Resolver Based Solutions

Secure DNS Resolver

A hardened recursive DNS resolver with full DNSSEC validation, cache protection and access controls. Provides your organisation with a trusted resolution service that verifies the authenticity of every DNS response before delivering it to your users.

What this solution delivers

DNSSEC Validation

Every DNS response is validated against the DNSSEC chain of trust before being returned to the client. Spoofed, tampered or unsigned responses from signed zones are rejected, protecting your users from cache poisoning and DNS hijacking.

Hardened Infrastructure

The resolver runs on dedicated, security-hardened infrastructure with minimal attack surface. Recursive and authoritative functions are strictly separated as recommended by NIST SP 800-81r3. All unnecessary services are disabled.

Cache Protection

Measures against cache poisoning include source port randomisation, 0x20 encoding (mixed-case query randomisation), aggressive NSEC caching and strict bailiwick checking. These protections work alongside DNSSEC to provide defence in depth.

Low Latency Resolution

Intelligent caching, prefetching of expiring records and geographic proximity to your users ensure fast resolution times. Average query response times are typically under 10ms for cached records and under 50ms for uncached lookups.

Query Logging and Analytics

Optional query logging provides visibility into DNS usage patterns, enabling threat detection, policy enforcement and capacity planning. Logs are stored in accordance with GDPR and configurable retention policies.

Access Control

The resolver is restricted to authorised clients by IP range, network segment or authentication. This prevents open resolver abuse and ensures the service is only available to your users and systems.

Technical Details

How it works

DNSSEC Validation Process

When the resolver receives a response from an authoritative server for a DNSSEC-signed zone, it validates the cryptographic signatures (RRSIG records) using the public keys (DNSKEY records) published in the zone. It follows the chain of trust from the queried zone up through the parent zones to the root zone, verifying each link. If any signature is invalid, expired or missing, the response is rejected and the client receives a SERVFAIL error rather than potentially forged data.

Cache Poisoning Defences

Beyond DNSSEC validation, the resolver implements multiple layers of cache protection. Source port randomisation (RFC 5452) makes it harder for attackers to predict which port a query was sent from. The 0x20 encoding technique randomises the case of characters in the query name, adding entropy that an attacker must match. Aggressive NSEC caching (RFC 8198) uses authenticated denial-of-existence records to answer negative queries from cache, reducing exposure to attacks during the resolution process.
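Two of the defences above, 0x20 query-name randomisation and bailiwick checking, as an added illustration in Python (not the resolver's own code; function names and the record tuples are assumptions):

```python
import secrets

# Constructed example of two resolver-side cache poisoning checks:
# 0x20 case randomisation of the query name and bailiwick filtering of
# the records in a response. Names are illustrative, not a real API.

def randomize_0x20(qname: str, rng=None) -> str:
    """Randomise the case of each letter in a query name (0x20 encoding).
    A forged reply is only accepted if it reproduces every case bit."""
    rng = rng or secrets.SystemRandom()
    return "".join(c.upper() if c.isalpha() and rng.getrandbits(1) else c.lower()
                   for c in qname)

def extra_entropy_bits(qname: str) -> int:
    """Each alphabetic character is one more bit an attacker must guess."""
    return sum(1 for c in qname if c.isalpha())

def qname_matches(sent: str, received: str) -> bool:
    """Accept a reply only if its question name matches the sent name
    case-exactly; a case-insensitive compare would throw the entropy away."""
    return sent == received

def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is the zone apex or a name beneath it (DNS names are
    compared case-insensitively here, independent of 0x20 encoding)."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)

def filter_response(zone: str, records):
    """Keep only records the responding server is authoritative for, so an
    answer for example.com cannot plant a record for another domain.
    records: list of (owner, rtype, rdata) tuples."""
    return [r for r in records if in_bailiwick(r[0], zone)]
```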

Performance Architecture

The resolver uses a multi-threaded architecture with connection pooling to upstream authoritative servers. Prefetching refreshes cached records before they expire, ensuring that frequently queried domains always receive a fast cached response. Geographic deployment close to your user base minimises round-trip time.

Monitoring and Alerting

Integration with MonitoNIC provides real-time visibility into resolver performance, cache hit rates, DNSSEC validation success rates and upstream query patterns. Alerts are raised for anomalies such as sudden increases in SERVFAIL responses, unusual query volumes or DNSSEC validation failures.
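The SERVFAIL anomaly alert described above, worked through in Python over constructed query-log lines as an added example (not MonitoNIC's logic; the log format and thresholds are assumptions):

```python
from collections import Counter, defaultdict

# Constructed resolver query log (not real data). Assumed line format:
# "<epoch-second> <client> <qname> <rcode>". The second minute shows a
# burst of SERVFAIL answers for one zone, as a failed validation would.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com NOERROR
1700000001 10.0.0.6 mail.example.com NOERROR
1700000002 10.0.0.7 www.example.net NXDOMAIN
1700000003 10.0.0.5 api.example.com NOERROR
1700000004 10.0.0.8 cdn.example.org NOERROR
1700000005 10.0.0.6 www.example.com NOERROR
1700000050 10.0.0.5 www.example.com SERVFAIL
1700000051 10.0.0.6 www.example.com SERVFAIL
1700000052 10.0.0.7 mail.example.com NOERROR
1700000053 10.0.0.8 www.example.com SERVFAIL
1700000054 10.0.0.5 api.example.com SERVFAIL
1700000055 10.0.0.6 cdn.example.org NOERROR
"""

def servfail_per_window(log_text: str, window: int = 60) -> dict:
    """Return {window_start: (servfail_count, total_count)} per time bucket."""
    buckets = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        ts, _client, _qname, rcode = line.split()
        start = int(ts) // window * window
        buckets[start][1] += 1
        if rcode == "SERVFAIL":
            buckets[start][0] += 1
    return {k: tuple(v) for k, v in sorted(buckets.items())}

def servfail_alerts(log_text: str, window: int = 60,
                    baseline_rate: float = 0.05, min_queries: int = 5) -> list:
    """Alert on windows whose SERVFAIL share exceeds the baseline rate.
    Windows with fewer than min_queries are ignored to avoid noisy alerts."""
    alerts = []
    for start, (sf, total) in servfail_per_window(log_text, window).items():
        if total >= min_queries and sf / total > baseline_rate:
            alerts.append((start, sf, total))
    return alerts

def failing_names(log_text: str) -> Counter:
    """Count SERVFAIL answers per query name so the investigation can be
    narrowed to the zone whose validation is failing."""
    return Counter(line.split()[2] for line in log_text.splitlines()
                   if line.endswith("SERVFAIL"))
```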

Who benefits from this solution

Enterprises replacing ISP-provided resolvers with a trusted, validated resolution service

Organisations requiring DNSSEC validation to protect against DNS spoofing

Government and regulated entities needing auditable DNS resolution

Networks where DNS query integrity is a compliance requirement under NIS2

Common questions about this solution

If the resolver cannot validate a DNSSEC-signed response, it returns a SERVFAIL error to the client rather than delivering potentially forged data. This is the correct and expected behaviour. The client application will typically retry or display an error, but it will not be directed to a spoofed destination. The resolver logs all validation failures for investigation.

Public resolvers are shared infrastructure serving billions of queries. Sokomi’s Secure Resolver is a dedicated service for your organisation, deployed within or near your network, with your access controls, your logging policies and your compliance requirements. You retain full control over the resolver’s configuration, query logs and security policies. There is no sharing of query data with third parties.

Yes, and this is a recommended deployment. The Secure Resolver provides DNSSEC validation and cache protection, while the DNS Firewall adds threat-intelligence-based filtering using Response Policy Zones. Together they provide both authentication of legitimate responses and blocking of known malicious domains.

Trusted DNS resolution for your organisation

Talk to our team about deploying a dedicated Secure Resolver that validates every DNS response and protects your users from spoofing attacks.