DNS is insecure, and UDP is all about speed with no built-in safety. That is true, but network specialists have taken many steps over the years to address it. One of the most important is a security extension to the Domain Name System that fixes this fundamental flaw. Let’s learn more about its importance for the Internet.
Basics of the DNS
To fully understand DNSSEC, we first need to be clear about what the Domain Name System (DNS) does. Every site we visit and every message we send relies on the DNS to translate domain names like Google.com into IP addresses like 18.104.22.168. Thanks to the DNS, all of them reach their destination correctly.
The system is great, but it wasn’t built with security in mind. It uses authoritative name servers, which store the data for the domain names, and recursive name servers, which look that data up. Unfortunately, when DNSSEC is not in use, neither authoritative nor recursive servers can check whether the DNS data they receive comes from a legitimate source, nor whether it has been altered on the way.
What is DNSSEC?
DNSSEC is a set of security extensions that add authentication and data integrity to the DNS.
It was created by the Internet Engineering Task Force (IETF) in the 1990s. Its main purpose is to provide an authentication method that proves the origin of the data by using digital signatures based on public-key cryptography. The data owner signs the DNS data (the DNS records) with its private key so that the data can be trusted. Each recursive server can then check the data with the matching public key and verify its origin.
It is a full chain of trust, starting at the top with the root and going down to the exact hostname. Each zone is signed by the one above it, except the root zone, because nothing is above it.
If, for some reason, the recursive server can’t authenticate the data, it will drop it and try again. Better safe than sorry.
What does DNSSEC do?
There are two main reasons why DNSSEC exists:
- Data authentication. Thanks to DNSSEC, recursive DNS servers can check the DNS data and see whether it comes from the right origin. If it does, they can pass the data on to the DNS client; if it does not, they can drop it.
- Data integrity. DNSSEC also provides assurance that the data was not modified on the way. For example, as data passes from one server to another there could be a man-in-the-middle attack, where somebody alters the data in transit and delivers spoofed information to the DNS client. With DNSSEC, this could not happen.
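The chain of trust and the two checks above can be shown end to end in code. The Go program below is an added example, not code from the article: it is a toy model in which Ed25519 keys and a SHA-256 digest stand in for DNSSEC's real algorithms and record formats, the DS record is reduced to the parent's signature over a digest of the child's key, and the zone names and record data are constructed. It builds a root, a TLD and a hostname zone, validates them from the root trust anchor down, and then shows an answer altered on the way being rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// SignedZone is a toy model of a DNSSEC-signed zone: key pair, signed RRset, signed DS for its child.
type SignedZone struct {
	Pub          ed25519.PublicKey
	priv         ed25519.PrivateKey
	RRset, RRSIG []byte // record data and this zone's signature over it
	DSSig        []byte // this zone's signature over the DS (digest of the child's key)
}
func dsDigest(pub ed25519.PublicKey) []byte { s := sha256.Sum256(pub); return s[:] }
// NewSignedZone generates a key pair and signs the zone's own record data.
func NewSignedZone(rrset string) *SignedZone {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	return &SignedZone{Pub: pub, priv: priv, RRset: []byte(rrset), RRSIG: ed25519.Sign(priv, []byte(rrset))}
}
// Delegate publishes a signed DS record for child, linking it into the chain of trust.
func (z *SignedZone) Delegate(child *SignedZone) {
	z.DSSig = ed25519.Sign(z.priv, dsDigest(child.Pub))
}
// Validate walks from the trust anchor (the root key) down to the leaf the way a
// validating resolver does, rejecting any zone whose key or data does not verify.
func Validate(anchor ed25519.PublicKey, chain []*SignedZone) error {
	for i, z := range chain {
		vouched := (i == 0 && string(z.Pub) == string(anchor)) || // root: trusted by configuration
			(i > 0 && ed25519.Verify(chain[i-1].Pub, dsDigest(z.Pub), chain[i-1].DSSig)) // parent signed DS
		if !vouched {
			return fmt.Errorf("zone %d: key is not vouched for by the trust anchor or parent", i)
		}
		if !ed25519.Verify(z.Pub, z.RRset, z.RRSIG) {
			return fmt.Errorf("zone %d: RRSIG invalid, %q was altered or forged", i, z.RRset)
		}
	}
	return nil
}

func main() {
	root, tld, leaf := NewSignedZone(". SOA a.root-servers.net."), NewSignedZone("example. NS a.iana-servers.net."), NewSignedZone("www.example. A 192.0.2.10")
	root.Delegate(tld)
	tld.Delegate(leaf)
	chain := []*SignedZone{root, tld, leaf}
	fmt.Println("intact chain:", Validate(root.Pub, chain))
	leaf.RRset = []byte("www.example. A 198.51.100.66") // answer altered on the way, RRSIG unchanged
	fmt.Println("altered answer:", Validate(root.Pub, chain))
}
```

The same check also rejects a zone that presents its own key without the parent having signed a DS for it, and a chain validated against the wrong trust anchor.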
Is DNSSEC the default option?
No, DNSSEC is not enabled by default for your zone; you need to enable it yourself. It is not available for every top-level domain (TLD), but it is becoming more widespread over time.
Enabling it is not a hard process, but it might take some time depending on how many zones you have and what software you use for your authoritative name servers. You will need access to the zone above (the TLD) to start the chain from there. If you have access to the domain registrar where the domain is registered, you can do it from there.
DNSSEC is an additional measure that DNS administrators should take. It adds extra security to the network and can help you avoid many problems related to spoofed servers.