DNSSEC (Domain Name System Security Extensions) is a set of extensions added to the DNS protocol to enhance its security. It serves the following main functions:
- Authenticates that DNS data originated from the authoritative source it claims to have come from.
- Verifies that DNS data/responses were not modified in transit.
- When there is no data for a query, provides authoritative proof of that fact.
As you may know, the DNS system is similar to an address book or phone directory: it helps locate a particular system/website in a vast network. DNS servers can be public (ISP, Google DNS, etc.) or private (owned by a company). Roughly, there are three building blocks of a DNS system: the client, the recursive (intermediate) DNS server, and the authoritative DNS server.
DNS was initially built to scale, and hence it does not verify the information it receives from upstream sources. Because of this, in some cases attackers have been able to intercept DNS communications and redirect traffic to systems under their control. Imagine what would happen if a bank's website traffic were redirected to an attacker-controlled server that served identical web pages. Since recursive DNS servers cache the answers they receive, once a poisoned answer is cached it is handed out to other clients too, compounding the problem.
To prevent these and other DNS threats, the DNSSEC extensions were proposed and have been implemented in the root zone and major top-level domains (.com, .org, etc.), in DNS server software such as BIND and Microsoft AD, and even on client systems such as PCs.
The authenticity of information is checked by signing zones with public/private key cryptography: a zone's records are signed with its private key, resolvers verify the signatures with the zone's public key, and that public key is in turn vouched for by the parent zone, forming a chain of trust up to the root. For this to be effective, every node from the client to the root DNS server should support DNSSEC.
This is why your DNS server and your clients/PCs ought to support DNSSEC, and why you should enable it.
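To make the chain-of-trust link concrete, here is an added example (not code from the original post, nor from F5 or Microsoft) that computes the DS record a parent zone publishes for a child's DNSKEY and then performs the validator's check that a served DNSKEY matches that DS. The DNSKEY wire format, the key-tag calculation and the DS digest construction follow RFC 4034; the owner name `example.com.` and the 64-byte public key are constructed stand-ins, not a real zone's key. Signature verification over the zone's records is the other half of validation and is not modelled here.

```python
import hashlib
import struct

# Constructed sample values for the example (not a real zone key).
EXAMPLE_OWNER = "example.com."
EXAMPLE_PUBKEY = bytes(range(64))   # stand-in for a 64-byte ECDSA P-256 public key
KSK_FLAGS = 257                     # zone key (256) + secure entry point (1)
ALG_ECDSAP256SHA256 = 13
DS_DIGEST_SHA256 = 2


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA in wire format (RFC 4034 s2.1): flags | protocol | algorithm | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B); identifies a key, it is not a check."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=DS_DIGEST_SHA256):
    """DS digest = hash(canonical owner name | DNSKEY RDATA) (RFC 4034 s5.1.4)."""
    hash_fn = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hash_fn(name_to_wire(owner) + rdata).hexdigest()


def publish_ds(owner, rdata, digest_type=DS_DIGEST_SHA256):
    """What the parent zone publishes for this child key: tag, algorithm, digest type, digest."""
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],
        "digest_type": digest_type,
        "digest": ds_digest(owner, rdata, digest_type),
    }


def ds_presentation(owner, ds):
    """Render the DS record the way it appears in the parent's zone file."""
    return "%s IN DS %d %d %d %s" % (owner, ds["key_tag"], ds["algorithm"],
                                    ds["digest_type"], ds["digest"])


def validate_link(parent_ds, owner, rdata):
    """Validator's check: does the DNSKEY served by the child match the DS signed by the parent?"""
    return (
        parent_ds["key_tag"] == key_tag(rdata)
        and parent_ds["algorithm"] == rdata[3]
        and parent_ds["digest"].lower() == ds_digest(owner, rdata, parent_ds["digest_type"])
    )


# The genuine key the zone operator generated, and the DS the parent published for it.
EXAMPLE_RDATA = dnskey_rdata(KSK_FLAGS, 3, ALG_ECDSAP256SHA256, EXAMPLE_PUBKEY)
PUBLISHED_DS = publish_ds(EXAMPLE_OWNER, EXAMPLE_RDATA)

# A substituted key as a validator would see it from an interposed response:
# same flags and algorithm, one key byte changed (constructed for the example).
_tampered = bytearray(EXAMPLE_RDATA)
_tampered[-1] ^= 0x01
TAMPERED_RDATA = bytes(_tampered)


def chain_check():
    """Returns (genuine key accepted, tampered key accepted)."""
    return (
        validate_link(PUBLISHED_DS, EXAMPLE_OWNER, EXAMPLE_RDATA),
        validate_link(PUBLISHED_DS, EXAMPLE_OWNER, TAMPERED_RDATA),
    )


if __name__ == "__main__":
    print(ds_presentation(EXAMPLE_OWNER, PUBLISHED_DS))
    print("genuine key accepted, tampered key accepted:", chain_check())
```

The same DS-to-DNSKEY comparison is repeated at every delegation from the root down, which is why a single unsigned or non-validating hop breaks the chain. On a real system you can see whether your recursive resolver validated an answer by querying with `dig +dnssec` and looking for the `ad` (authenticated data) flag in the response header.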
Sources/Further Information: DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks (F5); Microsoft Technet Overview of DNSSEC.