DNSSEC, DoT, DoH and ADoT Explained

What is DNSSEC? #

DNSSEC (Domain Name System Security Extensions) protects DNS responses from tampering by using cryptographic signatures. It ensures that DNS data received by resolvers is authentic and has not been modified in transit.

Without DNSSEC, attackers can perform DNS cache poisoning attacks that redirect users to malicious websites or phishing infrastructure.

Benefits of DNSSEC

• Prevents fake websites by verifying DNS responses.
• Protects users from phishing redirection attacks.
• Ensures DNS integrity using cryptographic signatures.
• Protects brand reputation by preventing DNS manipulation.

What Attacks Does DNSSEC Mitigate? #

• DNS Cache Poisoning – attackers inject malicious DNS responses.
• DNS Spoofing – forged DNS responses redirect users to fake servers.
• Man-in-the-Middle DNS attacks – interception and modification of DNS responses.

The DNSSEC Chain of Trust #

DNSSEC validation relies on a hierarchical chain of trust starting from the DNS root zone and extending through TLDs to individual domains.

• Zone signing keys (ZSK) sign DNS records.
• Key signing keys (KSK) sign the DNSKEY records.
• Delegation signer (DS) records link child zones to parent zones.

Example: validating DNSSEC with dig #

The following query asks for the IPv4 address of ietf.org and requests DNSSEC data. The AD flag in the answer means the resolver validated the DNSSEC chain of trust successfully.

dig ietf.org A +dnssec

; <<>> DiG 9.18.44-1~deb12u1-Debian <<>> ietf.org A +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57765
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 75b195e0ab7f36520100000069ac7a4fcb810f5db831d99d (good)
;; QUESTION SECTION:
;ietf.org.			IN	A

;; ANSWER SECTION:
ietf.org.		300	IN	A	104.16.45.99
ietf.org.		300	IN	A	104.16.44.99
ietf.org.		300	IN	RRSIG	A 13 2 300 20260308201943 20260306181943 34505 ietf.org. MHhO/MFn0nA0iuvIeJ7XiUwfMMqhUOGwphtSF0+NLdsKKA0yCDvirGNw N+WoTT3+lXANKG97u+W0Txwu60e66w==

;; Query time: 33 msec
;; SERVER: 190.185.105.10#53(190.185.105.10) (UDP)
;; WHEN: Sat Mar 07 16:19:43 -03 2026
;; MSG SIZE  rcvd: 201

In this example, the key indicators are:

• ad: Authenticated Data, meaning the resolver validated the DNSSEC signatures.
• RRSIG: the DNSSEC signature covering the A record set.
• flags: do: the client requested DNSSEC-related records.

Which DNS Security Technology Should You Use?

• DNSSEC protects DNS integrity.
• DoT encrypts DNS queries.
• DoH hides DNS traffic within HTTPS.
• ADoT provides authenticated encrypted DNS.

Related DNS Topics

• What is DNS?
• What is DANE ?
• What is ADoT ?