Almost every transaction on the Internet requires DNS. DNS is a service that allows textual addresses – which can easily be remembered by humans – to be paired up with the IP addresses that facilitate connection and communication between computers on the Internet. When the user types in the address of a web page their computer sends a query to the DNS containing the requested domain name, and in response the DNS returns an IP address.
DNS is one of the oldest protocols on the Internet and was not designed to be secure. If someone malicious manages to intercept communication with the DNS server they can return a response (the wrong IP address) which will redirect users to a fake website. The consequences may not be pleasant for users.
This is not just fiction – it happens every day, all over the world. Lately, more than half of all cyber attacks are related to the abuse of the DNS and its use for criminal acts or censorship of content.
How is it possible?
The scenario goes like this: The user enters the address of the website, such as a bank or online store, and waits for DNS to “translate” the address provided into a corresponding IP address, so that the user’s device is able to connect to the desired online service.
In that very short interval, while the user’s device is waiting for the DNS response, the DNS server’s actual response is altered by the attacker. On the screen the user sees a web page that is identical to the one requested, but they are actually at the wrong address and are connected to a computer controlled by the attacker. Everything that the user enters – username, password, credit card number, personal data, etc. – is now visible to the attacker and can be misused.
Then, how can we trust the DNS at all? Is there a way for the user to determine whether the DNS response they have received is spoofed or legitimate? The answer is “yes” – DNSSEC.
What is DNSSEC?
DNSSEC (DNS Security Extension) is a technology which provides mechanisms for protection against modification of DNS responses and redirection of the users to online locations which are potentially harmful in terms of theft of personal data, credit card numbers or confidential commercial information, or where false information and news are served up, supposedly from “verified” sources trusted by the user.
Of course, nobody wants visitors of their website or their email messages end up in the hands of fraudsters. So if you are a domain name registrant, think about implementing DNSSEC, protect your own data and that of your users, and preserve your reputation intact and prevent possible financial loss.
Verification of the DNS response is done using PKI (Public Key Infrastructure), and a DNS server with DNSSEC signature validation enabled will only accept a responses signed with an appropriate cryptographic key. Modern cryptographic algorithms provide sufficient guarantee that the only valid DNS response originates from a server that is authoritative for the given domain name and that the response cannot be changed en route to the user.
In order for DNSSEC to perform its role, two equally important prerequisites must be met:
- The domain name must be DNSSEC-signed
- Internet users must use DNS servers with DNSSEC validation enabled
DNSSEC signature of domain names
Although the process of signing domain names is still not an easy task, a lot has been done in recent years to automate it. Some hosting and DNS providers offer the service as standard offer, and there are also accredited RNIDS registrars that have implemented DNSSEC and offer it to their users.
Whether you want to perform DNSSEC domain name signing on your own or on some other DNS server, you need to enter information on the DNSSEC key which will be used to sign the domain name into the RNIDS database via your accredited registrar. RNIDS will accept the proper DS (Delegation Signer) record which looks like the one in the diagram.
The following is entered into the RNIDS database via the accredited registrar:
- Key tag (KSK ID)
- Algorithm (the algorithm used to create the DNSSEC recordset)
- Digest type (the algorithm used to create the Digest)
- Digest (hash of the DNSSEC key)
Who do you apply to to get your domain name DNSSEC-signed?
DNSSEC signing of a domain name can be done on your own infrastructure, or via a DNS provider who provides this service. This could be your accredited registrar, your Internet or hosting provider, or you can use the services of commercial or free DNS providers.
If you do not have your own DNS server, check with the accredited registrar with whom the domain name is registered whether they provide DNSSEC domain name signing, or whether they are planning to offer this option in the near future. Not all accredited registrars are ready to provide DNSSSEC domain signing service, but all of them can forward your DNSSEC data to RNIDS.
Ask around to find out who provides DNSSEC signing service and get your domain name signed. DNSSEC domain name signingdoes not cost much, and in some cases is even free. In the end, it will certainly help you to maintain your online reputation and ensure your users can use your service securely.
What should Internet users do?
For Internet users to ensure they are completely protected against manipulation of DNS responses and from threats of being connected to sites and services controlled by cyber criminals, they should use DNS resolvers that validate DNSSSEC signatures.
Responsible administrators of corporate systems and ISP providers will have active DNSSEC validation on the servers that provide services to their users. Also, all the leading public DNS servers (Google, PCH, Cloudflare, Cisco) verify the validity of DNS responses for DNSSEC-signed domain names and do not return an IP address if the signature is not valid. For those domain names that are not DNSSEC signed, resolution is carried out without validation, but such domains carry the real possibility of their visitors ending up at locations controlled by cyber criminals.
DNSSEC is an important element in increasing security on the Internet, and regardless of whether you are just a user of the Internet or you run an online service, you should take advantage of the benefits it brings. To begin with, at the following link res-check.dnssec.rs everyone can check whether their DNS resolvers validate DNSSEC signatures.