Tips 7 min read

DNS Security Best Practices for Australian Domains

DNS Security Best Practices for Australian Domains

Your Domain Name System (DNS) is a critical component of your online infrastructure. It translates domain names into IP addresses, enabling users to access your website and services. However, DNS is also a target for cyberattacks. Implementing robust DNS security measures is essential for protecting your Australian domain from various threats, including DNS spoofing, cache poisoning, and Distributed Denial-of-Service (DDoS) attacks. This article outlines practical tips and best practices to enhance your domain's DNS security.

1. Implementing DNSSEC for Enhanced Security

DNSSEC (Domain Name System Security Extensions) is a suite of security protocols that adds a layer of authentication to the DNS system. It uses digital signatures to verify the authenticity and integrity of DNS data, ensuring that users are directed to the correct IP address and preventing attackers from manipulating DNS records.

How DNSSEC Works

DNSSEC works by creating a chain of trust, starting from the root DNS servers down to your domain's authoritative name servers. Each level signs its DNS records using cryptographic keys. When a user queries your domain, their DNS resolver can verify the signatures and ensure that the response has not been tampered with.

Benefits of DNSSEC

Authentication: DNSSEC verifies the authenticity of DNS data, preventing attackers from redirecting users to malicious websites.
 Integrity: DNSSEC ensures that DNS records have not been altered in transit, protecting against man-in-the-middle attacks.
Non-repudiation: DNSSEC provides a cryptographic proof that the DNS data originated from the authoritative name server.

Implementing DNSSEC


  • Choose a DNS provider that supports DNSSEC: Many DNS providers offer DNSSEC as a standard feature. Dnscheck can help you assess your current setup and recommend appropriate solutions.

  • Generate cryptographic keys: Your DNS provider will guide you through the process of generating the necessary keys.

  • Sign your DNS records: Use your private key to sign your DNS records. Your DNS provider typically automates this process.

  • Publish the Delegation Signer (DS) record: The DS record is a hash of your public key that is published in the parent zone (e.g., the `.au` zone for Australian domains). This establishes the chain of trust.

  • Test your DNSSEC configuration: Use online tools to verify that your DNSSEC configuration is working correctly.

Common Mistakes to Avoid

Using weak cryptographic keys: Choose strong key lengths (e.g., 2048 bits for RSA) to ensure adequate security.
Failing to rotate keys regularly: Key rotation is essential for maintaining the security of your DNSSEC implementation. Follow your DNS provider's recommendations for key rotation frequency.
 Incorrectly publishing the DS record: An incorrect DS record will break the chain of trust and prevent DNSSEC validation.

2. Protecting Against DNS Cache Poisoning

DNS cache poisoning, also known as DNS spoofing, is a type of attack where attackers inject false DNS records into the cache of a DNS resolver. This can redirect users to malicious websites or intercept sensitive information.

How DNS Cache Poisoning Works

Attackers exploit vulnerabilities in the DNS protocol to inject fake DNS records into the cache of a DNS resolver. When a user queries a domain, the resolver returns the false record, directing the user to the attacker's server.

Mitigation Techniques

Implement DNSSEC: As mentioned earlier, DNSSEC provides authentication and integrity for DNS data, making it much more difficult for attackers to inject false records.
 Use random source ports: Configure your DNS resolvers to use random source ports for outgoing queries. This makes it harder for attackers to predict the response and inject false records.
Enable query name minimisation: Query name minimisation reduces the amount of information sent in DNS queries, making it harder for attackers to infer the structure of your DNS zone.
 Regularly update your DNS software: Keep your DNS server software up to date with the latest security patches to address known vulnerabilities.

Real-World Scenario

Imagine a scenario where an attacker poisons the DNS cache of a popular ISP in Australia. Users of that ISP who try to access their online banking website are redirected to a fake website that looks identical. The attacker can then steal their login credentials and access their bank accounts. DNSSEC would prevent this attack by ensuring that the DNS records for the banking website are authentic.

