DNSSEC – What is it? Why is it so important?

SecurityTrails Blog · Oct 04 · SecurityTrails team

The Domain Name System (DNS) is one of the most popular Internet services in use, and at the same time, it’s among the most complex. Without DNS we couldn’t resolve hostnames into IP addresses. Domains themselves are hugely popular as well, as anyone can register a domain name to start an online business.

When the DNS system was created in the early 1980s, it wasn’t designed as a secure protocol. Practical knowledge of public key cryptography, or of any other security mechanism as we know them today, was not yet available to apply. The Internet had only recently been born, networks had a limited number of users and the DNS protocol was working exactly as expected.

As decades passed, the Internet grew tremendously. With more users and more servers, encryption evolved significantly and the DNS system began to reflect a cruel reality: it was no longer a simple protocol used by a small network. It was used by millions of servers and was not, unfortunately, as secure as it should be.

In previous posts, we’ve talked about how to prevent DNS attacks, mentioning DNSSEC as one way to improve DNS security. Today we’ll dig deeper into this specific technology, to learn more about it, its implementation, benefits and current adoption.

What is DNSSEC?

Beginning in 1993, the IETF started thinking about ways to make the DNS system more robust and secure. And one of the proposed ways to harden the DNS system was to use DNSSEC.

DNSSEC (Domain Name System Security Extensions) was introduced more than ten years later in 2005 as a new way to improve DNS security.

Whether you have a small business website or a high-traffic portal, you will always be exposed to online attacks — especially to the ones originating from the DNS servers that we all use, day by day.

DNS vulnerabilities have been present in all DNS systems for decades, and one of the most common problems Internet users face is being exposed to potential DNS attacks that allow crackers to redirect traffic to their own servers instead of displaying a website’s original content.

How does it work?

The traditional DNS system works by using unencrypted data for DNS records, and that’s one of the things that DNSSEC is designed to fix.

DNSSEC signs all the data sent on DNS records so resolvers can verify its authenticity. This ensures you are connecting to the DNS records that belong to the real domain name you are trying to reach, instead of a hijacked one.

This security validation mechanism works by utilizing PKI authentication (public key infrastructure) and using two cryptographic keys, one public and one private. DNS records are signed with the private key, and their signature is published in what is called RRSIG, which stands for Resource Record Digital Signature.

Thanks to the RRSIG sent along with the DNS records, each resolver is able to validate the authenticity of the records it receives by checking the signature against the domain’s public key, which is published in the DNSKEY DNS record. The private key never leaves the signer.

Slow adoption

While DNSSEC is a good way to prevent many types of attacks, and despite several critical CVEs reported (one of the most famous is Dan Kaminsky’s cache poisoning attack, also known as the “Kaminsky bug”), its adoption statistics show that it is still not supported by many registrars around the world, and its adoption is really slow.

[Figure] Fig. 01. DNSSEC Adoption. Courtesy of APNIC Lab

[Figure] Fig. 02. DNSSEC Validation Rate by Country. Courtesy of APNIC Lab

Many ISPs and key players in the infosec community still have doubts about DNSSEC being the right tool to secure the entire DNS ecosystem, due to the complex changes it involves for both registrars and DNS server providers.

Do I really need DNSSEC?

If you are running a standard DNS server such as Bind, without any kind of DNS record validation, the chances that you are exposed to DNS attacks run pretty high. Anyone could trick you and redirect your DNS records wherever they want.

DNS attacks threaten you with downtime and losing customers or important SEO rankings. The most typical attacks affecting websites without DNSSEC include but are not limited to DNS hijacking and DNS spoofing.

Nowadays everybody needs DNSSEC. Assuming you’ve made up your mind to activate it, let’s see how it can be enabled for your domain name and DNS server.

How can I enable DNSSEC?

Unfortunately, enabling DNSSEC is not as simple as you might think, as most registrars still do not support this validation technology for their domain names.

In order to have DNSSEC enabled, registrars must have this technology enabled not only in their domain name infrastructure, but on the DNS server as well.

Some registrars support DNSSEC only when they act as the DNS server, and some others support both internal and external name servers.

Another obstacle to activating DNSSEC is that some registrars support it only for certain TLDs.

ICANN has an updated list of domain registrars who support DNSSEC, which includes some popular providers along with the supported TLDs. If you are using one of the registrars listed you will surely be able to secure your DNS records with DNSSEC.

One of the easiest and fastest ways to enable DNSSEC is by using Cloudflare.

Cloudflare makes the complex DNSSEC activation process really easy, with no technical knowledge required to get it rolling:

  • Grab a free account at cloudflare.com
  • Add your domain name.
  • Click on the DNS tab.
  • Scroll down until you see the “Enable DNSSEC” button.
  • Copy the DS records and enter that information at your domain registrar.

More information about how to activate and use DNSSEC with Cloudflare can be found in their help docs.
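The DS record handed to the registrar in the last step above is what ties the parent zone to the DNSKEY public key described in “How does it work?”. As an added example (not code from the original post, from Cloudflare or from any registrar), the following Python builds a DS record from a zone’s KSK DNSKEY and then checks a DS against a DNSKEY the way a validating resolver does; the owner name and key bytes are constructed placeholders, not real zone data.

```python
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def parse_dnskey(line: str):
    """Parse presentation format 'owner TTL IN DNSKEY flags protocol algorithm base64key'."""
    owner, _ttl, _cls, rtype, flags, proto, alg, *key = line.split()
    if rtype != "DNSKEY":
        raise ValueError("not a DNSKEY record")
    # RDATA (RFC 4034 s2.1): flags(2) | protocol(1) | algorithm(1) | public key; base64 may be split
    return owner, struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(key))

def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): 16-bit big-endian word sum of the RDATA, carry folded in."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}   # DS digest types in common use

def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """DS RDATA (RFC 4034 s5.1.4): hash over owner-name wire form || DNSKEY RDATA."""
    if not rdata[1] & 0x01:   # SEP bit clear: a ZSK, and the parent should only point at a KSK
        raise ValueError("DS should reference a DNSKEY with the SEP flag (257) set")
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest_type": digest_type, "digest": digest}

def ds_matches(ds: dict, owner: str, rdata: bytes) -> bool:
    """The validator's check: recompute the DS from the child's DNSKEY and compare every field."""
    try:
        return make_ds(owner, rdata, ds["digest_type"]) == ds
    except (ValueError, KeyError):
        return False

# Constructed sample KSK: flags 257 (zone key + SEP), algorithm 13 (ECDSAP256SHA256).
# The 64 key bytes are a placeholder pattern, not a real public key.
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    owner, rdata = parse_dnskey(SAMPLE_DNSKEY)
    ds = make_ds(owner, rdata)
    print(f"{owner} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
    tampered = rdata[:-1] + bytes([rdata[-1] ^ 0x01])   # one bit flipped in the key
    print("tampered key still matches DS:", ds_matches(ds, owner, tampered))   # False
```

A single changed bit in the published key, a different owner name, or a key without the SEP flag all fail the check, which is exactly why a wrong DS at the registrar makes the whole zone fail validation rather than silently degrading.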

Summary

As you can see, DNSSEC is one of the leading technologies available to protect your domain names and DNS security. Unfortunately, as its adoption is really slow, we’ll have to wait a couple of years to see a true domain security environment across all major registrars. In the meantime, our suggested way to enable DNSSEC is by using Cloudflare, which makes the entire activation process pretty easy.


To learn more about gathering domain and DNS intelligence to protect your online companies, begin by auditing your sites and online applications using our SecurityTrails toolkit providing manual tests to help you. Sign up for your free API key today!