6.2. DNS Security Checks#

Checks that evaluate DNS record security including DNSSEC, proxy status, wildcards, CAA, and DNS over HTTPS.

6.2.1. Check Summary#

Check ID	Title	Severity	Compliance
CFL-DNS-001	DNSSEC Enablement h	igh C	IS 2.1, SOC2 CC6.1, PCI 3.4, NIST PR.DS-5
CFL-DNS-002	DNS Proxy Status h	igh C	IS 2.2, SOC2 CC6.1, NIST PR.DS-5
CFL-DNS-003	Wildcard DNS Records	medium	CIS 2.3, SOC2 CC6.1, NIST PR.DS-5
CFL-DNS-004	CAA Records	medium	CIS 2.4, SOC2 CC6.1, NIST PR.DS-5
CFL-DNS-005	DNS over HTTPS	medium	CIS 2.5, SOC2 CC6.7, NIST PR.DS-5

Severity: high | Category: dns | Compliance: CIS 2.1

DNSSEC protects DNS responses from tampering. Without it, DNS records are vulnerable to spoofing and cache poisoning attacks.

Remediation: Enable DNSSEC for all zones in the Cloudflare dashboard under DNS → DNSSEC.

—

Severity: high | Category: dns | Compliance: CIS 2.2

DNS records should be proxied through Cloudflare to benefit from DDoS protection, WAF, and traffic analytics.

Remediation: Enable the proxy (orange cloud) for DNS records that should be protected.

—

Severity: medium | Category: dns | Compliance: CIS 2.3

Wildcard DNS records (*) can expose unintended subdomains. FlareInspect flags zones containing wildcard records.

Remediation: Replace wildcard records with explicit subdomain records.

—

Severity: medium | Category: dns | Compliance: CIS 2.4

CAA records specify which certificate authorities are allowed to issue certificates for a domain. Without CAA, any CA can issue certificates.

Remediation: Add CAA records to restrict certificate issuance to authorized CAs.

—

Severity: medium | Category: dns | Compliance: CIS 2.5

DNS over HTTPS (DoH) encrypts DNS queries, preventing eavesdropping and manipulation by network intermediaries.

Remediation: Enable DNS over HTTPS in the Cloudflare dashboard under your zone settings.