Understanding DNS Security: Why Your Connection Starts Before You Click
DNS is the phone book of the internet. If it's compromised, every site you visit could be sent somewhere malicious. Here's how DNS attacks work and how DNSSEC helps.
Emil Gheonea
Software engineer & founder of LinkThreatScan · 1 March 2026
When you type a URL into your browser, the first thing that happens isn't a connection to the website — it's a DNS lookup. Your device asks a resolver 'what is the IP address for this domain?' and then connects to whatever answer it receives. This process happens in milliseconds, invisibly, every single time. And it's a prime target for attackers.
How DNS works
The Domain Name System is a hierarchical, distributed database. Your ISP (or a public resolver like 8.8.8.8) queries a chain of nameservers — root servers, TLD nameservers (.com, .co.uk, etc.), and finally the authoritative nameserver for the domain — to resolve a hostname to an IP address. The response is cached for a period defined by the TTL (Time To Live) value in the DNS record.
DNS cache poisoning
In a cache poisoning attack, an attacker tricks a DNS resolver into accepting a forged response, associating a legitimate domain name with a malicious IP address. Anyone using that resolver will then be sent to the attacker's server instead of the real one — even if they typed the correct URL. This was a widespread problem before DNSSEC and is still possible against misconfigured resolvers.
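The check a validating resolver applies before caching anything is what makes a forged response hard to slip in: the reply must carry the same 16-bit transaction ID as the outstanding query, the QR bit must be set, and the question section must match exactly. The Python below is an added example, not code from the article or from LinkThreatScan; the query builder, the minimal A-record reply and the documentation-range address 192.0.2.1 are constructed here purely to exercise the matching logic. Real resolvers also randomise the UDP source port, which this example does not model.

```python
import random
import struct
from typing import Optional, Tuple


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a single-question DNS query with RD set; txid defaults to a CSPRNG value."""
    if txid is None:
        txid = random.SystemRandom().randrange(0, 1 << 16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(msg: bytes) -> Tuple[int, int, str, int, int]:
    """Return (txid, flags, qname, qtype, qclass) from a message's header and first question."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos = 12  # header is 12 bytes
    labels = []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name not supported here")
        labels.append(msg[pos:pos + length].decode("ascii").lower())
        pos += length
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return txid, flags, ".".join(labels) + ".", qtype, qclass


def response_matches(query: bytes, response: bytes) -> bool:
    """Accept a response only if it answers exactly this outstanding query."""
    q_id, _, q_name, q_type, q_class = parse_question(query)
    r_id, r_flags, r_name, r_type, r_class = parse_question(response)
    if not r_flags & 0x8000:  # QR bit must be set on a response
        return False
    return (q_id, q_name, q_type, q_class) == (r_id, r_name, r_type, r_class)


def build_answer(query: bytes, txid: int, ip: str, ttl: int = 300) -> bytes:
    """Constructed minimal A-record reply for the query's name (demo data, not a resolver)."""
    _, _, name, qtype, qclass = parse_question(query)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    question = encode_name(name) + struct.pack("!HH", qtype, qclass)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    q = build_query("example.com", txid=0x1234)
    print(response_matches(q, build_answer(q, 0x1234, "192.0.2.1")))  # genuine reply
    print(response_matches(q, build_answer(q, 0x1235, "192.0.2.1")))  # wrong transaction ID
```

The transaction ID alone gives only 65,536 possibilities, which is why the question-section check and source-port randomisation matter; a resolver that skips any of these is the "misconfigured resolver" the paragraph above refers to.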
What is DNSSEC?
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records. Each record is signed with a private key, and the corresponding public key is published in the DNS itself. Resolvers that support DNSSEC validation can verify that the record they received was signed by the zone's legitimate operator and hasn't been tampered with. Without DNSSEC, there's no cryptographic proof that a DNS response is authentic.
The DNSSEC chain of trust
DNSSEC works as a chain. The DNS root zone is signed. Each TLD (.com, .net, etc.) is signed and its signature verifiable by the root. Each domain is signed and its signature verifiable by the TLD. A break anywhere in this chain — for example, a domain that has signed its zone but whose parent TLD doesn't recognise the delegation — results in validation failure. Our scanner checks the entire chain from root to target.
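The link between a parent and child zone in that chain is the DS record: the parent publishes a digest of the child's key-signing DNSKEY, and a validator checks that some DNSKEY the child serves actually hashes to it. The Python below is an added example, not the article's or LinkThreatScan's code, implementing the key-tag computation (RFC 4034 Appendix B) and the SHA-256 DS digest (RFC 4034 section 5.1.4 with digest type 2) over constructed key material (the key bytes are arbitrary, not a real ECDSA key). It checks only the DS-to-DNSKEY link; verifying the RRSIG signatures themselves needs a public-key library and is not shown.

```python
import hashlib
import struct
from typing import Dict, List


def wire_name(name: str) -> bytes:
    """Canonical (lower-case) wire-format owner name, as used in DS digest input."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """Assemble DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm, key material."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = hash(owner name wire form || DNSKEY RDATA); type 2 is SHA-256."""
    if digest_type != 2:
        raise ValueError("only SHA-256 (digest type 2) is implemented in this example")
    return hashlib.sha256(wire_name(owner) + rdata).digest()


def delegation_is_linked(owner: str, parent_ds: Dict, child_dnskeys: List[bytes]) -> bool:
    """True if a DNSKEY served by the child matches the DS the parent publishes for it."""
    for rdata in child_dnskeys:
        flags, _, algorithm = struct.unpack("!HBB", rdata[:4])
        if not flags & 0x0100:  # Zone Key flag (bit 7) must be set
            continue
        if algorithm != parent_ds["algorithm"] or key_tag(rdata) != parent_ds["key_tag"]:
            continue
        if ds_digest(owner, rdata, parent_ds["digest_type"]) == parent_ds["digest"]:
            return True
    return False


# Constructed key material: arbitrary 64-byte strings standing in for P-256 keys (algorithm 13).
KSK = dnskey_rdata(flags=257, protocol=3, algorithm=13, public_key=bytes(range(64)))
ZSK = dnskey_rdata(flags=256, protocol=3, algorithm=13, public_key=bytes(range(64, 128)))
OLD_KSK = dnskey_rdata(flags=257, protocol=3, algorithm=13, public_key=bytes(range(128, 192)))

# DS the parent should publish for the current KSK.
GOOD_DS = {"key_tag": key_tag(KSK), "algorithm": 13, "digest_type": 2,
           "digest": ds_digest("example.com.", KSK)}
# DS left over from a key the child has rotated away: the chain breaks here.
STALE_DS = {"key_tag": key_tag(OLD_KSK), "algorithm": 13, "digest_type": 2,
            "digest": ds_digest("example.com.", OLD_KSK)}

if __name__ == "__main__":
    print(delegation_is_linked("example.com.", GOOD_DS, [KSK, ZSK]))   # True
    print(delegation_is_linked("example.com.", STALE_DS, [KSK, ZSK]))  # False
```

The STALE_DS case is the "parent doesn't recognise the delegation" failure the paragraph describes: the child is signed, but nothing it serves hashes to what the parent published, so a validating resolver returns SERVFAIL for the whole zone.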
DNS over HTTPS and DNS over TLS
Traditional DNS queries are sent in plain text — anyone on the network path can see what domains you're looking up. DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt the query, protecting your browsing activity from surveillance at the network level. Major browsers now support DoH natively. These technologies complement DNSSEC — they protect privacy, while DNSSEC protects authenticity.
Red flags in DNS configuration
During a scan, we look for several DNS anomalies: recently changed nameservers (a common indicator of domain hijacking), missing DNSSEC signatures, wildcard DNS records (which can mask phishing subdomains), unusually low TTLs (which may indicate dynamic redirection), and suspicious mail exchanger (MX) records that could enable email spoofing.
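Those anomalies are all mechanical checks over a zone snapshot, so they can be expressed as a small rule set. The Python below is an added example and is not LinkThreatScan's own scanner or data model: the snapshot layout, the thresholds (nameserver change within 30 days, TTL under 60 seconds) and the two sample zones are all constructed for illustration. It goes slightly beyond the list above by treating an MX record without SPF or DMARC TXT records as the concrete form of "MX records that could enable email spoofing".

```python
from datetime import date
from typing import Dict, List

# Constructed zone snapshots in a shape invented for this example.
SUSPECT_ZONE = {
    "ns_changed_on": date(2026, 2, 24),
    "has_ds": False,
    "has_rrsig": False,
    "names": {
        "example.com.": [("A", 30, "192.0.2.10"), ("MX", 3600, "mail.example.com.")],
        "*.example.com.": [("A", 3600, "192.0.2.10")],
    },
}

CLEAN_ZONE = {
    "ns_changed_on": date(2024, 6, 1),
    "has_ds": True,
    "has_rrsig": True,
    "names": {
        "example.net.": [("A", 3600, "192.0.2.20"), ("MX", 3600, "mail.example.net."),
                         ("TXT", 3600, "v=spf1 mx -all")],
        "_dmarc.example.net.": [("TXT", 3600, "v=DMARC1; p=reject")],
    },
}


def dns_red_flags(zone: Dict, today: date, recent_days: int = 30, low_ttl: int = 60) -> List[str]:
    """Return human-readable findings for the heuristics listed in the article."""
    findings = []

    # Recently changed nameservers are a common sign of domain hijacking.
    changed = zone.get("ns_changed_on")
    if changed is not None and (today - changed).days <= recent_days:
        findings.append(f"nameservers changed {(today - changed).days} days ago")

    # No DS at the parent or no RRSIGs in the zone means no verifiable chain of trust.
    if not (zone.get("has_ds") and zone.get("has_rrsig")):
        findings.append("no DNSSEC chain: DS or RRSIG records missing")

    names = zone["names"]
    for owner, rrset in names.items():
        # Wildcards answer for any subdomain, which can mask phishing hostnames.
        if owner.startswith("*."):
            findings.append(f"wildcard record at {owner}")
        for rtype, ttl, _ in rrset:
            # Very low TTLs allow an address to be swapped out almost instantly.
            if rtype in ("A", "AAAA", "CNAME") and ttl < low_ttl:
                findings.append(f"low TTL {ttl}s on {owner} {rtype}")
            # Mail is accepted here, but nothing tells receivers who may send as this domain.
            if rtype == "MX":
                txts = [v for t, _, v in rrset if t == "TXT"]
                if not any(v.startswith("v=spf1") for v in txts):
                    findings.append(f"MX at {owner} but no SPF record")
                dmarc = names.get("_dmarc." + owner, [])
                if not any(t == "TXT" and v.startswith("v=DMARC1") for t, _, v in dmarc):
                    findings.append(f"MX at {owner} but no DMARC record")
    return findings


if __name__ == "__main__":
    for finding in dns_red_flags(SUSPECT_ZONE, date(2026, 3, 1)):
        print("-", finding)
```

None of these findings is proof of compromise on its own; a legitimate CDN-fronted domain may well have low TTLs and a wildcard, which is why a scanner reports them as indicators to weigh together rather than as verdicts.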
About the author
Emil Gheonea is a software engineer and the solo developer behind LinkThreatScan. He built this tool out of a genuine need for a fast, transparent, and free way to assess whether a link is safe before clicking it. He writes about web security topics to help everyday users and developers make better decisions online.