As you know, the Domain Name System (DNS) infrastructure is the soul of pretty much everything on the Internet. There’s no web hosting, e-mail or messaging services, etc., that can exist online without the DNS.
And being that important, yes, the DNS has its Achilles heel: security. Its focus is not there, and that makes it vulnerable. But don’t worry, DNSSEC already exists! A reliable choice to boost security!
What is DNSSEC?
DNSSEC or Domain Name System Security Extensions is a suite of extension specifications for encrypting DNS records sets and proving the original authoritative nameserver. It’s not about cryptographically signing DNS requests and answers but directly signing DNS data by their owner.
Then, if a criminal (man-in-the-middle) manages to snatch these DNS records, they will be unreadable due to the encryption.
DNSSEC serves for authentication, too, through digital signatures that use public-private key cryptography combinations. Each DNS zone owns its key pair (public/private).
A big DNSSEC advantage is it covers every domain’s level. From the very top, the root, all the way down to the hostname. It builds sort of a chain of trust all across the DNS tree. Every level up verifies the one below through the combined use of the public and private keys. If there’s a failure on one of the levels, the chain gets broken. Therefore data is considered unreliable.
Let’s try an example of the hierarchical digital authentication DNSSEC practices. Think about an exampledomain.net lookup. .Net nameserver authenticates the zone below, which is exampledomain.net.
DNSSEC DNS record types.
DNSSEC adds the following DNS records in order to enable signature validation.
DNSKEY. This record holds the public key that can verify RRSIG.
DS. It’s a delegation signer, and it contains the DNSKEY record’s hash and is put in the parent zone to verify the one under.
RRSIG. It holds the signature for the recordset.
NSEC, NSEC3. Used for denial-of-existence of a DNS record, and to link to the next secure record.
How does DNSSEC boost security?
DNSSEC boosts your security, providing you with the tools (suite) to ensure that DNS records are not altered. This strengthens your protection and decreases the chances for criminal attempts like DNS cache poisoning (DNS spoofing). When a criminal manages to alter DNS records on the fly, the client receives them and gets dragged to a different server controlled by the criminal.
Besides, DNSSEC allows you to authenticate the source of DNS data. By now, you should know about the frequency and different techniques criminals use to attack the DNS. This authentication feature is really significant. To have the certainty that data really belongs to the source they claim to be, meaning to the right authoritative name server, is gold. This reduces the chances of fake servers operating successfully.
If you activate DNSSEC, DNS recursive servers can authenticate data they work with really come from a legit source, so it’s reliable. Fake data will be discarded. And if by any chance the recursive can’t authenticate data, they won’t use them to keep the security. They will retry the authentication process to avoid the use of unreliable or forged data.
The use of DNSSEC to keep the DNS security is a good decision. Online risks and direct attacks to the DNS are not uncommon nowadays. Of course, DNSSEC costs, but you know that prevention always will be cheaper than the cost of fixing the unfortunate consequences of a criminal attack.