DNS has a big security impact. DNS is in part responsible for your traffic reaching the correct host on the internet. But there is more to DNS then name resolution. I am going to mention a few security relevant record types here, in no particular order:
DNSSEC (DNSKEY, RRSIG, DS…)
That is probably the most obvious security related feature. DNSSEC is use to digitaly sign DNS records. It protects the integrity of DNS responses. Note that DNSSEC does do nothing to protect the confidentiality of the data. DNS requests are not affected by DNSSEC either. There are a few different records related to DNSSEC:
DNSKEY: DNS records used to retrieve the public key used to verify the DNS signatures.
RRSIG: Signature for a particular DNS records
DS: Hash of a key, used to verify the key integrity.
DMARC, SPF, DKIM
While there was at one point a proposal for a dedicated SPF record type, these email security features are all using TXT records. SPF to designate authorized mail servers allowed to send email for a particular domain. DKIM offers public keys that can be used to verify DKIM signatures and DMARC records will indicate what to do with email that does not pass DKIM and/or SPF verifaction.
CAA
The “Certificate Authorization Authority” record will list certificate authorities that may issue certificates for a particular domain. This record is checked by certificate authorities before issuing a certificates. TLS clients, like browsers, will not verify this record. The CAA record may also include an email address to notify if a certificate request was rejected due to the CAA record.
HTTPS
This record type can assist in setting up HTTPS connection. If may indicate supported HTTP versions. For security, it will indicate support for encrypted client hellos (ECH). But this feature has not been used much so far.
Any other record types I missed?
—
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.