How to Fix DNS Security Issues and Misconfigurations

DNS misconfigurations like open zone transfers and missing DNSSEC expose your domain to hijacking and spoofing attacks. Fix them now.

Severity: Medium | Category: Infrastructure Security | Updated 2026-03-01

The Problem

DNS misconfigurations can allow attackers to hijack your domain traffic, enumerate all your subdomains through zone transfers, or poison DNS caches to redirect users to malicious servers. DNS is the foundation of your web presence, and insecure DNS configuration undermines every other security measure you have in place. Common issues include open zone transfers, missing DNSSEC, stale records, and misconfigured nameservers.

How to Fix

  1. Disable DNS zone transfers

    Zone transfers (AXFR) allow anyone to download your complete DNS zone, revealing all subdomains and records. Test whether zone transfers are open against each of your authoritative nameservers:

    ```sh
    dig axfr yourdomain.com @ns1.yourdomain.com
    ```

    If this returns all your DNS records, zone transfers are open; a correctly restricted server answers with "; Transfer failed." instead. Restrict transfers in your DNS server configuration.

    For BIND, set the allow-transfer option to deny transfers entirely, or restrict it so that only your secondary nameservers (identified by address or, better, by a TSIG key) can request the zone.

    If you use a managed DNS provider (Cloudflare, Route 53), zone transfers are typically disabled by default.
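A BIND named.conf fragment that implements the restriction above, added here as an example and not taken from the original page: transfers are denied globally and allowed for the zone only to a secondary that signs its request with a TSIG key. The zone name is the page's yourdomain.com placeholder; the key name, the zone file path and the secondary's address 192.0.2.2 are assumed placeholders.

```conf
// Shared secret for transfer authentication. Generate it with
// `tsig-keygen xfer-key` and install the same key on the secondary.
// Placeholder name and secret: replace both before use.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET_FROM_TSIG_KEYGEN";
};

options {
    // Default for every zone served here: nobody may request AXFR/IXFR.
    allow-transfer { none; };
};

zone "yourdomain.com" {
    type master;                                 // "primary" on BIND 9.16+
    file "/etc/bind/zones/db.yourdomain.com";    // assumed path

    // Override the global deny only for requests signed with the key.
    // Keying on the TSIG rather than on an IP address means a host that
    // merely sits at (or later inherits) the secondary's address cannot
    // pull the zone.
    allow-transfer { key "xfer-key"; };

    // Notify the secondary when the zone changes (placeholder address).
    also-notify { 192.0.2.2; };
};
```

After reloading, re-run the dig axfr test from the secondary's address without the key and confirm it fails.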

  2. Enable DNSSEC

    DNSSEC adds cryptographic signatures to DNS responses, preventing cache poisoning and spoofing. Enable it through your DNS provider:

    - Cloudflare: Dashboard > DNS > Settings > Enable DNSSEC
    - Route 53: Use the EnableHostedZoneDNSSEC API call
    - Google Cloud DNS: Enable DNSSEC in zone settings

    After enabling, add the DS record to your domain registrar. Your DNS provider will give you the DS record values.

    Verify DNSSEC is active by querying through a validating resolver:

    ```sh
    dig +dnssec yourdomain.com
    ```

    Look for the ad (authenticated data) flag on the ";; flags:" line of the response. The flag is set by a validating recursive resolver, not by your authoritative server, so send the query to a resolver that performs DNSSEC validation rather than to ns1.yourdomain.com directly; otherwise the flag will be absent even when the zone is correctly signed.

  3. Audit and clean up DNS records

    Review every record in your zone and remove stale entries, in particular:

    - CNAME records pointing to decommissioned services (a dangling CNAME invites subdomain takeover)
    - A records pointing to IP addresses you no longer own
    - MX records for mail services you no longer use
    - TXT records for services you have cancelled

  4. Add CAA records

    Certificate Authority Authorization (CAA) records specify which certificate authorities may issue TLS certificates for your domain, so that any other CA must refuse issuance. Publish an issue record naming your certificate provider (letsencrypt.org in the original example; replace it with your own CA) and an iodef record pointing to your security email, so that CAs report issuance requests that violate the policy.

How to Verify

Test your DNS security:

```sh
# Zone transfer should fail ("; Transfer failed.")
dig axfr yourdomain.com @ns1.yourdomain.com

# DNSSEC should be active: query a validating resolver and check the
# flags line for "ad" (the original grep 'ad' also matched unrelated
# lines, such as base64 signature data)
dig +dnssec yourdomain.com | grep '^;; flags:.* ad[ ;]'

# CAA records should exist
dig CAA yourdomain.com
```

Use online tools like dnsviz.net to visualize your DNSSEC chain and identify issues.

Prevention

Include DNS configuration in your security documentation. Review DNS records quarterly. Use a managed DNS provider with built-in security features. Add DNS record changes to your change management process. Use StackShield to continuously monitor your DNS configuration for security issues.

Frequently Asked Questions

What is DNS cache poisoning?

DNS cache poisoning is an attack where a malicious DNS response is injected into a resolver cache, causing it to return a wrong IP address for your domain. This redirects your users to an attacker-controlled server. DNSSEC prevents this by cryptographically signing DNS responses so resolvers can verify their authenticity.

Do I need DNSSEC if I use Cloudflare?

Cloudflare provides DDoS protection and proxied DNS, but DNSSEC adds an additional layer by preventing DNS spoofing between Cloudflare and the end user resolver. Cloudflare makes DNSSEC easy to enable with one click. It is recommended as a best practice even with Cloudflare.

How do attackers exploit DNS misconfigurations?

Zone transfers reveal all subdomains (helpful for subdomain takeover). Missing DNSSEC allows cache poisoning to redirect traffic. Stale NS records can lead to domain hijacking. Missing CAA records mean any certificate authority may issue certificates for your domain, widening the set of CAs from which an attacker can try to obtain a mis-issued certificate.

Detect This Automatically with StackShield

StackShield continuously monitors your Laravel application from the outside and alerts you when security issues are found. No installation required.