What Is DNSSEC and Why Is It Important?
The Domain Name System (DNS) is responsible for converting domain names like www.example.com into IP addresses like 192.0.2.123. The routers and switches that connect computers to networks and networks to each other use IP addresses. Humans may be good at remembering words, but machines work better with numbers. Most of us never think about DNS, but we use it hundreds or thousands of times a day. The web, email, and other technologies essential to business and everyday life would stop working without it. Everyone who uses the web trusts that the IP addresses that DNS servers translate and return are accurate; if they aren’t, we can’t be sure that we are connected to the right server. Unfortunately, there are fatal flaws in the design of DNS that can be exploited by criminals to send users to servers that they control. Your customers might enter your web address, but end up on a spoofed and malware-infected site controlled by criminals. DNS Security Extensions (DNSSEC) were created to add a layer of security to DNS, in much the same way that HTTPS and TLS certificates add a layer of security to ordinary website traffic, to help ensure that the content or web services being returned are authentic.
DNS Has No Built-In Security
The DNS system was designed in the early 1980s when the internet was a different place, populated largely by scientists, the military, and government agencies. The priority was to build a decentralized, hierarchical address book. At the time, security was not a significant concern – something no longer true of today’s threat-ridden web. When a user’s browser wants to find out the IP address associated with a domain name, it sends a DNS request to a type of DNS server called a recursive resolver. These are usually managed by ISPs, but large businesses may run their own DNS resolvers. The DNS network is hierarchical, organized in layers. Let’s say the user wants to visit blog.example.com. The resolver’s attempt to discover the IP address would look like this:
- Send a request to the root domain asking for the IP address of the authoritative name servers for the .com extension.
- Ask the .com extension’s authoritative name server for the IP address of the authoritative name servers for example.com.
- Ask the authoritative name server of example.com what the IP address of blog.example.com is.
- Return the IP for blog.example.com to the browser.
Some years after it was first deployed, serious security flaws were discovered in this system. The results of DNS queries are cached so that they can be returned quickly. If an attacker inserts false results into any DNS server’s cache — known as DNS spoofing or DNS poisoning — the server will return inaccurate results for future queries. There is no way for a recursive resolver or an authoritative domain server to know that it is getting bad information.
DNSSEC Prevents DNS Spoofing
DNSSEC is a security system that gives DNS servers the ability to verify that the information they receive is reliable. DNSSEC uses a public/private key cryptographic system similar to the one used by HTTPS, except that DNSSEC only uses the keys to sign records, not to encrypt them. The authoritative DNS records are signed by a private key which is kept secret. The signature (RRSIG) is uploaded as a special type of DNS record, as is the public key (DNSKEY). Servers that request the DNS records (RRset) also receive the signature and the public key, and can verify that the records have been signed with the private key. If the records have been signed with the right key, it is strong evidence that they are valid. Criminals are unlikely to have access to the private key. If fake records are injected into a DNS server, they won’t have the right signature, and the server sending the request will know the records are bad. Additionally, DNS servers higher up the hierarchy are able to validate the information contained in the records of the server immediately below them. When looking up blog.webnames.ca, for example, the root domain validates .ca, which validates webnames, which validates blog in a chain of trust. In reality, DNSSEC is more complex than the sketch I have outlined here, but you should now have a good understanding of what DNSSEC is and why it is an important contributor to the security of your business and its customers.
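As an added example (not code from the original post), this Go model follows the root, .ca, webnames, blog chain of trust described above and the resolver's walk down the hierarchy from the earlier list: each zone signs its RRset with its private key, the parent publishes a digest of the child's DNSKEY (a DS record, which real DNSSEC uses but the post does not name), and a validator rejects a poisoned RRset or a key the parent never delegated. Zone names, the record format and the Ed25519 keys are constructed for illustration; real DNSSEC uses the DNS wire format, key tags and signature validity windows that this model omits.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"sort"
	"strings"
)

// Toy DNSSEC model (added example, not real DNS wire format): a zone's DNSKEY is an Ed25519 public
// key, an RRSIG is its signature over the canonical RRset, and the parent publishes a DS record
// holding the SHA-256 digest of the child's DNSKEY.
type Zone struct {
	Name string
	Key  ed25519.PublicKey // DNSKEY (public half)
	priv ed25519.PrivateKey
	Sig  map[string][]byte // owner name -> RRSIG
	DS   map[string][]byte // child zone name -> DS digest
}

func NewZone(name string) *Zone {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Zone{name, pub, priv, map[string][]byte{}, map[string][]byte{}}
}
// canonical sorts the RRset so that record order cannot affect the signature.
func canonical(owner string, rrset []string) []byte {
	rrs := append([]string(nil), rrset...)
	sort.Strings(rrs)
	return []byte(owner + "\x00" + strings.Join(rrs, "\x00"))
}
// Sign publishes the RRSIG for an RRset, made with the zone's secret private key.
func (z *Zone) Sign(owner string, rrset []string) {
	z.Sig[owner] = ed25519.Sign(z.priv, canonical(owner, rrset))
}
// Delegate stores the DS record for a child zone in this (parent) zone.
func (z *Zone) Delegate(child *Zone) {
	sum := sha256.Sum256(child.Key)
	z.DS[child.Name] = sum[:]
}
// ValidateChain walks root -> TLD -> domain, as the resolver does: each DS must match the
// child's DNSKEY (the root key is the trust anchor), then the leaf RRSIG must verify.
func ValidateChain(chain []*Zone, owner string, rrset []string, sig []byte) bool {
	for i := 1; i < len(chain); i++ {
		sum := sha256.Sum256(chain[i].Key)
		if string(chain[i-1].DS[chain[i].Name]) != string(sum[:]) {
			return false // this DNSKEY was never delegated by the parent zone
		}
	}
	return ed25519.Verify(chain[len(chain)-1].Key, canonical(owner, rrset), sig) // poisoned RRset fails
}
```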
DNSSEC and Your Business
Given the security a validated IP address provides, why aren’t more businesses using DNSSEC? Unfortunately, awareness of DNSSEC and DNS is still lacking. While some government agencies and financial institutions now require DNSSEC to be implemented on domain names, the MUSH sector (municipalities, universities, schools, hospitals), ISPs, and e-commerce retailers still lag behind. Businesses that want to ensure the integrity of their domains should prioritize DNSSEC and choose a DNS hosting provider that takes security seriously.