DNSSEC是域名系统(DNS)的一项功能,用于验证对域名查找的响应。它可以防止攻击者操纵或毒害对DNS请求的响应。DNS技术的设计没有考虑到安全性。对DNS基础架构的攻击的一个示例是DNS欺骗。在这种情况下,攻击者会劫持DNS解析程序的缓存,导致访问网站的用户接收到错误的IP地址,并查看攻击者的恶意站点,而不是他们想要的站点。
当您激活DNSSEC时,我们将为您的区域生成公钥和私钥。公钥以DS或DNSKEY记录的形式提供给您。应在注册域名的域提供商处配置记录。在我们的网络中部署您的区域期间,我们将使用私钥对您的所有记录进行签名。如果这些签名与公钥匹配,最终用户解析程序将接收并检查这些签名,并且解析程序将能够验证这些记录在网络传输期间未被操纵。
The main purpose of DNSSEC is to keep the users safe. That happens after the user types the domain name in the browser and the resolver verifies the digital signature. Only when the digital signatures in the data and those in the Primary DNS server match the information can reach the user's device. That way, it guarantees that the user is connecting with the legitimate website. DNSSEC implements a combination of digital signatures and public keys to validate the information, and it adds new records to the existing DNS records. DNSKEY and RRSIG digitally "sign" the DNS data using a public-key cryptography technique. They stick to the other popular records, like A, CNAME, and MX.
The name server holds the public and private keys for each DNS zone. So, when a user makes a query, the server provides the information signed with its private key. Then the recipient has to open it with the public key. That way, if the information is modified and misleading, it won't open correctly with the public key. As a result, the recipient is going to receive an error message.
DNSSEC管理服务是我们DNS托管套餐(Premium DNS, DDoS Protected DNS, and GeoDNS)的一部分,您不需要为了更好的安全性而产生额外的成本!
|
Premium S $2.95/月 |
Premium M $4.95/月 |
Premium L $14.95/月 |
|
|---|---|---|---|
| ? 使用DNSSEC的托管Anycast DNS: | |||
| ? DNS域: | 5 | 50 | 400 |
| ? DNS记录: | 200 | 2,000 | 20,000 |
| ? 每月的DNS查询: | i 5M | i 200M | 无限 |
| ? 邮件转发: | 10 | 100 | 1,000 |
| ? DNS故障转移检查: | 1 | 2 | 3 |
| 完全免费试用。不需要信用卡。没有小把戏。 |
只需单击控制面板中的激活按钮,我们的系统就会保护该区域。只需在提供程序中添加DS记录,即可完成安装。
我们对所有签名使用椭圆曲线算法(ECDSA P-256),该算法比标准RSA密钥更强、更小。
保持DNS答案尽可能小意味着更快的速度!此外,我们的Anycast DNS网络可以从距离解析器最近的位置提供更快速的响应。
无论哪一天,无论何时,我们都能提供连续不间断的网络监控和支持。 我们的技术支持团队通过实时聊天和工单为您提供24/7在线服务。您可以免费迁移您的区域,在这里了解更多.
To activate DNSSEC signing and obtain the domain DS records and DNSKEY records, you need to process the following steps:
Optional: For additional details and guidance about DNSSEC implementation, refer to the ClouDNS DNSSEC wiki page.
When you want to connect to a particular website, your browser should get the corresponding IP address. Unfortunately, there is a chance an attacker to intercept your DNS queries and place fake information. As a result, your browser will connect to a forged website where you could potentially enter personal information, like bank details.
Thanks to DNSSEC, there is an additional level of security, and your browser is able to check if the DNS data is actually correct and not changed. In addition, DNSSEC is used not only for the web but also by any other Internet service or protocol, for instance, SMTP and Voice-over- IP (VoIP).
DNSSEC验证是一个简单的过程,包括以下步骤: