Domain(s) not protected with DNSSEC
What has been found
Domain(s) not protected with DNSSEC.
One or more domains are not protected with DNSSEC. Domains lacking DNSSEC are not digitally signed, so resolvers have no way to verify that the answers they receive are authentic, leaving them vulnerable to DNS cache poisoning, spoofing, and other forms of DNS manipulation.
Why this is a potential risk
Without DNSSEC, attackers can forge DNS responses, redirect users to malicious sites, intercept traffic, or manipulate email delivery. This can lead to phishing, malware distribution, data exfiltration, and unauthorised access. Domains exposed without DNSSEC increase the risk of compromise and make the organisation more susceptible to attacks that exploit trust in domain resolution.
Potential solutions/Improvements
- Enable DNSSEC: Configure DNSSEC on all public domains to ensure responses are cryptographically signed.
- Use a supporting DNS provider: If current DNS services do not support DNSSEC, migrate to a provider that does.
- Review DNS policies: Ensure domain and record management follows security best practices.
How to verify it is resolved
- Use external DNS testing tools to confirm DNSSEC is active.
- Verify that DNS responses are signed and resolvers can validate them.
- Review DNS provider configuration to ensure DNSSEC keys are managed and rotated securely.
- Monitor for anomalous DNS activity that could indicate manipulation attempts.
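As an added example (not part of this finding), the following Python script classifies a domain's DNSSEC state from saved `dig +dnssec <domain> A @<validating-resolver>` output: it checks that the query carried the DO bit, that the answer carries an RRSIG for the queried type, and that the resolver set the AD flag. The sample outputs, the domain example.test and the signature value are constructed; the parser assumes dig's standard text layout.

```python
import re

# Constructed sample: a signed zone answered by a validating resolver
# (dig +dnssec example.test A @resolver), header and answer sections only.
SIGNED_SAMPLE = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 1232
;; ANSWER SECTION:
example.test. 300 IN A 192.0.2.10
example.test. 300 IN RRSIG A 13 2 300 20250101000000 20241201000000 12345 example.test. c29tZXNpZw==
"""

# Constructed sample: an unsigned zone (no RRSIG, no AD flag).
UNSIGNED_SAMPLE = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 1232
;; ANSWER SECTION:
example.test. 300 IN A 192.0.2.10
"""

HEADER_FLAGS = re.compile(r"^;; flags: ([a-z ]*);", re.M)                  # e.g. qr rd ra ad
EDNS_FLAGS = re.compile(r"^; EDNS: version: \d+, flags:([a-z ]*);", re.M)  # e.g. do

def parse_dig(output):
    """Extract header flags, EDNS flags and the RR types covered by an RRSIG."""
    hdr = HEADER_FLAGS.search(output)
    edns = EDNS_FLAGS.search(output)
    rrsig_types = set()
    for line in output.splitlines():
        f = line.split()
        if len(f) >= 5 and f[2] == "IN" and f[3] == "RRSIG":
            rrsig_types.add(f[4])  # the type this signature covers
    return {"ad": "ad" in (hdr.group(1).split() if hdr else []),
            "do": "do" in (edns.group(1).split() if edns else []),
            "rrsig_types": rrsig_types}

def dnssec_status(output, qtype="A"):
    """Return 'inconclusive', 'unsigned', 'validated' or 'signed-not-validated'."""
    r = parse_dig(output)
    if not r["do"]:
        # Query was sent without the DO bit: the resolver omits RRSIGs, so
        # their absence proves nothing. Re-run with +dnssec.
        return "inconclusive"
    if qtype not in r["rrsig_types"]:
        return "unsigned"          # the finding on this page
    if r["ad"]:
        return "validated"         # signed and the resolver verified the chain
    # Signed but AD not set: the resolver is not validating, or the chain of
    # trust is broken (for example no DS record at the parent). Check DS too.
    return "signed-not-validated"
```

Only "validated" closes the finding; "signed-not-validated" means the zone is signed but the chain of trust (DS at the parent or the resolver's validation) still needs attention.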