DNS Bezbednost — SPF, DMARC, DNSSEC vodic

Objavljeno: 8. april 2026. · Vreme citanja: 15 min

Sadrzaj

  1. Kako DNS radi
  2. DNS napadi
  3. Kaminsky napad (2008)
  4. SPF — Sender Policy Framework
  5. DMARC konfiguracija
  6. DNSSEC — DNS Security Extensions
  7. Cesto postavljana pitanja
  8. Reference
~5%
Domena sa DNSSEC-om (APNIC)
91%
Sajber napada pocinje email-om (Verizon DBIR)
3.4B
Phishing email-ova dnevno (Radicati)
80%
Domena bez DMARC-a (Agari)

1. Kako DNS radi

DNS (Domain Name System) je sistem koji prevodi ljudski citljive domene (npr. google.com) u IP adrese (npr. 142.250.185.78) koje racunari koriste za komunikaciju. Cesto se naziva "telefonski imenik interneta".

DNS hijerarhija

DNS koristi hijerarhijsku strukturu sa cetiri nivoa:

  1. DNS Resolver (Recursive) — vas ISP ili javni resolver (8.8.8.8, 1.1.1.1) koji prima vase upite i trazi odgovore
  2. Root serveri — 13 root server klastera (a.root-servers.net do m.root-servers.net) koji usmeravaju ka TLD serverima
  3. TLD serveri — serveri za top-level domene (.com, .rs, .org) koji znaju gde su autoritativni serveri za svaki domen
  4. Autoritativni DNS serveri — krajnji serveri koji cuvaju stvarne DNS zapise za domen (A, AAAA, MX, TXT, CNAME itd.)

DNS upit korak po korak

Korisnik ukucava: www.primer.rs
  |
  v
1. Browser proverava lokalni kes
2. OS proverava hosts fajl i lokalni DNS kes
3. Salje upit ka DNS resolver-u (npr. 8.8.8.8)
4. Resolver pita root server: "Gde je .rs?"
5. Root odgovara: "Pitaj ns1.rnids.rs"
6. Resolver pita TLD server: "Gde je primer.rs?"
7. TLD odgovara: "Pitaj ns1.primer.rs"
8. Resolver pita autoritativni server: "Koja je IP za www.primer.rs?"
9. Autoritativni odgovara: "93.87.x.x"
10. Resolver kesira odgovor i vraca ga browseru

2. DNS napadi

DNS Cache Poisoning

Napadac ubacuje lazne DNS zapise u kes resolver-a, tako da svi korisnici tog resolver-a budu preusmereni na maliciozni server. Na primer, napadac moze preusmeriti banka.rs na svoj server sa laznom kopijom bankovnog sajta.

Opasnost: Kod cache poisoning-a, korisnik u browser-u vidi ispravan domen (banka.rs), ali je zapravo na napadacevom serveru. Bez HTTPS-a sa validnim sertifikatom, korisnik nema nacin da primeti prevaru.

DNS Spoofing

Slicno cache poisoning-u, ali napadac presrece DNS upit direktno (npr. na istoj mrezi putem ARP spoofing-a) i vraca lazni odgovor pre nego sto legitimni server stigne da odgovori.

DNS Hijacking

Napadac preuzima kontrolu nad DNS zapisima domena — ili kompromitovanjem DNS provajdera, ili kradejom pristupa registraru domena. Ovo je najopasniji tip jer napadac ima punu kontrolu.

Poznati primer: 2019. godine, kampanja "Sea Turtle" je kompromitovala DNS registrare u Bliskom istoku i Severnoj Africi, preusmeravajuci email i web saobracaj vladnih organizacija.

Izvor: Cisco Talos Intelligence, "Sea Turtle" DNS Hijacking Campaign, 2019

3. Kaminsky napad (2008)

U julu 2008. godine, istrazivac bezbednosti Dan Kaminsky je javno objavio fundamentalnu ranjivost u DNS protokolu. Ova ranjivost je omogucavala napadacu da otruje kes bilo kog DNS resolver-a u roku od samo 10 sekundi.

