What Are DNS Security Extensions (DNSSEC)?

The Domain Name System (DNS) is a critical component in internet communication that matches a friendly domain name such as "yourdomaincom" with its corresponding IP address A critical flaw was found in the DNS protocol in 2008 that allowed an …

The Domain Name System (DNS) is a critical component in internet communication that matches a friendly domain name such as “yourdomain.com” with its corresponding IP address. A critical flaw was found in the DNS protocol in 2008 that allowed an attacker to poison cache results on DNS resolver servers and redirect users to a malicious website. This attack was successful because the DNS protocol does not require any authentication or security validation. However, a new technology called DNSSEC adds a security layer to DNS queries to protect users from phishing attacks using DNS vulnerabilities.

How Does DNS Cache Poisoning Work?

The main purpose of DNSSEC is to stop DNS cache poisoning, also called DNS spoofing. The Internet has thousands of DNS resolvers that answer user queries requesting IP addresses for a given domain. Resolvers communicate with authoritative nameservers to get domain IP addresses and cache them. Cached results make it faster for users to receive responses from their DNS queries.

The issue with this system is that there is no validation for responses from an authoritative nameserver. An attacker can pretend to be an authoritative response and force the resolver server to cache malicious results. In a DNS poisoning attack, the attacker will tell the resolver to cache a malicious IP and link it to a legitimate domain. The domain owner has no control over the issue, and most cache poisoning attacks use an attacker-controlled site that looks significantly similar to the official site.

Attackers can successfully poison resolver servers because the entire DNS interaction between servers uses the UDP protocol. The UDP protocol has no handshake like the TCP protocol used to connect to an HTTP website.  UDP is a “set it and forget it” protocol that sends and receives messages without any authentication or sender and receiver verification.

A DNS poisoning attack is not easy, so it’s a sophisticated way for an attacker to exploit the vulnerability. The resolver server does make legitimate requests to the authoritative server, and the authoritative server sends legitimate responses. An attacker only has a few milliseconds to send the fraudulent reply to the resolver before it receives a legitimate response.

Several other issues make this attack difficult:

• Attackers must know which DNS queries aren’t cached by the resolver to identify a soon-to-happen DNS query that can be poisoned.

• The port used for queries must be known. Older protocol rules specified the same port, but newer standards randomize the port. This means attackers must “guess” the right port, but only a limited number of ports are available for DNS queries.

• Every request is given an identification value. The attacker must “guess” the identification value to ensure that poisoned results are cached.

• An attacker must know the authoritative server used to query DNS results.

This attack is a critical issue because users have no way of knowing that they are accessing a malicious site. A sophisticated attack uses the legitimate site’s images, layout, colors, and text. It’s virtually impossible to notice a phishing website using this method of attack. Some attackers even have SSL/TLS certificates to make the site look more legitimate. Any user who falls for this phishing attack could send an attacker their financial data, personal information, or user credentials.

Because phishing attacks are especially effective using DNS cache poisoning, DNSSEC was established and quickly rolled out to defend against them. DNS is a critical part of Internet infrastructure, so the attack could affect small and large businesses. It was considered a critical issue that must be remediated quickly and without affecting the way legacy and new servers interact with each other and users.

How DNSSEC Solves the Problem of DNS Cache Poisoning

DNSSEC works similarly to SSL/TLS and HTTPS connections. In these security technologies, digital signatures and public/private key encryption are used to protect servers. DNSSEC uses a key signing process from the root server to the nameserver hosting the domain’s IP address. There are only 13 root servers located across the globe, which are maintained by trusted authorities. Before signatures and keys are distributed, Internet Assigned Numbers Authority (IANA) reviews them and assigns them to the domain’s nameserver. IANA is the only trusted root key manager currently to approve requests.

How DNSSEC Solves the Problem of DNS Cache Poisoning

Digital signatures are stored on nameservers alongside other common DNS records such as A, AAAA, MX, and CNAME. Public keys are used to verify digital signatures to ensure that the record is valid. The DNS resolver verifies the legitimacy of a query result using the public key to then verify the signature of the private key passed down by the root server. The chain of events is invisible to the user, so all this activity happens in the background when users access their favorite domain.

Not Every Device Supports DNSSEC

Backwards compatibility is necessary to allow for legacy hardware to still work with DNS resolvers. It’s not uncommon for users to have older routers in their homes, so DNSSEC is not adopted everywhere. It takes time for new technology to advance to people who do not upgrade their hardware, so DNSSEC is still not implemented on every network.

Some organizations forward DNS queries to an authoritative DNS provider such as Google. Adoption for DNSSEC continues to grow, but it has not been completely implemented due to difficulties. The first difficulty is that administrators must understand DNSSEC and know how to implement it. The second is a lack of resources for smaller organizations. For individuals, it seems unnecessary to go out and buy a new router or other device to support technology that they don’t understand.

Conclusion

Phishing attacks aren’t always via email. They can also be used in DNS cache poisoning attacks. It’s important that organizations understand the issues with DNS and take the necessary steps to protect users. DNSSEC adds a layer of cybersecurity to browser requests and protects users from possible phishing attacks.

Your internet service provider might already use DNSSEC, but private organizations could have unique setups that use older strategies. Using DNSSEC, you protect your domain from being used in sophisticated phishing attacks. It protects not only users, but also protects employees from being the targets of phishing.

Wordpress Hosting

Experience the difference with the fastest WordPress hosting platform.

Elastic Hosting

A flexible managed hosting solution that will grow with you and your needs grow.

Cloud Servers

Your dedicated cloud servers that are managed by us or managed by you.

Made InCanada
Made by Canadians,
for Canadians

Never worry about compliance again. Our servers are hosted directly on Canadian soil, and support is given by a 100% Canadian team.

We Start,
Where Others Stop.

If you've been burned by terrible hosting services before, we get you. We want every client to feel important and fully taken care of, and we'll spend the time it takes to solve any problem that arises.

Trusted by Clients Across All Industries

Don't take our word for it - let our happy clients do the talking. See More

Full Host did an amazing job of migrating my site seamlessly onto their server. My only regret was not switching my site over to them sooner. Now it is performing great, images are uploading way faster than ever before.

" Vancouver Sofa and Patio - Jerry Schmidt

Two thumbs up for Fullhost! Agents reply to me fairly quickly or at least let me know they received the ticket and are looking into it. Kudos to the support team as they have always given me exactly what I need without delays.

" Universal Staffing Inc. - Anthony Calvano

FullHost is an absolute pleasure to work with, and their customer service is exceptional. Whenever I have questions or need adjustments, they are there to help, quickly, efficiently, with answers and insights.

" Mooseworld Inc. Norine Leibel

With coast to coast coverage,
We help you serve the world.

Whether your audience is located in Europe, Asia, Africa, or Australia, provide them with lightening speed!

FullHost's data centers are located in Toronto and Vancouver to ensure worldwide quality and speed.

Get in Touch
We Trust Only The Best Tech to Support You

FullHost operates with the most innovative technology to bring you unparalleled levels of hosting services.