How DNSSEC Works – And Why Every Organization Needs It
Domain Name System Security Extensions (DNSSEC) were developed in the 1990s as an industry response to vulnerabilities in the domain name system (DNS). When the DNS looks for an IP address i.e. from a browser-originated query, there is no assurance that the query response is authenticated. Malicious parties can forge or spoof DNS responses and misdirect internet users to fraudulent content.
DNSSEC protects brands by ensuring internet users won’t be misdirected to unauthorized online content destinations. DNS hijackers often use fraudulent websites to steal data from internet users such as banking credentials and credit card payment information. DNSSEC makes sure users arrive at their intended destination and helps protect against possible data theft.
Because DNSSEC is tied to the DNS, knowledge of one is important to understanding the other. The DNS is effectively a lookup service that directs users to the online destinations or content they seek. When users try to connect with a website, the action is made possible by DNS zone file data.
The DNS is organized into zones and uses resolvers to direct browser-based queries. To protect DNS zones, DNSSEC matches two digital keys, one public and one private, to digitally sign the authenticity of DNS data. It ensures that DNS resolvers are locating the legitimate IP destinations instead of hijacked or cache-poisoned DNS zone files.
The private key is known only to the domain owner. When DNS data is requested from the website, the private key is used to “sign” the data. The recursive DNS server compares the signature to the public key in the registry records. If the two match, the internet user receives the records that point to a host and gains access to the website. If they’re different, the records are assumed to be a forgery and the DNS data is dumped.
DNSSEC ensures that when a user enters a domain into a browser, a valid and authenticated DNS result is returned from the legitimate domain owner. Think of it like a secret handshake. If one party can’t perform it correctly, they are assumed to be an imposter. The public/private key system works similarly. Without the right signature (i.e. handshake) false websites are disregarded and never exposed on the public internet.
Hackers can (and do) go to incredible lengths to make malicious websites look authentic. With DNSSEC in place, DNS compromise is much harder to perpetrate. Most hackers search for low-hanging fruit. Once IT administrators put security measures in place, hackers often look for other, easier targets.
The global domain name system (DNS) was designed for ubiquity and the broadest usage, sacrificing many security attributes as a result. As the internet community responds with proven security measures like DNSSEC, organizations must adopt and deploy. The safety and security of their online presence, customers, and users depends on it.