The Domain Name System Security Extensions (DNSSEC) are a set of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) on Internet Protocol (IP) networks.
DNSSEC was designed to protect DNS resolvers (clients) from forged DNS data. It provides origin authentication of DNS data, authenticated denial of existence, and data integrity.
Generally speaking, DNSSEC authenticates DNS data with digital signatures based on public-key cryptography. With DNSSEC, the DNS data itself is signed by its owner (the zone operator), rather than the individual DNS queries and responses being signed. DNSSEC responses are authenticated, not encrypted: a validating resolver can prove who published a record and that it has not been altered, but DNSSEC offers no confidentiality for queries or answers.
To have a clear understanding of what DNSSEC is and why it is important, it is necessary to be more familiar with DNS.
What Is DNS?
The Domain Name System (DNS) is a hierarchical and decentralized naming system for resources (services, computers) connected to the Internet. DNS translates human-readable domain names (such as arvancloud.ir) into the numerical IP addresses that network protocols use to locate and identify services and devices.
DNS delegates responsibility for each domain to that domain's authoritative name servers, which map the names in the domain to IP addresses and other resources. This makes DNS a distributed, fault-tolerant service with no central host. The DNS specifications also define the protocol itself: the data structures and the message exchanges between DNS clients and servers.
How Does DNS Work?
Almost every Internet activity depends on DNS functioning correctly. DNS translates domain names into the IP addresses used by servers, routers, and other network devices.
When a user enters a domain name such as arvancloud.ir in the browser, the operating system's stub resolver is asked to translate it into an IP address. The stub resolver does not walk the DNS hierarchy itself; it forwards the query to a recursive resolver, typically one operated by the ISP, the local network, or a public resolver service.
The recursive resolver then queries the authoritative name servers, starting at the root zone, moving to the top-level domain (here .ir), and ending at the name servers authoritative for arvancloud.ir, which hold the domain's DNS data. Domain owners commonly outsource the operation of these authoritative name servers to a third party such as a web hosting company, a cloud provider, or an Internet service provider.
DNS Zone
The DNS hierarchy is divided into zones. Each zone is responsible for a contiguous part of the DNS namespace and is managed by one administrative authority. At the top sits the root zone, which delegates the top-level domains; every other zone begins at the point where its parent delegated it and extends downward until it delegates a subdomain to another zone. A zone can therefore cover several domain names and subdomains, and it is usually served by more than one DNS server.
DNS Information
The records commonly stored in a zone include the Start of Authority (SOA), IP addresses (A for IPv4, AAAA for IPv6), SMTP mail exchangers (MX), name servers (NS), pointers for reverse DNS lookup (PTR), and domain name aliases (CNAME).
What Is DNSSEC?
DNSSEC is a set of extensions that add a layer of security to the DNS lookup and exchange process, and it has become integral to reaching the right website on the Internet. DNSSEC does not protect how data is distributed or who can read it: queries and answers remain visible on the wire. What it does is authenticate the origin of data sent from a DNS server, verify the data's integrity, and prove that a name or record type does not exist (authenticated denial of existence).
Why Is DNSSEC Important?
DNS is often called the phone book of the Internet: it tells the computer where to send and receive data. Plain DNS, however, has no way to verify that an answer is genuine, and that weakness is exactly what DNS attacks exploit.
When a recursive resolver sends a query to a name server, it has only weak means of checking that the response is legitimate: the reply must come from the address and port the query was sent to, and its 16-bit transaction ID and question section must match the query. Since the source IP address can be spoofed and the remaining fields can be guessed or brute-forced, this is not real authentication. It makes it possible for an attacker to redirect users away from their intended destination without their knowledge.
Recursive resolvers cache DNS data, so once a record has been resolved, later queries are answered from the cache without contacting the name server, which speeds up resolution. The problem is that if an attacker gets a forged response accepted by the recursive resolver, the forged data is cached too; this is called DNS cache poisoning. Every user of that resolver is then handed the fraudulent data until the record's TTL (time-to-live) expires. DNSSEC adds the missing layer of authentication so that a validating resolver rejects such forgeries instead of caching them.
DNSSEC Resource Key Components
Before looking at how DNSSEC works, it helps to know the DNS resource record types that DNSSEC introduces:
- RRSIG: The resource record signature holds the DNSSEC signature for a record set (all records with the same name and type). A DNS resolver verifies the signature using the public key stored in the zone's DNSKEY record.
- DNSKEY: Contains the public key that a resolver uses to verify the RRSIG records of the zone.
- DS: The delegation signer record is published in the parent zone and holds a hash of a DNSKEY record in the delegated (child) zone. It is the link in the chain of trust from parent to child.
- NSEC: The next secure record points to the next record name in the zone (in canonical order) and lists the record types that exist at its own name. A DNS resolver uses NSEC records to verify that a record name or type does not exist.
- NSEC3: Next secure record version 3 does the same as NSEC but links to the next name in hashed name order, which makes it harder to enumerate the zone's contents by walking the chain.
- NSEC3PARAM: Next secure record version 3 parameters are used by authoritative DNS servers to determine which NSEC3 records to include in responses to DNSSEC queries for non-existing names or types.
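The NSEC mechanism from the list above, as an added example that is not part of the original article: a stand-alone Go program, not the code of any DNS software, that builds the NSEC chain for a made-up zone example.test. and then plays the validating resolver, applying the canonical name ordering of RFC 4034 to decide which NSEC record proves that a queried name does not exist (NXDOMAIN) or that an existing name lacks the queried type (NODATA). The zone contents are constructed sample data; the type bitmap is represented as a plain list, and the RRSIG over each NSEC, which a real resolver must also verify, is left out, as are the wildcard and delegation cases.

```go
package main

// Added example, not code from the original article: how a validating resolver reads an NSEC chain to prove
// that a name, or a type at an existing name, does not exist, using the canonical name ordering of RFC 4034
// §6.1 and the covering test of RFC 4035 §5.4. The zone example.test. is made up; type lists replace bitmaps.

import (
	"fmt"
	"sort"
	"strings"
)

// nsec is one NSEC record: owner name, next owner name in canonical order, and the types at the owner.
type nsec struct {
	owner, next string
	types       []string
}

// labels splits a lowercased name into its labels: "WWW.Example.Test." -> ["www", "example", "test"].
func labels(name string) []string {
	return strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".")
}

// canonicalCmp orders names as RFC 4034 §6.1 does: label by label starting from the root side, comparing
// labels as lowercase byte strings; a name that runs out of labels first sorts first. This differs from
// plain string order: z.a.example.test. sorts before aa.example.test. because "a" < "aa" at the third label.
func canonicalCmp(a, b string) int {
	la, lb := labels(a), labels(b)
	for i := 1; i <= len(la) && i <= len(lb); i++ {
		if c := strings.Compare(la[len(la)-i], lb[len(lb)-i]); c != 0 {
			return c
		}
	}
	return len(la) - len(lb)
}

// buildChain links a zone's owner names into the NSEC chain a signer publishes: sorted canonically,
// each record naming the next owner, and the last one wrapping around to the apex.
func buildChain(names map[string][]string) []nsec {
	owners := make([]string, 0, len(names))
	for n := range names {
		owners = append(owners, n)
	}
	sort.Slice(owners, func(i, j int) bool { return canonicalCmp(owners[i], owners[j]) < 0 })
	chain := make([]nsec, len(owners))
	for i, o := range owners {
		chain[i] = nsec{owner: o, next: owners[(i+1)%len(owners)], types: names[o]}
	}
	return chain
}

// covers reports whether this NSEC proves that name does not exist: name sorts strictly between owner
// and next, or after owner when this is the last record in the chain (its next wraps around to the apex).
func (n nsec) covers(name string) bool {
	if canonicalCmp(name, n.owner) <= 0 {
		return false
	}
	return canonicalCmp(n.next, n.owner) <= 0 || canonicalCmp(name, n.next) < 0
}

// denial is the validator's verdict for a query (name, type) against the zone's NSEC chain: "exists"
// (name and type present, nothing denied), "nxdomain" (an NSEC covers the name), "nodata" (the NSEC at the
// name lacks the type) or "bogus" (nothing proves anything, e.g. an incomplete or forged chain). The NSEC
// that serves as the proof is returned alongside; it is the zero value when there is none.
func denial(chain []nsec, name, qtype string) (string, nsec) {
	for _, n := range chain {
		if canonicalCmp(n.owner, name) == 0 {
			for _, t := range n.types {
				if t == qtype {
					return "exists", nsec{}
				}
			}
			return "nodata", n
		}
		if n.covers(name) {
			return "nxdomain", n
		}
	}
	return "bogus", nsec{}
}

// sampleChain is a made-up zone with five names, one of them (z.a) beneath another existing name.
func sampleChain() []nsec {
	return buildChain(map[string][]string{
		"example.test.":     {"SOA", "NS", "DNSKEY", "NSEC", "RRSIG"},
		"a.example.test.":   {"A", "NSEC", "RRSIG"},
		"z.a.example.test.": {"A", "NSEC", "RRSIG"},
		"b.example.test.":   {"A", "NSEC", "RRSIG"},
		"ns1.example.test.": {"A", "AAAA", "NSEC", "RRSIG"},
	})
}

func main() {
	for _, q := range [][2]string{{"c.example.test.", "A"}, {"aa.example.test.", "A"}, {"zz.example.test.", "A"}, {"b.example.test.", "AAAA"}, {"B.Example.Test.", "A"}} {
		verdict, proof := denial(sampleChain(), q[0], q[1])
		fmt.Printf("%-18s %-5s %-9s proof: %s -> %s\n", q[0], q[1], verdict, proof.owner, proof.next)
	}
}
```

The aa.example.test. query is the instructive one: plain string ordering would put it before z.a.example.test., but canonical ordering compares labels from the root side, so the valid proof is the NSEC record at z.a.example.test. A resolver that sorted names as strings would accept the wrong record as proof, or reject the right one.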
How Does DNSSEC Work?
With DNSSEC, each answer to a DNS query for a signed zone contains, alongside the requested records, an RRSIG record covering that record set. The resolver verifies the digital signature by locating the correct public key in the zone's DNSKEY records. For names and types that do not exist, NSEC and NSEC3 records provide cryptographic evidence of non-existence (authenticated denial of existence), which resists spoofing far better than an unsigned negative answer. The DS record in the parent zone authenticates the child zone's DNSKEY, forming a chain of trust that runs from the root zone down to the domain.
To be more specific, the domain owner (or the DNS operator acting for them) generates a public/private key pair, signs the zone data with the private key, and publishes the public key in the zone as a DNSKEY record. The private key never leaves the signing system; what the domain owner uploads through the DNS or registrar control panel is the DS record derived from the public key. The registrar passes that DS record to the registry with the secDNS extension of the EPP provisioning protocol, and the registry publishes it in the parent zone. Once the chain is complete, a validating resolver rejects forged or manipulated DNS data instead of caching it, which defeats cache poisoning.
In summary, DNSSEC offers two guarantees for DNS data:
- Data origin authentication: A resolver can cryptographically verify that the data it received really originated from the zone it requested.
- Data integrity protection: A resolver can determine that the data has not been modified since it was signed with the zone owner's private key.
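The signing and validation steps described above, together with the cache-poisoning scenario from the previous section, as an added example that is not part of the original article: a stand-alone Go program, not the code of any DNS software, that builds a DNSKEY for a made-up zone example.test., signs an A record for www.example.test. with Ed25519 (DNSSEC algorithm 15), computes the DS record the parent zone would hold, and shows that a poisoned copy of the record, an expired signature, and a substituted DNSKEY are all rejected by the validator. The zone name, the 192.0.2.0/24 and 198.51.100.0/24 addresses, the fixed key seed, and the timestamps are constructed sample data.

```go
package main

// Added example, not code from the original article: a miniature DNSSEC signer and validator using Ed25519
// (DNSSEC algorithm 15, RFC 8080) and the RFC 4034 wire encodings; zone, addresses, key seed and times are made up.

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strings"
)

const typeA, typeDNSKEY, classIN = uint16(1), uint16(48), uint16(1)
const algEd25519, dsSHA256, zoneKeyFlag = 15, 2, 0x0100 // RFC 8080 algorithm; DS digest type 2 = SHA-256; DNSKEY "Zone Key" flag

type rr struct { // a resource record whose rdata is already in wire form; owner names carry a trailing dot
	owner string
	typ   uint16
	rdata []byte
}
type rrsig struct { // the RRSIG fields of RFC 4034 §3.1 (the label count is derived from the owner name)
	typeCovered, keyTag   uint16
	origTTL, expir, incep uint32
	signer                string
	signature             []byte
}

// ownerWire encodes a (non-root) name in canonical wire form: lowercase labels, uncompressed.
func ownerWire(name string) []byte {
	var b []byte
	for _, l := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		b = append(append(b, byte(len(l))), l...)
	}
	return append(b, 0)
}

// dnskeyRR builds a DNSKEY record: flags | protocol 3 | algorithm | public key.
func dnskeyRR(owner string, pub ed25519.PublicKey) rr {
	return rr{owner, typeDNSKEY, append([]byte{zoneKeyFlag >> 8, zoneKeyFlag & 0xFF, 3, algEd25519}, pub...)}
}
// keyTag is the RFC 4034 Appendix B checksum by which RRSIG and DS records refer to a DNSKEY.
func keyTag(rdata []byte) uint16 {
	var ac uint32
	for i, b := range rdata {
		ac += uint32(b) << (8 * uint(1-i%2))
	}
	return uint16(ac + ac>>16)
}
// dsRdata is what the parent zone publishes: key tag | alg | digest type | SHA-256(owner wire | DNSKEY rdata).
func dsRdata(key rr) []byte {
	sum := sha256.Sum256(append(ownerWire(key.owner), key.rdata...))
	tag := keyTag(key.rdata)
	return append([]byte{byte(tag >> 8), byte(tag), algEd25519, dsSHA256}, sum[:]...)
}

// signedData is RRSIG_RDATA minus the signature, then the RR in wire form with its original TTL: exactly
// the bytes that get signed. (An RRset with several RRs would follow in canonical order, RFC 4034 §6.3.)
func signedData(s rrsig, r rr) []byte {
	buf := &bytes.Buffer{}
	buf.Write([]byte{byte(s.typeCovered >> 8), byte(s.typeCovered), algEd25519, byte(strings.Count(r.owner, "."))}) // type, alg, labels
	binary.Write(buf, binary.BigEndian, []uint32{s.origTTL, s.expir, s.incep})
	binary.Write(buf, binary.BigEndian, []uint16{s.keyTag})
	buf.Write(ownerWire(s.signer))
	buf.Write(ownerWire(r.owner)) // the RR itself: owner | type | class | TTL | rdlength | rdata
	binary.Write(buf, binary.BigEndian, []uint16{r.typ, classIN})
	binary.Write(buf, binary.BigEndian, []uint32{s.origTTL})
	binary.Write(buf, binary.BigEndian, []uint16{uint16(len(r.rdata))})
	return append(buf.Bytes(), r.rdata...)
}

// signRR is the zone operator's step: fill in the RRSIG fields and sign with the zone's private key.
func signRR(r rr, ttl uint32, priv ed25519.PrivateKey, key rr, incep, expir uint32) rrsig {
	s := rrsig{typeCovered: r.typ, keyTag: keyTag(key.rdata), origTTL: ttl, expir: expir, incep: incep, signer: key.owner}
	s.signature = ed25519.Sign(priv, signedData(s, r))
	return s
}
// verifyRR is the validating resolver's step: now must lie inside the validity window, the DNSKEY must be an Ed25519
// zone key carrying the RRSIG's key tag and signer name, and the signature must verify over the canonical bytes.
func verifyRR(r rr, s rrsig, key rr, now uint32) bool {
	rd, ok := key.rdata, now >= s.incep && now <= s.expir
	ok = ok && len(rd) == 4+ed25519.PublicKeySize && rd[3] == algEd25519 && binary.BigEndian.Uint16(rd)&zoneKeyFlag != 0
	ok = ok && keyTag(rd) == s.keyTag && strings.EqualFold(key.owner, s.signer)
	return ok && ed25519.Verify(ed25519.PublicKey(rd[4:]), signedData(s, r), s.signature) // any change to r fails here
}

// demo reports whether the genuine www.example.test. A record verifies, whether a poisoned copy with another address
// (same RRSIG) verifies, whether the genuine record verifies after expiry, and whether the parent's DS binds only the real key.
func demo() (genuine, forged, expired, dsBinds bool) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize)) // fixed seed: demo only
	key := dnskeyRR("example.test.", priv.Public().(ed25519.PublicKey))
	rogueKey := dnskeyRR("example.test.", bytes.Repeat([]byte{0x99}, ed25519.PublicKeySize)) // key from a forged DNSKEY answer
	parentDS := dsRdata(key) // what the registrar passes up into the parent zone
	a := rr{"www.example.test.", typeA, []byte{192, 0, 2, 10}}
	poisoned := rr{"www.example.test.", typeA, []byte{198, 51, 100, 66}}
	sig := signRR(a, 300, priv, key, 1700000000, 1701209600) // 14-day validity window
	return verifyRR(a, sig, key, 1700000500), verifyRR(poisoned, sig, key, 1700000500),
		verifyRR(a, sig, key, 1800000000), bytes.Equal(parentDS, dsRdata(key)) && !bytes.Equal(parentDS, dsRdata(rogueKey))
}

func main() { fmt.Println(demo()) } // prints: true false false true
```

Run it with go run; it prints true false false true. It signs one record per RRset and skips wildcard handling to stay short; a real validator also continues upward from the DS through the parent zone's DNSKEY and RRSIG records until it reaches the root trust anchor.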
DNSSEC Protection
- DNSSEC's mission is to strengthen trust in the Internet by protecting users from being redirected to fraudulent websites and unintended addresses. It defends against DNS cache poisoning, pharming, and man-in-the-middle manipulation of DNS answers.
- It counters DNS spoofing, in which forged answers send users to attacker-chosen destinations.
- It offers additional protection for text records (TXT), which carry email policies such as SPF, DKIM, and DMARC, and for mail exchanger (MX) records.
- It can be used to bootstrap other security systems that publish keys or fingerprints in DNS, such as certificate records (CERT), SSH fingerprints (SSHFP), IPsec public keys (IPSECKEY), and TLS trust anchors (TLSA, used by DANE).
- It prevents third parties from forging records and authenticates the domain's identity, by preventing DNS cache poisoning and the use of false zones.
DNSSEC Advantages
- DNSSEC protects a brand and its customers.
- It helps mitigate risk.
- It brings Internet trust and customer loyalty.
- It attracts and retains security-focused customers.
- It enhances the trust and reputation of a brand or business.
Final Thoughts
DNSSEC is an essential part of Internet security, and it has to be deployed on both sides: domain owners must sign their zones, and recursive resolvers must validate the signatures. With both in place, DNSSEC ensures that when users type a domain name, they are directed to the intended destination.
Whether you are a new startup or an established business or brand, using a trustworthy DNS hosting solution such as ArvanCloud Cloud DNS Hosting helps you build and strengthen your reputation and authority by being at the forefront of Internet security and showing that you care about protecting your customers.