This article covers the Domain Name System Security Extensions (DNSSEC) and how they protect you and your clients from DNS spoofing. With DNSSEC enabled for your domain, validating resolvers can verify that the answers they receive really come from your zone and discard “poisoned” answers that would redirect your visitors to a different IP address.
DNS and DNSSEC
We have already talked about how DNS works. Briefly, it is a system that makes our lives easier by translating domain names to IP addresses, so visitors only need to type a domain name instead of remembering an address. A user's request goes to a recursive resolver, which walks the hierarchy from the root zone to the top-level domain (TLD) servers and finally to the domain's authoritative name servers, where the actual records (such as the IP address) are stored.
But when DNS was invented, security was not given much thought: answers are neither signed nor encrypted, so a resolver has no way to tell a genuine answer from a forged one. In order to secure the system without replacing it, the DNSSEC extension was created.
DNS security should not be neglected, especially when we think about how many people connect their devices to non-secured public Wi-Fi networks. Their DNS traffic could go to a poisoned DNS resolver that serves modified DNS records. A modified record could lead them to a look-alike or identical copy of a site built to harvest personal data, including bank details. The victim won't notice anything is wrong until it is too late, all because of the weak security that DNS offers by default without DNSSEC.
When you sign your domain with DNSSEC, users whose resolver validates DNSSEC are protected from such forgeries on public and private networks alike. The validating resolver checks the signature on every answer for your domain and drops records that are not signed correctly instead of passing them on. Note that this check is done by the resolver, not by the web browser, so a user behind a non-validating resolver (for example the one handed out by a hostile Wi-Fi hotspot) does not get this protection unless the device points at a validating resolver of its own.
DNSSEC is cryptographic proof that the DNS records a resolver receives are the originals published by the zone and have not been manipulated in transit. It fixes DNS's lack of authenticity, although it does not encrypt DNS traffic.
What is DNSSEC?
DNSSEC is a security extension that uses public/private key pairs to sign DNS data, so that a resolver can verify that an answer originates from the zone's authoritative data and has not been altered.
DNSSEC is a cryptographic solution for authenticating DNS data.
With it, even if a recursive resolver has been fed forged records by attackers, a validating resolver will reject them rather than send visitors to a shady website where their personal data and bank information can be stolen. DNSSEC must be applied at each step, from the root zone down to the domain: the root zone publishes a DS record for .com, and .com publishes a DS record for example.com. DNSSEC is a chain of trust that is verified at every link.
DNSSEC adds a few new record types: RRSIG (the digital signature over a set of records), DNSKEY (the zone's public keys), DS (Delegation Signer, a hash of the child zone's key published in the parent zone), and NSEC (and its hashed variant NSEC3), which points to the next existing name in the zone and lists the record types present at a name, so that a signed “no such record” answer can be proven as well.
Records are signed in sets called RRsets: all records with the same owner name, class and type, for example all A records for www.example.com. RRsets apply to ordinary DNS records such as A, AAAA and MX too. Signing the set rather than each record reduces the number of signatures and simplifies verification.
Zone-signing keys ZSK
There is a zone-signing key (ZSK) pair for each zone. The private key signs each RRset in the zone and the public key verifies those signatures. The zone operator creates a digital signature for each RRset with the private ZSK and publishes it as an RRSIG record. The public ZSK is published as a DNSKEY record. When a validating resolver requests the DNSKEY record together with the RRset and its RRSIG, validation can take place.
Key-signing keys KSK
The key-signing key (KSK) validates the DNSKEY RRset in the same way the ZSK validates the rest of the RRsets. The public KSK is published as another DNSKEY record. The private KSK signs the DNSKEY RRset, which contains both the public KSK and the public ZSK. The resolver uses the public KSK to validate the public ZSK, and then the ZSK to validate everything else in the zone.
Delegation Signer Record
After the previous steps we have a zone that validates internally, but this trust must be linked to the zone above it. The operator of the zone hashes the DNSKEY record that holds the public KSK and gives the result to the parent zone, which publishes it as a DS record. The resolver hashes the child's KSK DNSKEY itself and compares the result with the DS record from the parent. If they match, the resolver can trust the child's keys.
As said before, DNSSEC offers DNS security from the top down: each level authenticates the next, keeping trust unbroken all the way from the root to your domain.
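The DS/DNSKEY linkage described in the last three sections is something you can reproduce yourself. The following is an added example written for this article (not ClouDNS tooling): it computes the RFC 4034 key tag and DS digest from a KSK DNSKEY, then walks a constructed root → com. → example.com. chain the way a validating resolver does, checking at each delegation that the child's KSK matches a DS record from the parent. The RRSIG signature check over each RRset is deliberately omitted, because Python's standard library has no DNSSEC signing algorithms; the keys below are labelled placeholders, not real key material (a real algorithm 13 public key is 64 bytes).

```python
"""Added example: RFC 4034 key tag, DS digest and DS <-> DNSKEY chain walk.

Not ClouDNS code. Key material is a constructed placeholder, not a real key.
"""
import base64
import hashlib
import struct

ZONE_KEY_FLAG = 0x0100  # DNSKEY flags bit 7: key may sign zone data
SEP_FLAG = 0x0001       # DNSKEY flags bit 15: Secure Entry Point (set on KSKs)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire-format owner name: lowercase, length-prefixed labels, root label last."""
    out = bytearray()
    for label in name.lower().rstrip(".").split("."):
        if label:
            out.append(len(label))
            out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm number, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum used to pick a key out of a DNSKEY RRset."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2):
    """(key tag, algorithm, digest type, digest): what the operator hands to the parent zone."""
    return key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type)


def find_trusted_ksk(owner: str, dnskey_rrset: list, ds_set: list):
    """Return the DNSKEY from the child's DNSKEY RRset that a parent DS authenticates, or None."""
    for rdata in dnskey_rrset:
        flags = struct.unpack("!H", rdata[:2])[0]
        if not flags & ZONE_KEY_FLAG:
            continue  # not a zone key, so it can never anchor trust
        tag, alg = key_tag(rdata), rdata[3]
        for ds_tag, ds_alg, ds_type, ds_hex in ds_set:
            if (ds_tag, ds_alg) != (tag, alg) or ds_type not in DIGEST_ALGS:
                continue
            if ds_digest(owner, rdata, ds_type) == ds_hex.upper():
                return rdata
    return None


def validate_chain(trust_anchor_ds: list, zones: list) -> list:
    """Walk root -> TLD -> domain. zones = [(owner, dnskey_rrset, ds_rrset_for_child), ...];
    ds_rrset_for_child is None for the last zone. Returns the owners whose KSK was authenticated;
    the walk stops at the first broken link (a real resolver returns SERVFAIL there)."""
    trusted, current_ds = [], trust_anchor_ds
    for owner, dnskey_rrset, ds_for_child in zones:
        if find_trusted_ksk(owner, dnskey_rrset, current_ds) is None:
            break
        trusted.append(owner)
        current_ds = ds_for_child or []
    return trusted


def _placeholder_key(label: bytes) -> str:
    # Constructed placeholder key bytes, NOT real DNSSEC key material.
    return base64.b64encode(label).decode()


ROOT_KSK = dnskey_rdata(257, 3, 13, _placeholder_key(b"root-ksk-placeholder"))
COM_KSK = dnskey_rdata(257, 3, 13, _placeholder_key(b"com-ksk-placeholder"))
EX_KSK = dnskey_rdata(257, 3, 13, _placeholder_key(b"example-ksk-placeholder"))
EX_ZSK = dnskey_rdata(256, 3, 13, _placeholder_key(b"example-zsk-placeholder"))
FORGED_KSK = dnskey_rdata(257, 3, 13, _placeholder_key(b"attacker-ksk-placeholder"))

# The root has no parent; its DS equivalent is the trust anchor configured in the resolver.
TRUST_ANCHOR = [make_ds(".", ROOT_KSK)]
CHAIN = [
    (".", [ROOT_KSK], [make_ds("com.", COM_KSK)]),
    ("com.", [COM_KSK], [make_ds("example.com.", EX_KSK)]),
    ("example.com.", [EX_KSK, EX_ZSK], None),
]
# A poisoned answer that swaps in an attacker's KSK fails at the example.com. link.
POISONED_CHAIN = CHAIN[:2] + [("example.com.", [FORGED_KSK, EX_ZSK], None)]

if __name__ == "__main__":
    print("genuine chain :", validate_chain(TRUST_ANCHOR, CHAIN))
    print("poisoned chain:", validate_chain(TRUST_ANCHOR, POISONED_CHAIN))
```

`make_ds` produces the same four fields you see in a `DS` record, so for a real zone you can compare its output (from your KSK's DNSKEY) with what the parent actually publishes; a mismatch in any field is exactly the broken link a validating resolver would stop at.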
What does DNSSEC mean for the end users?
Enabling DNSSEC ensures that users behind a validating resolver receive the genuine DNS answer for your domain and are not redirected to a fake copy by a forged DNS response. It does not replace a TLS (SSL) certificate: DNSSEC authenticates the DNS answer, but it does not encrypt the connection or authenticate the website itself, so both are needed.
ClouDNS and DNSSEC
ClouDNS offers DNSSEC for both Primary and Secondary DNS in each of our paid DNS plans. A DNSSEC-signed zone remains compatible with non-DNSSEC resolvers: if you enable it, DNS will continue to function without problems even where the resolver(s) do not support DNSSEC, because such resolvers simply ignore the extra records. Having a secure DNS is easy.
Cons of DNSSEC
As you might guess, there are some negatives too. Applying it correctly creates more records in the zone and increases the size of DNS responses, which also makes signed name servers a more attractive source for reflection and amplification attacks. Keys must be rolled over periodically and the DS record in the parent kept in sync; a zone with an expired signature or a DS that no longer matches the KSK fails validation and becomes unreachable for users behind validating resolvers.
Still, we recommend using DNSSEC. It is not hard to deploy, it provides extra security, and it will spare you and your clients many problems.
So, DNS security or just speed: what do you think is more important?