DNS Isn’t Designed for Security. Due to This, DNSSEC Was Developed for Preventing Online Attacks
We are sure you know the meaning of a domain name. And, if you’re interested in learning about DNSSEC, then you might know what DNS is as well. For those who don’t, we are going to take you through a quick DNS refresher and look at what DNSSEC is.
What Is DNS?
DNS (Domain Name Server) is a type of protocol that allows Internet users to discover websites in a human-friendly way. DNS (Domain Name System) is similar to the internet’s phonebook. Users can access any website by entering human-friendly domain names in the web browser. The web browser further translates it into IP (Internet Protocol) addresses to open that website.
The internet doesn’t work the way we humans do, so to overcome this barrier, these registered domain names are further translated into a language that the internet can understand with the help of DNS. For instance, DNS takes the responsibility of translating domain names such as www.websitesecuritystore.com into a numeric IP address. This translation is done within a DNS server where all the information of the domain is stored.
Basic Understanding of How DNS Works
As mentioned earlier, DNS is often called the internet’s phonebook because of its ability to find IP addresses (which are like the home addresses of the internet). And DNS translation happens in different steps, starting from the root Zone (also called the top level of directory service).
For example, whenever someone enters any domain name in the browser, such as www.websitesecuritystore.com.
- DNS resolver asks the root Zone (directory) to look for the directory called “.com.”
- Once the “.com” directory is found, the resolver will ask the directory “.com” where to look for the directory “websitesecuritystore.com.”
- Finally, it’ll ask the directory “websitesecuritystore.com,” where it’ll get the full IP address that’s requested, which is of “www.websitesecuritystore.com.”
DNS isn’t designed with security in mind, and DNS itself isn’t secure. DNS often becomes vulnerable to online attacks. And due to this, hackers can perform DNS hijacking on any of the steps mentioned above. Fortunately, to prevent attacks on DNS, DNSSEC (Domain Name System Security Extensions) is made.
What Is DNSSEC?
DNSSEC (Domain Name System Security Extension) is an IETF specification (Internet Engineering Task Force) suite that helps to secure essential information provided by the DNS (Domain Name System) that are used on IP (Internet Protocols) networks. In other words, it’s an extension for DNS that helps to provide DNS clients (resolvers) DNS data in cryptographic authentication. And, to make sure that users are communicating with the website they intended to visit, with the use of a digital signature.
In other words, DNSSEC helps in protecting the internet users from fake DNS data with the help of public-key cryptography for signing authoritative zone data digitally whenever it comes within the system and, after signing it, validates for further destination.
Here’s How DNSSEC Works
DNSSEC works by digitally signing every DNS record. So, any tampered record can get caught. In DNSSEC, digital signatures and keys are used to create DNS records. It is then distributed further like any other records within the DNS, making backward compatibility in DNSSEC.
In DNSSEC, keys in every DNS hierarchy layer are signed with keys from the preceding layer that vouches for those records. Likewise, domain names get delegated from one layer to another. This process is known as the “chain of trust.” The process validates the digital signature along with all the records protected by DNSSEC so it can be detected if any change occurs.
It makes use of digital signatures and public keys for data verification. And, for doing so, it adds new records to the DNS settings, such as:
- RRSIG – It’s responsible for holding cryptographic signatures.
- DNSKEY – It’s used for holding public signing keys.
- NSEC & NSEC3 – It’s used for providing denials of the existence of DNS records.
- DS – It’s used for holding DNSKEY records hashes.
- CDNSKEY & CDS – It facilitates requests of DS update between parent and child Zone.
- ZSKs (Zone-signing Keys) contain both a private key and public key portion and validate specific recordset within a Zone.
- KSKs (Key-signing keys) – It’s used for signing DNSKEY records.
Benefits of Enabling DNSSEC
- It protects against online attacks like DNS spoofing attacks, cache poisoning attacks, MITM attacks, etc.
- Increases user confidence and trust for online activities like VoIP, eCommerce, etc.
Disadvantage of Enabling DNSSEC
- It becomes complex for both the end–client & server-side.
- Limits support of DNS servers and TLD.
- It’s an additional expense as you move your own DNS to a managed DNS provider for reducing its complexity.
Though DNSSEC consists of the private and public key, it’s not similar to SSL/TLS certificate. DNSSEC only allows DNS servers to identify and prevent any potential attacks like MITM. DNSSEC doesn’t address all the internet security woes, and for more comprehensive website security you should look at secure hosting providers. However, to make the directory lookup process safer, DNSSEC is very useful.