DNS Security Best Practices

DNS is the foundation everything else sits on — websites, email, and certificates all depend on it resolving correctly. These best practices walk through the controls that matter most, from securing your accounts to enabling DNSSEC and monitoring for unauthorized changes, with links to deeper guides for each.

1. Secure your registrar and DNS accounts

The accounts that control your domain are the highest-value target. Enforce two-factor authentication and strong, unique passwords on both your registrar and your DNS provider, grant edit access only to those who need it, and prefer single sign-on where available. Most serious DNS hijacking begins with a compromised account, not a clever protocol attack.

2. Enable a registrar (domain) lock

A registrar lock prevents unauthorized domain transfers and nameserver changes — a cheap, high-impact control. ZoneWatcher's domain lock monitor alerts you if the lock status ever changes.

3. Sign your zone with DNSSEC

DNSSEC adds cryptographic signatures so resolvers can verify that an answer really came from your zone, defeating most cache-poisoning and on-path spoofing. Keep an eye on the signing chain — an expired or mismatched key takes the whole domain offline. The DNSSEC monitor watches for broken, missing, or drifted signatures.

4. Restrict certificate issuance with CAA

A CAA record declares which certificate authorities are allowed to issue certificates for your domain, limiting an attacker's ability to mint a valid certificate for a lookalike site. The CAA monitor verifies the policy stays intact.

5. Lock down email authentication

Email runs on DNS too. Publish and maintain all three records that stop spoofing: SPF, DKIM, and DMARC. A DMARC policy stuck on p=none offers little protection — see SPF vs DKIM vs DMARC for how they fit together.

6. Audit and minimize your records

Every record is attack surface. Remove entries you no longer use, and pay particular attention to records pointing at external services — a forgotten one becomes a subdomain takeover waiting to happen. Always delete a DNS record before decommissioning the service it targets.
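As an added illustration of items 4 through 6 (not ZoneWatcher's code), the audit below runs over a constructed zone snapshot and flags a missing CAA record, a DMARC policy left on p=none, an SPF record without a terminal all mechanism, and CNAMEs that point at external services no longer in your inventory. The zone contents, the example.com names and the ACTIVE_SERVICES inventory are all assumed for the example.

```python
# Constructed zone snapshot for a hypothetical example.com; keys are (owner, type).
ZONE = {
    ("example.com.", "CAA"): ['0 issue "letsencrypt.org"'],
    ("example.com.", "TXT"): ["v=spf1 include:_spf.example.com -all"],
    ("_dmarc.example.com.", "TXT"): ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    ("old-blog.example.com.", "CNAME"): ["example.github.io."],
    ("shop.example.com.", "CNAME"): ["shops.myshopify.com."],
}

# Constructed inventory of external CNAME targets that are still in active use.
ACTIVE_SERVICES = {"shops.myshopify.com."}


def parse_dmarc(txt):
    """Split a DMARC TXT value into tag/value pairs, e.g. {'v': 'DMARC1', 'p': 'none'}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def audit_zone(zone, active_services, apex="example.com."):
    """Return a list of findings for the weak settings this page warns about."""
    findings = []
    # Item 4: without CAA, any certificate authority may issue for the domain.
    if not zone.get((apex, "CAA")):
        findings.append(f"no CAA record: any CA may issue certificates for {apex}")
    # Item 5: SPF must exist and end with a hard (-all) or soft (~all) fail.
    spf = [t for t in zone.get((apex, "TXT"), []) if t.startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record")
    elif spf[0].split()[-1] not in ("-all", "~all"):
        findings.append("SPF record does not end in -all or ~all")
    # Item 5: DMARC p=none only reports spoofed mail, it does not reject it.
    dmarc = zone.get(("_dmarc." + apex, "TXT"), [])
    if not dmarc:
        findings.append("no DMARC record")
    elif parse_dmarc(dmarc[0]).get("p", "none") == "none":
        findings.append("DMARC policy is p=none: spoofed mail is reported, not rejected")
    # Item 6: a CNAME to an external service you no longer use invites takeover.
    for (owner, rtype), values in zone.items():
        if rtype == "CNAME" and values[0] not in active_services:
            findings.append(f"{owner} -> {values[0]}: external target not in inventory (takeover risk)")
    return findings
```

Run `audit_zone(ZONE, ACTIVE_SERVICES)` to see the two findings the sample zone produces; feed it a real zone export and your own service inventory to apply the same checks.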

7. Monitor everything, continuously

Controls reduce risk but never eliminate it, and the damage from a DNS incident scales with how long it goes unnoticed. ZoneWatcher checks your records, nameservers, and domain registration around the clock and alerts you within minutes of any change — authorized or not. For teams that want a review step before changes go live, DNS change management adds approval workflows and an audit trail on top.
