{"id":65,"date":"2026-07-01T22:09:02","date_gmt":"2026-07-01T19:09:02","guid":{"rendered":"https:\/\/secradar.net\/blog\/dnssec-nedir-dns-guvenligi\/"},"modified":"2026-07-01T22:09:02","modified_gmt":"2026-07-01T19:09:02","slug":"dnssec-nedir-dns-guvenligi","status":"publish","type":"post","link":"https:\/\/secradar.net\/blog\/dnssec-nedir-dns-guvenligi\/","title":{"rendered":"DNSSEC Nedir? DNS G\u00fcvenli\u011fi ve Cache Poisoning&#8217;e Kar\u015f\u0131 Koruma"},"content":{"rendered":"<p><strong>DNSSEC (DNS Security Extensions)<\/strong>, DNS yan\u0131tlar\u0131n\u0131 dijital imzayla do\u011frulayarak, ald\u0131\u011f\u0131n\u0131z DNS cevab\u0131n\u0131n ger\u00e7ekten yetkili sunucudan geldi\u011fini ve yolda de\u011fi\u015ftirilmedi\u011fini garanti eden bir g\u00fcvenlik katman\u0131d\u0131r. Klasik DNS&#8217;in en b\u00fcy\u00fck a\u00e7\u0131\u011f\u0131n\u0131 \u2014 yan\u0131tlar\u0131n imzas\u0131z ve sahtelenebilir olmas\u0131n\u0131 \u2014 kapat\u0131r.<\/p>\n<p>Bu yaz\u0131da DNS&#8217;in neden g\u00fcvensiz oldu\u011funu, DNSSEC&#8217;in bunu nas\u0131l \u00e7\u00f6zd\u00fc\u011f\u00fcn\u00fc, hangi kay\u0131tlar\u0131 (DNSKEY, RRSIG, DS) kulland\u0131\u011f\u0131n\u0131 ve alan ad\u0131n\u0131zda DNSSEC&#8217;i nas\u0131l etkinle\u015ftirece\u011finizi ad\u0131m ad\u0131m ele al\u0131yoruz. Alan ad\u0131n\u0131z\u0131n DNSSEC durumunu <a href=\"https:\/\/secradar.net\/whois-sorgulama\">WHOIS Sorgulama<\/a> arac\u0131yla an\u0131nda kontrol edebilece\u011finizi de g\u00f6sterece\u011fiz.<\/p>\n<h2>Klasik DNS Neden G\u00fcvensizdir?<\/h2>\n<p>DNS, alan adlar\u0131n\u0131 IP adreslerine \u00e7eviren internetin telefon rehberidir; nas\u0131l \u00e7al\u0131\u015ft\u0131\u011f\u0131n\u0131 <a href=\"https:\/\/secradar.net\/blog\/dns-kayit-tipleri-rehberi\">DNS kay\u0131t tipleri rehberimizde<\/a> ve <a href=\"https:\/\/secradar.net\/blog\/dns-cozumleme-nasil-calisir-dns-trace\">DNS \u00e7\u00f6z\u00fcmleme yaz\u0131m\u0131zda<\/a> ele alm\u0131\u015ft\u0131k. Sorun \u015fu: klasik DNS 1980&#8217;lerde tasarland\u0131 ve yan\u0131tlar\u0131 <strong>imzalanmaz<\/strong>. Bir resolver bir alan ad\u0131 sordu\u011funda, d\u00f6nen cevab\u0131n ger\u00e7ekten yetkili sunucudan gelip gelmedi\u011fini kriptografik olarak do\u011frulayamaz.<\/p>\n<p>Bu a\u00e7\u0131k, <strong>DNS cache poisoning (\u00f6nbellek zehirlenmesi)<\/strong> sald\u0131r\u0131s\u0131na kap\u0131 aralar: sald\u0131rgan, resolver&#8217;a sahte bir DNS yan\u0131t\u0131 enjekte ederek belirli bir alan ad\u0131n\u0131 kendi kontrol\u00fcndeki bir IP&#8217;ye y\u00f6nlendirebilir. Kurban <code>bankam.com<\/code> yazar, adres \u00e7ubu\u011fu do\u011fru g\u00f6r\u00fcn\u00fcr ama asl\u0131nda sald\u0131rgan\u0131n sunucusuna gider. Bu, oltalama ve ortadaki-adam (MITM) sald\u0131r\u0131lar\u0131n\u0131n \u00e7ok g\u00fc\u00e7l\u00fc bir bi\u00e7imidir.