This article assumes that you have gone through What is DNS and how it works? The Domain Name System (DNS) is a critical element of the Internet; in layman's terms, without DNS there is no Internet. But DNS was initially developed without much security in place. For instance, DNS is vulnerable to DNS cache poisoning (DNS spoofing) attacks, where an attacker injects invalid entries into a weak DNS system and this false data is then used to redirect web traffic to fake sites (learn more about DNS cache poisoning and how it can affect the Internet). Apart from DNS spoofing, the DNS system is also vulnerable to DDoS and man-in-the-middle attacks.
To address these DNS security issues, the Domain Name System Security Extensions (DNSSEC) were introduced. DNSSEC was not designed to end the attacks mentioned above, but to ensure they are detectable by the end user or resolver (a security-aware resolver). This means a security-aware resolver will be able to validate the response received from the DNS server and determine whether the information is correct or not.
Deploying DNSSEC is not an easy job, even though the implementation itself is. Zone owners such as .net, .com, .edu and .in need to implement DNSSEC for their zones. It doesn't stop there: the various organizations, institutions and Internet Service Providers (ISPs) need to deploy DNSSEC on their own DNS servers. And finally, the end user has to do something too: update their resolver to understand the DNSSEC protocol and add some trusted keys. These trusted keys are called trust anchors, and they must be configured in the resolver. Only when all of this is done will the end user (like you and me) be able to detect attacks.
DNSSEC provides data origin authentication and data integrity protection for DNS. It uses public key cryptography, much like Secure Shell (SSH) and Internet Protocol Security (IPsec).
Technically DNSSEC…
DNSSEC adds a cryptographic layer to the existing Domain Name System (DNS) to ensure the authenticity and integrity of DNS responses. By a cryptographic layer, I mean that cryptographic signatures are published alongside records such as A records in DNS. For example, by publishing an RRSIG (Resource Record Signature) for an A record, the source organization allows resolvers to verify that the A record they received is authentic and unaltered.
Let me take some help from Cisco, where DNSSEC functionality is explained as follows:
“A client computer with an embedded stub resolver sets the DNSSEC OK (DO) bit to 1 in outbound queries when it wants to use DNSSEC to verify the authenticity of DNS information. When a DNSSEC-enabled DNS server receives a query with DO=1, it uses locally stored or received RRSIG records to cryptographically verify the authenticity of the DNS information. The verification result is communicated to the stub resolver using the Authenticated Data (AD) bit in the DNS response; where AD=1 indicates the DNS data is authentic, and AD=0 indicates that DNSSEC verification failed.” – Credits: Cisco
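To make the DO/AD exchange in the quote concrete, here is an added example (my own illustration, not Cisco's and not code from the original post): it builds a query with the EDNS0 DO bit set and inspects a response for the AD bit, an echoed DO bit and any RRSIG records, using only the Python standard library; the response it inspects is a constructed sample with a zeroed placeholder signature, not a real capture.

```python
import struct
RRSIG, OPT, DO_BIT, AD_BIT = 46, 41, 0x8000, 0x0020   # RR types; DO lives in the OPT "TTL", AD in header flags

def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".") if l) + b"\x00"

def build_do_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Query with RD=1 plus an EDNS0 OPT record whose DO bit is set (DO=1)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)             # qd=1, ar=1 (the OPT)
    opt = b"\x00" + struct.pack(">HHBBHH", OPT, 4096, 0, 0, DO_BIT, 0)   # root name, UDP size 4096, flags=DO
    return header + _encode_name(qname) + struct.pack(">HH", qtype, 1) + opt

def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past it in wire order)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                                   # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode()); off += ln
    return ".".join(labels) + ".", (end if end is not None else off)

def inspect_response(msg: bytes) -> dict:
    """What a DNSSEC-aware stub looks at: AD bit, DO echoed in OPT, RRSIGs present, RCODE."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off, rrsigs, do = 12, 0, False
    for _ in range(qd):
        _, off = _read_name(msg, off); off += 4                  # skip QTYPE/QCLASS
    for _ in range(an + ns + ar):
        _, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10]); off += 10 + rdlen
        rrsigs += rtype == RRSIG
        do = do or (rtype == OPT and bool(ttl & DO_BIT))
    return {"ad": bool(flags & AD_BIT), "do": do, "rrsig_count": rrsigs, "rcode": flags & 0xF}

def sample_signed_response() -> bytes:
    """Constructed sample, not a real capture: validated answer (AD=1) for example.com with A + RRSIG, DO=1."""
    header = struct.pack(">HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 1)          # QR RD RA AD; qd=1 an=2 ar=1
    question = _encode_name("example.com.") + struct.pack(">HH", 1, 1)
    a_rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])   # 192.0.2.1 (TEST-NET-1)
    sig_rdata = struct.pack(">HBBIIIH", 1, 13, 2, 300, 0, 0, 12345) + _encode_name("example.com.") + b"\x00" * 64
    rrsig_rr = b"\xc0\x0c" + struct.pack(">HHIH", RRSIG, 1, 300, len(sig_rdata)) + sig_rdata   # zeroed placeholder sig
    opt_rr = b"\x00" + struct.pack(">HHBBHH", OPT, 4096, 0, 0, DO_BIT, 0)
    return header + question + a_rr + rrsig_rr + opt_rr
```

Note that AD=1 only tells the stub that the upstream resolver validated the data; the stub must still trust the path to that resolver, which is why a trust anchor on a local validating resolver is the stronger setup.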
What is the difference between DNS and DNSSEC?
As I said earlier, DNSSEC is a security extension to the existing DNS. That means DNS can live without DNSSEC (with a few vulnerabilities, of course), but DNSSEC cannot exist without DNS.
Another main difference is message size. DNSSEC messages are larger than plain DNS messages (without DNSSEC enabled), because DNSSEC carries flags such as DO and AD and other DNSSEC-related header fields, as well as the signature records (RRSIGs) described above.
Now you know what DNSSEC is and why it is important to enable it on your DNS. Let's see how to deploy DNSSEC in your existing DNS system in the next few days.
Wow this blog is very nice