What is DNSSEC?
by Ryan Ozawa
In the early days of the Internet, architects of what would become the World Wide Web were primarily concerned with connecting a global network of servers and computers and making it easier to find and retrieve information.
The Domain Name System (DNS) was set up as a global address book of sorts, and even today is how your computer finds and connects to websites. The advent of the Mail Exchange (MX) system similarly optimized how electronic mail is routed around the world.
Designed around ideals of openness and accessibility, these systems were quickly abused for profit, through email spam, phishing, and hacking. It soon became necessary to build security into these foundational technologies. That’s where DNSSEC comes in.
The domain name system
First proposed in 1983, six years before the World Wide Web, DNS translates domain names like amazon.com and paubox.com into numerical Internet Protocol (IP) addresses that identify every server, computer, and device connected to the Internet. It’s much easier to remember google.com than 22.214.171.124.
DNS entries also include electronic mail routing information (the MX records). The problem of email spam was solved in part by tracking which IP addresses were used to send spam and blocking them, and by requiring IP warming before new addresses could send email.
But more sophisticated attacks target the DNS system itself. And if the global address book of the Internet can’t be trusted, it’s impossible to know which systems you can trust.
Because computers rely on DNS to know where to find each other, hackers often target the DNS system to redirect connections to other servers. This is called DNS hijacking.
For example, you may be trying to log onto your bank’s website at paubank.com, which the DNS system will normally tell you can be found at 123.456.789. Hackers could “hijack” the DNS directory entry for paubank.com and send you to 123.456.666 instead. If the website at the other end is designed to look like your bank’s website, you could log in with your username and password and unknowingly hand them to the attacker.
There are four basic types of DNS redirection attacks:
- Local: Malicious software (malware) is installed on your computer to change your DNS records and settings.
- Router: Centralized hardware in homes and businesses, which people often install without changing the factory usernames and passwords, is modified to redirect DNS lookups.
- Man-in-the-middle: Connections are intercepted between a user and a DNS server to replace correct IP addresses with IP addresses of malicious websites.
- Rogue DNS server: Setting up or taking over a DNS server to have control over the entire address book, again to direct users to malicious websites.
What is DNSSEC?
In order to restore trust in the DNS system, new systems and standards were implemented to add layers of security and authentication.
One of the organizations entrusted with establishing Internet standards is the Internet Engineering Task Force (IETF), an open, international community of network designers, operators, vendors, and researchers focused on the smooth operation and evolution of the Internet. In 1999, the IETF proposed the Domain Name System Security Extensions (DNSSEC) to “provide data integrity and authentication . . . through the use of cryptographic digital signatures.”
With cryptographic digital signatures, a validating DNS resolver can detect forged or manipulated DNS data: each answer carries a signature that is checked against the zone’s published public key, and that key is in turn vouched for by the parent zone, in a chain that leads up to the root and ultimately to the designated authoritative DNS servers. While protecting IP addresses is the immediate concern for many users, DNSSEC can protect any data published in the DNS, including MX records.
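To make the chain of trust concrete, here is an added example (written for this page, not code from the article or from Paubox) of the link a validating resolver checks between a child zone’s DNSKEY record and the DS record its parent publishes. The key tag follows RFC 4034 Appendix B and the DS digest follows RFC 4509 (SHA-256 over the owner name in canonical wire form followed by the DNSKEY RDATA); the owner name example.com and the 4-byte key bytes are constructed placeholders, not a real key. The example does not verify the RRSIG signatures themselves, which would need a public-key library, but it shows why a hijacker who substitutes their own DNSKEY cannot satisfy the DS the parent zone already holds.

```python
# Added example: the DNSKEY -> DS link that a DNSSEC validator checks.
# Formulas: key tag per RFC 4034 Appendix B, DS digest type 2 per RFC 4509.
# All key material below is constructed sample data, not a real zone key.
import hashlib
import struct


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA layout: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256(owner name wire form || DNSKEY RDATA), upper-case hex."""
    return hashlib.sha256(owner_name_wire(owner) + rdata).hexdigest().upper()


def parent_ds_for(owner: str, rdata: bytes) -> dict:
    """What the parent zone publishes once the child hands over its key-signing DNSKEY."""
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],          # algorithm byte sits at offset 3 of the RDATA
        "digest_type": 2,
        "digest": ds_digest_sha256(owner, rdata),
    }


def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """The validator's check: key tag, algorithm and digest must all agree with the DS."""
    if ds["digest_type"] != 2:
        raise ValueError("only DS digest type 2 (SHA-256) is handled in this example")
    return (
        ds["key_tag"] == key_tag(rdata)
        and ds["algorithm"] == rdata[3]
        and ds["digest"].upper() == ds_digest_sha256(owner, rdata)
    )


# Constructed sample: a key-signing key (flags 257, protocol 3) for example.com using
# algorithm 13 (ECDSA P-256). A real P-256 key is 64 bytes; these 4 bytes are a placeholder.
SAMPLE_OWNER = "example.com."
SAMPLE_KEY_RDATA = dnskey_rdata(257, 3, 13, bytes([1, 2, 3, 4]))
SAMPLE_DS = parent_ds_for(SAMPLE_OWNER, SAMPLE_KEY_RDATA)


def forged_key_passes() -> bool:
    """A hijacker who swaps in their own DNSKEY for example.com: does it match the parent's DS?"""
    forged = dnskey_rdata(257, 3, 13, bytes([9, 9, 9, 9]))
    return ds_matches_dnskey(SAMPLE_DS, SAMPLE_OWNER, forged)


if __name__ == "__main__":
    print("key tag:", key_tag(SAMPLE_KEY_RDATA))
    print("DS digest:", SAMPLE_DS["digest"])
    print("genuine DNSKEY matches DS:", ds_matches_dnskey(SAMPLE_DS, SAMPLE_OWNER, SAMPLE_KEY_RDATA))
    print("forged DNSKEY matches DS:", forged_key_passes())
```

The same two formulas are what a registrar or DNS operator uses to produce the DS record you paste into the parent zone, so they double as a check that the DS you published really corresponds to the DNSKEY you are serving.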
Although DNSSEC makes the DNS system more secure, it also adds complexity to its overall operation, and it is not universally supported.
Google provides open, DNSSEC-capable DNS servers via its Google Public DNS service.