DNS Isn’t Designed for Security. That’s Why DNSSEC Was Developed to Prevent Online Attacks
We are sure you know the meaning of a domain name. And, if you’re interested in learning about DNSSEC, then you might know what DNS is as well. For those who don’t, we are going to take you through a quick DNS refresher and look at what DNSSEC is.
What Is DNS?
DNS (Domain Name System) is the protocol that lets Internet users reach websites by human-friendly names. DNS works like the internet’s phonebook: users access any website by entering a human-friendly domain name in the web browser, and the browser uses DNS to translate that name into an IP (Internet Protocol) address before opening the website.
The internet doesn’t work with names the way humans do, so registered domain names are translated into numeric addresses that the internet can route with the help of DNS. For instance, DNS is responsible for translating a domain name such as www.websitesecuritystore.com into a numeric IP address. This translation uses the DNS servers where the domain’s records are stored.
Basic Understanding of How DNS Works
As mentioned earlier, DNS is often called the internet’s phonebook because it finds IP addresses (which are like the home addresses of the internet). DNS translation happens in several steps, starting from the root zone (the top level of the directory service).
For example, when someone enters a domain name such as www.websitesecuritystore.com in the browser:
- The DNS resolver asks the root zone (directory) where to find the directory called “.com.”
- Once the “.com” directory is found, the resolver asks the “.com” directory where to find the directory “websitesecuritystore.com.”
- Finally, it asks the “websitesecuritystore.com” directory, which returns the requested IP address for “www.websitesecuritystore.com.”
DNS wasn’t designed with security in mind, and DNS itself isn’t secure, so it is often vulnerable to online attacks. Because of this, attackers can perform DNS hijacking at any of the steps mentioned above. Fortunately, DNSSEC (Domain Name System Security Extensions) was created to prevent attacks on DNS.
What Is DNSSEC?
DNSSEC (Domain Name System Security Extensions) is a suite of IETF (Internet Engineering Task Force) specifications that secures the essential information DNS (Domain Name System) provides on IP (Internet Protocol) networks. In other words, it is an extension to DNS that lets DNS clients (resolvers) cryptographically authenticate DNS data, using digital signatures to make sure users are communicating with the website they intended to visit.
Put differently, DNSSEC protects internet users from forged DNS data: authoritative zone data is digitally signed with public-key cryptography when it enters the system, and resolvers validate those signatures before passing the data on to its destination.
Here’s How DNSSEC Works
DNSSEC works by digitally signing every DNS record, so any tampered record can be caught. The signatures and keys are themselves stored as DNS records and distributed like any other records within the DNS, which is what keeps DNSSEC backward compatible.
In DNSSEC, the keys at each layer of the DNS hierarchy are signed with keys from the layer above (the parent), which vouches for those records, just as domain names are delegated from one layer to the next. This is known as the “chain of trust.” A validating resolver checks the digital signature on every record protected by DNSSEC, so any change to those records is detected.
It uses digital signatures and public keys for data verification, and to do so it adds new record types to DNS, such as:
- RRSIG – Holds the cryptographic signatures.
- DNSKEY – Holds the public signing keys.
- NSEC & NSEC3 – Provide authenticated denial of existence for DNS records that don’t exist.
- DS – Holds hashes of DNSKEY records; published in the parent zone to point at the child zone’s key.
- CDNSKEY & CDS – Let a child zone request DS updates from its parent zone.
- ZSKs (Zone-signing Keys) – Each has a private and a public portion; they sign and validate specific record sets within a zone.
- KSKs (Key-signing Keys) – Used for signing the DNSKEY records.
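The DS/DNSKEY link in the chain of trust described above, as an added example that is not code from the article: it builds a constructed DNSKEY for example.com, derives the DS record its parent would publish (key tag per RFC 4034 plus a SHA-256 digest over the owner name and DNSKEY RDATA), and checks whether a given DNSKEY is the one the parent vouches for. The key bytes are placeholders, not a real key.

```python
import hashlib
import hmac

# Constructed example data (not from the article): a child-zone KSK for example.com
# using algorithm 13 (ECDSA P-256/SHA-256) with a 64-byte placeholder public key,
# and the SHA-256 DS record the parent (.com) would publish for it.
ALG_ECDSAP256SHA256 = 13
DIGEST_SHA256 = 2
KSK_FLAGS = 257          # zone key + SEP bit, i.e. a key-signing key

def name_to_wire(name: str) -> bytes:
    """Canonical owner name: lowercase, length-prefixed labels, terminated by the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm number, key material."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (RFC 4034, Appendix B): a 16-bit sum with the carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS record the parent publishes: (key tag, algorithm, digest type, digest).
    The digest covers the canonical owner name followed by the whole DNSKEY RDATA."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], DIGEST_SHA256, digest)

def verify_ds(owner: str, rdata: bytes, ds: tuple) -> bool:
    """One link of the chain of trust: does the parent's DS vouch for this child DNSKEY?"""
    tag, alg, dtype, digest = ds
    if dtype != DIGEST_SHA256 or alg != rdata[3] or tag != key_tag(rdata):
        return False
    expected = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return hmac.compare_digest(expected, digest)

KSK_RDATA = dnskey_rdata(KSK_FLAGS, ALG_ECDSAP256SHA256, bytes(range(64)))
PARENT_DS = make_ds("example.com.", KSK_RDATA)
# A key swapped in by an attacker (one byte changed) no longer matches the parent's DS.
TAMPERED_RDATA = KSK_RDATA[:-1] + bytes([KSK_RDATA[-1] ^ 0x01])
if __name__ == "__main__":
    print("key tag:", key_tag(KSK_RDATA), "DS digest:", PARENT_DS[3].hex())
    print("genuine key validates:", verify_ds("example.com.", KSK_RDATA, PARENT_DS))
    print("tampered key validates:", verify_ds("example.com.", TAMPERED_RDATA, PARENT_DS))
```

A real validator does the same comparison at every delegation, from the root’s trust anchor down to the zone being queried, and then checks the RRSIG over the answer with the DNSKEY that survived this check.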
Benefits of Enabling DNSSEC
- It protects against online attacks like DNS spoofing attacks, cache poisoning attacks, MITM attacks, etc.
- Increases user confidence and trust for online activities like VoIP, eCommerce, etc.
Disadvantage of Enabling DNSSEC
- It adds complexity on both the end-client and the server side.
- Support among DNS servers and TLDs is limited.
- It can be an additional expense if you move your DNS to a managed DNS provider to reduce that complexity.
Wrapping Up
Though DNSSEC also uses a private and public key pair, it is not the same as an SSL/TLS certificate. DNSSEC only lets DNS servers and resolvers detect and prevent attacks on DNS answers, such as MITM attacks. DNSSEC doesn’t address all of the internet’s security woes, and for more comprehensive website security you should look at secure hosting providers. However, for making the directory lookup process safer, DNSSEC is very useful.