Problem je bio u tome sto je DNS koristio predvidljive Transaction ID-jeve (samo 16 bita, tj. 65,536 mogucnosti). Kaminsky je pokazao da napadac moze poslati hiljade laznih odgovora sa razlicitim Transaction ID-jevima i statisticki pogoditi ispravan ID pre nego sto legitimni odgovor stigne.

Uticaj: Ova ranjivost je zahtevala hitno koordinisano azuriranje DNS softvera sirom sveta. Patch je dodao randomizaciju izvornog porta (source port randomization), povecavajuci entropiju sa 16 na ~32 bita.

Izvor: "An Illustrated Guide to the Kaminsky DNS Vulnerability", unixwiz.net, 2008

4. SPF — Sender Policy Framework

SPF (definisan u RFC 7208) je DNS TXT zapis koji specificira koji mail serveri su ovlasceni da salju email u ime vaseg domena. Kada primalac dobije email sa vaseg domena, proverava SPF zapis i odbija email ako nije dosao sa ovlascenog servera.

Kako konfigurisati SPF

# Osnovni SPF zapis — dozvolite samo vasim MX serverima
v=spf1 mx -all

# SPF sa specificnim IP adresama
v=spf1 ip4:93.87.12.34 ip4:93.87.12.35 -all

# SPF sa ukljucenim provajderima (Google Workspace + Mailchimp)
v=spf1 include:_spf.google.com include:servers.mcsv.net -all

# Objasnjenje mehanizama:
# v=spf1     — verzija SPF-a
# ip4:       — dozvoli IP adresu
# include:   — ukljuci SPF drugog domena
# mx         — dozvoli MX serverima domena
# a          — dozvoli A zapisu domena
# -all       — ODBIJ sve ostalo (hard fail)
# ~all       — oznaci sve ostalo kao sumnjivo (soft fail)
Preporuka: Uvek koristite -all (hard fail) umesto ~all (soft fail). Soft fail samo oznacava email kao sumnjiv, ali ga ne odbija, sto smanjuje efikasnost zastite.

SPF ogranicenja

  • Maksimalno 10 DNS lookup-ova po SPF zapisu (include, a, mx se racunaju)
  • SPF ne stiti "From" header koji korisnik vidi — stiti samo envelope sender
  • SPF puca kod prosledjivanja email-a (forwarding) jer se IP menja

5. DMARC — Domain-based Message Authentication

DMARC (definisan u RFC 7489) je nadogradnja na SPF i DKIM. On kaze primajucem serveru sta da radi ako email ne prodje SPF/DKIM proveru, i omogucava primanje izvestaja o neuskladjenim email-ovima.

DMARC politike

PolitikaAkcijaKada koristiti
p=noneSamo prati i izvestavaPocetna faza — ucite ko salje email u vase ime
p=quarantineStavi u spam folderPrelazna faza — testiranje pre pune zastite
p=rejectOdbij email potpunoPuna zastita — nakon sto ste sigurni da su SPF/DKIM ispravni

Primer DMARC zapisa

# DNS TXT zapis za _dmarc.vasdomen.rs
v=DMARC1; p=reject; rua=mailto:dmarc-reports@vasdomen.rs;
  ruf=mailto:dmarc-forensic@vasdomen.rs; adkim=s; aspf=s; pct=100

# Objasnjenje:
# v=DMARC1  — verzija
# p=reject  — odbij neuskladjene email-ove
# rua=      — adresa za agregirane izvestaje (dnevne)
# ruf=      — adresa za forenzicke izvestaje (per-email)
# adkim=s   — striktno DKIM poravnanje
# aspf=s    — striktno SPF poravnanje
# pct=100   — primeni na 100% email-ova
Vazno: Nemojte odmah postaviti p=reject. Pocnite sa p=none i pratite izvestaje 2-4 nedelje da biste identifikovali legitimne servise koji salju email u vase ime (marketing platforme, CRM, itd.).

