.

DNSSEC is the security extension that protects DNS from a subtle but potentially devastating class of attack — one that can redirect your visitors and intercept your email without your server ever being touched.

How DNS Works and Why It Is Vulnerable

Think of DNS as a telephone directory. Your domain name (yourcompany.co.uk) is the name; your server’s IP address is the phone number. When someone wants to reach your website, their computer asks a series of DNS servers to look up the number for that name.

The problem is that DNS was designed in the 1980s without strong authentication. When a DNS server gives an answer, there is no built-in mechanism to verify that the answer is genuine and has not been tampered with.

This opens the door to DNS cache poisoning (also called DNS spoofing). An attacker who can inject false DNS records into the caches of DNS resolvers can redirect anyone using those resolvers to a server they control — while the victim’s browser shows your domain name in the address bar.

What Can an Attacker Do With DNS Spoofing?

Redirect web traffic to a fake website. Visitors type your address and arrive on a convincing copy of your site. They enter login credentials — captured by the attacker. They enter payment details — stolen. Your legitimate site is completely uninvolved, and you may know nothing about it.

Intercept email. By spoofing your MX records, an attacker can redirect incoming email to a server they control — including password reset emails, contract communications, and sensitive client correspondence.

Undermine HTTPS. Even an SSL certificate does not fully protect against DNS spoofing. An attacker who controls the DNS response can obtain a fraudulent SSL certificate for your domain (using DNS-based domain validation), allowing them to serve a fake HTTPS site with a valid padlock.

Real-World Incidents

In 2019, a campaign dubbed “Sea Turtle” by Cisco Talos researchers targeted government, military, and energy organisations in the Middle East and North Africa. Attackers compromised DNS registrar infrastructure to manipulate DNS records for dozens of victims, redirecting email and web traffic through attacker-controlled infrastructure for months. The victims’ servers were never touched.

In 2020, Brazilian banking customers were targeted by a DNS hijacking attack that redirected visits to a major bank’s website to a fake site harvesting login credentials. The bank’s own servers were not compromised — only the DNS records.

What Is DNSSEC?

DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records. When a DNS resolver looks up your domain, it can verify that the answer it received is signed by the legitimate key holder for your domain and has not been tampered with in transit.

It works as a chain of trust: the root DNS zone signs the top-level domains (.uk, .com), which sign registrar zones, which sign individual domain records. At every step, the signature can be verified.

Limitations of DNSSEC

DNSSEC is not a complete solution on its own. It:

  • Protects against DNS spoofing and cache poisoning, but not against attackers who gain access to your actual registrar account
  • Requires careful configuration — misconfigured DNSSEC can make your domain unreachable
  • Is not universally validated — many DNS resolvers do not check DNSSEC signatures, though this is improving

DNSSEC is also distinct from DNS over HTTPS (DoH) and DNS over TLS (DoT), which encrypt DNS queries in transit but do not authenticate the responses the way DNSSEC does.

What to Do Next

  • Check whether DNSSEC is enabled for your domain. This is usually a setting in your domain registrar’s control panel. Major UK registrars including Namecheap, 123-reg, and GoDaddy support DNSSEC.
  • Check whether your DNS provider supports DNSSEC signing. Cloudflare, AWS Route 53, and Google Cloud DNS all support DNSSEC. If yours does not, consider switching.
  • Follow your provider’s documentation carefully. DNSSEC requires both the DNS provider to sign the zone and the registrar to publish a DS (Delegation Signer) record. If these get out of sync, your domain can become unreachable.
  • Treat DNSSEC as part of a broader security posture. For most small businesses, DNSSEC is lower priority than SPF, DMARC, HTTPS, and admin panel protections — but as your domain’s value grows, protecting the DNS layer becomes increasingly important. See our guide to domain security for small businesses.
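The DS record from the third step is what ties the chain of trust in the "What Is DNSSEC?" section to your own zone: the parent publishes a SHA-256 digest of your key-signing DNSKEY, and a validating resolver refuses the zone if the two disagree. The script below, an added example that is not W3IT's code or part of the original page, computes that digest from the DNSKEY's presentation form and compares it with a published DS; the zone name `example.co.uk` and both keys are constructed, not real.

```python
import base64
import hashlib

def wire_name(name: str) -> bytes:
    """Owner name in DNS wire form: length-prefixed, lower-cased labels plus the root byte."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit big-endian word sum of the DNSKEY RDATA."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(text: str) -> bytes:
    """Turn the presentation form 'flags protocol algorithm base64key' into wire RDATA."""
    flags, protocol, algorithm, *key = text.split()
    pubkey = base64.b64decode("".join(key))
    return int(flags).to_bytes(2, "big") + bytes([int(protocol), int(algorithm)]) + pubkey

def ds_from_dnskey(owner: str, dnskey_text: str) -> str:
    """DS record (digest type 2 = SHA-256) the parent must publish for this DNSKEY:
    digest = SHA-256(wire owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    rdata = parse_dnskey(dnskey_text)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} 2 {digest}"   # rdata[3] is the algorithm byte

def delegation_in_sync(owner: str, parent_ds_text: str, child_dnskey_text: str) -> bool:
    """The comparison a validating resolver makes at the delegation point. A DS that
    matches no DNSKEY in the child zone makes the zone bogus, i.e. unreachable from
    validating resolvers. Tolerates a digest that dig has wrapped onto several tokens."""
    fields = parent_ds_text.upper().split()
    published = fields[:3] + ["".join(fields[3:])]
    return ds_from_dnskey(owner, child_dnskey_text).split() == published

ZONE = "example.co.uk."
# Constructed key material, not a real key: 64 bytes standing in for a P-256 public key.
# Flags 257 = zone key + secure entry point (a KSK); protocol is always 3; 13 = ECDSAP256SHA256.
CHILD_KSK = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()
PUBLISHED_DS = ds_from_dnskey(ZONE, CHILD_KSK)   # what the registrar should be publishing
# A rolled KSK the DNS provider now serves, without the registrar's DS having been updated.
ROLLED_KSK = "257 3 13 " + base64.b64encode(bytes(range(64, 128))).decode()

if __name__ == "__main__":
    print("DS to publish:", PUBLISHED_DS)
    print("in sync before roll:", delegation_in_sync(ZONE, PUBLISHED_DS, CHILD_KSK))
    print("in sync after roll: ", delegation_in_sync(ZONE, PUBLISHED_DS, ROLLED_KSK))
```

In practice the two inputs come from `dig DS example.co.uk` (answered by the parent) and `dig DNSKEY example.co.uk` (answered by your DNS provider); the second print line is the out-of-sync state the step above warns about.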

W3IT’s free security check checks whether DNSSEC is enabled and correctly configured for your domain. Run it now as part of a complete picture of your domain’s security posture.