DNSSEC
Domain Name System Security Extensions (DNSSEC) adds cryptographic signatures to DNS data so that a validating resolver can check that the records it receives were published by the zone owner and were not altered on the way. It provides authenticity and integrity, not confidentiality: DNSSEC does not encrypt queries or answers.
Why it matters:
Without DNSSEC, an attacker who can forge responses, for example by poisoning a resolver's cache or by intercepting traffic between a resolver and your authoritative servers, can send your visitors to a host they control. With DNSSEC, your records are signed with the zone's private key, and the zone's public key is vouched for by the parent zone through a DS record, all the way up to the root. The protection only applies when the resolver validates: a resolver that does not check signatures accepts forged answers exactly as before.
Implementation Checklist:
- Enable DNSSEC at your DNS provider. The provider signs the zone and publishes the DNSKEY records.
- Add the DS record provided by your DNS provider at your domain registrar, which publishes it in the parent zone. The DS is a hash of your key-signing key (KSK), so its key tag, algorithm and digest must match the DNSKEY the provider actually serves.
- Verify the chain of trust using tools like DNSViz, or query a validating resolver with dig +dnssec or delv. Repeat the check after every KSK rollover: a DS that no longer matches the published KSK makes the zone bogus, and validating resolvers will refuse to resolve it.
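The DS-versus-DNSKEY comparison from the checklist, as an added example that is not part of the original page or of any DNS provider's tooling. It implements the key tag computation (RFC 4034 Appendix B) and the DS digest (owner name in wire form followed by the DNSKEY RDATA), then compares a DS record in presentation format with a DNSKEY record. The key bytes, the owner name example.com and the sample records are constructed placeholders, not real key material.

```python
"""Added example (not from the original page): check that the DS record you
gave the registrar really matches the KSK your DNS provider serves, following
RFC 4034 (key tag in Appendix B, DS digest in section 5).
The key bytes below are a constructed placeholder, not real key material."""
import base64
import hashlib

DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, then the root label."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: the 16-bit key tag shown as the first field of a DS record."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int, key: bytes, digest_type: int = 2):
    """Return (key_tag, algorithm, digest_type, DIGEST_HEX) for the DS that matches this DNSKEY.
    The digest covers the canonical owner name followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key)
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def parse_dnskey(rr: str):
    """Parse presentation form 'owner [ttl] [IN] DNSKEY flags protocol algorithm base64...'."""
    parts = rr.split()
    i = parts.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in parts[i + 1:i + 4])
    key = base64.b64decode("".join(parts[i + 4:]))
    return parts[0], flags, protocol, algorithm, key


def parse_ds(rr: str):
    """Parse presentation form 'owner [ttl] [IN] DS keytag algorithm digesttype hex...'."""
    parts = rr.split()
    i = parts.index("DS")
    return int(parts[i + 1]), int(parts[i + 2]), int(parts[i + 3]), "".join(parts[i + 4:]).upper()


def ds_matches(ds_rr: str, dnskey_rr: str) -> bool:
    """True when the DS published in the parent zone points at this DNSKEY.
    A DS normally points at a KSK (flags 257, SEP bit set); the comparison is the same either way."""
    owner, flags, protocol, algorithm, key = parse_dnskey(dnskey_rr)
    tag, alg, digest_type, digest = parse_ds(ds_rr)
    if digest_type not in DIGEST_TYPES:
        return False  # unknown digest type: cannot be verified, treat as mismatch
    return make_ds(owner, flags, protocol, algorithm, key, digest_type) == (tag, alg, digest_type, digest)


# Constructed sample: a 64-byte placeholder "key", algorithm 13 (ECDSAP256SHA256), flags 257 (KSK).
PLACEHOLDER_KEY = bytes(range(64))
DNSKEY_RR = "example.com. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(PLACEHOLDER_KEY).decode()


def format_ds(owner: str, ds: tuple) -> str:
    tag, alg, dtype, digest = ds
    return f"{owner} 3600 IN DS {tag} {alg} {dtype} {digest}"


# The DS you would hand to the registrar for the sample key.
GOOD_DS = format_ds("example.com.", make_ds("example.com.", 257, 3, 13, PLACEHOLDER_KEY))
# A stale DS, e.g. one left behind after a KSK rollover: same algorithm, wrong tag and digest.
STALE_DS = "example.com. 3600 IN DS 12345 13 2 " + "00" * 32

if __name__ == "__main__":
    print(GOOD_DS)
    print("current DS matches KSK:", ds_matches(GOOD_DS, DNSKEY_RR))
    print("stale DS matches KSK:  ", ds_matches(STALE_DS, DNSKEY_RR))
```

To use it against a real zone, paste the DNSKEY with flags 257 returned by dig DNSKEY yourdomain into DNSKEY_RR and the DS returned by dig DS yourdomain (from the parent's servers, or via the registrar panel) into the first argument of ds_matches; a False result means validating resolvers will treat the zone as bogus.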
Email Authentication
Three DNS TXT records let receiving servers distinguish mail you actually sent from mail that merely claims your domain. Together they protect your brand against spoofing and help legitimate mail reach the inbox rather than the spam folder.
SPF
A TXT record at your domain listing the mail servers (by IP address, or through include, a and mx mechanisms) authorized to send email with your domain in the envelope sender (MAIL FROM). End the record with -all (fail) rather than ~all or +all, and keep it within the limit of 10 DNS lookups, beyond which receivers return a permanent error.
DKIM
Adds a digital signature to selected headers and the body of each message, made with a private key held by the sending server. The public key is published in a TXT record at selector._domainkey.yourdomain, so the receiver can verify that the signed parts were not modified and that the domain in the signature's d= tag vouched for the message.
DMARC
Published at _dmarc.yourdomain, DMARC tells receiving servers what to do when neither SPF nor DKIM passes with a domain aligned to the visible From: header (p=none, p=quarantine or p=reject) and where to send aggregate reports (rua=). Use p=reject for maximum security, but start at p=none with reporting enabled so you can find legitimate third-party senders before you reject their mail.
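What a receiving server does with the three records above, as an added example that is not from the original page: it parses the DMARC record, applies identifier alignment (RFC 7489), combines the SPF and DKIM results into a verdict, and lists settings that leave spoofed mail deliverable. The record, the domains and the public-suffix stand-in are constructed; real receivers use the full Public Suffix List to find the organizational domain.

```python
"""Added example (not from the original page): how a receiving server turns SPF and
DKIM results plus the DMARC record into a verdict (RFC 7489), and a check for weak
DMARC settings. Public-suffix handling is simplified to a constructed list."""

# Constructed stand-in for the Public Suffix List that real receivers use.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(domain: str) -> str:
    """Organizational domain: the public suffix plus one label (example.com for mail.example.com)."""
    labels = domain.lower().rstrip(".").split(".")
    for n in (2, 1):  # try the longer suffix first
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def parse_dmarc(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; rua=mailto:...' into a tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record (needs v=DMARC1 and p=)")
    return tags


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed) only the same organizational domain."""
    a = identifier.lower().rstrip(".")
    b = from_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_verdict(record: str, from_domain: str, spf_result: str, spf_domain: str,
                  dkim_result: str, dkim_domain: str, is_subdomain: bool = False):
    """Return ('pass', 'none') or ('fail', policy_to_apply).
    spf_domain is the MAIL FROM domain SPF evaluated; dkim_domain is the d= tag of a verified signature.
    is_subdomain means the From: domain had no DMARC record of its own and the
    organizational domain's record (with its sp= tag) is being applied."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return "fail", policy


def weaknesses(record: str) -> list:
    """Settings that leave spoofed mail deliverable or invisible to you."""
    tags = parse_dmarc(record)
    found = []
    if tags["p"] == "none":
        found.append("p=none: failures are only reported, never blocked")
    if int(tags.get("pct", "100")) < 100:
        found.append("pct<100: policy applied to only part of the failing mail")
    if tags["p"] == "reject" and tags.get("sp") in ("none", "quarantine"):
        found.append("sp weaker than p: subdomains can still be spoofed")
    if "rua" not in tags:
        found.append("no rua=: no aggregate reports, so you cannot see who is spoofing you")
    return found


# Constructed sample: From: header domain example.com, record published at _dmarc.example.com.
RECORD = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # 1. Legitimate mail: SPF passes for MAIL FROM bounce.example.com; relaxed alignment accepts it.
    print(dmarc_verdict(RECORD, "example.com", "pass", "bounce.example.com", "fail", ""))
    # 2. Spoofed mail: SPF passes only for the attacker's own domain, no DKIM -> reject.
    print(dmarc_verdict(RECORD, "example.com", "pass", "attacker.net", "fail", ""))
    # 3. DKIM signed with d=mail.example.com under adkim=s: not aligned, so SPF would have to carry it.
    print(dmarc_verdict(RECORD, "example.com", "fail", "attacker.net", "pass", "mail.example.com"))
    print(weaknesses("v=DMARC1; p=none; pct=50"))
```

Case 2 is the point of DMARC: SPF itself passes, because the attacker controls attacker.net, but the passing identifier is not aligned with the From: domain, so the message fails and p=reject applies.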
Certificate Authority Authorization (CAA)
CAA is a DNS record that lets you specify which Certificate Authorities (CAs) are permitted to issue certificates for your domain, so a CA you do not use cannot issue one to someone who manages to pass its domain validation. CAA is enforced only at issuance time: it does not affect certificates that already exist, so pair it with monitoring of Certificate Transparency logs to catch certificates issued before the record was in place.
Example Record
example.com. CAA 0 issue "letsencrypt.org"
The Benefit
The CA/Browser Forum Baseline Requirements require every publicly trusted CA to check CAA before issuing and to refuse issuance when it is not named in the relevant record set. That set is the closest one found when climbing from the requested name toward the root, so a record at the apex covers subdomains that publish none of their own. In the example, 0 is the flags field and issue is the tag; issue also governs wildcard certificates unless an issuewild tag is present, and a value of ";" forbids issuance entirely.
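The lookup a CA performs before issuing, as an added example that is not from the original page: it climbs from the requested name toward the root to find the relevant CAA set, then applies the issue and issuewild tags and the critical flag as described in RFC 8659. The zone below is constructed data standing in for DNS; it contains the page's example record plus an issuewild and an iodef record for illustration.

```python
"""Added example (not from the original page): the CAA check a CA performs before
issuing, per RFC 8659: find the relevant record set by climbing toward the root,
then apply the issue / issuewild tags. ZONE is constructed data standing in for DNS."""

# Constructed zone: owner name -> list of (flags, tag, value) CAA records.
ZONE = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),              # the record from the page
        (0, "issuewild", ";"),                        # no CA may issue wildcard certificates
        (0, "iodef", "mailto:security@example.com"),  # where CAs report refused requests
    ],
    "legacy.example.com.": [
        (0, "issue", ";"),                            # nothing may be issued for this name
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa(name: str, zone: dict):
    """Climb from name to the root; the closest name that has CAA records supplies the set that applies."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        owner = ".".join(labels) + "."
        if zone.get(owner):
            return owner, zone[owner]
        labels = labels[1:]
    return None, []


def may_issue(ca_id: str, name: str, zone: dict, wildcard: bool = False):
    """Decide whether the CA identified by ca_id may issue for name (or *.name when wildcard).
    Returns (allowed, reason)."""
    owner, rrset = relevant_caa(name, zone)
    if not rrset:
        return True, "no CAA records found: issuance is not restricted"
    # A critical flag (bit 0x80) on a tag the CA does not understand means it must not issue.
    for flags, tag, _ in rrset:
        if flags & 0x80 and tag.lower() not in KNOWN_TAGS:
            return False, f"{owner}: critical unknown tag {tag}"
    tag = "issuewild" if wildcard else "issue"
    entries = [v for _, t, v in rrset if t.lower() == tag]
    if wildcard and not entries:
        entries = [v for _, t, v in rrset if t.lower() == "issue"]  # no issuewild: issue governs wildcards too
    if not entries:
        return True, f"{owner}: no {tag} tag, issuance not restricted by CAA"
    for value in entries:
        issuer = value.split(";", 1)[0].strip().lower()  # parameters after ';' are ignored here
        if issuer and issuer == ca_id.lower():
            return True, f"{owner}: {tag} authorizes {issuer}"
    return False, f"{owner}: {tag} does not authorize {ca_id}"


if __name__ == "__main__":
    for ca, host, wild in [("letsencrypt.org", "www.example.com", False),
                           ("digicert.com", "www.example.com", False),
                           ("letsencrypt.org", "www.example.com", True),
                           ("letsencrypt.org", "legacy.example.com", False),
                           ("letsencrypt.org", "other.test", False)]:
        print(f"{ca:16} {'*.' if wild else ''}{host:20} -> {may_issue(ca, host, ZONE, wild)}")
```

Note the last case: a name with no CAA records anywhere up its chain is open to every CA, which is why the record belongs at the apex of each domain you own, not only on the hosts you currently serve.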
Registrar Locking
Always enable "Registrar Lock" (the EPP status clientTransferProhibited, set by your registrar) to prevent unauthorized transfers of your domain to another registrar. For high-value domains, consider "Registry Lock": the lock is held at the registry itself (statuses such as serverTransferProhibited, serverUpdateProhibited and serverDeleteProhibited) and can only be lifted through an out-of-band manual verification, so a compromised registrar account alone cannot change the domain. Confirm the statuses in the domain's WHOIS or RDAP output.
Two-Factor Authentication
A frequent cause of DNS hijacking is a compromised registrar or DNS provider account. Require multi-factor authentication on every account that can change your DNS or registration, preferring phishing-resistant hardware security keys (FIDO2/WebAuthn, such as a YubiKey) over TOTP apps, and avoiding SMS codes. Limit the number of people with change rights and turn on change notifications so that an unexpected edit is noticed quickly.