
Misconfigured DNS: The Hidden Risks & Threats Explained

  • 30 July 2025

When people browse websites, their device relies on the Domain Name System (DNS) to find the correct server behind the domain name. DNS is often referred to as the phonebook of the Internet.

You can think of DNS as a digital map that guides browsers to their destinations. Any error or misconfiguration in this map can affect the speed, security, and reliability of your services. It can:

  • Make the website inaccessible to users
  • Prevent emails from being sent
  • Increase system exposure to cyberattacks

This blog post will discuss some of the most common DNS misconfigurations. You will learn how they occur and what risks and threats they can pose to your online assets, such as websites, apps, and networking systems. 

Why Does Correct DNS Configuration Matter?

If you want a functional and secure internet experience, a correct DNS configuration is a must. 

Why? 

Because DNS is what lets your device reach a website over a network: it translates domain names into IP addresses so that the two sides can communicate. 

Any misconfiguration in the DNS records associated with a domain or device can cause significant disruptions. However, if configured correctly, DNS enables devices to communicate reliably. 

Here are some of the benefits you can expect when DNS is configured correctly. You get:

  • Faster loading times and reduced latency. 
  • Efficient content delivery. 
  • Protection against phishing and malware.
  • Prevention of spoofing attacks.
  • Less or no downtime. 
  • Accurate email routing, and more.

What is a Misconfigured DNS?

A misconfigured DNS means that there is an error in the DNS setup, whether due to human error or other causes. These errors can disrupt communication between devices and websites over a network. Moreover, they expose the affected systems to security threats. 

Below are some of the common causes behind a misconfigured DNS:

  • Typing mistakes while adding new or updating old DNS records. 
  • Outdated or stale DNS records can route users to the wrong resources. 
  • Obsolete or malfunctioning routers also cause errors in DNS setup. 
  • A poor internet connection can also result in DNS errors. 
  • Problems in the DNS servers of your internet service provider (ISP) also disrupt DNS resolution. 

Types of DNS Misconfigurations

Below are the various types of DNS misconfigurations that many people encounter. 

1. Incorrect A or AAAA Records

A and AAAA records are responsible for pointing a domain to the correct IP address. An A record maps a domain name to an IPv4 address, while an AAAA record maps a domain name to an IPv6 address. 

A and AAAA records usually get misconfigured through human error, typically a typo made while entering IP addresses manually. This often happens while migrating a website to a different server. 

Sometimes the hosting provider changes the server's IP address. You must then manually replace the old IP address in the DNS records with the new one; if this is not done in time, the records are left misconfigured. 

Risk:

When A or AAAA records are incorrect, users trying to visit your site are directed to the wrong server or no server at all. This leads to complete or partial website inaccessibility. 

Sometimes, worse can happen. If the wrong IP address belongs to a malicious actor, users may be redirected to a phishing site.

The easiest way to resolve this misconfiguration is to verify your server's public IP. If anything is incorrect or missing, update the A/AAAA records accordingly. Once updated, check DNS propagation to ensure the change has propagated globally. 

2. Missing or Misconfigured MX Records

MX records in a domain's DNS setup define the mail servers that handle email delivery. They route email traffic on behalf of that particular domain. 

Misconfiguration of MX records occurs when settings are improperly configured, have incorrect values, or point to nonexistent mail servers.

Risk:

Emails sent to your domain may be rejected, bounced, or flagged as spam. Not setting an MX record means mail servers don’t know where to deliver messages sent to a domain.

Use our dedicated MX Lookup tool to verify that the correct MX record is in place for your domain. If you find the records missing or incorrect, log in to your domain's dashboard and update them. To keep the process smooth and efficient, use the configuration settings recommended by your mail provider. 

3. Wrong or Duplicate CNAME Entries

A CNAME (canonical name) record is a type of DNS record that points a domain or alias to the actual (you can say "canonical") domain name. When a user tries to access the alias, instead of returning an IP address directly, the DNS server instructs the client to look up the canonical name. 

Misconfiguration often occurs when someone tries to add a CNAME record at the root domain (the zone apex). Note that, in general, you cannot add a CNAME record to the root domain, because the apex must already carry SOA and NS records and a CNAME cannot coexist with other records for the same name; CNAMEs can only be added on subdomains. 

Another reason for misconfiguration is that sometimes multiple CNAME records exist for the same name. 

Risk:

Duplicate or incorrectly placed CNAME records can cause DNS resolution loops, conflicts, or failures, resulting in inaccessible resources.

Use CNAME only for subdomains and never mix a CNAME with other records for the same name. Once you have configured a CNAME record, manually validate it using DNS Lookup. 

4. Invalid or Outdated NS Records

NS (name server) records delegate DNS management for a domain: they name the authoritative servers that hold all the other DNS records for that domain. 

Errors in NS records occur when the records are outdated, point to an old provider, or contain typos. This usually happens when you switch to a new hosting provider. 

Risk:

Misconfigured NS records lead to inconsistent or failed DNS resolution across regions. DNS resolvers become unable to find the authoritative nameservers and therefore cannot answer queries for the domain. Services may stop functioning if resolvers hit unresponsive or incorrect NS servers.

Perform the NS lookup to check your current DNS provider’s nameservers. If you find them misconfigured, update NS records at the domain registrar. After the update, use the DNS propagation checker to validate changes globally.
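The record problems described in sections 1 to 4 (bad A/AAAA values, missing MX, CNAME at the apex or mixed with other records, missing NS) can all be caught mechanically before the zone is published. The following Python script is an added example, not code from the original post or from any lookup tool the post mentions. It lints a constructed example.com zone held in memory as (owner, type, value) tuples; the zone contents, including the typo in the www record, are made up for the example, so it runs offline with no DNS queries.

```python
import ipaddress
from collections import defaultdict

# Constructed sample zone for example.com (not a real zone): (owner, type, value)
# tuples in the order an operator might have entered them.
ZONE_APEX = "example.com."
SAMPLE_ZONE = [
    ("example.com.", "NS", "ns1.dns-host.example."),
    ("example.com.", "NS", "ns2.dns-host.example."),
    ("example.com.", "A", "203.0.113.10"),
    ("example.com.", "AAAA", "2001:db8::10"),
    ("example.com.", "CNAME", "hosting.example.net."),    # CNAME at the apex: not allowed
    ("www.example.com.", "A", "203.0.113.1O"),           # typo: letter O instead of zero
    ("blog.example.com.", "CNAME", "pages.example.net."),
    ("blog.example.com.", "CNAME", "old.example.net."),  # two CNAMEs for one name
    ("shop.example.com.", "CNAME", "shop.example.net."),
    ("shop.example.com.", "A", "203.0.113.20"),          # CNAME mixed with another record
    ("mail.example.com.", "A", "203.0.113.30"),
    # no MX record at all
]


def lint_zone(records, apex):
    """Return a list of human-readable findings for a zone given as (owner, type, value) tuples."""
    findings = []
    by_owner = defaultdict(list)
    for owner, rtype, value in records:
        by_owner[owner].append((rtype, value))

    # Section 1: A/AAAA values must parse as IPv4/IPv6 addresses.
    for owner, rtype, value in records:
        if rtype == "A":
            try:
                ipaddress.IPv4Address(value)
            except ValueError:
                findings.append(f"{owner} A: '{value}' is not a valid IPv4 address")
        elif rtype == "AAAA":
            try:
                ipaddress.IPv6Address(value)
            except ValueError:
                findings.append(f"{owner} AAAA: '{value}' is not a valid IPv6 address")

    # Section 3: CNAME rules (no CNAME at the apex, one CNAME per name, no mixing).
    for owner, rrs in by_owner.items():
        cnames = [v for t, v in rrs if t == "CNAME"]
        others = [t for t, v in rrs if t != "CNAME"]
        if cnames and owner == apex:
            findings.append(f"{owner}: CNAME at the zone apex is not allowed")
        if len(cnames) > 1:
            findings.append(f"{owner}: {len(cnames)} CNAME records for one name")
        if cnames and others:
            findings.append(
                f"{owner}: CNAME coexists with other record types ({', '.join(sorted(set(others)))})"
            )

    # Sections 2 and 4: the apex needs NS records and, for a mail domain, an MX record.
    apex_types = {t for t, _ in by_owner.get(apex, [])}
    if "NS" not in apex_types:
        findings.append(f"{apex}: no NS records at the apex")
    if "MX" not in apex_types:
        findings.append(f"{apex}: no MX record; mail to this domain has no designated server")
    return findings


if __name__ == "__main__":
    for finding in lint_zone(SAMPLE_ZONE, ZONE_APEX):
        print(finding)
```

Run against the sample zone it reports six findings: the invalid www address, the apex CNAME (twice, once for being at the apex and once for coexisting with the NS/A/AAAA records), the duplicate blog CNAMEs, the shop CNAME mixed with an A record, and the missing MX. The same function can be fed records exported from a provider's zone file after they are split into owner, type and value.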

5. Misconfigured TXT Records (SPF, DKIM, DMARC)

TXT records in DNS are used to authenticate email servers and verify domain ownership. They also help prevent email spoofing attacks. 

Misconfigurations in TXT records can occur due to various factors, including incorrect syntax, unsupported mechanisms, or missing entries.

Risk:

Misconfigured TXT records lead to various issues such as:

  • Legitimate emails often land in spam folders or are rejected. 
  • Increased risk of email spoofing and phishing attacks. 

As an example:

A missing TXT record, such as an SPF record, allows hackers to send spoofed emails claiming to be from your domain. 

First, perform a TXT lookup to verify whether the currently published records are accurate. If they are misconfigured, go to your domain's dashboard and correct them. When updating, make sure you use the proper syntax and set up DKIM with a valid public key. 
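Because SPF and DMARC are plain TXT strings, syntax errors are easy to make and easy to check. The following Python checker is an added example, not from the original post or from any tool it mentions. It validates constructed SPF and DMARC values (the domains and records are made up) for the problems the section names: a missing record, two SPF records for one name (which receivers treat as a permanent error), malformed terms, a record with no terminating "all", more than ten DNS-lookup terms (the RFC 7208 limit), and a DMARC policy of p=none or without a reporting address.

```python
import re

# Constructed example TXT values keyed by owner name (not real domains' records).
SAMPLE_TXT = {
    "example.com.": [
        "v=spf1 include:_spf.mail-provider.example ip4:203.0.113.0/24 ~all",
    ],
    "broken.example.": [
        "v=spf1 include:_spf.a.example include:_spf.b.example",  # no terminating 'all'
        "v=spf1 ip4:198.51.100.0/24 -all",                      # second SPF record: invalid
    ],
    "_dmarc.example.com.": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "_dmarc.broken.example.": ["v=DMARC1; p=none"],
}

# SPF mechanism with optional qualifier, and the two modifiers defined by RFC 7208.
SPF_MECHANISM = re.compile(
    r"^[+\-~?]?(all|include:\S+|a(?:[:/]\S+)?|mx(?:[:/]\S+)?|ip4:\S+|ip6:\S+|exists:\S+|ptr(?::\S+)?)$"
)
SPF_MODIFIER = re.compile(r"^(redirect|exp)=\S+$")
LOOKUP_MECHANISMS = {"include", "a", "mx", "exists", "ptr"}


def check_spf(txt_values):
    """Return findings for the SPF record(s) among a name's TXT values."""
    findings = []
    spf = [v for v in txt_values if v.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any host may send mail claiming this domain"]
    if len(spf) > 1:
        findings.append(f"{len(spf)} SPF records published; receivers treat this as a permanent error")
    terms = spf[0].split()[1:]
    lookups = 0
    for term in terms:
        if SPF_MODIFIER.match(term):
            if term.startswith("redirect="):
                lookups += 1
            continue
        m = SPF_MECHANISM.match(term)
        if not m:
            findings.append(f"unknown or malformed SPF term '{term}'")
            continue
        mech = re.split(r"[:/]", m.group(1))[0]
        if mech in LOOKUP_MECHANISMS:
            lookups += 1
        if mech == "ptr":
            findings.append("ptr mechanism is deprecated and slow to evaluate")
    ends_properly = bool(terms) and (terms[-1].lstrip("+-~?") == "all" or terms[-1].startswith("redirect="))
    if not ends_properly:
        findings.append("SPF record does not end with an 'all' mechanism or redirect=; unlisted senders get a neutral result")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms; RFC 7208 limit is 10 (receivers return permerror)")
    return findings


def check_dmarc(txt_values):
    """Return findings for the DMARC record among a _dmarc name's TXT values."""
    findings = []
    recs = [v for v in txt_values if v.upper().startswith("V=DMARC1")]
    if not recs:
        return ["no DMARC record: mail failing SPF/DKIM alignment is neither rejected nor reported"]
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"DMARC p= tag missing or invalid: {policy!r}")
    elif policy == "none":
        findings.append("DMARC policy is p=none: failures are only reported, never enforced")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be delivered")
    return findings


if __name__ == "__main__":
    for name, values in SAMPLE_TXT.items():
        checker = check_dmarc if name.startswith("_dmarc.") else check_spf
        print(name, checker(values) or ["ok"])
```

In production the TXT values would come from a lookup of the domain and of its _dmarc subdomain; the checks themselves need no network. The lookup counter only counts the terms in the record being inspected, so a full audit would also recurse into each include: target.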

6. Unrestricted Zone Transfers (AXFR Enabled)

AXFR, also referred to as full zone transfer, is a DNS protocol used for transferring zone files from one (primary) server to another (secondary server). 

Risk:

Leaving AXFR enabled can expose the entire DNS structure to the public. This poses a significant security risk, allowing hackers to access the entire DNS zone and potentially carry out cyberattacks. 

Restrict zone transfers to the IP addresses of your own secondary servers, or disable them entirely if they are not needed. 

7. Open DNS Resolvers

Open DNS resolvers are those configured to respond to recursive queries from any IP address. These DNS servers are publicly available and do not require authentication or authorization to perform lookups. 

Risk:

Hackers can use open DNS resolvers to amplify DDoS (Distributed Denial of Service) attacks. Open resolvers may also expose query history and slow down legitimate responses, and the amplified traffic can take down websites or cause wider network outages. 

Limit the recursion to trusted networks and set up a firewall to block or monitor external traffic. 
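Sections 6 and 7 both come down to two statements in the authoritative server's configuration. The following Python script is an added example, not from the original post; it audits constructed BIND 9-style named.conf fragments (made up for the example, not taken from any real server) for the weak settings the two sections describe and is shown beside a hardened fragment that passes. It understands only the statements it checks (allow-transfer, recursion, allow-recursion), so it is a linter for these two risks rather than a full named.conf parser.

```python
import re

# Constructed weak configuration: anyone may pull the zone, and the server is an open resolver.
WEAK_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { any; };
    allow-transfer { any; };
};
zone "example.com" {
    type primary;
    file "db.example.com";
};
"""

# Constructed hardened configuration: authoritative-only, AXFR limited to named secondaries.
HARDENED_CONF = """
acl secondaries { 198.51.100.53; 2001:db8:53::2; };
options {
    directory "/var/cache/bind";
    recursion no;                       # authoritative-only server
    allow-transfer { secondaries; };    # AXFR only to our own secondaries
};
zone "example.com" {
    type primary;
    file "db.example.com";
};
"""


def _strip_comments(text):
    """Remove //, # and /* */ comments so commented-out statements are not matched."""
    text = re.sub(r"//.*|#.*", "", text)
    return re.sub(r"/\*.*?\*/", "", text, flags=re.S)


def _addr_lists(text, name):
    """Return the address-match list tokens for every `name { ...; };` statement in the text."""
    return [
        [t.strip() for t in body.split(";") if t.strip()]
        for body in re.findall(rf"\b{name}\s*\{{([^}}]*)\}}\s*;", text)
    ]


def audit_named_conf(conf):
    """Return findings for unrestricted zone transfers and open recursion."""
    text = _strip_comments(conf)
    findings = []

    # Section 6: zone transfers should be limited to known secondaries or disabled.
    transfers = _addr_lists(text, "allow-transfer")
    if not transfers:
        findings.append("no allow-transfer statement: transfer policy falls back to the server default; set it explicitly")
    for lst in transfers:
        if "any" in lst:
            findings.append("allow-transfer { any; }: the whole zone can be downloaded by anyone")

    # Section 7: recursion, if enabled at all, must be limited to trusted networks.
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", text)
    if rec is not None and rec.group(1) == "yes":
        allow = _addr_lists(text, "allow-recursion")
        if not allow:
            findings.append("recursion yes without an explicit allow-recursion list; confirm the server default restricts it to local networks")
        elif any("any" in lst for lst in allow):
            findings.append("recursion yes with allow-recursion { any; }: open resolver usable for DNS amplification")
    return findings


if __name__ == "__main__":
    print("weak:", audit_named_conf(WEAK_CONF))
    print("hardened:", audit_named_conf(HARDENED_CONF))
```

The weak fragment yields two findings and the hardened one none. On a real server the same checks belong in a pre-deployment hook alongside named-checkconf, and the firewall rule the section recommends (allowing port 53 from the internet only to authoritative servers) is the second layer that catches a resolver that slipped through.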

8. Incorrect TTL (Time to Live) Settings

TTL (time to live) in DNS refers to the period for which DNS records of a domain or device remain cached before being refreshed. 

Risk:

Setting TTL too high or too low can create performance or propagation issues.

  • High TTL = slow propagation.
  • Low TTL = increased DNS query load.

As an example:

Changing an IP while the TTL is 86400 (24 hours) means users may still resolve to the old IP for a full day.

Use a balanced TTL; usually, 3600 seconds is recommended. 

9. Missing PTR Records (Reverse DNS Issues)

PTR (pointer) records are the opposite of A records: they indicate which domain name is associated with an IP address. PTR records are primarily used for reverse DNS lookups, which determine the domain name associated with a given IP address. 

Risk:

PTR records are used in reverse DNS lookups for troubleshooting email delivery issues and preventing spam. If a PTR record is misconfigured or missing, it will stop the email services associated with the domain name and block the emails sent from that domain. Moreover, it can make your network appear suspicious to external systems and devices. 

To resolve reverse DNS issues, ask your ISP or hosting provider to reconfigure the reverse DNS settings for your IP address.

10. Lack of DNSSEC or Misconfigured DNSSEC

DNSSEC (Domain Name System Security Extensions) protects DNS from tampering. It works by digitally signing DNS records so that resolvers can verify the authenticity of DNS data. 

Risk:

DNSSEC records, if misconfigured, open the door for spoofing attacks. Using this, hackers can perform cache poisoning and also redirect traffic to malicious websites. Furthermore, a broken DNSSEC setup can make your site unreachable on DNSSEC-enabled resolvers.

To avoid this, continuously monitor DNSSEC signature expiration and re-sign zones promptly. 
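The expiry the section tells you to monitor is the expiration field of each RRSIG record; once it passes, validating resolvers reject the signed data and the site goes dark for their users. The following Python script is an added example, not from the original post: it parses constructed RRSIG records in zone-file presentation format (the signature strings are placeholders, not real signatures) and reports which are expired, about to expire within a warning window, or not yet valid. The fixed NOW timestamp is constructed so the example is reproducible; a real monitor would use the current time.

```python
from datetime import datetime, timedelta, timezone

# Constructed RRSIG records in presentation format (owner TTL class RRSIG type-covered
# algorithm labels original-TTL expiration inception key-tag signer signature).
# Signature strings are placeholders, not real signatures.
SAMPLE_RRSIGS = [
    "example.com. 3600 IN RRSIG A 13 2 3600 20250815120000 20250716120000 12345 example.com. c2lnbmF0dXJlMQ==",
    "example.com. 3600 IN RRSIG MX 13 2 3600 20250802000000 20250703000000 12345 example.com. c2lnbmF0dXJlMg==",
    "example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20250725000000 20250625000000 54321 example.com. c2lnbmF0dXJlMw==",
]

# Constructed "current time" so the example is deterministic (the post's publication date).
NOW = datetime(2025, 7, 30, 12, 0, tzinfo=timezone.utc)


def parse_rrsig(line):
    """Parse one RRSIG record in presentation format into a dict of its fields."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record in presentation format")
    fmt = "%Y%m%d%H%M%S"  # RRSIG times are YYYYMMDDHHMMSS in UTC
    return {
        "owner": f[0],
        "type_covered": f[4],
        "algorithm": int(f[5]),
        "expiration": datetime.strptime(f[8], fmt).replace(tzinfo=timezone.utc),
        "inception": datetime.strptime(f[9], fmt).replace(tzinfo=timezone.utc),
        "key_tag": int(f[10]),
        "signer": f[11],
    }


def check_signatures(lines, now, warn_days=7):
    """Return (status, label) pairs for signatures that are expired, expiring soon,
    not yet valid, or have an empty validity window. Healthy signatures are not listed."""
    findings = []
    for line in lines:
        sig = parse_rrsig(line)
        label = f"{sig['owner']} {sig['type_covered']} (key {sig['key_tag']})"
        if sig["expiration"] <= sig["inception"]:
            findings.append(("invalid_window", label))
        elif now < sig["inception"]:
            findings.append(("not_yet_valid", label))
        elif now >= sig["expiration"]:
            findings.append(("expired", label))
        elif sig["expiration"] - now <= timedelta(days=warn_days):
            findings.append(("expiring_soon", label))
    return findings


if __name__ == "__main__":
    for status, label in check_signatures(SAMPLE_RRSIGS, NOW):
        print(f"{status:14} {label}")
```

With the sample data the MX signature is reported as expiring within the week and the DNSKEY signature as already expired, which is the worst case: an expired DNSKEY signature invalidates the whole chain under it. Feeding the function the RRSIG set returned for your zone on a schedule, with the warning window set longer than your re-signing interval, turns the section's advice into an alert that fires before resolvers start failing.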

Real-World Examples of DNS Misconfiguration Disasters

For a better understanding of the threats related to misconfigured DNS records, we have shared some real-life examples below. 

Facebook Outage (October 2021)

According to The Guardian, Facebook became completely unreachable for nearly six hours due to a DNS and BGP configuration error.

Facebook engineers issued a command that accidentally took down all of their backbone connections, including DNS servers. With the DNS servers unreachable, domain name resolution for all services failed globally.

Impact:

  • Billions of users lost access
  • Facebook’s internal systems, including employee badges and tools, went down
  • Estimated cost: 6 billion dollars in revenue loss

This incident could have been prevented by thorough internal testing of network configuration changes and by the use of external fallback DNS servers or monitoring tools.

Microsoft DNS Misconfiguration (2001) 

In January 2001, Microsoft's websites became completely inaccessible for nearly 23 hours due to a DNS configuration error.

Microsoft had all its authoritative DNS servers for major domains (like microsoft.com) hosted within the same IP subnet and network infrastructure. 

When a router misconfiguration made that subnet unreachable, no one could resolve Microsoft's domain names. This effectively took almost all of their services offline.

Impact:

  • 23 hours of global downtime for all Microsoft services
  • Significant disruption to Hotmail users and enterprise customers
  • Damaged brand credibility and public trust

This could have been prevented by placing the DNS servers on logically separate networks. 

Lesson for the industry: 

“Never put all DNS eggs in one basket.”

Wrapping Up

A correct DNS setup is crucial for smooth communication between devices and websites on a network. Misconfigurations in DNS can lead to various problems, including websites becoming inaccessible, emails failing to deliver, and an increase in cyberattacks. 

This blog post discusses some of the most common DNS misconfigurations, along with the risks they pose and potential ways to prevent them. To read more on DNS-related topics, consider visiting our blog section.