<\/p>\n<h2>DNSSEC Bu Sorunu Nas\u0131l \u00c7\u00f6zer?<\/h2>\n<p>DNSSEC, her DNS yan\u0131t\u0131na bir <strong>dijital imza<\/strong> ekler. Alan ad\u0131 sahibi kay\u0131tlar\u0131n\u0131 \u00f6zel anahtar\u0131yla imzalar; resolver ise kar\u015f\u0131l\u0131k gelen genel anahtarla bu imzay\u0131 do\u011frular. \u0130mza tutuyorsa yan\u0131t ger\u00e7ek ve de\u011fi\u015ftirilmemi\u015ftir; tutmuyorsa resolver yan\u0131t\u0131 reddeder.<\/p>\n<p>Kritik nokta \u015fudur: DNSSEC bir <strong>g\u00fcven zinciri<\/strong> olu\u015fturur. K\u00f6k b\u00f6lge (root), TLD&#8217;yi (\u00f6rn. .com) imzalar; TLD, sizin alan ad\u0131n\u0131z\u0131n anahtar\u0131n\u0131 imzalar; siz de kendi kay\u0131tlar\u0131n\u0131z\u0131 imzalars\u0131n\u0131z. Bu zincir, k\u00f6kten alan ad\u0131n\u0131za kadar kesintisiz uzan\u0131r \u2014 t\u0131pk\u0131 SSL sertifikalar\u0131ndaki g\u00fcven zinciri gibi. Zincirin her halkas\u0131 bir \u00fcstteki taraf\u0131ndan do\u011frulan\u0131r.<\/p>\n<p>\u00d6nemli bir ayr\u0131m: <strong>DNSSEC gizlilik sa\u011flamaz.<\/strong> DNS trafi\u011fini \u015fifrelemez, yaln\u0131zca <em>b\u00fct\u00fcnl\u00fc\u011f\u00fcn\u00fc ve do\u011frulu\u011funu<\/em> garanti eder. Trafi\u011fi \u015fifrelemek (gizlilik) i\u00e7in <a href=\"https:\/\/secradar.net\/blog\/sifreli-dns-doh-dot-nedir\">DoH\/DoT (\u015eifreli DNS)<\/a> kullan\u0131l\u0131r. \u0130kisi farkl\u0131 ama\u00e7lara hizmet eder ve birlikte kullan\u0131labilir: DoH\/DoT &#8220;kimse dinlemesin&#8221;, DNSSEC &#8220;kimse kand\u0131rmas\u0131n&#8221; der.<\/p>\n<h2>DNSSEC Kay\u0131tlar\u0131: DNSKEY, RRSIG, DS ve NSEC<\/h2>\n<p>DNSSEC birka\u00e7 yeni kay\u0131t tipi ekler:<\/p>\n<ul>\n<li><strong>DNSKEY<\/strong> \u2014 Alan ad\u0131n\u0131z\u0131n imza do\u011frulamas\u0131 i\u00e7in kullan\u0131lan genel anahtar\u0131n\u0131 tutar. \u0130ki t\u00fcr anahtar vard\u0131r: ZSK (Zone Signing Key) kay\u0131tlar\u0131 imzalar, KSK (Key Signing Key) ise DNSKEY setini imzalar.<\/li>\n<li><strong>RRSIG<\/strong> \u2014 Her kay\u0131t k\u00fcmesinin (A, MX, TXT vb.) dijital imzas\u0131d\u0131r. Resolver, kayd\u0131 ve RRSIG&#8217;i birlikte al\u0131p DNSKEY ile do\u011frular.<\/li>\n<li><strong>DS (Delegation Signer)<\/strong> \u2014 \u00dcst b\u00f6lgeye (TLD\/registry) konulan, sizin KSK&#8217;nizin \u00f6zetidir (hash). G\u00fcven zincirini kuran halka budur: TLD, sizin anahtar\u0131n\u0131za DS kayd\u0131yla &#8220;g\u00fcveniyorum&#8221; der.