6. DNSSEC — DNS Security Extensions

DNSSEC (definisan u RFC 4033, 4034, 4035) dodaje kriptografski potpis DNS odgovorima. Ovo omogucava resolver-u da verifikuje da odgovor zaista dolazi od autoritativnog servera i da nije modifikovan u prenosu.

Kako DNSSEC radi

  1. DNSKEY zapis — autoritativni server objavljuje svoj javni kljuc
  2. RRSIG zapis — svaki DNS zapis je potpisan privatnim kljucem
  3. DS zapis — hash javnog kljuca se registruje kod roditeljske zone (chain of trust)
  4. Resolver proverava potpis koristeci javni kljuc iz DNSKEY zapisa
# Provera DNSSEC statusa domena
$ dig +dnssec primer.rs
;; flags: qr rd ra ad;   # "ad" flag = Authentic Data (DNSSEC validan)

# Prikaz DNSKEY zapisa
$ dig DNSKEY primer.rs +short
256 3 8 AwEAAd...   # ZSK (Zone Signing Key)
257 3 8 AwEAAc...   # KSK (Key Signing Key)

# Prikaz RRSIG potpisa
$ dig A primer.rs +dnssec
primer.rs. 300 IN A 93.87.12.34
primer.rs. 300 IN RRSIG A 8 2 300 20260501 20260401 12345 primer.rs. abc123...

Zasto je DNSSEC vazan?

Bez DNSSEC-a, ne postoji nacin da se verifikuje autenticnost DNS odgovora. Napadac koji uspesno izvrsi cache poisoning moze preusmeriti korisnika na maliciozni sajt, a korisnik (i resolver) nece imati nacin da to primete.

Statistika: Prema APNIC merenjima, samo oko 5% globalnih domena ima potpuno implementiran DNSSEC. U Evropi je procenat veci zahvaljujuci registrima poput .nl (Holandija) sa preko 50% DNSSEC pokrivenosti, dok .se (Svedska) ima oko 35%.

7. Cesto postavljana pitanja

P: Da li mi treba i SPF i DMARC?
O: Da. SPF sam po sebi ne stiti "From" header koji korisnik vidi. DMARC povezuje SPF (i DKIM) sa vidljivim "From" headerom i definise politiku za neuskladjene email-ove.
P: Sta ako imam vise servisa koji salju email (Google, Mailchimp, Salesforce)?
O: Dodajte include: za svaki servis u SPF zapis. Pazite na limit od 10 DNS lookup-ova. Za veci broj servisa, koristite SPF flattening alate.
P: Da li DNSSEC stiti od DDoS-a?
O: Ne. DNSSEC stiti integritet i autenticnost DNS odgovora, ali ne stiti od uskracivanja usluge. Za DNS DDoS zastitu koristite Anycast DNS mreze (Cloudflare, AWS Route 53, itd.).

8. Reference

Skenirajte svoj sajt besplatno →

DNS Security — SPF, DMARC, DNSSEC Guide

Published: April 8, 2026 · Reading time: 15 min

Table of Contents

  1. How DNS works
  2. DNS attacks
  3. Kaminsky attack (2008)
  4. SPF — Sender Policy Framework
  5. DMARC configuration
  6. DNSSEC — DNS Security Extensions
  7. Frequently asked questions
  8. References
~5%
Domains with DNSSEC (APNIC)
91%
Cyberattacks start with email (Verizon DBIR)
3.4B
Phishing emails per day (Radicati)
80%
Domains without DMARC (Agari)

1. How DNS works

DNS (Domain Name System) is the system that translates human-readable domain names (e.g., google.com) into IP addresses (e.g., 142.250.185.78) that computers use to communicate. It is often called the "phone book of the internet."

