Back to all questions

What are the Top DNS Best Practices for Security and Performance?

Roei Hazout
DNS (Domain Name System)
March 12, 2025

To secure and optimize your DNS, follow best practices that balance performance, resilience, and security. This includes using secure DNS services, minimizing attack surfaces, enforcing DNSSEC, and optimizing query handling

DNS is a common attack vector, so misconfigurations or weak setups can expose your infrastructure to threats like DNS poisoning, DDoS, and hijacking.

1. Use Secure, Reliable DNS Services

If your DNS provider isn't solid, your entire setup is at risk. A compromised DNS service can lead to downtime, hijacking, and data breaches.

Here's what I do:

  • I avoid ISP DNS servers - they're typically slow and vulnerable to browser fingerprinting techniques
  • Instead, I use secure providers like:
    • Cloudflare DNS (1.1.1.1, 1.0.0.1) - privacy-focused and DDoS-resistant
    • Google Public DNS (8.8.8.8, 8.8.4.4) - reliable global coverage
    • Quad9 (9.9.9.9) - blocks malicious domains automatically

For business applications, I recommend premium services:

  • AWS Route 53 - scales well with cloud services
  • Cloudflare Managed DNS - includes built-in security measures
  • Neustar UltraDNS - good for enterprise requirements

Why this matters: ISP DNS servers have a history of compromises (Turkish ISPs were caught redirecting queries). Poor DNS means your site disappears when it fails, and the right provider reduces latency for faster page loads.

Implementation is straightforward - just configure your routers and devices to use these secure providers, or if self-hosting, set up geographic redundancy and monitor performance with tools like DNSPerf.

2. Enforce DNSSEC to Prevent Spoofing & Poisoning

DNS spoofing redirects users to malicious sites without their knowledge. Without DNSSEC protection, your visitors could end up on a phishing page thinking it's your legitimate site.

I always:

  • Enable DNSSEC at the domain registrar level
  • Verify my DNS provider supports proper DNSSEC validation
  • Use NSEC3 hashing instead of NSEC to prevent zone enumeration
  • Rotate DNSSEC keys regularly

This matters because DNS cache poisoning is commonly used in surveillance and phishing. With DNSSEC, DNS records are cryptographically signed, ensuring responses come from authentic servers.

Most major providers (Cloudflare, AWS, Google) make DNSSEC activation simple. If you're running your own BIND or PowerDNS server, you'll need to generate and maintain ZSK and KSK keys. 

I like to test validation with dnssec-analyzer.verisignlabs.com.

3. Prevent DNS Amplification & DDoS Attacks

DNS servers are prime targets for DDoS attacks, where attackers send forged queries that make your server flood a victim with massive amounts of traffic. Web fingerprinting attacks often begin with DNS reconnaissance.

My approach:

  • Disable recursion on authoritative DNS servers
  • Implement rate limiting to block excessive queries from single sources
  • Use Anycast DNS to distribute traffic globally
  • Configure Response Rate Limiting (RRL) on BIND and Unbound

This is critical because attackers can send small DNS queries with a spoofed IP, generating responses up to 70 times larger. The result is a denial-of-service that can take down your services.

For implementation, if self-hosting:

  • In BIND: Add allow-recursion { none; }; to named.conf.options
  • In PowerDNS: Set allow-recursion=no
  • Enable rate limiting in Unbound with appropriate settings
  • Or use DDoS-protected services from Cloudflare, Neustar, or Akamai

4. Use Split-Horizon DNS for Internal & External Queries

Exposing internal DNS records publicly is a major security mistake. Your public-facing DNS should only resolve what external users genuinely need.

I recommend:

  • Implementing split-horizon DNS to separate public and internal zones
  • Restricting internal DNS queries to internal resolvers
  • Never exposing internal hostnames, private IPs, or admin portals in public records

The reason is that public DNS records containing internal information give attackers a blueprint of your network. Corporate intranets, admin panels, and internal services should remain hidden.

To implement with BIND or PowerDNS, create separate views:

view "internal" {
    match-clients { 192.168.0.0/16; };
    zone "company.local" {
        type master;
        file "/etc/bind/internal.zone";
    };
};

With Active Directory DNS, disable zone transfers and restrict queries to internal IPs only.

5. Implement DNS Logging & Monitoring

DNS is often overlooked in monitoring, but the queries reveal valuable intelligence about threats including malware, command-and-control communications, and data exfiltration attempts.

My monitoring setup includes:

  • Full DNS query logging (on BIND, Unbound, PowerDNS, or Windows Server)
  • SIEM solutions (like Splunk, ELK, or Wazuh) to analyze DNS patterns
  • Alerts for unusual NXDOMAIN responses that might indicate C2 traffic
  • Real-time DNS threat intelligence from services like Cloudflare Gateway

This matters because malware frequently uses DNS tunneling to exfiltrate data, and ransomware campaigns rely on DNS lookups to communicate with command servers. 

