The creation of the Domain Name System (DNS) was key to the Internet’s evolution and growth. It was created in 1983 and became an Internet standard in 1986. It came into being to make the Internet easier to use: thanks to DNS, users could request their favorite domains with easy, memorable names instead of typing hard-to-remember strings of numbers (IP addresses).
Today, knowing the security threats the Internet carries, it can be hard to believe that securing DNS operation was not a primary priority when it was designed. But almost four decades ago, the network of networks was much smaller. Its developers of course forecast its growth, but it happened very fast, and with its success came the need to make it secure.
What is DNSSEC?
Domain Name System Security Extensions (DNSSEC) is a set of protocols that protects the DNS and offers a cryptographic solution for authenticating domain data. Together, these protocols build a security layer that makes lookups and the exchange of DNS data trustworthy for Internet users.
DNSSEC verifies the data and the authoritative server that provides it through a system of public and private keys.
To be effective, DNSSEC must be deployed at every level, from the root zone down to the domain. The verification process then works this way: the root key is used to verify the .com level, and the .com key in turn is used to verify the domain level. It works as a chain of trust, meaning verification at every single level.
In practice, the answers from DNSSEC-protected zones are digitally signed so that applications using DNS don’t receive altered DNS data. Through this signature, a DNS resolver can verify whether the data matches what the zone owner published on the authoritative DNS server. Via this process, it can be detected whether the data has been altered or is incomplete.
If a recursive server’s cache gets poisoned by hackers, with DNSSEC enabled the poisoned data won’t pass the verification process. Therefore, the recursive server won’t send users to a dangerous website, as hackers commonly plan in order to get their sensitive data.
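The chain of trust described above, as an added example that is not part of the original article and not a real DNSSEC implementation: a Go program written here, using only the standard library, that models a root zone, a TLD and a leaf zone with Ed25519 keys, DS digests and one signature per zone. A validator holding only the root key accepts the genuine chain, rejects an answer that was altered after signing (the cache-poisoning case), and rejects a zone re-signed with a key that no parent's DS record vouches for. The zone names, the 192.0.2.x / 203.0.113.x addresses and the record formats are constructed for the example; real DNSSEC signs individual RRsets, and real DS records also carry key tag and algorithm fields.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Zone is a toy signed zone: its DNSKEY (public key), the records it publishes
// (including DS records for delegated children) and one RRSIG over them.
type Zone struct {
	Name    string
	DNSKEY  ed25519.PublicKey
	Records []string
	RRSIG   []byte
}

// canonical is the byte string that gets signed and verified: the zone name
// plus its records in sorted order, so reordering cannot defeat the signature.
func canonical(name string, records []string) []byte {
	sorted := append([]string(nil), records...)
	sort.Strings(sorted)
	return []byte(name + "\n" + strings.Join(sorted, "\n"))
}

// DSRecord is the record a parent publishes for a child: a SHA-256 digest of
// the child's DNSKEY (simplified; real DS records also carry key tag/algorithm).
func DSRecord(child string, key ed25519.PublicKey) string {
	sum := sha256.Sum256(key)
	return "DS " + child + " " + hex.EncodeToString(sum[:])
}

// SignZone builds a Zone whose RRSIG was produced with the zone's private key.
func SignZone(name string, pub ed25519.PublicKey, priv ed25519.PrivateKey, records []string) Zone {
	return Zone{Name: name, DNSKEY: pub, Records: records, RRSIG: ed25519.Sign(priv, canonical(name, records))}
}

// ValidateChain walks from the trust anchor (the root key configured in the
// resolver) down to the leaf. Each zone's RRSIG is checked with the key
// established by the level above, never with the key the zone itself claims,
// and each child's DNSKEY must match a DS record in the already verified parent.
func ValidateChain(anchor ed25519.PublicKey, chain []Zone) error {
	key := anchor
	for i, z := range chain {
		if !ed25519.Verify(key, canonical(z.Name, z.Records), z.RRSIG) {
			return fmt.Errorf("zone %q: RRSIG does not verify (data altered or untrusted key)", z.Name)
		}
		if i == len(chain)-1 {
			return nil
		}
		child := chain[i+1]
		want := DSRecord(child.Name, child.DNSKEY)
		found := false
		for _, r := range z.Records {
			if r == want {
				found = true
			}
		}
		if !found {
			return fmt.Errorf("zone %q: no DS record matches the DNSKEY offered for %q", z.Name, child.Name)
		}
		key = child.DNSKEY
	}
	return nil
}

// BuildExample creates a constructed root -> com -> example.com chain with
// fresh keys and returns the trust anchor plus the signed zones.
func BuildExample() (ed25519.PublicKey, []Zone, error) {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	comPub, comPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	exPub, exPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Leaf zone with a constructed A record (TEST-NET-1 documentation range).
	example := SignZone("example.com.", exPub, exPriv, []string{"www.example.com. A 192.0.2.10"})
	// Each parent publishes, and signs, the DS record for its child.
	com := SignZone("com.", comPub, comPriv, []string{DSRecord(example.Name, example.DNSKEY)})
	root := SignZone(".", rootPub, rootPriv, []string{DSRecord(com.Name, com.DNSKEY)})
	return rootPub, []Zone{root, com, example}, nil
}

// TamperRecord models a poisoned cache entry: the answer is changed while the
// RRSIG stays as it was. Returns a modified copy of the chain.
func TamperRecord(chain []Zone) []Zone {
	out := append([]Zone(nil), chain...)
	leaf := out[len(out)-1]
	leaf.Records = []string{"www.example.com. A 203.0.113.5"} // constructed, TEST-NET-3
	out[len(out)-1] = leaf
	return out
}

// ForgeZone models the leaf zone re-signed with a key the parent never
// delegated to: the RRSIG verifies under that key, but no DS vouches for it.
func ForgeZone(chain []Zone) ([]Zone, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	out := append([]Zone(nil), chain...)
	leaf := out[len(out)-1]
	out[len(out)-1] = SignZone(leaf.Name, pub, priv, []string{"www.example.com. A 203.0.113.5"})
	return out, nil
}

func main() {
	anchor, chain, err := BuildExample()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine chain:", ValidateChain(anchor, chain))
	fmt.Println("poisoned record:", ValidateChain(anchor, TamperRecord(chain)))
	forged, _ := ForgeZone(chain)
	fmt.Println("forged zone key:", ValidateChain(anchor, forged))
}
```

The design point is in ValidateChain: the resolver never trusts a key because the zone presented it, only because the parent, already verified one level up, published a matching DS record. That is why poisoned data fails (the signature no longer covers the records) and why re-signing with a fresh key fails too (the DS check).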
Pros of DNSSEC
- It protects users from being redirected to forged (scam) websites.
- It can prevent DNS cache poisoning, man-in-the-middle attacks, and pharming.
- It allows other security data to be published and authenticated through DNS, such as IPsec public keys, certificate records and SSH fingerprints.
Cons of DNSSEC
- It adds overhead that can slow your system.
- It doesn’t offer confidentiality, because its answers are not encrypted. The protection consists only of the key system described above, used to run the verification process.
- By itself, DNSSEC doesn’t provide enough protection against DDoS attacks.
Conclusion
DNSSEC is a good step toward protecting your users and the trustworthiness of your domain. You can always complement its gaps with other technologies. But rest assured that enabling DNSSEC is a good idea.