3. Using DNS Firewalls and DDoS Mitigation Services

DNS firewalls and DDoS mitigation services can provide an additional layer of protection against DNS-based attacks. These services filter malicious traffic and prevent it from reaching your DNS servers.

DNS Firewalls

DNS firewalls analyse DNS traffic and block malicious queries, such as those from botnets or known attackers. They can also protect against DNS amplification attacks, where attackers send small queries to DNS servers, which then respond with large amounts of data, overwhelming the target.

DDoS Mitigation Services

DDoS mitigation services use various techniques to mitigate DDoS attacks, such as traffic scrubbing, rate limiting, and content delivery networks (CDNs). They can detect and filter malicious traffic before it reaches your DNS servers, ensuring that legitimate users can still access your website and services. Our services include options for DDoS protection.

Choosing a Provider

When choosing a DNS firewall or DDoS mitigation service, consider the following factors:

Reputation: Choose a provider with a proven track record of protecting against DNS attacks.
 Performance: Ensure that the service does not introduce significant latency or impact the performance of your website.
Scalability: The service should be able to scale to handle large volumes of traffic during a DDoS attack.
 Features: Look for features such as real-time monitoring, reporting, and customisable rules.

4. Regularly Monitoring DNS Activity for Suspicious Behaviour

Monitoring your DNS activity is crucial for detecting and responding to potential threats. By analysing DNS logs, you can identify suspicious patterns, such as unusual query volumes, requests from unfamiliar IP addresses, or attempts to access non-existent domains.

What to Monitor

Query volumes: Monitor the number of DNS queries your servers are receiving. A sudden spike in query volume could indicate a DDoS attack.
 Query types: Analyse the types of DNS queries being made. Unusual query types could indicate an attempt to exploit vulnerabilities in your DNS configuration.
Source IP addresses: Monitor the IP addresses from which DNS queries are originating. Requests from unfamiliar or suspicious IP addresses could indicate an attack.
 NXDOMAIN responses: Monitor the number of NXDOMAIN (Non-Existent Domain) responses. A high number of NXDOMAIN responses could indicate a DNS hijacking attempt.

Tools for Monitoring

DNS server logs: Most DNS server software provides detailed logs of DNS activity. Analyse these logs regularly to identify suspicious patterns.
 Security Information and Event Management (SIEM) systems: SIEM systems can collect and analyse logs from multiple sources, including DNS servers, to provide a comprehensive view of your security posture.
Network monitoring tools: Network monitoring tools can track network traffic and identify anomalies that could indicate a DNS attack.

5. Keeping Your DNS Software Up to Date

Keeping your DNS server software up to date is essential for addressing known vulnerabilities and protecting against new threats. Software updates often include security patches that fix bugs and close loopholes that attackers could exploit.

Why Updates are Important

Security patches: Updates often include security patches that address known vulnerabilities.
Bug fixes: Updates can fix bugs that could be exploited by attackers.
 Performance improvements: Updates can improve the performance of your DNS servers.
New features: Updates may include new features that enhance the security and functionality of your DNS infrastructure.

Best Practices for Updating

Subscribe to security advisories: Subscribe to security advisories from your DNS software vendor to stay informed about new vulnerabilities and updates.
Test updates in a staging environment: Before deploying updates to your production environment, test them in a staging environment to ensure that they do not introduce any compatibility issues.
 Schedule regular updates: Establish a schedule for regularly updating your DNS software. Consider using automated update tools to simplify the process.

  • Back up your configuration: Before updating your DNS software, back up your configuration files so that you can easily restore your settings if something goes wrong.

By implementing these DNS security best practices, you can significantly enhance the security of your Australian domain and protect against common threats. Remember to stay informed about the latest security threats and adapt your security measures accordingly. If you have further questions, consult our frequently asked questions or learn more about Dnscheck.

Related Articles

Guide • 2 min

Setting Up DNS for Email Deliverability: A Comprehensive Guide
Comparison • 2 min

DNS Monitoring Services: A Comparison for Australian Businesses
Tips • 2 min

Troubleshooting Common DNS Issues: A Practical Guide

Want to own Dnscheck?

This premium domain is available for purchase.

Make an Offer