<\/li>\n<li><strong>NSEC \/ NSEC3<\/strong> \u2014 Bir kayd\u0131n ger\u00e7ekten <em>var olmad\u0131\u011f\u0131n\u0131<\/em> kan\u0131tlar (authenticated denial of existence). Sahte &#8220;kay\u0131t yok&#8221; yan\u0131tlar\u0131n\u0131 engeller.<\/li>\n<\/ul>\n<p>Pratikte en kritik ad\u0131m, DNS sa\u011flay\u0131c\u0131n\u0131z\u0131n \u00fcretti\u011fi <strong>DS kayd\u0131n\u0131 registrar&#8217;a (alan ad\u0131 firman\u0131za) eklemektir<\/strong>; g\u00fcven zinciri ancak o zaman tamamlan\u0131r.<\/p>\n<h2>DNSSEC Nas\u0131l Etkinle\u015ftirilir?<\/h2>\n<p>S\u00fcre\u00e7 sa\u011flay\u0131c\u0131ya g\u00f6re de\u011fi\u015fse de temel ad\u0131mlar \u015funlard\u0131r:<\/p>\n<ol>\n<li><strong>DNS sa\u011flay\u0131c\u0131n\u0131zda DNSSEC&#8217;i a\u00e7\u0131n.<\/strong> Cloudflare, Route 53, Google Cloud DNS ve \u00e7o\u011fu modern panelde tek t\u0131kla imzalama (zone signing) yap\u0131l\u0131r; sa\u011flay\u0131c\u0131 DNSKEY ve RRSIG kay\u0131tlar\u0131n\u0131 otomatik \u00fcretir.<\/li>\n<li><strong>DS kayd\u0131n\u0131 al\u0131n.<\/strong> Sa\u011flay\u0131c\u0131 size bir DS kayd\u0131 (key tag, algoritma, digest tipi ve digest de\u011feri) verir.<\/li>\n<li><strong>DS kayd\u0131n\u0131 registrar&#8217;a girin.<\/strong> Alan ad\u0131n\u0131z\u0131 tescil etti\u011finiz firman\u0131n panelinde &#8220;DNSSEC&#8221; b\u00f6l\u00fcm\u00fcne bu DS kayd\u0131n\u0131 ekleyin. Bu, TLD&#8217;ye &#8220;benim anahtar\u0131ma g\u00fcven&#8221; demektir.<\/li>\n<li><strong>Do\u011frulay\u0131n.<\/strong> Yay\u0131l\u0131m (birka\u00e7 saat) sonras\u0131 g\u00fcven zincirinin kuruldu\u011funu kontrol edin.<\/li>\n<\/ol>\n<p><strong>Dikkat:<\/strong> DNS sa\u011flay\u0131c\u0131n\u0131z\u0131 de\u011fi\u015ftirirken veya anahtar d\u00f6nd\u00fcr\u00fcrken (key rollover) DS kayd\u0131n\u0131 do\u011fru s\u0131rayla g\u00fcncellemezseniz, alan ad\u0131n\u0131z DNSSEC do\u011frulayan resolver&#8217;larda tamamen <strong>\u00e7\u00f6z\u00fcmlenemez<\/strong> h\u00e2le gelir (SERVFAIL) \u2014 yani site eri\u015filemez olur. Bu y\u00fczden sa\u011flay\u0131c\u0131 ge\u00e7i\u015flerini planl\u0131 yap\u0131n.<\/p>\n<h2>DNSSEC Durumunu Nas\u0131l Kontrol Edersiniz?<\/h2>\n<p>Alan ad\u0131n\u0131zda DNSSEC&#8217;in etkin olup olmad\u0131\u011f\u0131n\u0131 g\u00f6rmek kolayd\u0131r:<\/p>\n<ul>\n<li><a href=\"https:\/\/secradar.net\/whois-sorgulama\">WHOIS Sorgulama<\/a> \u2014 Alan ad\u0131 sorgusunda DNSSEC&#8217;in imzal\u0131 (signed) olup olmad\u0131\u011f\u0131 g\u00f6sterilir; registrar taraf\u0131ndaki DS delegasyonunu yans\u0131t\u0131r.