medium DNS

DNSSEC Not Enabled

DNSSEC is not enabled, allowing DNS spoofing/poisoning attacks to redirect users to malicious servers.

Severity
medium
Time to Fix
30 minutes
Difficulty
medium
OWASP
A05:2021 — Security Misconfiguration

What is DNSSEC Not Enabled?

DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, allowing resolvers to verify that DNS responses are authentic. Without DNSSEC, an attacker who can spoof DNS responses (via cache poisoning, DNS hijacking, or BGP attacks) can redirect your users to a malicious server that looks identical to yours.

Why It Matters to Your Business

DNS spoofing attacks can redirect users to phishing sites that look identical to yours, even with valid SSL certificates (if the attacker obtains a certificate for a lookalike domain). DNSSEC prevents this by cryptographically signing DNS records.

How to Fix It

Enable DNSSEC at your DNS provider:

Cloudflare (free, automatic):
  1. Log in to Cloudflare dashboard
  2. Select your domain
  3. DNS → DNSSEC → Enable
  4. Copy the DS record to your registrar

AWS Route 53:
  1. Route 53 → Hosted zones → your domain
  2. DNSSEC signing → Enable
  3. Add the DS record at your registrar

Namecheap, GoDaddy, etc.:
  Look for DNSSEC settings in the domain management panel

Verify with: dig +dnssec yourdomain.com

Technical Classification

OWASP CategoryA05:2021 — Security Misconfiguration
CWE IDCWE-345: Insufficient Verification of Data Authenticity
Detected Bydnssec scanner(s)
Severity Levelmedium

How 2MNY Security Can Help

Check if your website has this vulnerability

Our dnssec scanner checks for this issue automatically.

Scan My Website Free