After reading this article you will be able to:
- What is DNS?
- What are DNSSEC and its relevance today?
- The DNSSEC provides two primary security features to DNS, such as:
What is DNSSEC, and why is it essential?
DNS, the acronym for Domain Name System, is a decentralized and hierarchical naming system reserved for computers and services that connect to the Internet.
Domain names information is associated with DNS. The underlying protocols for networks with which devices and services are identified and located are executed by translating domain names that humans can read, such as xyz.org, to the numerical IP address.
What is DNS?
The authorities name servers of each domain are given responsibility by DNS to assign and map IP addresses to these domains. It helps to create a fault-tolerant service that is distributed and not centrally hosted. DNS is also known to define DNS protocol, a specification of data exchanges and data structures used in the DNS.
What are DNSSEC and its relevance today?
DNS Security Extensions (DNSSEC) is a technology that protects against cache poisoning attacks. One can ensure that the DNS answer is valid by digitally 'signing' data. The cryptographic signature used in DNSSEC is similar when one signs an email using GPG. Using this method, one can rest assured of the validity of the answer and the signer's identity.
Unique records created in DNS allow clients to validate their signatures. There is no central authority for certification. Instead, parent zones are rated to provide in the delegation Certificate hash information for proof of validity.
DNS is known as the phone directory of the Internet. It tells the computer where to send and retrieve information. The problem is that DNS was created in the 1980s when the Internet was minimal. In those early days, cybersecurity was not a concern. The DNS nomenclature was such that it could accept by default any address given to it without asking any questions.
It meant a real case of cyber security threat as there was no way to check the authenticity of the request. It could only check the response from the same IP address where the original request was sent. Hence, it indicated a poor way of authenticating a speech as the source IP could be forged or spoofed. Attackers camouflage their identity using the authoritative name server. In this way, attackers can redirect a user away from where they intended to go without realizing it.
The problem further compounds when recursive resolvers cache DNS data to speed up the resolution. Now it means if the resolver on a device asks for DNS data, the recursive resolver already has it saved in its cache and can immediately answer. It is good so far as speed and efficiency are concerned. Still, the risk is when there is a cyber-attack, then forged DNS response gets accepted by resolvers who already have a poisoned cache. Thus, it means that any user who interacts with the poisoned cache will be sent fraudulent DNS data till its TTL (time to live) expires.
DNSSEC adds additional security to DNS while it continues to remain backward compatible.
Important DNSSEC record Glossary
Before understanding how DNSSEC works, it is essential to understand the DNS resource record types.
- RRSIG (resource record signature): This contains the DNSSEC signature for the record set. The DNS verifies the signature with the public key stored in the DNSSEC record.
- DNSKEY: this contains the public key used to verify DNSSEC signature
- DS (delegation signer): Contains the delegated zone name and references that DNSSEC records.
- NSEC (next secure record): this contains the link to the next record name. DNSSEC resolvers use this to verify as part of its validation.
- NSEC3 (next secure record version 3): These are similar to NSEC records, but they use cryptographically hashed record names.
How does DNSSEC work?
With DNSSSEC, an answer to a DNS request contains the RRSIG DNS record and the record type requested. This RRSIG record is a digital signature of requested DNS data. The signature is verified and located in the correct public key found in the DNSKEY. The NSEC and NSEC3 records provide cryptogenic evidence of request nonexistence.
The DS (delegation signer) authenticates the DNSKEYs through a chain of trust. NSEC and NSEC3 also provide resistance against spoofing.
The chain of trust originates with the verified public keys for the DNS root zone. The domain owners create their own private and public key pairs and upload them using the DNS control panel at the domain name registrar, pushing the keys via DNSSEC to the zone operator who signs and publishes them in the DNS. It enables the resolvers to protect themselves from caching forged or manipulated DNS data and cache poisoning.
The DNSSEC provides two primary security features to DNS, such as:
- The authenticity of Data Origination – enables the resolver to verify data came only from the requested zone cryogenically.
- Integrity protection of Data -allows the resolver to know that Data was signed by the Zone owner's private key and did not get modified while in transit.
The above two security features allow a recursive resolver to look up any data and retrieve the public key in the zone. It validates the authenticity of the data provided by DNS. The resolver confirms the digital signature matches, and if it is not valid, then it is assumed that there is a cyber-attack. The Data is discarded and returned as an error.
Additional benefits of DNSSEC
The primary task of DNSSEC is to prevent cyber-attack from DNS spoofing, where the users are re-directed to the wrong place. In addition to this, DNSSEC protects text and mail records. They are also known to bootstrap other cybersecurity systems that publish cryptogenic certificates stored in DNS like SSH fingerprints, certificate records, TLS Trust anchors, and IPSEC public keys. Unlike the SSL certificates, DNSSEC does not provide confidentiality of data as their response is authenticated but not encrypted. DNSSEC also does not protect against cyberattacks such as DDoS attacks as it cannot protect against false assumptions but can only authenticate whether the Data is actually from the domain owner or not.
DNSSEC is a fundamental part of broader Internet security whether it is widely adopted or not. It requires to be enabled by recursive resolvers and domain name owners specifically. Users can be assured that whenever they enter a domain name, they should end up at the desired destination. Hence, it is precisely what the DNSSEC does.