DNSSEC Not Enabled
DNSSEC is not enabled, allowing DNS spoofing/poisoning attacks to redirect users to malicious servers.
What is DNSSEC Not Enabled?
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, allowing resolvers to verify that DNS responses are authentic. Without DNSSEC, an attacker who can spoof DNS responses (via cache poisoning, DNS hijacking, or BGP attacks) can redirect your users to a malicious server that looks identical to yours.
Why It Matters to Your Business
DNS spoofing attacks can redirect users to phishing sites that look identical to yours, even with valid SSL certificates (if the attacker obtains a certificate for a lookalike domain). DNSSEC prevents this by cryptographically signing DNS records.
How to Fix It
Enable DNSSEC at your DNS provider: Cloudflare (free, automatic): 1. Log in to Cloudflare dashboard 2. Select your domain 3. DNS → DNSSEC → Enable 4. Copy the DS record to your registrar AWS Route 53: 1. Route 53 → Hosted zones → your domain 2. DNSSEC signing → Enable 3. Add the DS record at your registrar Namecheap, GoDaddy, etc.: Look for DNSSEC settings in the domain management panel Verify with: dig +dnssec yourdomain.com
Technical Classification
| OWASP Category | A05:2021 — Security Misconfiguration |
| CWE ID | CWE-345: Insufficient Verification of Data Authenticity |
| Detected By | dnssec scanner(s) |
| Severity Level | medium |
How 2MNY Security Can Help
Check if your website has this vulnerability
Our dnssec scanner checks for this issue automatically.
Scan My Website Free