DNS and Digital Sovereignty
Sovereignty, adversarial risk, and technical exposure in DNS — and how CNX addresses each.
Control over DNS is control over access to your services. Whoever determines where your domain resolves determines who reaches your applications, whether your services are reachable at all, and where your users land when they believe they are coming to you.
Most security frameworks treat DNS as infrastructure. It is also a jurisdiction question, a sovereignty question, and a technical control question — and the three are connected. An institution can invest heavily in application security, authentication, and network perimeter controls while leaving the access control layer itself — DNS — under foreign jurisdiction, on a single reachable server, or unsigned and open to fabrication. When DNS fails or is manipulated, none of those downstream controls matter. The user never arrives.
For Cambodian financial institutions and government services, DNS control has three dimensions that require explicit answers: jurisdictional, sovereign, and technical. This page addresses each.
Sovereignty and jurisdiction
DNS operators are subject to the laws of the jurisdictions in which they operate. A DNS provider based in the United States, Singapore, or anywhere outside Cambodia is subject to foreign law. That government can compel the provider to modify, suppress, or redirect your DNS records — without notifying you, without Cambodian regulatory oversight, and with no obligation to inform NBC or any other Cambodian authority.
This is not an edge case. It is the standard legal exposure of any institution whose DNS is hosted outside Cambodia. The domain resolves correctly until, under circumstances the institution cannot observe in advance, it does not. The modification can be targeted at a specific record — an API endpoint, a payment gateway, a verification token — rather than the entire domain. It can be silent and precise.
NBC TCRMG requires institutions to document where their data flows, who has access to it, and under which legal framework that access is governed. DNS hosted outside Cambodia produces a structural gap in that evidence. The gap is architectural, not a matter of policy wording — no internal policy closes an external legal dependency.
CNX response: CNX DNS operates exclusively inside Cambodia, licensed by the Ministry of Post and Telecommunications. All DNS operations — query resolution, key signing, zone management — are subject to Cambodian legal process and Cambodian regulatory oversight. No foreign legal instrument reaches the infrastructure.
Adversarial risk
Authoritative DNS servers are a primary attack target because they must respond to any query — including queries from an attacker. The attack surface is structural and cannot be eliminated, only managed through architecture.
Volumetric attacks and amplification
In 2018, three successive DDoS waves targeted Cambodia's four major ISPs simultaneously. The third peaked at 400 Gbps and held for ten to twelve hours. DNS amplification was one of the primary attack vectors — a small forged query producing a large response, multiplied across thousands of sources. The attack demonstrated that Cambodia's DNS infrastructure, concentrated at a small number of reachable endpoints, was exploitable at scale.
In 2025, a Cambodian government domain came under a DNS flood. The authoritative server went offline at approximately 60,000 queries per second — not an exceptional attack by global standards, simply a script running until the server stopped responding. The domain was dark for the duration.
NXDOMAIN floods
A sustained attack pattern against authoritative nameservers is the NXDOMAIN flood: queries for names that do not exist, each requiring the server to generate and sign a denial-of-existence response. Unlike amplification, which can be rate-limited at the network, NXDOMAIN floods generate legitimate-looking query traffic that the server cannot refuse. CNX has tested DNS Shield infrastructure against sustained NXDOMAIN floods at millions of queries — the attack patterns modelled on observed regional incidents — as part of ongoing capacity validation.
Spoofing, hijacking, and cache poisoning
Without DNSSEC, a DNS response can be fabricated by any party with network access between a resolver and the authoritative server. Cache poisoning — injecting a forged record into a resolver's cache — can redirect users to attacker-controlled infrastructure silently, with no indication at the application layer. An unsigned domain is vulnerable for the duration its records are cached, across every resolver that has queried it.
CNX response: DNS Shield uses anycast to eliminate single points of failure — the same IP announced from multiple independent locations, with domestic nodes structurally unreachable from the public internet. International edge nodes act as regional traffic sinks, absorbing volumetric attacks at the geographic source before they can enter Cambodia. DNSSEC is enabled on every zone by default, using ECDSAP256SHA256 — the RECOMMENDED algorithm under RFC 8624 — making spoofing and cache poisoning cryptographically detectable. During any attack, Cambodian users continue to receive answers normally.
Technical risk
Single points of failure
A domain hosted on a single authoritative nameserver, or on a small number of servers in the same geographic or network location, has no resilience against hardware failure, network partition, or targeted attack. When the server is unreachable, the domain is unreachable. Recovery time depends entirely on the operator's ability to restore a functional nameserver — during which the domain is dark.
Zone incompleteness after recovery
When a DNS provider reconstructs a zone from a scan of publicly-reachable records rather than from an authoritative zone transfer, the reconstruction is necessarily incomplete. A scanner queries for common record types — A, AAAA, MX, NS — but has no way to discover records with unpredictable names: DKIM selectors, SPF policies, DMARC configuration, verification tokens, API endpoint definitions. After a recovery event, the domain may appear to function while the email authentication layer and application infrastructure records are missing. The failure is silent at the DNS level and only visible when emails begin to fail delivery or application verifications stop working.
International link dependency
Authoritative DNS hosted overseas requires an international round trip for every resolution from inside Cambodia. More critically, when international connectivity is disrupted — subsea cable faults have affected Southeast Asia multiple times — an overseas authoritative server becomes unreachable from Cambodia even when local servers are running and local users are present. Both sides of the connection are local; only the DNS is not.
Key management exposure
DNSSEC signing keys held in software, on general-purpose servers, or at a foreign provider are keys that can be extracted, compelled under foreign legal process, or lost in a recovery scenario. A key that an attacker can obtain is a key that can be used to forge DNSSEC-signed responses — defeating the protection DNSSEC is meant to provide. Key rollover managed manually introduces maintenance windows during which DNSSEC validation can fail silently if the rollover is not completed correctly.
Carrier resolver dependency
Authoritative DNS governs where your domain resolves. Recursive DNS governs how your users' queries travel to reach that answer. In Cambodia, carrier-assigned resolvers typically point to overseas infrastructure. A financial application with servers and authoritative DNS both inside Cambodia can still have its query path routed overseas for recursive resolution — placing query metadata outside Cambodian jurisdiction and adding latency in both directions.
CNX response: DNS Shield runs across multiple independent domestic nodes with no single point of failure. Every node holds a complete, cryptographically-signed copy of your zone — received by authenticated zone transfer, not reconstructed by scanning. Signing keys are generated and stored in hardware security modules inside Cambodia, non-exportable by hardware design, with automated rollover and full audit logging. For applications requiring end-to-end sovereign transaction paths — including DNS resolution for all protected calls — see Zero Trust Access.