<\/li>\n<li><a href=\"https:\/\/secradar.net\/dns-sorgulama\">DNS Sorgulama<\/a> \u2014 Alan ad\u0131n\u0131z\u0131n DNS kay\u0131tlar\u0131n\u0131 ve yap\u0131land\u0131rmas\u0131n\u0131 inceleyin.<\/li>\n<li><a href=\"https:\/\/secradar.net\/dns-trace\">DNS Trace<\/a> \u2014 \u00c7\u00f6z\u00fcmleme zincirini k\u00f6kten yetkiliye ad\u0131m ad\u0131m izleyerek delegasyonun sa\u011fl\u0131kl\u0131 oldu\u011funu do\u011frulay\u0131n.<\/li>\n<\/ul>\n<p>Komut sat\u0131r\u0131nda ise <code>dig +dnssec example.com<\/code> ile RRSIG kay\u0131tlar\u0131n\u0131, <code>dig DS example.com<\/code> ile de \u00fcst b\u00f6lgedeki DS kayd\u0131n\u0131 g\u00f6rebilirsiniz.<\/p>\n<h2>DNSSEC&#8217;in S\u0131n\u0131rlar\u0131 ve Yayg\u0131n Yan\u0131lg\u0131lar<\/h2>\n<ul>\n<li><strong>Gizlilik sa\u011flamaz:<\/strong> Yukar\u0131da belirtti\u011fimiz gibi trafi\u011fi \u015fifrelemez; bunun i\u00e7in DoH\/DoT gerekir.<\/li>\n<li><strong>Sunucu g\u00fcvenli\u011fini sa\u011flamaz:<\/strong> DNSSEC yaln\u0131zca DNS yan\u0131t\u0131n\u0131n do\u011frulu\u011funu garanti eder; hedef sunucunun kendisi ele ge\u00e7irilmi\u015fse koruma sa\u011flamaz.<\/li>\n<li><strong>Uygulama karma\u015f\u0131kt\u0131r:<\/strong> Yanl\u0131\u015f anahtar y\u00f6netimi siteyi tamamen eri\u015filemez yapabilir; bu, DNSSEC&#8217;in yava\u015f yay\u0131lmas\u0131n\u0131n ba\u015fl\u0131ca sebebidir.<\/li>\n<li><strong>Her yerde do\u011frulanmaz:<\/strong> DNSSEC korumas\u0131, kullan\u0131c\u0131n\u0131n resolver&#8217;\u0131n\u0131n da DNSSEC do\u011frulamas\u0131 yapmas\u0131na ba\u011fl\u0131d\u0131r (b\u00fcy\u00fck halka a\u00e7\u0131k resolver&#8217;lar yapar).<\/li>\n<\/ul>\n<h2>\u00d6zetle<\/h2>\n<p>DNSSEC, klasik DNS&#8217;in imzas\u0131z yap\u0131s\u0131ndan kaynaklanan cache poisoning ve DNS sahtecili\u011fi a\u00e7\u0131klar\u0131n\u0131 kapatan g\u00fc\u00e7l\u00fc bir g\u00fcvenlik katman\u0131d\u0131r. Alan ad\u0131n\u0131z i\u00e7in etkinle\u015ftirmek, ziyaret\u00e7ilerinizi sahte y\u00f6nlendirmelere kar\u015f\u0131 korur ve markan\u0131z\u0131n b\u00fct\u00fcnl\u00fc\u011f\u00fcn\u00fc g\u00fc\u00e7lendirir. Ancak anahtar y\u00f6netimi titizlik ister; sa\u011flay\u0131c\u0131 ge\u00e7i\u015flerinde DS kayd\u0131n\u0131 do\u011fru y\u00f6netin.