Defense | 2026-03-10 | 5 min

DNS security: DNSSEC, DoH, DoT, and protective DNS

DNS is the unglamorous foundation that attackers abuse for C2, exfiltration, and phishing. Hardening it is cheap and catches a category of attacks no firewall sees.


DNS underpins all of the internet and most enterprise networks, yet historically it shipped without authentication or encryption. Three layered upgrades close those gaps: DNSSEC, encrypted transport (DoH/DoT), and protective DNS. DNSSEC signs the records you publish about your domain so that validating resolvers can detect spoofed or tampered answers; it authenticates data but does not hide it. DoH (DNS over HTTPS, RFC 8484) and DoT (DNS over TLS, RFC 7858) encrypt the channel between client and resolver, preventing on-path observers from reading or modifying queries.

Publishing DNSSEC for your own domain is an operational task, not an engineering project. The registrar must support DS records; most do, including .az registrars routed through CaspelHosting and AzInTelecom. The DNS provider (Cloudflare, AWS Route 53, Google Cloud DNS, Azure DNS) signs zones automatically; the customer ticks a box and copies the DS record to the registrar. Once enabled, validating recursive resolvers worldwide will reject forged answers for your domain. The cost is essentially zero. Combine it with CAA records to constrain which certificate authorities may issue certificates for your domain.
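To make the two client-side mechanisms above concrete, here is an added example (not code from the original post or from any of the named providers) that builds a DNS query in wire format with the EDNS0 DO bit set, frames it the way DoT requires (a two-byte length prefix, RFC 7858), and parses the header flags of a response so the AD (authenticated data) bit can be checked. The resolver address and TLS hostname in `query_over_tls` are assumptions (Quad9's public DoT endpoint); the sample response bytes are constructed, not captured.

```python
import socket
import ssl
import struct

def build_query(name: str, qtype: int = 1, txn_id: int = 0x1234, dnssec_ok: bool = True) -> bytes:
    """Build a wire-format DNS query (RFC 1035). With dnssec_ok=True an EDNS0 OPT
    record with the DO bit is appended, asking the resolver to return RRSIGs and
    to set the AD flag when it validated the answer."""
    flags = 0x0100                      # RD: recursion desired
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, arcount)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN
    opt = b""
    if dnssec_ok:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size 4096,
        # TTL field = ext-rcode 0, version 0, flags 0x8000 (DO), RDLENGTH 0
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def tls_frame(msg: bytes) -> bytes:
    """DoT prefixes every DNS message with a two-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def tls_unframe(data: bytes) -> bytes:
    """Strip the DoT length prefix; raises if the frame is truncated."""
    (length,) = struct.unpack("!H", data[:2])
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated DoT frame")
    return body

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header. 'ad' is True only when the resolver
    asserts it validated the answer with DNSSEC."""
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txn_id,
        "qr": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020),
        "cd": bool(flags & 0x0010),
        "rcode": flags & 0x000F,
        "ancount": an,
    }

def dnssec_validated(response: bytes, expected_id: int) -> bool:
    """A usable, validated answer: matching ID, NOERROR, and AD set."""
    h = parse_header(response)
    return h["id"] == expected_id and h["qr"] and h["rcode"] == 0 and h["ad"]

def query_over_tls(name: str, resolver: str = "9.9.9.9", port: int = 853,
                   server_hostname: str = "dns.quad9.net") -> bytes:
    """Send one query over DoT and return the raw DNS response (needs network;
    resolver/hostname are assumptions, replace with your own validating resolver)."""
    ctx = ssl.create_default_context()          # verifies the resolver's certificate
    with socket.create_connection((resolver, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(tls_frame(build_query(name)))
            prefix = tls.recv(2)
            (length,) = struct.unpack("!H", prefix)
            body = b""
            while len(body) < length:
                chunk = tls.recv(length - len(body))
                if not chunk:
                    raise ConnectionError("resolver closed connection early")
                body += chunk
            return body

# Constructed response header: ID 0x1234, flags QR|RD|RA|AD (0x81A0), NOERROR, 1 answer.
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
# Same header without AD: the resolver did not (or could not) validate.
SAMPLE_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
```

The AD bit is only meaningful when it comes from a resolver you trust and over a channel that cannot be tampered with, which is exactly why DoT/DoH and DNSSEC complement each other: DNSSEC tells the resolver the data is genuine, the encrypted transport tells the client that the resolver's verdict arrived unmodified. On the command line the same flag is what `dig +dnssec` shows as `ad` in its flags line.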

Resolver-side, choose protective DNS. Cisco Umbrella, Cloudflare Gateway, Quad9, Akamai Edge DNS, NextDNS, and self-hosted Pi-hole or AdGuard Home block known malicious domains, phishing sites, command-and-control infrastructure, and category-based content. Threat intel feeds update continuously; a host trying to resolve a freshly registered C2 domain gets blocked at DNS, often before the firewall sees the traffic. NCSC UK estimated DNS-layer blocking prevented two million malicious connections daily across UK government in 2023.

Detect the attacks DNS reveals. Beaconing shows up as periodic queries to the same domain. DNS tunneling shows up as long subdomain labels and high-entropy strings used as a C2 channel; the fingerprints of Cobalt Strike, dnscat2, and Iodine are well documented. SIEMs and DNS firewalls (BloxOne Threat Defense, EfficientIP, CrowdStrike Falcon Insight DNS) detect tunneling patterns. Log all DNS queries, retain them for at least 90 days, and feed them to your detection pipeline. A determined attacker will stay within what your perimeter firewall allows and still need DNS for almost everything, so put detection where that dependency is.
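The two previous paragraphs describe a protective-DNS block decision and the three signals a DNS log exposes (blocklisted names, tunnel-like labels, beaconing intervals). The following added example, not code from the original post or from any of the products it names, runs all three over a constructed log. The log lines, the blocklist entries (using the reserved `.invalid` and `example.*` names), and the thresholds (30-character labels, 3.5 bits of entropy, 20% interval jitter) are assumptions to tune against your own traffic; the registered-domain helper is deliberately naive and a real pipeline would use the Public Suffix List.

```python
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log, not real traffic: "<ISO timestamp> <client IP> <queried name>".
SAMPLE_LOG = """\
2026-03-10T09:00:00 10.0.0.5 www.example.com
2026-03-10T09:00:07 10.0.0.5 cdn.example.com
2026-03-10T09:02:30 10.0.0.5 www.example.com
2026-03-10T09:02:31 10.0.0.5 api.example.com
2026-03-10T09:10:00 10.0.0.5 www.example.com
2026-03-10T09:10:45 10.0.0.5 mail.example.com
2026-03-10T09:00:00 10.0.0.7 c2.beacon-test.invalid
2026-03-10T09:01:00 10.0.0.7 c2.beacon-test.invalid
2026-03-10T09:02:00 10.0.0.7 c2.beacon-test.invalid
2026-03-10T09:03:00 10.0.0.7 c2.beacon-test.invalid
2026-03-10T09:04:00 10.0.0.7 c2.beacon-test.invalid
2026-03-10T09:05:00 10.0.0.7 c2.beacon-test.invalid
2026-03-10T09:06:12 10.0.0.9 kq7x2mzr9vb4nh8ytd3wfg6jl0pa5ceu.zx91vrt4mqp.tun.example.net
"""

# Constructed protective-DNS blocklist (placeholder entries, not a real feed).
BLOCKLIST = {"beacon-test.invalid", "tun.example.net"}

def parse_log(text):
    """Return (timestamp, client, qname) tuples; names are normalised to lowercase."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        records.append((datetime.fromisoformat(ts), client, qname.lower().rstrip(".")))
    return records

def policy_decision(qname, blocklist):
    """Protective-DNS style check: block if the name or any parent domain is listed."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return "block"
    return "allow"

def shannon_entropy(s):
    """Bits per character; random-looking tunnel payloads score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    # Assumption: last two labels. Use the Public Suffix List in production.
    return ".".join(qname.split(".")[-2:])

def tunnel_features(qname):
    labels = qname.split(".")
    subdomain = "".join(labels[:-2])   # everything left of the registered domain
    return {
        "longest_label": max(len(l) for l in labels),
        "subdomain_len": len(subdomain),
        "entropy": shannon_entropy(subdomain),
    }

def is_tunnel_like(qname, max_label=30, min_sub_len=40, min_entropy=3.5):
    """Flag long labels or long, high-entropy subdomain data (thresholds are assumptions)."""
    f = tunnel_features(qname)
    return f["longest_label"] >= max_label or (
        f["subdomain_len"] >= min_sub_len and f["entropy"] >= min_entropy)

def detect_beaconing(records, min_queries=6, max_cv=0.2):
    """Group queries per (client, registered domain); flag pairs whose inter-query
    intervals are nearly constant (coefficient of variation <= max_cv)."""
    by_pair = defaultdict(list)
    for ts, client, qname in records:
        by_pair[(client, registered_domain(qname))].append(ts)
    hits = []
    for (client, domain), times in by_pair.items():
        if len(times) < min_queries:
            continue
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        if statistics.pstdev(intervals) / mean <= max_cv:
            hits.append((client, domain, round(mean)))
    return hits

def analyze(text, blocklist=BLOCKLIST):
    """Run all three checks over a log and return the findings."""
    records = parse_log(text)
    return {
        "blocked": sorted({(c, q) for _, c, q in records if policy_decision(q, blocklist) == "block"}),
        "tunnel_like": sorted({(c, q) for _, c, q in records if is_tunnel_like(q)}),
        "beaconing": detect_beaconing(records),
    }

if __name__ == "__main__":
    for kind, findings in analyze(SAMPLE_LOG).items():
        print(kind, findings)
```

In the sample, the host querying `c2.beacon-test.invalid` every 60 seconds is caught twice: by the blocklist at resolution time and by the interval check afterwards, which is the point of layering a protective resolver with log analytics. The single tunnel-style query is not on any list by its own name but is flagged on label length and entropy alone, which is how a freshly minted tunnel domain is spotted before any feed knows about it.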

#dns #dnssec #network-security #defense
Information security, Baku.
© 2026 gpolicy. All rights reserved.