diff --git a/src/registrar/config/settings.py b/src/registrar/config/settings.py
index f85143ea89..68a07da11b 100644
--- a/src/registrar/config/settings.py
+++ b/src/registrar/config/settings.py
@@ -136,6 +136,8 @@
     "allow_cidr.middleware.AllowCIDRMiddleware",
     # django-cors-headers: listen to cors responses
     "corsheaders.middleware.CorsMiddleware",
+    # custom middleware to stop caching from CloudFront
+    "registrar.no_cache_middleware.NoCacheMiddleware",
     # serve static assets in production
     "whitenoise.middleware.WhiteNoiseMiddleware",
     # provide security enhancements to the request/response cycle
diff --git a/src/registrar/no_cache_middleware.py b/src/registrar/no_cache_middleware.py
new file mode 100644
index 0000000000..6f509b9d6b
--- /dev/null
+++ b/src/registrar/no_cache_middleware.py
@@ -0,0 +1,18 @@
+"""Middleware to add Cache-control: no-cache to every response.
+
+Used to force Cloudfront caching to leave us alone while we develop
+better caching responses.
+"""
+
+
+class NoCacheMiddleware:
+
+    """Middleware to add a single header to every response."""
+
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        response = self.get_response(request)
+        response["Cache-Control"] = "no-cache"
+        return response
diff --git a/src/zap.conf b/src/zap.conf
index b4e037ae4a..61b3c1886f 100644
--- a/src/zap.conf
+++ b/src/zap.conf
@@ -62,6 +62,9 @@
 10038 OUTOFSCOPE http://app:8080/delete
 10038 OUTOFSCOPE http://app:8080/withdraw
 10038 OUTOFSCOPE http://app:8080/withdrawconfirmed
+10038 OUTOFSCOPE http://app:8080/dns
+10038 OUTOFSCOPE http://app:8080/dnssec
+10038 OUTOFSCOPE http://app:8080/dns/dnssec
 # This URL always returns 404, so include it as well.
 10038 OUTOFSCOPE http://app:8080/todo
 # OIDC isn't configured in the test environment and DEBUG=True so this gives a 500 without CSP headers
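Review bot: The new `"registrar.no_cache_middleware.NoCacheMiddleware"` entry is placed before `"whitenoise.middleware.WhiteNoiseMiddleware"`, and since Django runs the response half of the middleware chain in reverse order, every static-asset response WhiteNoise produces will also pass back through NoCacheMiddleware and have its Cache-Control replaced with `no-cache`. If the goal is only to keep CloudFront from caching application pages, that presumably discards the long-lived caching WhiteNoise sets for hashed static files; listing the entry after WhiteNoise would leave static assets untouched. Either way, a short comment stating whether static assets are deliberately included would make the placement self-explanatory, e.g. `# custom middleware to stop CloudFront caching (intentionally also covers WhiteNoise static responses)`. The enclosing MIDDLEWARE list starts and ends outside the hunk.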
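Review bot: `response["Cache-Control"] = "no-cache"` in `__call__` overwrites whatever Cache-Control a view has already set, so a stricter value such as the `private, no-store` directives Django's `never_cache` emits for authenticated pages is silently downgraded to a bare `no-cache`, which still lets a shared cache store the response and serve it after revalidation. Merging the directive instead preserves the existing ones: `from django.utils.cache import patch_cache_control` at module level and `patch_cache_control(response, no_cache=True)` in place of the assignment. The module docstring should also spell out that this applies to every response, including those with a view-level caching policy, so a future reader knows the trade-off; the header name in the docstring (`Cache-control`) should match the actual `Cache-Control` header as well.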
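Review bot: The three new `10038 OUTOFSCOPE` entries for `/dns`, `/dnssec` and `/dns/dnssec` carry no comment explaining why they are excluded from ZAP's CSP-header rule, unlike the `/todo` line below them which documents its reason. Excluding a route from rule 10038 means a missing Content-Security-Policy header on it will no longer be reported, so the reason should be recorded next to the entries (for instance `# These routes redirect/return an error before CSP headers are added` if that is the case); without it a reader cannot tell a legitimate exclusion from a suppressed finding.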