What Is DNSSEC?
Domain Name System Security Extensions, or DNSSEC, is an important security protocol that prevents internet users from being redirected to fraudulent websites and unintended addresses. Simple enough but understanding how it works calls for an overview of the DNS security and a little history lesson.
DNS: An Origin Story
Since the earliest days of the internet, Internet Protocol (IP) addresses have been used to identify where a website is hosted. Easier access to the internet called for a way to convert words into hard-to-remember IP addresses. For example, when someone types in “Apple.com,” the browser sends the user to the IP address “188.8.131.52.” Enter the DNS: a global routing directory for the internet.
The DNS is foundational to the functioning internet as we know it. Every browser click we make directs our “requests” to servers that present content and services. But it has one glaring problem: It isn’t particularly secure. Internet security experts and national cybersecurity agencies in the U.S., U.K., and Australia have been increasingly alarmed at DNS-related threats on a global scale. Hackers have found many ways to abuse and misuse the DNS, including hijacking, spoofing, cache poisoning, and related man-in-the-middle attacks. These are all variations on a theme: criminals forge or manipulate DNS look up data to route users away from legitimate online destinations to their own, malicious online content.
It’s easy to see why this is dangerous. You may think you’re surfing to and logging in to Yourbank.com, only to be intercepted and routed to a very close imitation of that website. When you enter your credentials and/or other personal details, that data is stolen by bad actors. It’s more than a distant possibility: DNS man-in-the-middle and hijacking are two of the top cyberthreats impacting government and commercial digital operations and their millions of users. The problem is so pervasive that the U.S. Department of Homeland Security and other international security agencies have issued public warnings about the threat.
The industry responded years ago to the vulnerabilities of the DNS with DNSSEC: a security protocol to verify the authenticity of the look up addresses to ensure browsers go to intended destinations.
What does DNSSEC do?
DNSSEC is a security layer enhancement to the DNS. If the DNS were a verbal agreement of trust, DNSSEC is the digital handshake to verify the trust is warranted.
Here’s how DNSSEC works: When someone types a web address into a browser, the browser does a DNS look up to find out where to take the user. There are various types of settings in the DNS that together make up what is called the domain “zone file.” DNS look up data travels to the closest DNS server to find the intended destination and then sends the browser to that IP address or server host which presents content or services. If the zone file for the domain is signed with a DNSSEC entry, DNSSEC protects the integrity of the zone file entry to ensure it is authentic.
DNSSEC first verifies that data is coming from the zone where it claims to originate. If hackers are trying to imitate a zone file, DNSSEC will identify the scheme and dump the data. Beyond that, it ensures that DNS data is not altered in transit from recursive server to recursive server. DNS data is “signed” with a signature key with a key pair known only to the DNS zone owner. If transmitted data arrives without the right key, DNSSEC recognizes that it has been altered and can’t be trusted. It’s a very clever security layer on the DNS to keep us safe and ensure we get to authentic destinations.
Why DNSSEC Matters
DNSSEC is important for one major reason: It ensures that your online destinations and content are legitimate. Without DNS Security Extensions applied, it is very difficult to authenticate DNS data that directs your traffic. Hackers can manipulate the DNS data on recursive servers to direct traffic away from an intended destination to a malicious website.
Here are three important reasons your organization must secure its external DNS with DNSSEC:
1. Preserve trust
DNS hijacking redirects traffic to sites that can enable the theft of users’ data or to infect devices with malware. It reflects badly on the targeted brand, leading to lost customer trust, subscribership and reputation − all of which impact business growth.
2. Expose fakes
Malicious websites employed in DNS-spoofing attacks can convincingly imitate the targeted victim’s legitimate site. Even the most careful internet users can find it difficult to spot the fake. Instead of putting the responsibility on users (your customers) to assure themselves of being on your website, DNSSEC does the work of identifying and exposing fakes. Your customers have granted their trust to your brand. If you compromise that trust by failing to protect them, they’ll will punish your brand with revenue churn and the loss of goodwill.
3. Defend the perimeter
DNS attacks can exploit vulnerabilities in an organization’s internal IT security policies. Hackers can use fake login sites to acquire employee login credentials. This exposes the otherwise well-defended network perimeter from the outside. By preventing DNS spoofing/cache-poisoning DNSSEC can help defend against catastrophic data breaches originating from a simple DNS compromise. This is significant, since many IT Security leaders worry less about the DNS and more about their network’s perimeter. Without adequate DNS security, perimeter security is highly vulnerable. Lax control over the DNS can permit the bad guys to gain access more easily as they bypass network security measures. It all starts with the DNS.
DNS security is critical − DNSSEC particularly so
The DNS is a complex, global ecosystem that is fundamental to the operation of the internet. Of the many security threats that put the safe operation of the DNS at risk, DNS hijacking has proven to be one of the most dangerous and pervasive. DNSSEC is a highly effective measure, when deployed correctly, to defend against DNS hijacking. Unfortunately, many organizations have failed to adopt DNSSEC, in part owing to the complex and tedious processes for managing the DNS. This leaves them without a critical layer of protection for the DNS, a key component of a comprehensive cybersecurity strategy.