DNS hierarchy

DNS uses a hierarchical structure with four levels:

  1. DNS Resolver (Recursive) — your ISP or a public resolver (8.8.8.8, 1.1.1.1) that receives your queries and finds answers
  2. Root servers — 13 root server clusters (a.root-servers.net through m.root-servers.net) that direct to TLD servers
  3. TLD servers — servers for top-level domains (.com, .org, .net) that know where authoritative servers for each domain are
  4. Authoritative DNS servers — the final servers that store actual DNS records for the domain (A, AAAA, MX, TXT, CNAME, etc.)

DNS query step by step

User types: www.example.com
  |
  v
1. Browser checks local cache
2. OS checks hosts file and local DNS cache
3. Sends query to DNS resolver (e.g., 8.8.8.8)
4. Resolver asks root server: "Where is .com?"
5. Root responds: "Ask a.gtld-servers.net"
6. Resolver asks TLD server: "Where is example.com?"
7. Resolver asks authoritative server: "What's the IP for www.example.com?"
8. Authoritative responds: "93.184.216.34"
9. Resolver caches the response and returns it to the browser

2. DNS attacks

DNS Cache Poisoning

An attacker injects fake DNS records into a resolver's cache, causing all users of that resolver to be redirected to a malicious server. For example, an attacker could redirect bank.com to their own server hosting a fake copy of the banking site.

Danger: With cache poisoning, the user sees the correct domain (bank.com) in their browser, but is actually on the attacker's server. Without HTTPS with a valid certificate, the user has no way to detect the deception.

DNS Spoofing

Similar to cache poisoning, but the attacker intercepts DNS queries directly (e.g., on the same network via ARP spoofing) and returns a fake response before the legitimate server can respond.

DNS Hijacking

The attacker takes control of a domain's DNS records — either by compromising the DNS provider or by stealing access to the domain registrar. This is the most dangerous type because the attacker has full control.

Notable example: In 2019, the "Sea Turtle" campaign compromised DNS registrars in the Middle East and North Africa, redirecting email and web traffic of government organizations.

Source: Cisco Talos Intelligence, "Sea Turtle" DNS Hijacking Campaign, 2019

3. Kaminsky attack (2008)

In July 2008, security researcher Dan Kaminsky publicly disclosed a fundamental vulnerability in the DNS protocol. This vulnerability allowed an attacker to poison the cache of any DNS resolver within just 10 seconds.

The problem was that DNS used predictable Transaction IDs (only 16 bits, i.e., 65,536 possibilities). Kaminsky demonstrated that an attacker could send thousands of fake responses with different Transaction IDs and statistically guess the correct ID before the legitimate response arrived.

Impact: This vulnerability required urgent coordinated patching of DNS software worldwide. The patch added source port randomization, increasing entropy from 16 to ~32 bits.

Source: "An Illustrated Guide to the Kaminsky DNS Vulnerability", unixwiz.net, 2008

4. SPF — Sender Policy Framework

SPF (defined in RFC 7208) is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of your domain. When a recipient gets an email from your domain, they check the SPF record and reject the email if it didn't come from an authorized server.

How to configure SPF

# Basic SPF record — allow only your MX servers
v=spf1 mx -all

# SPF with specific IP addresses
v=spf1 ip4:93.87.12.34 ip4:93.87.12.35 -all

# SPF with included providers (Google Workspace + Mailchimp)
v=spf1 include:_spf.google.com include:servers.mcsv.net -all

# Mechanism explanation:
# v=spf1     — SPF version
# ip4:       — allow IP address
# include:   — include another domain's SPF
# mx         — allow domain's MX servers
# a          — allow domain's A record
# -all       — REJECT everything else (hard fail)
# ~all       — mark everything else as suspicious (soft fail)
Recommendation: Always use -all (hard fail) instead of ~all (soft fail). Soft fail only marks the email as suspicious but does not reject it, reducing protection effectiveness.