<\/p>\n<p>DNSSEC ve DNS yap\u0131land\u0131rman\u0131z\u0131 <a href=\"https:\/\/secradar.net\/whois-sorgulama\">WHOIS<\/a>, <a href=\"https:\/\/secradar.net\/dns-sorgulama\">DNS Sorgulama<\/a> ve <a href=\"https:\/\/secradar.net\/dns-trace\">DNS Trace<\/a> ara\u00e7lar\u0131m\u0131zla denetleyebilirsiniz. G\u00fcvenilir DNS ve alan ad\u0131 hizmetleri i\u00e7in <a href=\"https:\/\/www.ihs.com.tr\/\" target=\"_blank\" rel=\"noopener\">\u0130HS Telekom<\/a>&#8216;u inceleyebilirsiniz.<\/p>\n<div style=\"background:#eef2ff;border:1px solid #c7d2fe;border-radius:12px;padding:16px;margin-top:24px\"><b>DNS ve alan ad\u0131 g\u00fcvenli\u011finizi s\u00fcrekli izleyin.<\/b> <a href=\"https:\/\/secradar.net\/register\">SecRadar&#8217;a \u00fccretsiz \u00fcye olun<\/a>; DNS kay\u0131tlar\u0131n\u0131z, NS sunucular\u0131n\u0131z veya SSL sertifikan\u0131z de\u011fi\u015fti\u011finde Telegram ya da e-posta ile an\u0131nda uyar\u0131 al\u0131n.<\/div>\n","protected":false},"excerpt":{"rendered":"<p>DNSSEC (DNS Security Extensions), DNS yan\u0131tlar\u0131n\u0131 dijital imzayla do\u011frulayarak, ald\u0131\u011f\u0131n\u0131z DNS cevab\u0131n\u0131n ger\u00e7ekten yetkili sunucudan geldi\u011fini ve yolda de\u011fi\u015ftirilmedi\u011fini garanti eden bir g\u00fcvenlik katman\u0131d\u0131r. Klasik DNS&#8217;in en b\u00fcy\u00fck a\u00e7\u0131\u011f\u0131n\u0131 \u2014 yan\u0131tlar\u0131n imzas\u0131z ve sahtelenebilir olmas\u0131n\u0131 \u2014 kapat\u0131r. Bu yaz\u0131da DNS&#8217;in neden g\u00fcvensiz oldu\u011funu, DNSSEC&#8217;in bunu nas\u0131l \u00e7\u00f6zd\u00fc\u011f\u00fcn\u00fc, hangi kay\u0131tlar\u0131 (DNSKEY, RRSIG, DS) kulland\u0131\u011f\u0131n\u0131 ve alan &#8230; <a title=\"DNSSEC Nedir? DNS G\u00fcvenli\u011fi ve Cache Poisoning&#8217;e Kar\u015f\u0131 Koruma\" class=\"read-more\" href=\"https:\/\/secradar.net\/blog\/dnssec-nedir-dns-guvenligi\/\" aria-label=\"Read more about DNSSEC Nedir? DNS G\u00fcvenli\u011fi ve Cache Poisoning&#8217;e Kar\u015f\u0131 Koruma\">Devam\u0131n\u0131 oku<\/a><\/p>\n","protected":false},"author":0,"featured_media":64,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-65","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-dns"],"_links":{"self":[{"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/posts\/65","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/comments?post=65"}],"version-history":[{"count":0,"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/posts\/65\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/media\/64"}],"wp:attachment":[{"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/media?parent=65"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/categories?post=65"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/tags?post=65"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}