Proper logging helps detect attacks in real-time.

Enable logging in BIND with:

logging {
    channel default_log {
        file "/var/log/named.log" versions 3 size 5m;
        severity info;
        print-time yes;
    };
};

I also recommend using Pi-hole or OpenDNS to actively block known malicious domains and correlating DNS logs with endpoint security tools.

6. Restrict Zone Transfers to Prevent Data Leaks

DNS zone transfers are designed for backup and redundancy, but misconfiguration can leak all your domain records to potential attackers.

My standard practice:

  • Restrict zone transfers to authorized IP addresses only
  • Disable zone transfers completely if not required
  • Use TSIG (Transaction Signatures) for authentication when transfers are necessary

This is important because zone files provide attackers with a complete map of your network, making it easier to target internal services. Many organizations accidentally leave these transfers open.

In BIND, restrict transfers with:

options {
    allow-transfer { none; };
};

If transfers are needed, limit them to trusted secondary servers:
zone "example.com" {
    type master;
    allow-transfer { 192.168.1.2; };
};

For additional security, TSIG authentication to sign transfer requests is essential.

7. Use TTL Settings Strategically

DNS TTL (Time-to-Live) determines how long records are cached before refreshing. Setting these values incorrectly impacts performance, redundancy, and failover capabilities.

My approach:

  • Use low TTLs (30-300 seconds) for dynamic records and load balancers
  • Use high TTLs (86400 seconds or more) for static records like MX records
  • Reduce TTLs before planned DNS changes for faster propagation

This strategy matters because high TTLs improve performance but delay updates, while low TTLs allow quick changes but increase query load. 

For failover systems, shorter TTLs ensure users switch to backup IPs quickly during outages.

For active websites:

example.com.  300  IN  A  192.168.1.10

For mail servers (static records):

mail.example.com.  86400  IN  MX  10 mailserver.example.com.

Before migrations, I always lower TTLs 24-48 hours in advance.

8. Block Malicious Domains with DNS Filtering

DNS is your first defense against malware and phishing. By filtering malicious domains, you prevent users from visiting dangerous sites before they even load.

I recommend:

  • DNS filtering services including:
    • Quad9 (9.9.9.9) - blocks known malicious sites
    • Cloudflare Gateway - enforces security policies
    • Cisco Umbrella - enterprise-grade filtering
  • Internal DNS blacklists for corporate environments
  • Monitoring logs for suspicious lookups (especially random-looking subdomains)

This is effective because phishing campaigns and malware rely on DNS queries for their operation. DNS filtering stops threats before execution, making it a proactive security layer that can prevent browser fingerprinting javascript from loading.

Configure your router to use Quad9, Cloudflare Gateway, or OpenDNS, or set up Pi-hole with a blacklist:

0.0.0.0 badsite.com0.0.0.0 malware.com

Always monitor logs for suspicious queries, especially domains with random characters that could indicate command-and-control servers.

9. Secure Dynamic DNS Updates

Dynamic DNS automatically updates records for devices with changing IPs. Without proper security, attackers can inject fake DNS records and hijack legitimate services.

My security measures:

  • Disable DDNS unless absolutely necessary
  • Use TSIG authentication to verify all updates
  • Restrict DDNS updates to trusted internal hosts only

This matters because attackers can inject rogue records to redirect traffic to fake services, and misconfigured DDNS can expose internal information to external threats.

To disable DDNS in BIND:

options {
    allow-update { none; };
};

If DDNS is required, use TSIG authentication:

key mykey {
    algorithm hmac-sha256;
    secret "BASE64-ENCODED-SECRET";
};

zone "example.com" {
    type master;
    allow-update { key mykey; };
};

Always monitor logs for unauthorized DDNS attempts.

10. Implement DNS Over HTTPS (DoH) or DNS Over TLS (DoT)

Standard DNS queries are unencrypted, making them vulnerable to interception and modification by ISPs, attackers, or governments. DoH and DoT encrypt these queries to prevent man-in-the-middle attacks and website fingerprinting.

I use:

  • DoH or DoT on all client devices and resolvers
  • DoH-enabled resolvers including:
    • Cloudflare (1.1.1.1)
    • Google (8.8.8.8)
    • NextDNS (with customizable blocking)
  • Internal deployment via dnscrypt-proxy or Pi-hole

This encryption prevents ISPs and attackers from hijacking queries to redirect users, stops government censorship through DNS interception, and ensures both integrity and privacy of DNS traffic.

In Windows 11, enable DoH through: Settings → Network & Internet → Wi-Fi → Hardware properties → Preferred DNS encryption

On Linux, configure DoH with Cloudflare:

systemd-resolve --set-dns=1.1.1.1 --set-dnssec=true

For corporate networks, I recommend setting up an internal DoH proxy using dnscrypt-proxy, NextDNS, or Pi-hole.