DNS and How It Works – Part 2

The Domain Name System Security Extensions (DNSSEC) are a set of Internet Engineering Task Force (IETF) standards created to address vulnerabilities in the Domain Name System (DNS) and help protect it from online threats.

DNSSEC’s main goal is to strengthen trust on the Internet by helping to protect users from redirection to fraudulent websites and unintended addresses. This helps prevent malicious activities such as pharming, man-in-the-middle attacks and cache poisoning.

Its first purpose was to protect all Internet users from counterfeit DNS data by verifying digital signatures embedded in the data. When someone enters a domain name into a browser, the resolver verifies the digital signature on the response. Once it matches what is stored in the master DNS servers, the response is allowed through to the client computer that made the request.

To facilitate signature validation, DNSSEC adds a few new DNS record types, such as:

  • RRSIG – Contains a cryptographic signature
  • DNSKEY – Contains a public signing key
  • DS – Contains the hash of a DNSKEY record
  • NSEC and NSEC3 – For explicit denial-of-existence of a DNS record
  • CDNSKEY and CDS – For a child zone requesting updates to DS record(s) in the parent zone.

These new records are used to digitally sign a domain using a method known as public key cryptography. A signed nameserver has both a public and a private key for each zone. When a request is made, it sends data signed with its private key, and the recipient then verifies that data with the public key. If a third party or an attacker tries to send untrustworthy information, it won't verify properly against the public key and the recipient will know the information is bogus.
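How the DS record from the list above ties a parent zone to a child's DNSKEY, as an added example that is not part of the original article. It follows the RFC 4034 wire format with a SHA-256 digest (DS digest type 2); the zone name and key bytes are constructed sample data, not a real key.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Encode a domain name in canonical (lowercase) DNS wire format."""
    parts = [p for p in name.lower().rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): a 16-bit checksum over the DNSKEY RDATA."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over (owner name || DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()

def dnskey_matches_ds(owner, rdata, ds_tag, ds_alg, ds_hex) -> bool:
    """True only if this DNSKEY is the one the parent's DS record commits to."""
    return (key_tag(rdata) == ds_tag
            and rdata[3] == ds_alg          # byte 3 of the RDATA is the algorithm
            and ds_digest(owner, rdata) == ds_hex.upper())

# Constructed sample data (assumed names and key bytes, not a real zone key).
ZONE = "example.com."
KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))        # algorithm 13, 64-byte key
PARENT_DS = (key_tag(KSK), 13, ds_digest(ZONE, KSK))    # what the parent zone publishes
# A substituted key changes the RDATA, so the parent's digest no longer matches.
FORGED = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))

if __name__ == "__main__":
    print("key tag:", key_tag(KSK))
    print("genuine key accepted:", dnskey_matches_ds(ZONE, KSK, *PARENT_DS))
    print("forged key accepted:", dnskey_matches_ds(ZONE, FORGED, *PARENT_DS))
```

A validating resolver performs this comparison at every delegation, which is why a forged DNSKEY in a child zone is rejected unless the parent's DS record is also changed.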

DNS, which was designed in the 1980s when the threat model was different from today's, was not optimized for authenticity or integrity but for fast query/response times. Trust was implied: legitimate queries and replies were expected. If that trust model was attacked, the way information was found and exchanged online could be changed. There was no consideration for strong security mechanisms in the protocol.

These factors added to the vulnerability of DNS, and in 1993 the IETF began discussions on how to help DNS become trustworthy. DNSSEC, a set of extensions, was established and implemented in 2005, but to date it is still far from mainstream adoption globally.

It is recommended that DNSSEC continue to be used and that all users be made aware of its existence through greater advertising, as it helps to reduce vulnerabilities.

© All rights reserved. No part of this publication may be reproduced without written permission from Social People.