The Domain Name System (DNS) is like the telephone directory of the Internet: it tells computers where to send and retrieve data. Without DNS, no one could use domain names like xyz.com. Almost every Internet communication begins with DNS, but unfortunately DNS also accepts any answer given to it without asking a single question.
This is the reason modifications and advancements in DNS security have become mandatory. Email servers use DNS to route their messages, which means they are defenseless against security issues in the DNS infrastructure. A few years back, specialists at CMU observed that email expected to be sent through Gmail, Hotmail, and Yahoo servers was instead being routed through rogue mail servers. Attackers were misusing a very old weakness in DNS: it does not check the credentials of an answer before accepting it. That's a serious security concern, folks; what do we have now?
The latest solution to the above problem is a protocol called DNSSEC (Domain Name System Security Extensions). The Domain Name System Security Extensions adds data origin authentication and data integrity to the Domain Name System.
The necessity of improving DNS security is quite evident, as an attacker stands a fair chance of spoofing in customized answers: unmodified DNS depends on a 16-bit 'secret' to match answers to the questions that were asked. Furthermore, name servers have been known to have their caches filled with rogue data.
Below is a brief introduction on DNSSEC and how it works.
DNSSEC creates a secure and protected domain name system by adding cryptographic signatures to existing DNS records. These signatures are stored in DNS name servers alongside common record types like MX, CNAME, A, AAAA, etc. After checking the associated signature, a resolver can verify that the requested DNS record comes from its authoritative name server and was not modified on the way, as opposed to a fake record injected in a man-in-the-middle attack.
DNSSEC adds the following new DNS record types to facilitate signature validation:
- RRSIG – It contains the cryptographic signature.
- DNSKEY – It contains a public signing key.
- DS – It contains the hash of a DNSKEY record.
- NSEC and NSEC3 – For authenticated denial of existence, i.e. proof that a DNS record does not exist.
- CDNSKEY and CDS – For a child zone requesting updates to its DS record(s) in the parent zone.
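To make the interplay of these record types concrete, here is an added example (not code from the original article or from any DNS implementation) that walks the chain of trust in Go: it builds a DNSKEY, derives its key tag (RFC 4034 Appendix B) and the SHA-256 DS digest the parent would publish, signs an A RRset in RFC 4034 canonical form with an Ed25519 zone key (DNSSEC algorithm 15, RFC 8080), and then validates the RRSIG the way a resolver would, rejecting a forged copy of the RRset. The zone name example.com, the addresses, timestamps and the freshly generated key are constructed sample data; the function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// wireName encodes a domain name in DNS wire format, lowercased as RFC 4034
// section 6.2 requires for canonical form: "example.com." -> \x07example\x03com\x00.
func wireName(name string) []byte {
	var out []byte
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if name != "" {
		for _, label := range strings.Split(name, ".") {
			out = append(out, byte(len(label)))
			out = append(out, label...)
		}
	}
	return append(out, 0) // root label terminates the name
}

// dnskeyRdata builds DNSKEY RDATA (RFC 4034 section 2): flags, protocol (always 3),
// algorithm, raw public key.
func dnskeyRdata(flags uint16, alg uint8, pub []byte) []byte {
	rdata := make([]byte, 4, 4+len(pub))
	binary.BigEndian.PutUint16(rdata, flags)
	rdata[2] = 3
	rdata[3] = alg
	return append(rdata, pub...)
}

// keyTag implements RFC 4034 Appendix B: the 16-bit identifier that an RRSIG
// and a DS use to say which DNSKEY they refer to.
func keyTag(rdata []byte) uint16 {
	var ac uint32
	for i, b := range rdata {
		if i&1 == 1 {
			ac += uint32(b)
		} else {
			ac += uint32(b) << 8
		}
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac & 0xFFFF)
}

// dsDigest computes the digest carried in the parent's DS record (digest type 2,
// SHA-256): hash of the owner name in wire format followed by the DNSKEY RDATA.
func dsDigest(owner string, rdata []byte) string {
	h := sha256.New()
	h.Write(wireName(owner))
	h.Write(rdata)
	return hex.EncodeToString(h.Sum(nil))
}

// RR is one resource record; an RRset is all RRs sharing owner, type and class.
type RR struct {
	Owner string
	Type  uint16
	Class uint16
	TTL   uint32
	Rdata []byte
}

// rrsigPrefix is the RRSIG RDATA with the signature field left out (RFC 4034 3.1.8.1).
type rrsigPrefix struct {
	TypeCovered uint16
	Alg         uint8
	Labels      uint8
	OrigTTL     uint32
	Expiration  uint32
	Inception   uint32
	KeyTag      uint16
	Signer      string
}

// signedData assembles what is actually signed: RRSIG_RDATA | RR(1) | RR(2) ...,
// RRs in canonical order (sorted by RDATA) and carrying the RRSIG's original TTL.
func signedData(p rrsigPrefix, rrs []RR) []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, p.TypeCovered)
	buf.WriteByte(p.Alg)
	buf.WriteByte(p.Labels)
	binary.Write(&buf, binary.BigEndian, p.OrigTTL)
	binary.Write(&buf, binary.BigEndian, p.Expiration)
	binary.Write(&buf, binary.BigEndian, p.Inception)
	binary.Write(&buf, binary.BigEndian, p.KeyTag)
	buf.Write(wireName(p.Signer))
	sorted := append([]RR(nil), rrs...)
	sort.Slice(sorted, func(i, j int) bool { return bytes.Compare(sorted[i].Rdata, sorted[j].Rdata) < 0 })
	for _, rr := range sorted {
		buf.Write(wireName(rr.Owner))
		binary.Write(&buf, binary.BigEndian, rr.Type)
		binary.Write(&buf, binary.BigEndian, rr.Class)
		binary.Write(&buf, binary.BigEndian, p.OrigTTL)
		binary.Write(&buf, binary.BigEndian, uint16(len(rr.Rdata)))
		buf.Write(rr.Rdata)
	}
	return buf.Bytes()
}

// signRRset is the authoritative side: the zone key signs the canonical RRset.
func signRRset(priv ed25519.PrivateKey, p rrsigPrefix, rrs []RR) []byte {
	return ed25519.Sign(priv, signedData(p, rrs))
}

// validateRRset is the resolver side: the DNSKEY must hash to the DS the parent
// published, the RRSIG must name that key, and the signature must verify. A full
// validator also checks inception/expiration against the clock; omitted here.
func validateRRset(parentDS, owner string, dnskey []byte, p rrsigPrefix, sig []byte, rrs []RR) bool {
	if dsDigest(owner, dnskey) != parentDS {
		return false // not the key the parent vouches for
	}
	if keyTag(dnskey) != p.KeyTag || dnskey[3] != p.Alg {
		return false // RRSIG does not refer to this key
	}
	return ed25519.Verify(ed25519.PublicKey(dnskey[4:]), signedData(p, rrs), sig)
}

// demo signs a constructed A RRset for example.com and reports whether the genuine
// answer validates and whether a forged copy (one address swapped) is rejected.
func demo() (genuineOK, forgedOK bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dnskey := dnskeyRdata(257, 15, pub)    // 257 = zone key with SEP bit; 15 = ED25519
	ds := dsDigest("example.com.", dnskey) // what the parent zone would publish
	rrs := []RR{
		{"example.com.", 1, 1, 3600, []byte{192, 0, 2, 10}},
		{"example.com.", 1, 1, 3600, []byte{192, 0, 2, 1}},
	}
	p := rrsigPrefix{TypeCovered: 1, Alg: 15, Labels: 2, OrigTTL: 3600,
		Expiration: 1700086400, Inception: 1700000000, KeyTag: keyTag(dnskey), Signer: "example.com."}
	sig := signRRset(priv, p, rrs)
	genuineOK = validateRRset(ds, "example.com.", dnskey, p, sig, rrs)
	forged := []RR{rrs[0], {"example.com.", 1, 1, 3600, []byte{198, 51, 100, 66}}}
	forgedOK = validateRRset(ds, "example.com.", dnskey, p, sig, forged)
	return
}

func main() {
	g, f := demo()
	fmt.Printf("genuine RRset validates: %v, forged RRset validates: %v\n", g, f)
}
```

The point to take from the code is the shape of the check: a resolver never trusts an RRSIG on its own. It trusts the DNSKEY only because the parent's DS digest matches it, and the parent's DS is itself signed, all the way up to the root trust anchor.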
Nowadays, Google is also performing DNSSEC validation on its Public DNS service. Google launched Public DNS a few years ago to help make the Internet faster and more secure, and with advanced security threats in mind it has now taken a major step towards that security goal: Google fully supports DNSSEC validation on its Public DNS resolvers.
Mr. Yunhong Gu (Team Lead for Google Public DNS) says that Google now fully supports DNSSEC (Domain Name System Security Extensions) validation on its Google Public DNS resolvers. Previously, they accepted formatted messages but did not perform any validation; now, with this new security feature, they can better protect people from DNS-based attacks and make DNS more secure overall by identifying and rejecting invalid responses from DNSSEC-protected domains.