DNSSEC was the DNS industry's response to an inherent weakness of the DNS: a resolver has no built-in way to check that the answer it receives is the one the zone owner actually published. In this paper, we discuss:
- What is DNSSEC
- How DNSSEC works
- What can happen without DNSSEC
- How to know if DNSSEC is working
- How to implement and manage in four steps
- Why systems automation is the only practical approach.
Learn how to protect your brand and keep your customers and audiences safe.
The Need for Comprehensive DNS Security
In a digital world, organizations and individuals rely on the internet daily for a limitless number of essential tasks. Internet users count on organizations to maintain online service availability and to protect their data privacy. Users need to be able to trust that digital brands are authentic, i.e., that a brand's web presence really belongs to the organization it claims to represent. Unfortunately, digital brand trust is increasingly threatened by vulnerabilities in the internet's very foundation: the Domain Name System, or DNS.
Almost every online action starts with a DNS lookup. Whether for shopping, banking, paying a tax bill, or connecting with an enterprise service delivery system, for any browsing purpose at all, the DNS directs requests to the online destinations, content and applications sought by users. The DNS is central to the internet and how it operates, and it is this very criticality that makes the DNS an attractive target for abuse. Hijacking, spoofing, man-in-the-middle attacks and other threats can disrupt an organization's online operations, with disastrous consequences for brand reputations and user security.
There are many best-practice defences that infrastructure leaders need to ensure are covered when they define and implement DNS security policies to keep their networks fully operational and secure and their customers safe. Those measures include the use of Domain Name System Security Extensions (DNSSEC), Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), a secondary DNS network, and a security policy of HTTPS Everywhere. That policy then needs to be enforced with robust change management controls.
In this paper, we are taking a deeper dive into DNSSEC.
Domain Name System Security Extensions, or DNSSEC, helps defend against DNS security threats that rely on forged responses, specifically man-in-the-middle (MITM) attacks, cache poisoning and DNS hijacks that substitute false records. DNSSEC signs DNS data; it does not encrypt it, so it provides integrity and authenticity of answers, not confidentiality. While DNSSEC is extremely effective at what it does, many organizations have not yet adopted it simply because it is challenging to set up and manage over the lifecycle of a domain and across a larger portfolio of domains.
Traditional, manual practices for DNS management and the common practice of using multiple DNS services have made DNSSEC deployment cumbersome, inefficient, and costly. There is a solution: consolidating all domains and DNS services under a unified, automated environment can simplify and secure organizations’ at-risk internet operations.
In this guide to DNSSEC, we will explain what DNSSEC is, how it works, and why it’s important. We will also identify the obstacles to implementing DNSSEC and show how a simplified approach to DNS management makes effective deployment possible.
What is DNSSEC?
DNSSEC is a set of extensions to the DNS that lets a validating resolver verify that the records in a DNS response are the ones the zone owner published. It protects internet users (clients) from forged DNS data injected into recursive servers, often referred to as DNS cache poisoning. DNSSEC uses digital signatures: the zone owner signs each set of records with a private key, publishes the corresponding public key in the zone, and a resolver that validates those signatures passes on only the answers that check out, sending internet users to the intended, brand-authentic destination.
Understanding what DNSSEC is requires looking at the DNS itself. The domain name system was developed in the 1980s to make the internet easier to use. It is often described as a directory that translates the words we type into a browser into an IP address where content is served. For example, apple.com is an easily remembered domain. The DNS translates the domain name (the host part of a URL) to an internet protocol (IP) address of the server(s) where Apple's website is found; in this case, at the time of writing, 17.253.134.10. The DNS makes browser-based address queries significantly easier than an unwieldy list of millions of numeric IP addresses.
Ease of use and ubiquity are contributing factors to the evolving risks associated with the DNS. As the internet matured, it became apparent that there were many ways to abuse and misuse the DNS for malicious purposes. The DNS was not designed with security in mind: the original protocol has no way to authenticate a response, so a resolver accepts the first plausible answer that arrives. It is a globally distributed directory that makes the internet usable for all of us. For years, malicious parties have become inventively adept at compromising the DNS by intercepting, forging and/or manipulating DNS query responses. As a result, internet users and organizations cannot always be sure that the online content requested is in fact from a legitimate, authenticated source.
DNSSEC was the industry response to the authentication vulnerabilities inherent to the DNS. It was developed by the Internet Engineering Task Force (IETF) to counter the "impersonation" problems associated with the DNS. DNSSEC's public-key signatures ensure that the online content internet users request through their browsers is reached via legitimate, authenticated results from the Domain Name System; note that DNSSEC signs DNS data rather than encrypting it. Without DNSSEC, organizations are vulnerable to their DNS answers (and customers) being compromised by way of MITM attacks or DNS hijacking.
How does DNSSEC work?
The DNS is organized into zones, and resolvers answer browser-based queries by walking from the root through the top-level domain (TLD) to the authoritative servers for the zone. To protect a zone, DNSSEC uses public/private key pairs. The zone owner signs each set of records (an RRset) with the private key, producing RRSIG records, and publishes the public key in the zone as a DNSKEY record. A validating resolver uses the DNSKEY to check each RRSIG, so it accepts only records the zone owner actually published rather than forged data planted in a recursive server's cache. The keys themselves are anchored in a chain of trust: the parent zone publishes a DS (Delegation Signer) record, a hash of the child zone's key-signing key, and the parent's own keys are in turn vouched for by its parent, up to the trust anchor for the root zone.
The private key is known only to the domain owner (or the DNS provider signing on the owner's behalf) and is used to sign the zone's data; in practice a key-signing key (KSK) signs the DNSKEY RRset and a zone-signing key (ZSK) signs the rest of the zone. When a validating recursive server receives a signed answer, it fetches the zone's DNSKEY records, checks the RRSIG against the public key, and checks that the key-signing key matches the DS record the parent (for example, the TLD registry) has published. If every link verifies, the internet user receives the records that point to the host and reaches the brand-authentic website. If any link fails, the resolver treats the data as bogus and discards it, returning an error (SERVFAIL) to the client instead of the forged answer.
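The chain of trust described above, as an added worked example that is not part of the original paper: a toy model of a signed zone and of the checks a validating resolver performs. The zone name (example.com), the IP addresses, the two attack scenarios and the key parameters are all constructed for the example. The RSA keys are built from fixed Mersenne primes so the script runs on the Python standard library alone; they are trivially factorable and stand in for the real RSASHA256, ECDSA or Ed25519 keys a DNSSEC signer would generate, and the record encodings are simplified text, not DNS wire format.

```python
import hashlib
from dataclasses import dataclass

# Constructed example: a toy model of the DNSSEC chain of trust. Parent zone
# publishes DS (hash of the child's KSK); KSK signs the child's DNSKEY RRset;
# ZSK signs ordinary RRsets such as A records; the resolver walks that chain.
E = 65537
KSK = 257   # DNSKEY flags: zone key + SEP bit (RFC 4034)
ZSK = 256

@dataclass
class KeyPair:
    n: int      # public modulus, published in DNSKEY
    d: int      # private exponent, never leaves the signer
    flags: int

def make_key(p: int, q: int, flags: int) -> KeyPair:
    # Textbook RSA from two fixed primes: toy keys only, NOT a secure key.
    return KeyPair(n=p * q, d=pow(E, -1, (p - 1) * (q - 1)), flags=flags)

def dnskey_rdata(key: KeyPair) -> str:
    """Public half only: '<flags> 3 8 <modulus hex>' (3 = protocol, 8 = RSASHA256)."""
    return f"{key.flags} 3 8 {key.n:x}"

def canonical(owner: str, rrtype: str, rdatas: list) -> bytes:
    # RFC 4034 section 6: an RRset is signed in canonical form (lower-case owner, sorted rdata).
    return "\n".join(f"{owner.lower()} IN {rrtype} {r}" for r in sorted(rdatas)).encode()

def _digest(owner: str, rrtype: str, rdatas: list) -> int:
    return int.from_bytes(hashlib.sha256(canonical(owner, rrtype, rdatas)).digest(), "big")

def sign(key: KeyPair, owner: str, rrtype: str, rdatas: list) -> int:
    """RRSIG-like signature over the RRset; requires the private exponent."""
    return pow(_digest(owner, rrtype, rdatas), key.d, key.n)

def verify(n: int, owner: str, rrtype: str, rdatas: list, sig: int) -> bool:
    """Anyone holding the public DNSKEY modulus can check the signature."""
    return pow(sig, E, n) == _digest(owner, rrtype, rdatas)

def ds_digest(owner: str, dnskey: str) -> str:
    """DS rdata stand-in: SHA-256 over owner name + DNSKEY rdata (digest type 2)."""
    return hashlib.sha256(owner.lower().encode() + dnskey.encode()).hexdigest()

def build_zone(owner: str, ksk: KeyPair, zsk: KeyPair, a_records: list) -> dict:
    """Sign a zone: the KSK signs the DNSKEY RRset, the ZSK signs everything else."""
    dnskeys = [dnskey_rdata(ksk), dnskey_rdata(zsk)]
    host = "www." + owner
    return {
        (owner, "DNSKEY"): (dnskeys, sign(ksk, owner, "DNSKEY", dnskeys)),
        (host, "A"): (a_records, sign(zsk, host, "A", a_records)),
    }

def validate(zone: dict, parent_ds: set, owner: str, name: str, rrtype: str) -> str:
    """What a validating resolver does: DS -> KSK -> DNSKEY RRset -> ZSK -> target RRset."""
    dnskeys, dnskey_sig = zone[(owner, "DNSKEY")]
    # 1. A KSK in the child's DNSKEY RRset must hash to a DS the parent published.
    trusted = [int(k.split()[3], 16) for k in dnskeys
               if int(k.split()[0]) == KSK and ds_digest(owner, k) in parent_ds]
    if not trusted:
        return "bogus: no DNSKEY matches the parent's DS record"
    # 2. That KSK must have signed the DNSKEY RRset, which carries the ZSK.
    if not any(verify(n, owner, "DNSKEY", dnskeys, dnskey_sig) for n in trusted):
        return "bogus: DNSKEY RRset signature does not verify"
    # 3. The target RRset must carry a valid RRSIG from a key in that RRset.
    rdatas, sig = zone[(name, rrtype)]
    if not any(verify(int(k.split()[3], 16), name, rrtype, rdatas, sig) for k in dnskeys):
        return "bogus: RRSIG does not verify, answer discarded (SERVFAIL)"
    return "secure: " + ", ".join(rdatas)

# Fixed Mersenne primes so the run is deterministic (toy keys only).
M89, M127, M521, M607 = 2**89 - 1, 2**127 - 1, 2**521 - 1, 2**607 - 1
OWNER = "example.com"                      # constructed zone name
ksk, zsk = make_key(M127, M521, KSK), make_key(M89, M607, ZSK)
ZONE = build_zone(OWNER, ksk, zsk, ["192.0.2.10"])
PARENT_DS = {ds_digest(OWNER, dnskey_rdata(ksk))}   # what the parent (.com) publishes

def poisoned_answer(zone: dict) -> dict:
    """Cache-poisoning attempt: attacker swaps the A rdata but can only reuse the old RRSIG."""
    forged = dict(zone)
    _, old_sig = zone[("www." + OWNER, "A")]
    forged[("www." + OWNER, "A")] = (["203.0.113.66"], old_sig)
    return forged

def rogue_zone() -> dict:
    """Attacker re-signs the whole zone with their own keys; the parent's DS will not match."""
    bad_ksk, bad_zsk = make_key(M89, M521, KSK), make_key(M127, M607, ZSK)
    return build_zone(OWNER, bad_ksk, bad_zsk, ["203.0.113.66"])

if __name__ == "__main__":
    for z in (ZONE, poisoned_answer(ZONE), rogue_zone()):
        print(validate(z, PARENT_DS, OWNER, "www." + OWNER, "A"))
```

Only the first run returns a secure answer; the substituted A record fails at the RRSIG check, and the re-signed zone fails at the DS check because the parent never published a digest of the attacker's key. Against a real zone, the equivalent check is to query a validating resolver with DNSSEC records requested (for example `dig +dnssec` on the name): a correctly signed zone returns RRSIG records alongside the answer and the resolver sets the AD (Authenticated Data) flag, while a broken chain produces SERVFAIL.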