The DNS system is broken. The sorry state of DNS security exposes your server and your end users to a variety of risks. Some of those risks are preventable.
What is wrong with DNS
What’s wrong with DNS, you ask? For starters:
- plain DNS has no privacy: queries and responses on UDP/TCP port 53 are sent in cleartext, so anyone on the path (the ISP, the coffee-shop Wi-Fi, a compromised router) can read which names your server and your users look up
- an untrustworthy resolver has no controls on it: the resolver you use (often whatever DHCP handed out) sees every query, can log and track it, and can rewrite responses to point you at a host of its choosing; a plain DNS client has no way to tell a tampered answer from a genuine one, which opens the floodgates to spoofing
Solutions for DNS security to consider
Some solutions to consider:
- DNS over HTTPS (DoH, RFC 8484): DNS messages carried inside HTTPS requests, so they look like ordinary web traffic; CoreDNS can serve it, and public resolvers such as Cloudflare's 1.1.1.1 and Google's 8.8.8.8 offer it
- DNS over TLS (DoT, RFC 7858): the same wire format as DNS over TCP, but inside a TLS session on port 853
- browsers that resolve names themselves over DoH instead of asking the operating system (right now that is Firefox, via its Trusted Recursive Resolver settings, network.trr.mode and network.trr.uri in about:config)
Keep in mind what these fix: DoH and DoT encrypt the hop between the client and the resolver, so on-path eavesdropping and tampering go away, but the resolver still sees and answers every query in the clear. They only help if the resolver at the other end is one you trust.
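To make the bullets above concrete, here is an added example in Python (not code from the original post). It builds a DNS query in the port-53 wire format, parses a constructed query/response pair to show exactly what an eavesdropper on the path gets to read, and then shows how the very same bytes travel over DoH (the RFC 8484 GET form) and over DoT (the RFC 7858 length-prefixed framing). The sample packets, the example.com answer, and the use of https://cloudflare-dns.com/dns-query and port 853 as the DoH/DoT endpoints are my own assumptions for illustration; doh_query and dot_query need network access, everything else runs offline.

```python
import base64
import socket
import ssl
import struct
import urllib.request

QTYPE_A, QCLASS_IN = 1, 1

def build_query(name, qtype=QTYPE_A, txid=0):
    """RFC 1035 wire-format query, RD bit set. RFC 8484 recommends ID 0 over
    DoH (identical queries -> identical, cacheable HTTP requests)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                     for lab in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)

def _read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 4.1.4
            hops += 1
            if hops > 16:  # refuse pointer loops instead of spinning forever
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)

def parse_message(data):
    """Header, question and answer sections: exactly what an on-path
    eavesdropper reads when the message crosses port 53 unencrypted."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = _read_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = _read_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, rclass, ttl, rdata))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}

def doh_get_url(resolver_url, query):
    """RFC 8484 GET form: wire-format query, base64url, padding removed."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return resolver_url + "?dns=" + encoded

def dot_frame(query):
    """RFC 7858 reuses DNS-over-TCP framing: 2-byte big-endian length prefix."""
    return struct.pack("!H", len(query)) + query

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf

def doh_query(resolver_url, name):
    """Resolve over DoH (needs network; not used by the offline checks)."""
    req = urllib.request.Request(doh_get_url(resolver_url, build_query(name)),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_message(resp.read())

def dot_query(host, name, port=853):
    """Resolve over DoT (needs network; not used by the offline checks)."""
    ctx = ssl.create_default_context()  # verifies the resolver's certificate
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(dot_frame(build_query(name)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_message(_recv_exact(tls, length))

# Constructed sample packets (assumed, not captured): what a sniffer on port 53
# sees for an A lookup of example.com (answer 93.184.216.34, TTL 3600).
CAPTURED_QUERY = bytes.fromhex(
    "000001000001000000000000" "076578616d706c6503636f6d00" "00010001")
CAPTURED_RESPONSE = bytes.fromhex(
    "000081800001000100000000" "076578616d706c6503636f6d00" "00010001"
    "c00c" "0001" "0001" "00000e10" "0004" "5db8d822")
```

Running parse_message over CAPTURED_QUERY and CAPTURED_RESPONSE shows the looked-up name and the returned address in full; doh_get_url on the same query yields the opaque `?dns=AAABAAAB...` request that is all an eavesdropper sees once the bytes are inside TLS. Note that both DoH and DoT leave the message itself untouched: the transport changes, the resolver still reads every query. The parser deliberately refuses compression-pointer loops, a classic trap for naive DNS parsers; a production implementation would also bound label lengths and handle truncated or malformed messages.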