A curated list of awesome DNS security tools, techniques, and educational resources for developers, security professionals, and enthusiasts.
- Overview
- Introduction to DNS
- DNS Security Standards
- DNS Tools
- DNS Monitoring and Analysis
- DNS Firewalls and Filtering
- DNS Tunneling Detection and Prevention
- DNSSEC (DNS Security Extensions)
- DNS Amplification Attack Mitigation
- Educational Resources
- Articles & Papers
- Threat Intelligence
- Additional Tools
The Domain Name System (DNS) is the cornerstone of the internet’s address system. Still, its open nature makes it a frequent target for attacks such as DNS spoofing, DNS cache poisoning, amplification DDoS, and DNS tunneling. This list provides resources and tools to enhance DNS security, monitor DNS traffic, detect malicious usage, and deploy proper defenses.
DNS is a core internet protocol that translates human-readable domain names into IP addresses. To start with the basics, here are some great introductory resources:
- howdns.works - Visual and fun explanation of DNS concepts.
- A warm welcome to DNS - Beginner-friendly introduction to DNS by PowerDNS.
- 35C3 - Domain Name System - A detailed video lecture on DNS.
- Let's hand write DNS messages - Learn how DNS messages are structured at a low level.
- DNS for Rocket Scientists - A comprehensive guide to mastering DNS.
- Introduction to DNS - An introduction to DNS by David Bombal.
- Everything about DNS - Explanation on how DNS works by ByteByteGo.
- RFC 4033-4035: DNSSEC - Defines DNS Security Extensions (DNSSEC) for authenticating DNS data.
- RFC 8484: DNS over HTTPS (DoH) - Encrypt DNS requests over HTTPS to avoid eavesdropping and tampering.
- RFC 8310: DNS over TLS (DoT) - DNS over TLS, another method to encrypt DNS traffic.
- RFC 7871: EDNS0 Client Subnet - Preserves user privacy while using the EDNS0 client subnet option.
- dnstwist - Identify phishing domains and potential typo-squatting domains by generating variations of a domain name.
- dnsdiag - Perform DNS diagnostics and health checks.
- DNS Reaper - An advanced DNS misconfiguration scanner designed for DevSecOps, with support for cloud infrastructure.
- DNSx - Powerful DNS toolkit for resolving, brute-forcing, and DNS recon.
- Fierce - DNS reconnaissance tool to find hidden servers.
- DSAT - Security analysis of DNS configurations for multiple domains.
- Internet.nl - Check whether a domain/website uses modern Internet Standards.
- DNS Inspect - A free web tool that checks your domain's servers for common DNS and mail errors and generates a report explaining how to fix them.
- dnssec - Performs DNS security audits against a DNS server IP supplied by the user, so it can act as a DNS security scanner.
- EDUdig - Web-based DNS troubleshooting tool.
- dnstop - Monitor DNS traffic for analysis and statistics.
- Zeek (formerly Bro) - Network analysis framework with a DNS analyzer for security monitoring.
- Case study on DNS anomaly with Zeek - Using Zeek to find persistent threats by monitoring DNS anomalies.
- Suricata - Open-source IDS/IPS with built-in DNS logging and analysis capabilities.
- Passive DNS - Query historical DNS records to understand domain resolution patterns.
- Grafana Template on DNS - A Grafana DNS analysis template that uses the Prometheus data source.
- ELK DNS tunneling
- Microsoft DNS analytics with ELK
- DNS analysis with Graylog
- DNS queries - Walk Softly and Carry 26 Trillion Sticks - DFIR Summit 2015 - OpenDNS case study on 71 Billion DNS queries per day
- DEF CON 29 - Justin Perdok - Hi Im DOMAIN Steve, Please Let Me Access VLAN2
- DEF CON 29 - Tianze Ding - Vulnerability Exchange: One Domain Account For More Than Exchange Server
- Threatpost @ Black Hat USA 2021: A New Class of DNS Vulnerabilities
- How Great is the Great Firewall? Measuring China's DNS Censorship
- Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS
- code.talks 2018 Everything about DNS you never dared to ask!
- RSA Conference - Power of DNS as an Added Defense Against Modern Attacks
- mWISE Conference (from Mandiant) - Taking Over Domains - Dangling DNS
- All about DNS from DNS OARC
- Pi-hole - A DNS-based filtering tool that blocks ads and malicious domains.
- Quad9 - Free public DNS resolver with threat filtering.
- Cisco Umbrella - DNS-layer security service with filtering for malware and phishing domains.
- Iodine - A DNS tunneling tool for testing the security of DNS tunnels.
- dnscat2 - A tool for establishing tunnels via DNS, often used for exfiltration and backdoor communication.
- DNSCrypt - Authenticate DNS traffic to prevent man-in-the-middle attacks.
- DNSViz - A graphical tool for visualizing DNSSEC configurations and issues.
- OpenDNSSEC - A DNSSEC key and zone management tool.
- PowerDNS DNSSEC - PowerDNS setup guide for enabling DNSSEC.
- dnsmasq - A caching DNS forwarder that limits the size of responses, preventing DNS amplification attacks.
- Anycast DNS - Mitigate DNS DDoS using Anycast technology.
- Rate-Limiting DNS Resolvers - Implement rate-limiting to prevent DNS amplification attacks.
- DNS Security Fundamentals - Comprehensive guide to DNS security challenges and solutions.
- DNS-OARC Workshops - Hands-on workshops focused on operational DNS security topics.
- ICANN DNS Security Training - Free training on DNS operations, threats, and protocol issues.
- The State of DNS Security Report - Insights into the latest DNS threats and defenses.
- DNS Cache Poisoning Resurgence - An analysis of modern DNS cache poisoning attacks.
- Detecting DNS Tunneling - Academic paper on techniques for DNS tunneling detection.
- Sub-domain Take over - A Guide To Subdomain Takeovers.
- DNS Evaluation - History of DNS by Geoff Huston.
- DNS infrastructure resilience - A case study of 12 years of DNS infrastructure reformation.
- SecurityTrails - Comprehensive threat intelligence platform with DNS and IP intelligence.
- DNSDB - Passive DNS threat intelligence platform by Farsight Security.
- massdns - High-performance DNS resolver for massive lookups.
- dnsrecon - DNS enumeration tool.
- dnschef - Highly configurable DNS proxy for testing and research.
Contributions are welcome! Please open a pull request to add any new tools, articles, or educational resources.