DNSSEC (Domain Name System Security Extensions) is a set of protocols and specifications that add a security layer to the Domain Name System and its processes, from look-ups to the exchange of data.
These extensions give DNS resolvers cryptographic authentication of DNS data, data integrity, and authenticated denial of existence.
It was created by the Internet Engineering Task Force (IETF), mainly because the original design of the Domain Name System did not include security. In its early years of use, several vulnerabilities were found, and DNSSEC was developed in response. Its creators chose to shape it as a set of extensions so it could be added more easily to the DNS infrastructure already in use.
What is the Domain Name System (DNS)?
Let’s briefly review DNS to understand why DNSSEC matters and how exactly it works.
DNS is in charge of translating the domain names we use to refer to the sites we want to visit into IP addresses, the numeric addresses that computers use to communicate with each other.
So every time you type a domain name into your browser, a query is sent to obtain DNS information: the IP address associated with the requested domain. The DNS translation is what lets computers look it up. Once the information is found, the query is answered with the needed IP address, and with it your browser can finally reach the domain you requested.
How does DNSSEC work?
DNSSEC authenticates DNS data through digital signatures based on public-key cryptography. DNS information is signed by its owner, and DNSSEC is present at every level of the domain hierarchy (root, TLD, and so on). Through a key pair, one private and one public, each upper level can vouch for the one below it, so resolvers can verify trustworthy data and detect and reject untrustworthy data. It works like a chain of trust.
When you enter a domain name in your browser, you produce a request, which triggers the search for the DNS information needed to resolve it. When the resolver server in charge of that search gets the information, it checks the digital signature to see whether it matches the ones held by the master DNS servers. Only if there is a positive match will the verified IP address be passed on to the computer that originated the request.
The digital signature protects you as a user by letting you know you really are communicating with the website you wanted, which stops possible redirections to fraudulent destinations.
Resolvers also check whether the digital signatures on the information they receive are valid. If they are, the information is sent to the user. If a digital signature fails validation, the resolver discards the information to avoid a possible attack, and the user receives an error.
DNSSEC’s data origin authentication lets resolvers cryptographically verify that the information they get really comes from the zone where it originated.
Through data integrity protection, resolvers can also check whether the information was changed in transit, that is, after the zone (the owner of the information) signed it with its private key.
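The chain of trust described above, as an added example that is not part of the original post and not any real DNS software: a Python model of three zones (root, `com.`, `example.com.`) in which each zone signs its own DNSKEY and its records, each parent publishes a signed DS record (a hash of the child's key), and a validating resolver walks from a root trust anchor down to the A record. The key pairs use toy RSA with six-digit primes purely so the arithmetic is visible; the zone names, IP addresses and the `Zone`/`validate` helpers are constructed for this example. It also shows the two failure modes the text mentions: data altered after signing, and data signed with a key the parent never vouched for.

```python
import copy
import hashlib
from dataclasses import dataclass, field

# Toy RSA: tiny primes, so the numbers fit on screen. Real DNSSEC uses
# 2048-bit RSA or ECDSA P-256; these parameters offer no security at all.
E = 65537

def toy_keypair(p, q):
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)          # (public, private)

def h(data, n):
    # SHA-256 of the record, reduced into the RSA modulus range
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, priv):
    n, d = priv
    return pow(h(data, n), d, n)

def verify(data, sig, pub):
    n, e = pub
    return pow(sig, e, n) == h(data, n)

def encode_pub(pub): return f"{pub[0]}:{pub[1]}".encode()
def decode_pub(raw): n, e = raw.decode().split(":"); return int(n), int(e)
def ds_digest(dnskey_raw): return hashlib.sha256(dnskey_raw).hexdigest().encode()
def rr_bytes(owner, rtype, data): return f"{owner}|{rtype}|".encode() + data

@dataclass
class Zone:
    name: str
    priv: tuple
    rrsets: dict = field(default_factory=dict)   # (owner, type) -> data
    rrsigs: dict = field(default_factory=dict)   # (owner, type) -> signature

    def publish(self, owner, rtype, data):
        """Store a record and its RRSIG made with the zone's private key."""
        self.rrsets[(owner, rtype)] = data
        self.rrsigs[(owner, rtype)] = sign(rr_bytes(owner, rtype, data), self.priv)

def make_zone(name, p, q):
    pub, priv = toy_keypair(p, q)
    zone = Zone(name, priv)
    zone.publish(name, "DNSKEY", encode_pub(pub))   # self-signed DNSKEY
    return zone

def delegate(parent, child):
    """Parent publishes a signed DS record: the digest of the child's DNSKEY."""
    parent.publish(child.name, "DS", ds_digest(child.rrsets[(child.name, "DNSKEY")]))

def fetch_signed(zone, owner, rtype, pub):
    """Return the record only if its RRSIG verifies under pub, else None."""
    data, sig = zone.rrsets.get((owner, rtype)), zone.rrsigs.get((owner, rtype))
    if data is None or sig is None or not verify(rr_bytes(owner, rtype, data), sig, pub):
        return None
    return data

def validate(zones, trust_anchor, qname, qtype):
    """Validating resolver: walk root -> TLD -> zone, then check the answer."""
    labels = qname.rstrip(".").split(".")
    candidates = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    chain = [z for z in candidates if z in zones]
    expected_ds, zone_pub = trust_anchor, None
    for i, zname in enumerate(chain):
        zone = zones[zname]
        dnskey = zone.rrsets.get((zname, "DNSKEY"))
        if dnskey is None or ds_digest(dnskey) != expected_ds:
            return False, f"DNSKEY of {zname} does not match its DS / trust anchor"
        zone_pub = decode_pub(dnskey)
        if fetch_signed(zone, zname, "DNSKEY", zone_pub) is None:
            return False, f"DNSKEY RRSIG of {zname} is invalid"
        if i + 1 < len(chain):                     # fetch the signed DS for the child
            expected_ds = fetch_signed(zone, chain[i + 1], "DS", zone_pub)
            if expected_ds is None:
                return False, f"no validly signed DS for {chain[i + 1]} in {zname}"
    data = fetch_signed(zones[chain[-1]], qname, qtype, zone_pub)
    if data is None:
        return False, f"RRSIG over {qname} {qtype} is invalid or missing"
    return True, data.decode()

def build_demo():
    # Constructed hierarchy; primes and addresses are sample values.
    root = make_zone(".", 1000003, 1000033)
    com = make_zone("com.", 1000037, 1000039)
    example = make_zone("example.com.", 1000081, 1000099)
    delegate(root, com)
    delegate(com, example)
    example.publish("www.example.com.", "A", b"203.0.113.10")
    zones = {z.name: z for z in (root, com, example)}
    return zones, ds_digest(root.rrsets[(".", "DNSKEY")])   # root trust anchor

def demo_tampered_answer(zones, anchor):
    """A record altered after signing (what a poisoned cache would hand back)."""
    forged = copy.deepcopy(zones)
    forged["example.com."].rrsets[("www.example.com.", "A")] = b"198.51.100.66"
    return validate(forged, anchor, "www.example.com.", "A")

def demo_rogue_key(zones, anchor):
    """Zone re-signed with a key the parent's DS never vouched for."""
    forged = copy.deepcopy(zones)
    rogue = make_zone("example.com.", 1000003, 1000039)
    rogue.publish("www.example.com.", "A", b"198.51.100.66")
    forged["example.com."] = rogue
    return validate(forged, anchor, "www.example.com.", "A")

if __name__ == "__main__":
    zones, anchor = build_demo()
    print(validate(zones, anchor, "www.example.com.", "A"))
    print(demo_tampered_answer(zones, anchor))
    print(demo_rogue_key(zones, anchor))
```

The resolver never trusts a key because a zone says so: the root key must hash to the configured trust anchor, and every other key must hash to a DS record that the parent signed. Changing the A record without the private key breaks its RRSIG, and replacing the zone key breaks the DS match one level up, so both forgeries end in the error the text describes rather than in a forged IP address.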
Benefits of having DNSSEC
The security it provides makes the internet more trustworthy.
It protects users against man-in-the-middle, spoofing, and cache poisoning attacks and prevents redirections to malicious websites. IP addresses are verified via the digital signature in every DNS resolution, so a forged IP address is not accepted.
What to consider about DNSSEC?
By itself, it is not a protection against DDoS attacks.
Activating DNSSEC adds some load to the network, causing a small delay. Your administrators will notice it, but your users will not.
Security is a priority. Without DNS your domain can’t exist online, but DNS by itself is not secure. Activate DNSSEC to protect your domain, network, and users.