DNSSEC-secure DNS against spoofing attacks
Enable DNSSEC to prevent DNS spoofing and cache poisoning. Cryptographically sign DNS records.
DNSSEC (Domain Name System Security Extensions) cryptographically signs DNS records so that a validating resolver can prove they came from the zone owner and were not altered in transit. This prevents DNS spoofing and cache poisoning attacks.
How DNSSEC works
- The domain owner signs the zone's DNS records with a private key
- The matching public key is published in the DNS itself (DNSKEY record)
- A validating DNS resolver verifies each signature using that public key
- If the signature is valid, the DNS response is trusted
- If the signature is invalid or missing, the resolver rejects the response
Benefits and risks
Benefits
- Prevents DNS spoofing attacks
- Protects against cache poisoning
- Validates DNS responses
Risks
- Complexity: Requires proper setup
- Performance: Adds validation overhead
- Key management: Must manage signing keys securely
Enable DNSSEC
- Generate DNSSEC keys at your registrar or via the command line
- Add DS (Delegation Signer) records to the parent zone
- Sign all zone records
- Test with: dig +dnssec yourdomain.com
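The DS record in step two is what links the parent zone to your DNSKEY: it carries a digest of the key, so a substituted key can never validate. The following added example (not code from this page or from UnderHost) computes that DS record from a DNSKEY using only the Python standard library, following RFC 4034 (key tag) and RFC 4509 (SHA-256 digest); the key bytes are constructed sample data, not a real key.

```python
"""Derive the DS (Delegation Signer) record a parent zone publishes for a
child zone's key-signing key (KSK), per RFC 4034 and RFC 4509."""
import base64
import hashlib

def name_to_wire(name: str) -> bytes:
    """Canonical owner name: lowercase, fully qualified, length-prefixed labels."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire form: flags(2) | protocol(1) | algorithm(1) | key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum that selects a key, it does not authenticate it."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int = 2) -> dict:
    """DS RDATA fields for a DNSKEY; the digest covers owner name + DNSKEY RDATA."""
    if flags & 1 == 0:
        # Practitioner's check: the DS should point at the KSK (SEP bit set, flags 257), not a ZSK.
        raise ValueError("DS should be derived from the KSK (flags 257, SEP bit set)")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {"owner": owner.lower().rstrip(".") + ".", "key_tag": key_tag(rdata),
            "algorithm": algorithm, "digest_type": digest_type, "digest": digest}

def format_ds(ds: dict) -> str:
    """Presentation form as you would paste it at the registrar / parent zone."""
    return f"{ds['owner']} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"

# Constructed sample key (NOT a real key): 64 bytes, the size of an ECDSA P-256 (algorithm 13) key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    ds = ds_record("example.com", 257, 3, 13, SAMPLE_KEY_B64)
    print(format_ds(ds))
    # A single changed key byte yields an unrelated digest, so a swapped-in DNSKEY
    # can never match the DS the parent published; that is the chain of trust.
    tampered = base64.b64encode(bytes([0xFF]) + bytes(range(1, 64))).decode()
    print("tampered key rejected:", ds_record("example.com", 257, 3, 13, tampered)["digest"] != ds["digest"])
```

Compare the output against what dnssec-dsfromkey or your registrar shows for the real KSK; a mismatch in key tag or digest means the wrong key or a copy-paste error in the DNSKEY.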
DNSSEC is not required for most sites. Enable only if you understand the complexity and need maximum security.
Related: DNS resolution