SPF limitations

  • Maximum of 10 DNS lookups per SPF record (include, a, mx each count)
  • SPF does not protect the "From" header visible to the user — it only protects the envelope sender
  • SPF breaks with email forwarding because the IP changes

5. DMARC — Domain-based Message Authentication

DMARC (defined in RFC 7489) builds on SPF and DKIM. It tells the receiving server what to do if an email fails SPF/DKIM checks, and enables receiving reports about non-aligned emails.

DMARC policies

PolicyActionWhen to use
p=noneMonitor and report onlyInitial phase — learn who sends email on your behalf
p=quarantinePlace in spam folderTransition phase — testing before full protection
p=rejectReject the email entirelyFull protection — after confirming SPF/DKIM are correct

DMARC record example

# DNS TXT record for _dmarc.yourdomain.com
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com;
  ruf=mailto:dmarc-forensic@yourdomain.com; adkim=s; aspf=s; pct=100

# Explanation:
# v=DMARC1  — version
# p=reject  — reject non-aligned emails
# rua=      — address for aggregate reports (daily)
# ruf=      — address for forensic reports (per-email)
# adkim=s   — strict DKIM alignment
# aspf=s    — strict SPF alignment
# pct=100   — apply to 100% of emails
Important: Do not set p=reject immediately. Start with p=none and monitor reports for 2-4 weeks to identify legitimate services sending email on your behalf (marketing platforms, CRM, etc.).

6. DNSSEC — DNS Security Extensions

DNSSEC (defined in RFC 4033, 4034, 4035) adds cryptographic signatures to DNS responses. This allows a resolver to verify that a response genuinely came from the authoritative server and has not been modified in transit.

How DNSSEC works

  1. DNSKEY record — the authoritative server publishes its public key
  2. RRSIG record — each DNS record is signed with the private key
  3. DS record — a hash of the public key is registered at the parent zone (chain of trust)
  4. The resolver verifies the signature using the public key from the DNSKEY record
# Check DNSSEC status of a domain
$ dig +dnssec example.com
;; flags: qr rd ra ad;   # "ad" flag = Authentic Data (DNSSEC valid)

# Display DNSKEY records
$ dig DNSKEY example.com +short
256 3 8 AwEAAd...   # ZSK (Zone Signing Key)
257 3 8 AwEAAc...   # KSK (Key Signing Key)

# Display RRSIG signatures
$ dig A example.com +dnssec
example.com. 300 IN A 93.184.216.34
example.com. 300 IN RRSIG A 8 2 300 20260501 20260401 12345 example.com. abc123...

Why is DNSSEC important?

Without DNSSEC, there is no way to verify the authenticity of DNS responses. An attacker who successfully performs cache poisoning can redirect users to a malicious site, and neither the user nor the resolver can detect it.

Statistics: According to APNIC measurements, only about 5% of global domains have fully implemented DNSSEC. In Europe, the percentage is higher thanks to registries like .nl (Netherlands) with over 50% DNSSEC coverage, while .se (Sweden) has about 35%.

7. Frequently asked questions

Q: Do I need both SPF and DMARC?
A: Yes. SPF alone does not protect the "From" header that the user sees. DMARC links SPF (and DKIM) to the visible "From" header and defines a policy for non-aligned emails.
Q: What if I have multiple services sending email (Google, Mailchimp, Salesforce)?
A: Add an include: for each service in your SPF record. Be mindful of the 10 DNS lookup limit. For more services, use SPF flattening tools.
Q: Does DNSSEC protect against DDoS?
A: No. DNSSEC protects the integrity and authenticity of DNS responses but does not protect against denial of service. For DNS DDoS protection, use Anycast DNS networks (Cloudflare, AWS Route 53, etc.).

8. References

Scan your site for free →
SSL/TLS vodicSSL/TLS Guide HTTP Security HeadersHTTP Security Headers XSS napadiXSS Attacks SQL InjectionSQL Injection CSRF napadiCSRF Attacks Port skeniranjePort Scanning API bezbednostAPI Security